# Microsoft Issues Patches for Actively Exploited Excel, Exchange Server 0-Day Bugs

The Hacker News, published November 10, 2021
Microsoft has released security updates as part of its monthly [Patch Tuesday](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov>) release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system.
Of the 55 flaws, six are rated Critical and 49 Important in severity. Four of them were publicly known at the time of release, and two were already under active exploitation.
The most severe of the flaws are [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>) (CVSS score: 8.8), a [post-authentication remote code execution flaw](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>) in Microsoft Exchange Server 2016 and 2019, and [CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>) (CVSS score: 7.8), a security feature bypass in Microsoft Excel versions 2013 through 2021 that is triggered by opening a specially crafted file and can lead to code execution. Because the Exchange bug is post-authentication, an attacker needs valid credentials for a mailbox or service account, so a single phished account is enough to reach it. The Excel flaw affects both the Windows and macOS builds; a patch for the macOS version had not yet shipped at the time of release.
The Exchange Server issue is also one of the bugs demonstrated at the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) held in China last month. Microsoft, however, did not share any details on how the two vulnerabilities were being used in real-world attacks.
"Earlier this year, Microsoft alerted that APT Group HAFNIUM was exploiting [four zero-day vulnerabilities](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) in the Microsoft Exchange server," said Bharat Jogi, director of vulnerability and threat research at Qualys.
"This evolved into exploits of Exchange server vulnerabilities by DearCry Ransomware — including attacks on infectious disease researchers, law firms, universities, defense contractors, policy think tanks and NGOs. Instances such as these further underscore that Microsoft Exchange servers are high-value targets for hackers looking to penetrate critical networks," Jogi added.
Also addressed are four vulnerabilities that were publicly disclosed before the patches shipped but were not known to be exploited:
* [**CVE-2021-43208**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43208>) (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability
* [**CVE-2021-43209**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43209>) (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability
* [**CVE-2021-38631**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
* [**CVE-2021-41371**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>) (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Microsoft's November release also carries a fix for [CVE-2021-3711](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711>), a critical buffer overflow in [OpenSSL's SM2 decryption function](<https://thehackernews.com/2021/09/qnap-working-on-patches-for-openssl.html>) that was disclosed in late August 2021 and reaches Microsoft products through the OpenSSL build embedded in Visual Studio. An attacker who can get an application to decrypt attacker-supplied SM2 content could crash it (a denial-of-service condition) or potentially execute arbitrary code with the permissions of the user running the application.
Other important remediations include fixes for remote code execution flaws in the Chakra Scripting Engine ([CVE-2021-42279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42279>)), Microsoft Defender ([CVE-2021-42298](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>), triggered when a crafted file is opened by a user or scanned automatically by an outdated engine), the Hyper-V Virtual Machine Bus ([CVE-2021-26443](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26443>), which lets an authenticated user inside a guest VM run code on the host by sending crafted traffic over a VMBus channel), Remote Desktop Client ([CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>), exploitable by a malicious RDP server that a user is tricked into connecting to), and on-premises versions of Microsoft Dynamics 365 ([CVE-2021-42316](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42316>)).
Lastly, the update is rounded out by patches for a number of privilege escalation vulnerabilities affecting NTFS ([CVE-2021-41367](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41367>), [CVE-2021-41370](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41370>), [CVE-2021-42283](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42283>)), the Windows Kernel ([CVE-2021-42285](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42285>)), Visual Studio Code ([CVE-2021-42322](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42322>)), Windows Desktop Bridge ([CVE-2021-36957](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36957>)), and the Windows Fast FAT File System Driver ([CVE-2021-41377](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41377>)).
To [install](<https://support.microsoft.com/en-us/windows/get-the-latest-windows-update-7d20e88c-0568-483a-37bc-c3885390d212#WindowsVersion=Windows_11>) the latest security updates, Windows users can go to Start > Settings > Update & Security > Windows Update and select Check for Windows updates.
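For fleet verification the Settings app does not scale, so here is an added PowerShell check (example code written for this page, not Microsoft's or The Hacker News' own tooling). It reports the OS build and update build revision (UBR), tests whether one of the November 2021 Windows cumulative or monthly rollup packages is present, and, if not, asks the Windows Update Agent which updates it still considers missing. The `$Nov2021Kbs` list is an assumption taken from the November 9, 2021 Windows release and should be verified against the MSRC release notes; exactly one of those KBs applies to a given OS build, so the check passes if any of them is installed.

```powershell
# Added example, not part of the article: verify the November 2021 Windows
# cumulative update on the local host and list updates still pending.
#
# Assumption: $Nov2021Kbs is the set of Windows KB numbers from the
# November 9, 2021 release; verify it against the MSRC release notes.
$Nov2021Kbs = @(
    'KB5007186', 'KB5007189', 'KB5007192', 'KB5007205', 'KB5007206',
    'KB5007207', 'KB5007215', 'KB5007233', 'KB5007245', 'KB5007246', 'KB5007255'
)

function Test-Nov2021Update {
    param([string[]]$KbIds = $Nov2021Kbs)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists Windows packages
    # only; Office and Exchange security updates do not appear here.
    $installed = @(Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID })
    [pscustomobject]@{
        Patched      = ($installed.Count -gt 0)
        InstalledKbs = @($installed | ForEach-Object { $_.HotFixID })
    }
}

function Get-PendingUpdates {
    # Windows Update Agent COM API; queries whichever source the host is
    # configured for (WSUS, SCCM/MECM, or Microsoft Update).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KBs      = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ', '
            Severity = $u.MsrcSeverity
        }
    }
}

# Build and UBR let you compare against the release notes even when a later
# cumulative update has superseded the November package.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"{0} build {1}.{2}" -f $ver.ProductName, $ver.CurrentBuildNumber, $ver.UBR

$status = Test-Nov2021Update
if ($status.Patched) {
    "November 2021 update present: {0}" -f ($status.InstalledKbs -join ', ')
} else {
    "No November 2021 cumulative update found; updates still pending:"
    Get-PendingUpdates | Format-Table -AutoSize
}
```

Two caveats when reading the result: a host that has already taken a later cumulative update is patched even though none of the November KBs is listed, which is why the build and UBR are printed for comparison; and the Exchange and Office fixes (CVE-2021-42321, CVE-2021-42292) are separate packages that this check does not cover, so Exchange servers need their build verified against the Exchange Server security update release notes.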
### Software Patches From Other Vendors
In addition to Microsoft, security updates have also been released by a number of other vendors to rectify several vulnerabilities, including —
* [Adobe](<https://helpx.adobe.com/security.html>)
* [Android](<https://thehackernews.com/2021/11/google-warns-of-new-android-0-day.html>)
* [Cisco](<https://thehackernews.com/2021/11/hardcoded-ssh-key-in-cisco-policy-suite.html>)
* [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)
* [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)
* Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-November/thread.html>)
* [Samba](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/samba-releases-security-updates>)
* [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864>)
* [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>), and
* [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)
"integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T01:07:53", "type": "qualysblog", "title": "Microsoft & Adobe Patch Tuesday (November 2021) \u2013 Microsoft 55 Vulnerabilities with 6 Critical, 6 Zero-Days. Adobe 4 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-3711", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42279", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42316", "CVE-2021-42321", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-11T01:07:53", "id": "QUALYSBLOG:95B6925D28299FFFDEA3BD6BA8F3E443", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-11-26T17:20:32", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Microsofts-Patch-Tuesday-Security-Updates-for-November_TA202147.pdf>)\n\nFor the month of November, Microsoft has reported a total of 55 vulnerabilities, 6(CVE-2021-38666, CVE-2021-26443, CVE-2021-42279, CVE-2021-42298, CVE-2021-42316, CVE-2021-3711) of which have been rated critical. 
Four (CVE-2021-43208, CVE-2021-43209) of these vulnerabilities have been publicly known and two (CVE-2021-42292, CVE-2021-42321) of them have been exploited in the wild. Patches of all these vulnerabilities have been published by Microsoft. This Advisory only focuses on the important 12 vulnerabilities.\n\n#### Vulnerability Details\n\n#### Patch Link\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43208>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43209>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38631>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41371>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38666>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26443>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42279>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42298>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42316>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711>\n\n#### References\n\n<https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/>\n\n<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-10T11:20:36", "type": 
"hivepro", "title": "Microsoft\u2019s Patch Tuesday Security Updates for November", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-3711", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42279", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42316", "CVE-2021-42321", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-10T11:20:36", "id": "HIVEPRO:846AE370AF77A81941A26AF3FC365026", "href": "https://www.hivepro.com/microsofts-patch-tuesday-security-updates-for-november/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-11-26T17:27:08", "description": "**Microsoft Corp.** today released updates to quash at least 55 security bugs in its **Windows** operating systems and other software. 
Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today -- potentially giving adversaries a head start in figuring out how to exploit them.\n\n\n\nAmong the zero-day bugs is [CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>), a "security feature bypass" problem with **Microsoft Excel versions 2013-2021** that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren't available yet).\n\nMicrosoft's revised, more sparse security advisories don't offer much detail on what exactly is being bypassed in Excel with this flaw. But **Dustin Childs **over at **Trend Micro's Zero Day Initiative** [says](<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>) the vulnerability is likely due to loading code that should be limited by a user prompt -- such as a warning about external content or scripts -- but for whatever reason that prompt does not appear, thus bypassing the security feature.\n\nThe other critical flaw patched today that's already being exploited in the wild is [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>), yet another zero-day in **Microsoft Exchange Server**. You may recall that earlier this year a majority of the world's organizations running Microsoft Exchange Servers were [hit with four zero-day attacks that let thieves install backdoors and siphon email](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>).\n\nAs Exchange zero-days go, CVE-2021-42321 appears somewhat mild by comparison. 
Unlike the four zero-days involved in the mass compromise of Exchange Server systems earlier this year, CVE-2021-42321 requires the attacker to be already authenticated to the target's system. Microsoft has published a blog post/FAQ about the Exchange zero-day [here](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>).\n\nTwo of the vulnerabilities that were disclosed prior to today's patches are [CVE-2021-38631](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) and [CVE-2021-41371](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>). Both involve weaknesses in Microsoft's **Remote Desktop Protocol** (RDP, Windows' built-in remote administration tool) running on Windows 7 through Windows 11 systems, and on Windows Server 2008-2019 systems. The flaws let an attacker view the RDP password for the vulnerable system.\n\n"Given the interest that cybercriminals -- especially ransomware initial access brokers -- have in RDP, it is likely that it will be exploited at some point," said **Allan Liska**, senior security architect at **Recorded Future**.\n\nLiska notes this month's patch batch also brings us [CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>), which is a Remote Code Execution vulnerability in the Windows RDP Client.\n\n"This is a serious vulnerability, labeled critical by Microsoft," Liska added. "In its Exploitability Assessment section Microsoft has labelled this vulnerability 'Exploitation More Likely.' This vulnerability affects Windows 7 - 11 and Windows Server 2008 - 2019 and should be a high priority for patching."\n\nFor most Windows home users, applying security updates is not a big deal. By default, Windows checks for available updates and is fairly persistent in asking you to install them and reboot, etc. 
It's a good idea to get in the habit of patching on a monthly basis, ideally within a few days of patches being released.\n\nBut please do not neglect to backup your important files -- before patching if possible. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. There are also a number of excellent third-party products that make it easy to duplicate your entire hard drive on a regular basis, so that a recent, working image of the system is always available for restore.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience any glitches or problems installing patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may offer useful tips or suggestions.\n\nFurther reading:\n\n**SANS Internet Storm Center **has a [rundown on each of the 55 patches released today](<https://isc.sans.edu/forums/diary/Microsoft+November+2021+Patch+Tuesday/28018/>), indexed by exploitability and severity, with links to each advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T20:39:07", "type": "krebs", "title": "Microsoft Patch Tuesday, November 2021 Edition", "bulletinFamily": "blog", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2021-11-09T20:39:07", "id": "KREBS:7B6AC3C7BFC3E69830DAE975AA547ADC", "href": "https://krebsonsecurity.com/2021/11/microsoft-patch-tuesday-november-2021-edition/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-11-10T20:20:08", "description": "[Microsoft reported](<https://msrc.microsoft.com/update-guide/vulnerability>) a total of 55 vulnerabilities, six of which are rated critical, with the remaining 49 being rated important. The flaws are found in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.\n\nAll in all, it\u2019s a pretty light month, according to the Zero Day Initiative\u2019s (ZDI\u2019s) Dustin Childs. \u201cHistorically speaking, 55 patches in November is a relatively low number,\u201d he commented. 
\u201cEven going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs.\u201d\n\nStill, as always, this Patch Tuesday delivers high-priority fixes, the most urgent of which being the duo that are under attack.\n\n## High-Priority, Actively Exploited Pair of Bugs\n\n[**CVE-2021-42321**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>)**: Microsoft Exchange Server Remote Code Execution Vulnerability.**\n\nThis is a critical remote code execution (RCE) weakness in Exchange Server caused by issues with the validation of command-let (cmdlet) arguments \u2013 i.e., lightweight commands used in the PowerShell environment. They\u2019re invoked by PowerShell runtime within the context of automation scripts that are provided at the command line or invoked programmatically by the PowerShell runtime through APIs. Microsoft said that the vulnerability, rated 8.8 in criticality, has low attack complexity.\n\nIn order to exploit this flaw, an attacker would need to be authenticated, which limits some of the impact, as noted by Satnam Narang, staff research engineer at Tenable. 
Microsoft says they are aware of \u201climited targeted attacks\u201d using this vulnerability in the wild.\n\nMicrosoft has a [blog post describing the vulnerability](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>) and how it\u2019s exploited.\n\nMicrosoft Exchange Server has been the subject of several notable vulnerabilities throughout 2021, including [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) and associated vulnerabilities as well as [ProxyShell](<https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/>), Narang pointed out.\n\n\u201cThough unconfirmed, this may be similar to an Exchange Server vulnerability that was discovered at the [Tianfu Cup](<https://borncity.com/win/2021/10/17/tifanu-cup-2021-exchange-2019-und-iphone-gehackt/>) hacking competition last month,\u201d Narang suggested.\n\nKevin Breen, director of cyber threat research at Immersive Labs, told Threatpost on Tuesday that federal or government bodies in the United States may be bound by the recent [CISA directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) that puts an emphasis on faster patching of exploits that are actively being used by attackers. \u201cThis vulnerability \u2013 along with CVE-2021-42292 \u2013 would likely fall into that category,\u201d he noted in an email on Tuesday.\n\nIn spite of playing a starring role at the Tianfu Cup, this flaw was actually discovered by the Microsoft Threat Intelligence Center (MSTIC). 
Microsoft said that it\u2019s been actively used in attacks.\n\n[**CVE-2021-42292**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>)**: Microsoft Excel Security Feature Bypass Vulnerability.**\n\nThis patch fixes a security feature bypass vulnerability \u200b\u200bin Microsoft Excel for both Windows and MacOS computers that could allow code execution when opening a specially crafted file. It too was discovered by MSTIC, which said that it\u2019s also been exploited in the wild as a zero day.\n\nAccording to Trend Micro\u2019s Zero Day Initiative (ZDI) [November Security Update](<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>), \u201cThis is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature.\u201d\n\nMicrosoft doesn\u2019t suggest what effect the vulnerability might have, but its CVSS score of 7.8 gives it a severity rating of high. 
Immersive Labs\u2019 Breen said that the lack of detail \u201ccan make it hard to prioritize, but anything that is being exploited in the wild should be at the very top of your list to patch.\u201d\n\nMicrosoft said that the Outlook Preview Pane isn\u2019t an attack vector for this weakness, so a target would need to open the file in order for exploitation to occur.\n\nUpdates are available for Windows systems, but updates for Office for Mac aren\u2019t out yet.\n\nBreen suggested that given the lack of description and a lack of updates for a vulnerability being exploited in the wild, \u201cit may be worth telling anyone in your organization using Office for Mac to be more cautious until patches are made available.\u201d\n\n## Other Bugs of Note\n\n[**CVE-2021-42298**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>)**: Microsoft Defender Remote Code Execution Vulnerability.**\n\nDefender is designed to scan every file and run with some of the highest levels of privileges in the operating system. This means an attacker could trigger the exploit by simply sending a file \u2013 the victim wouldn\u2019t even need to open or run anything, explained Kevin Breen, director of cyber threat research at Immersive Labs.\n\nBreen told Threatpost on Tuesday that this is the reason that CVE-2021-42298 is marked as \u201cexploitation more likely.\u201d\n\n\u201cAs it\u2019s not being exploited in the wild, it should get updated without any manual intervention from administrators,\u201d he said via email. 
\u201cThat being said, it\u2019s definitely worth checking to make sure your Defender installations are getting their updates set correctly.\u201d\n\nMicrosoft\u2019s advisory includes steps to verify that users have the latest versions installed.\n\n[**CVE-2021-38666**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>)**: Remote Desktop Client Remote Code Execution Vulnerability.**\n\nMicrosoft said that in the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger an RCE on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.\n\nThat\u2019s not the clearest description, Breen noted, but the attack vector suggests that the remote desktop client installed on all supported versions of Windows contains a vulnerability.\n\n\u201cTo exploit it, an attacker would have to create their own server and convince a user to connect to the attacker,\u201d Breen explained. \u201cThere are several ways an attacker could do this, one of which could be to send the target an RDP shortcut file, either via email or a download. If the target opens this file, which in itself is not malicious, they could be giving the attacker access to their system.\u201d\n\nBreen said in an email that in addition to patching this flaw, a sensible step would be to add detections for RDP files being shared in emails or downloads.\n\n[**CVE-2021-38631**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>)** & **[**CVE-2021-41371**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>)**: Information Disclosure Vulnerabilities in Microsoft Remote Desktop Protocol (RDP).**\n\nThese flaws were previously publicly disclosed by security researchers. Successful exploitation would allow an attacker to see RDP passwords for the vulnerable system.\n\nThe issue affects RDP running on Windows 7 \u2013 11 and Windows Server 2008 \u2013 2019. 
They\u2019re rated \u201cImportant\u201d by Microsoft. Given the interest that cybercriminals (especially ransomware initial access brokers) have in RDP, \u201cit is likely that it will be exploited at some point,\u201d said Allan Liska, senior security architect at Recorded Future.\n\n## Continuous Exchange Vulnerabilities\n\nExchange vulnerabilities have been of particular concern this year, Liska noted, pointing to both Chinese nation state actors and the cybercriminals behind the [DearCry](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) ransomware (also believed to be operating out of China) as having exploited earlier vulnerabilities in Microsoft Exchange ([CVE-2021-26855 and CVE-2021-27065](<https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/>)).\n\n\u201cWhile Microsoft only rates the vulnerability as \u2018Important\u2019 because an attacker has to be authenticated to exploit it, Recorded Future has noted that gaining legitimate credential access to Windows systems has become trivial for both nation state and cybercriminal actors,\u201d Liska said via email. Hence, he recommended prioritizing this flaw for patching.\n\n## Prioritize CVE-2021-42292, Too\n\nMicrosoft wasn\u2019t clear about which security feature is bypassed by this security feature bypass vulnerability for Microsoft Excel for both Windows and MacOS computers, which affects versions 2013 \u2013 2021. But the fact that it\u2019s being exploited in the wild \u201cis concerning,\u201d Liska said and \u201cmeans it should be prioritized for patching.\u201d\n\nMicrosoft Excel is a frequent target of both [nation-state attackers](<https://threatpost.com/spear-phishing-attack-lures-victims-with-hiv-results/153536/>) and cybercriminals, he noted.\n\n110921 17:21 UPDATE: Corrected misattribution of input from Kevin Breen.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T21:41:49", "type": "threatpost", "title": "Microsoft Nov. 
Patch Tuesday Fixes Six Zero-Days, 55 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42321"], "modified": "2021-11-09T21:41:49", "id": "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", "href": "https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-31T20:45:04", "description": "On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices.\n\nThe vulnerabilities are tracked as [CVE-2021-3711](<https://www.qnap.com/en-us/security-advisory/QSA-21-39>) \u2013 a high-severity buffer overflow related to SM2 decryption\u2013 and [CVE-2021-3712](<https://www.qnap.com/en-us/security-advisory/QSA-21-40>), a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents.\n\nThese OpenSSL flaws are spreading ripples far and wide. 
\n\nThat\u2019s because [OpenSSL](<https://en.wikipedia.org/wiki/OpenSSL>) is mostly used by network software \u2013 including being widely used by Internet servers and the majority of HTTPS websites \u2013 that use the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.\n\nTLS has replaced SSL, which contained what Sophos\u2019s Paul Ducklin called a \u201chuge\u201d number of cryptographic flaws. But many popular open-source programming libraries that support it \u2013 including OpenSSL, LibreSSL and BoringSSL, \u201chave kept old-school product names for the sake of familiarity,\u201d Ducklin commented in a recent [drilldown](<https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/>) into the OpenSSL bugs.\n\nQNAP on Monday joined a parade of organizations whose products rely on OpenSSL and which are either investigating the flaws (in QNAP\u2019s case) or have already released security advisories, including Linux distributions such as [Red Hat](<https://access.redhat.com/security/cve/cve-2021-3711>) (not affected), [Ubuntu](<https://ubuntu.com/security/CVE-2021-3711>), [SUSE](<https://www.suse.com/security/cve/CVE-2021-3711.html>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2021-3711>) and[ Alpine Linux](<https://www.alpinelinux.org/posts/Alpine-3.14.2-released.html>).\n\n## QNAP Hammers Out Fixes\n\nQNAP said that it\u2019s \u201cthoroughly investigating the case\u201d and that it plans to release security updates and more information ASAP.\n\nSame goes for NAS appliance maker [Synology](<https://www.synology.com/en-global/security/advisory/Synology_SA_21_24>), which told its customers that the OpenSSL vulnerabilities affect its Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN 
Plus Server and VPN Server products. On Thursday, Synology assigned \u201cimportant\u201d and \u201cmoderate\u201d severity ratings to the vulnerabilities and said that it\u2019s working on patches.\n\nYet another storage solutions provider, [NetApp](<https://security.netapp.com/advisory/ntap-20210827-0010/>), is now trying to figure out which of its products may be affected. So far, it\u2019s confirmed that Clustered Data ONTAP, E-Series SANtricity OS controller software, the NetApp Manageability SDK, NetApp SANtricity SMI-S Provider, and NetApp Storage Encryption are affected, and it\u2019s investigating dozens more of its products.\n\n[Cisco](<https://tools.cisco.com/security/center/publicationListing.x>) and [Broadcom](<https://support.broadcom.com/security-advisory/security-advisories-list.html?segment=SE>) are also expected to release advisories describing how the latest OpenSSL vulnerabilities will affect their products.\n\n## QNAP\u2019s Advisories\n\nIt turns out that the OpenSSL vulnerabilities affect QNAP NAS devices running the [HBS 3 Hybrid Backup Sync](<https://www.qnap.com/en/how-to/tutorial/article/hybrid-backup-sync>) data backup and disaster recovery tool, the [QTS](<https://www.qnap.com/en-us/qts4/con_show.php?op=showone&cid=1>) GUI, the [QuTS hero](<https://www.qnap.com/quts-hero/en-us/>) operating system, and [QuTScloud](<https://www.qnap.com/solution/qutscloud-overview/en-us/#:~:text=QuTScloud%20is%20the%20operating%20system,at%20a%20predictable%20monthly%20cost.>), which is an operating system for QNAP Cloud NAS virtual appliances.\n\nAccording to Sophos\u2019s Ducklin, the flaws could allow an attacker to trick an application \u201cinto thinking that something succeeded (or failed) when it didn\u2019t, or even to take over the flow of program execution entirely.\n\nIf successfully exploited, the flaws could allow remote attackers to execute arbitrary code with the permissions of the user running the application, QNAP said, which gives 
CVE-2021-3711 a high severity rating. CVE-2021-3712 allows remote attackers to disclose memory data or execute a DoS attack, making it a medium-severity flaw.\n\nMITRE has the technical details here for [CVE-2021-3712](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712>) and [CVE-2021-3711](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711>).\n\nCVE-2021-3711 is a [heap-based buffer overflow](<https://cwe.mitre.org/data/definitions/122.html#:~:text=Description,routine%20such%20as%20malloc\\(\\).>). These bugs generally lead to crashes but can also translate into lack of availability, including putting the program into an infinite loop. Such vulnerabilities can also allow attackers to carry out RCE, bypass protections, or modify memory.\n\nAccording to MITRE, the CVE-2021-3711 bug in OpenSSL allows an attacker who can present SM2 content \u2013 SM2 being an elliptic-curve public-key algorithm used for digital signatures, key agreement and encryption \u2013 to send data that overflows the buffer by up to a maximum of 62 bytes, \u201caltering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash.\u201d\n\nAs Sophos\u2019s Ducklin explained when writing about this decryption bug, OpenSSL includes implementations of the SM algorithms: It uses SM2 for key agreement and digital signatures, SM3 for hashing, and SM4 for block encryption. 
On the plus side, Sophos researchers don\u2019t think that crooks are going to be able to exploit this bug, given that \u201cofficial TLS support for ShangMi was only introduced in [RFC 8998](<https://datatracker.ietf.org/doc/html/rfc8998>), dated March 2021, so it\u2019s a newcomer to the world\u2019s cryptographic stable.\u201d\n\nAs Ducklin wrote, although OpenSSL does include implementations of SM2, SM3 and SM4, \u201cit doesn\u2019t yet include the code needed to allow you to choose these algorithms as a ciphersuite for use in TLS connections.\u201d\n\n> \u201cYou can\u2019t ask your TLS client code to request a ShangMi connection to someone else\u2019s server, as far as we can see; and you can\u2019t get your TLS server code to accept a ShangMi connection from someone else\u2019s client.\n> \n> \u201cSo the bug is in there, down in the low-level OpenSSL libcrypto code, but if you use OpenSSL at the TLS level to make or accept secure connections, we don\u2019t think you can open up a session in which the buggy code could be triggered.\n> \n> \u201cIn our opinion, that greatly reduces the likelihood of criminals abusing this flaw to implant malware on your laptop, for example by luring you to a booby-trapped website and presenting you with a rogue certificate during connection setup.\u201d \u2014Sophos\u2019s Paul Ducklin\n\n## Technical Details\n\nThe CVE-2021-3712 flaw is caused by a [read buffer overrun](<https://cwe.mitre.org/data/definitions/119.html>) weakness while processing ASN.1 strings. 
[MITRE explains](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712>) that [ASN.1](<https://www.ncbi.nlm.nih.gov/Structure/asn1.html#:~:text=1%20file%20format-,ASN.,to%20achieve%20interoperability%20between%20platforms.&text=It%20permits%20computers%20and%20software,the%20data%20structure%20and%20content.>) strings are represented internally within OpenSSL as an ASN1_STRING structure that contains a buffer holding the string data and a field holding the buffer length, as opposed to normal C strings that are represented as a buffer for the string data, which is terminated with a NUL (0) byte. \u201cIf a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit,\u201d according to MITRE. That could lead to a crash, causing DoS or could also lead to disclosure of private memory contents, such as private keys or even sensitive content in plaintext.\n\nBoth of the OpenSSL bugs were [fixed](<https://www.openssl.org/news/vulnerabilities.html>) in OpenSSL 1.1.1l on Tuesday of last week.\n\n## Fix Them If You Can\n\nSophos\u2019s Ducklin recommended upgrading to OpenSSL 1.1.1l if possible. \u201cAlthough most software on Windows, Mac, iOS and Android will not be using OpenSSL, because those platforms have their own alternative TLS implementations, some software may include an OpenSSL build of its own and will need updating independently,\u201d he noted. \u201cIf in doubt, consult your vendor. Most Linux distros will have a system-wide version of OpenSSL, so check with your distro for an update. (Note: Firefox doesn\u2019t use OpenSSL on any platforms.)\u201d\n\nThere\u2019s no shortage of reasons to heed his advice, given that criminal gangs already have NAS devices in their crosshairs. 
In a [report](<https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/>) published a few weeks ago, Palo Alto Networks Unit 42 researchers said that they\u2019d discovered a new variant of the eCh0raix ransomware strain that exploited a critical bug, [CVE-2021-28799](<https://nvd.nist.gov/vuln/detail/CVE-2021-28799>) \u2013 an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account \u2013 in the Hybrid Backup Sync (HBS 3) software on QNAP\u2019s NAS devices.\n\nThe nearly year-old eCh0raix ransomware strain has been used to target both QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns, but the new variant is more efficient: It can target either vendor\u2019s devices [in a single campaign](<https://threatpost.com/ech0raix-ransomware-variant-qnap-synology-nas-devices/168516/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T15:08:46", "type": "threatpost", "title": "QNAP Is Latest to Get Dinged by OpenSSL Bugs Fallout", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28799", 
"CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-08-31T15:08:46", "id": "THREATPOST:703466E6007D5E2783255F53CBE5B433", "href": "https://threatpost.com/qnap-openssl-bugs/169054/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-31T14:18:59", "description": "Customers of Taiwan-based [QNAP Systems](<https://www.qnap.com/pt-pt>) are in a bit of limbo, waiting until the company releases a patch for an OpenSSL bug that the company has [warned](<https://www.qnap.com/en/security-advisory/QSA-22-06>) affects most of its network-attached storage (NAS) devices. The vulnerability can trigger an infinite loop that creates a denial-of-service (DoS) scenario.\n\nThough the bug \u2013 tracked as [CVE-2022-0778](<https://nvd.nist.gov/vuln/detail/CVE-2022-0778>) and rated 7.5 (high severity) on the CVSS severity-rating scale \u2013 [has been patched](<https://www.openssl.org/news/secadv/20220315.txt>) by OpenSSL, QNAP hasn\u2019t gotten around to applying a fix yet for its NAS devices affected by the vulnerability. The company is telling customers that \u201cthere is no mitigation available\u201d and they \u201cmust check back and install security updates as soon as they become available.\u201d\n\n\u201cQNAP is thoroughly investigating the case,\u201d the company said. \u201cWe will release security updates and provide further information as soon as possible.\u201d\n\nThe vulnerability is in OpenSSL\u2019s BN_mod_sqrt() function, which computes a modular square root. The bug can be triggered by crafting a certificate that has invalid explicit curve parameters, causing the function to loop forever, according to [its listing](<https://nvd.nist.gov/vuln/detail/CVE-2022-0778>) in the NIST National Vulnerability Database. This creates DoS conditions on the device, according to OpenSSL. 
OpenSSL is a popular open-source cryptography library, used primarily by networking software, that implements the TLS protocol.\n\n\u201cSince certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,\u201d according to the listing. \u201cThe infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.\u201d\n\nVulnerable scenarios on devices using OpenSSL include:\n\n * TLS clients consuming server certificates,\n * TLS servers consuming client certificates,\n * Hosting providers taking certificates or private keys from customers,\n * Certificate authorities parsing certification requests from subscribers, or\n * Anything else that parses ASN.1 elliptic curve parameters.\n\nQNAP devices affected by the bug are:\n\n * QTS 5.0.x and later\n * QTS 4.5.4 and later\n * QTS 4.3.6 and later\n * QTS 4.3.4 and later\n * QTS 4.3.3 and later\n * QTS 4.2.6 and later\n * QuTS hero h5.0.x and later\n * QuTS hero h4.5.4 and later\n * QuTScloud c5.0.x\n\nThough QNAP said it\u2019s not aware of any exploits for the bug, [a security advisory](<https://www.csirt.gov.it/contenuti/rilevata-vulnerabilita-in-openssl-al02-220316-csirt-ita>) issued by Italy\u2019s national cybersecurity agency, CSIRT, suggests that it already is being exploited in the wild.\n\n## **QNAP Under Fire**\n\nQNAP devices have indeed had their share of cybersecurity woes in the past several months, a number of which are ongoing.\n\nAs the company readies a fix for the OpenSSL flaw, it\u2019s also working on another patch for the so-called [Dirty Pipe Linux kernel flaw](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/linux-dirty-pipe-vulnerability-gives-unprivileged-users-root-access/>) discovered earlier this month, which also currently has no mitigation on QNAP NAS devices. 
The flaw, a local privilege-escalation vulnerability, affects the Linux kernel on [QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x](<https://threatpost.com/most-qnap-nas-devices-affected-by-dirty-pipe-linux-flaw/178920/>).\n\nAttackers also have been pummeling QNAP devices with both ransomware and brute-force attacks since the beginning of the year, the [latter of which](<https://threatpost.com/qnap-nas-devices-ransomware-attacks/177452/>) prompted the vendor to urge customers to get their internet-exposed NAS devices off the internet.\n\nIn late January, QNAP forced out an unexpected and not entirely welcome update to its customers\u2019 NAS devices after [warning them](<https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet-and-fight-against-ransomware-together>) that [the DeadBolt ransomware](<https://threatpost.com/conti-deadbolt-delta-qnap-ransomware/178083/>) was mounting an offensive against them. And just last week, reports surfaced that [DeadBolt was at it](<https://threatpost.com/deadbolt-ransomware-qnap-again/179057/>) again in a new wave of attacks against QNAP.\n\nThe current OpenSSL scenario also is not the first time the vendor\u2019s devices were rattled by a flaw in the cryptography library. Last August, [two vulnerabilities](<https://threatpost.com/qnap-openssl-bugs/169054/>) tracked as [CVE-2021-3711](<https://www.qnap.com/en-us/security-advisory/QSA-21-39>) and [CVE-2021-3712](<https://www.qnap.com/en-us/security-advisory/QSA-21-40>) that respectively could cause remote-code execution (RCE) and DoS also prompted a security advisory and eventually emergency patches by QNAP.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T13:22:49", "type": "threatpost", "title": "QNAP Customers Adrift, Waiting on Fix for OpenSSL Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712", "CVE-2021-44228", "CVE-2022-0778"], "modified": "2022-03-31T13:22:49", "id": "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "href": "https://threatpost.com/qnap-customers-adrift-fix-openssl-bug/179197/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-23T15:46:12", "description": "NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41367, CVE-2021-41370.", "cvss3": 
{"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42283", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41367", "CVE-2021-41370", "CVE-2021-42283"], "modified": "2022-05-23T17:42:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:*", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909"], "id": "CVE-2021-42283", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42283", "cvss": {"score": 4.6, 
"vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", 
"cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*"]}, {"lastseen": "2023-05-23T15:44:42", "description": "NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41367, CVE-2021-42283.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-41370", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41367", "CVE-2021-41370", "CVE-2021-42283"], "modified": "2021-11-12T17:15:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", 
"cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-41370", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41370", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:44:40", "description": "NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41370, CVE-2021-42283.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-41367", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41367", "CVE-2021-41370", "CVE-2021-42283"], "modified": "2021-11-12T18:57:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-41367", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41367", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:47:43", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43208.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-43209", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-17T02:32:00", "cpe": [], "id": "CVE-2021-43209", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43209", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-23T15:47:43", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43209.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-43208", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-15T19:39:00", "cpe": [], "id": "CVE-2021-43208", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43208", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-23T15:39:07", "description": "Windows 
Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41371.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-10T01:18:00", "type": "cve", "title": "CVE-2021-38631", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-12T18:59:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", 
"cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-38631", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38631", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:44:41", "description": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-38631.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": 
"2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-41371", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-10T21:19:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-41371", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41371", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:31:50", "description": "Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-10T01:16:00", "type": "cve", "title": "CVE-2021-26443", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443"], "modified": "2021-11-10T16:01:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:21h1"], "id": "CVE-2021-26443", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26443", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*"]}, {"lastseen": "2023-05-23T15:35:40", "description": "Windows Desktop Bridge Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:17:00", "type": "cve", "title": "CVE-2021-36957", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36957"], "modified": "2021-11-10T15:44:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-36957", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36957", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:46:15", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42298", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2021-11-17T19:34:00", "cpe": [], "id": "CVE-2021-42298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42298", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-05-23T15:46:13", "description": "Windows Kernel Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42285", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42285"], "modified": "2022-05-23T17:42:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:*", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909"], "id": "CVE-2021-42285", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42285", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", 
"cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*"]}, {"lastseen": "2023-05-23T15:44:41", "description": "Windows Fast FAT File System Driver Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-41377", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41377"], "modified": "2021-11-12T20:37:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-41377", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41377", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:46:11", "description": "Chakra Scripting Engine Memory Corruption Vulnerability", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42279", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42279"], "modified": "2021-11-12T18:56:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", 
"cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-42279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42279", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:46:19", "description": "Visual Studio Code Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42322", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42322"], "modified": "2021-11-15T21:49:00", "cpe": [], "id": "CVE-2021-42322", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42322", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-23T15:46:13", "description": "Microsoft Excel Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42292", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42292"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office_long_term_servicing_channel:2021", "cpe:/a:microsoft:office:2016", "cpe:/a:microsoft:365_apps:-", "cpe:/a:microsoft:excel:2013", 
"cpe:/a:microsoft:office:2019"], "id": "CVE-2021-42292", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42292", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:*", "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*", "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*", "cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*", "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:*:*", "cpe:2.3:a:microsoft:office:2019:*:*:*:*:-:*:*"]}, {"lastseen": "2023-05-23T15:39:13", "description": "Remote Desktop Client Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T01:18:00", "type": "cve", "title": "CVE-2021-38666", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38666"], "modified": 
"2021-11-10T16:38:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-38666", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38666", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:46:21", "description": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42316", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42316"], "modified": "2021-11-15T19:46:00", "cpe": ["cpe:/a:microsoft:dynamics_365:9.1", "cpe:/a:microsoft:dynamics_365:9.0"], "id": "CVE-2021-42316", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42316", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:dynamics_365:9.1:*:*:*:on-premises:*:*:*", "cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*"]}, {"lastseen": "2023-05-23T15:46:18", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42321", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2022-08-29T18:59:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-42321", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:36:05", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. 
The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-24T15:15:00", "type": "cve", "title": "CVE-2021-3711", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711"], "modified": "2022-12-06T21:23:00", "cpe": ["cpe:/a:netapp:oncommand_insight:-", "cpe:/a:oracle:zfs_storage_appliance_kit:8.8", "cpe:/a:oracle:enterprise_communications_broker:3.2.0", "cpe:/a:oracle:mysql_connectors:8.0.27", "cpe:/a:tenable:nessus_network_monitor:5.13.1", "cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0", "cpe:/a:oracle:communications_session_border_controller:9.0", "cpe:/a:oracle:health_sciences_inform_publisher:6.2.1.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:netapp:e-series_santricity_os_controller:11.50.2", "cpe:/a:tenable:tenable.sc:5.19.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:oracle:enterprise_communications_broker:3.3.0", "cpe:/a:netapp:hci_management_node:-", 
"cpe:/a:netapp:clustered_data_ontap_antivirus_connector:-", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:oracle:health_sciences_inform_publisher:6.3.1.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58", "cpe:/a:netapp:manageability_software_development_kit:-", "cpe:/o:debian:debian_linux:11.0", "cpe:/a:netapp:snapcenter:-", "cpe:/a:oracle:enterprise_session_border_controller:9.0", "cpe:/a:oracle:communications_unified_session_manager:8.4.5", "cpe:/a:netapp:storage_encryption:-", "cpe:/a:oracle:communications_session_border_controller:8.4", "cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0", "cpe:/a:oracle:mysql_enterprise_monitor:8.0.25", "cpe:/a:oracle:enterprise_session_border_controller:8.4", "cpe:/a:oracle:mysql_server:8.0.26", "cpe:/a:oracle:jd_edwards_world_security:a9.4", "cpe:/a:netapp:santricity_smi-s_provider:-", "cpe:/a:netapp:clustered_data_ontap:-", "cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/a:oracle:mysql_server:5.7.35", "cpe:/a:netapp:solidfire:-", "cpe:/a:oracle:communications_unified_session_manager:8.2.5"], "id": "CVE-2021-3711", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3711", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_server:5.7.35:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:tenable:nessus_network_monitor:5.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_connectors:8.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_server:8.0.26:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "cpe:2.3:a:tenable:tenable.sc:5.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_session_manager:8.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_session_manager:8.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_inform_publisher:6.2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_encryption:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*"]}], "mscve": [{"lastseen": "2023-05-23T16:35:33", "description": "NTFS Elevation of Privilege Vulnerability This CVE 
ID is unique from CVE-2021-41367, CVE-2021-42283.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "NTFS Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41367", "CVE-2021-41370", "CVE-2021-42283"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-41370", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41370", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:35", "description": "NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41370, CVE-2021-42283.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": 
"mscve", "title": "NTFS Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41367", "CVE-2021-41370", "CVE-2021-42283"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-41367", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41367", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:32", "description": "NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41367, CVE-2021-41370.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "NTFS Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41367", "CVE-2021-41370", "CVE-2021-42283"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-42283", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42283", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43208.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "3D Viewer Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-43209", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43209", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43209.", "cvss3": 
{"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "3D Viewer Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-43208", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43208", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:35", "description": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-38631.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Remote Desktop 
Protocol (RDP) Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-41371", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41371", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-23T16:35:35", "description": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41371.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-41371"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-38631", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38631", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-27T14:46:18", "description": "Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443"], "modified": "2021-11-12T08:00:00", "id": "MS:CVE-2021-26443", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26443", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:35:35", "description": "Windows Desktop Bridge Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, 
"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Desktop Bridge Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36957"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-36957", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36957", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:31", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Defender Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-42298", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42298", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:35:32", "description": "Windows Kernel Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42285"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-42285", "href": 
"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42285", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:35:35", "description": "Windows Fast FAT File System Driver Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Fast FAT File System Driver Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41377"], "modified": "2021-11-15T08:00:00", "id": "MS:CVE-2021-41377", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41377", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:34", "description": "Chakra Scripting Engine Memory Corruption Vulnerability", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, 
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Chakra Scripting Engine Memory Corruption Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42279"], "modified": "2022-08-03T07:00:00", "id": "MS:CVE-2021-42279", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42279", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "Visual Studio Code Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Visual Studio Code Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42322"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-42322", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42322", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:31", "description": "Microsoft Excel Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Excel Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42292"], "modified": "2021-11-16T08:00:00", "id": "MS:CVE-2021-42292", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "Remote Desktop Client Remote Code Execution Vulnerability", "cvss3": 
{"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Remote Desktop Client Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38666"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-38666", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38666", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:33", "description": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42316"], "modified": "2021-11-12T08:00:00", "id": "MS:CVE-2021-42316", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42316", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:31", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-42321"], "modified": "2022-06-21T07:00:00", "id": "MS:CVE-2021-42321", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:35", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711"], "modified": "2022-03-08T08:00:00", "id": "MS:CVE-2021-3711", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:35:38", "description": "The Windows installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. 
An attacker can exploit this issue to cause the affected component to deny system or application services.\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007207: Windows 10 LTS 1507 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007207.NASL", "href": "https://www.tenable.com/plugins/nessus/154987", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154987);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSFT\", value:\"MS21-5007207\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007207: Windows 10 LTS 1507 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute \n unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component\n to deny system or application services.\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive\n information.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5007207\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42275\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-11';\nkbs = make_list(\n '5007207'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007207])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:54", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42276, CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007215: Windows 11 Security Updates (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2022-11-21T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007215.NASL", "href": "https://www.tenable.com/plugins/nessus/154997", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154997);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/21\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSKB\", value:\"5007215\");\n script_xref(name:\"MSFT\", value:\"MS21-5007215\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007215: Windows 11 Security Updates (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42276,\n CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007215\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007215 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007215');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n rollup_date:'11_2021',\n os_build:'22000',\n bulletin:bulletin,\n rollup_kb_list:[5007215])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007233 or cumulative update 5007236. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007233: Windows 7 and Windows Server 2008 R2 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007233.NASL", "href": "https://www.tenable.com/plugins/nessus/154984", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154984);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007233\");\n script_xref(name:\"MSKB\", value:\"5007236\");\n script_xref(name:\"MSFT\", value:\"MS21-5007233\");\n script_xref(name:\"MSFT\", value:\"MS21-5007236\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007233: Windows 7 and Windows Server 2008 R2 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007233\nor cumulative update 5007236. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42285, CVE-2021-42287,\n CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007233\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007233 or Cumulative Update KB5007236.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007233', '5007236');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007233, 5007236])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007246 or cumulative update 5007263. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007246: Windows Server 2008 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007246.NASL", "href": "https://www.tenable.com/plugins/nessus/154983", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154983);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007246\");\n script_xref(name:\"MSKB\", value:\"5007263\");\n script_xref(name:\"MSFT\", value:\"MS21-5007246\");\n script_xref(name:\"MSFT\", value:\"MS21-5007263\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007246: Windows Server 2008 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007246\nor cumulative update 5007263. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007246\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007246 or Cumulative Update KB5007263.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-38666\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007246', '5007263');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007246, 5007263])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:17", "description": "The remote Windows host is missing security update 5007189.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007189: Windows 10 Version 1909 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42288"], "modified": "2022-11-21T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007189.NASL", "href": "https://www.tenable.com/plugins/nessus/154989", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154989);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/11/21");

  script_cve_id(
    "CVE-2021-26443",
    "CVE-2021-36957",
    "CVE-2021-38631",
    "CVE-2021-38665",
    "CVE-2021-38666",
    "CVE-2021-41351",
    "CVE-2021-41356",
    "CVE-2021-41366",
    "CVE-2021-41367",
    "CVE-2021-41370",
    "CVE-2021-41371",
    "CVE-2021-41377",
    "CVE-2021-41378",
    "CVE-2021-41379",
    "CVE-2021-42275",
    "CVE-2021-42276",
    "CVE-2021-42277",
    "CVE-2021-42279",
    "CVE-2021-42280",
    "CVE-2021-42283",
    "CVE-2021-42284",
    "CVE-2021-42285",
    "CVE-2021-42288"
  );
  script_xref(name:"MSKB", value:"5007189");
  script_xref(name:"MSFT", value:"MS21-5007189");
  script_xref(name:"IAVA", value:"2021-A-0539-S");
  script_xref(name:"IAVA", value:"2021-A-0545-S");
  script_xref(name:"IAVA", value:"2021-A-0544-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");

  script_name(english:"KB5007189: Windows 10 Version 1909 Security Update (November 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5007189.
It is, therefore, affected by multiple vulnerabilities:

  - A remote code execution vulnerability. An attacker can
    exploit this to bypass authentication and execute
    unauthorized arbitrary commands. (CVE-2021-26443,
    CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,
    CVE-2021-42276, CVE-2021-42279)

  - An information disclosure vulnerability. An attacker can
    exploit this to disclose potentially sensitive
    information. (CVE-2021-38631, CVE-2021-38665,
    CVE-2021-41371)

  - An elevation of privilege vulnerability. An attacker can
    exploit this to gain elevated privileges.
    (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,
    CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,
    CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,
    CVE-2021-42285)

  - A security feature bypass vulnerability exists. An
    attacker can exploit this and bypass the security
    feature and perform unauthorized actions compromising
    the integrity of the system/application.
    (CVE-2021-42288)

  - A denial of service (DoS) vulnerability. An attacker can
    exploit this issue to cause the affected component to
    deny system or application services. (CVE-2021-41356,
    CVE-2021-42284)");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007189");
  script_set_attribute(attribute:"solution", value:
"Apply Cumulative Update KB5007189.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-26443");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');
include('misc_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = "MS21-11";
kbs = make_list('5007189');

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"10",
                   sp:0,
                   os_build:'18363',
                   rollup_date:'11_2021',
                   bulletin:bulletin,
                   rollup_kb_list:[5007189])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
```

- [KB5007245: Windows Server 2012 Security Update (November 2021)](https://www.tenable.com/plugins/nessus/154995), Nessus plugin `SMB_NT_MS21_NOV_5007245.NASL`, published 2021-11-09, last modified 2022-12-05. Source:

```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154995);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");

  script_cve_id(
    "CVE-2021-38631",
    "CVE-2021-38665",
    "CVE-2021-38666",
    "CVE-2021-41366",
    "CVE-2021-41367",
    "CVE-2021-41370",
    "CVE-2021-41371",
    "CVE-2021-41377",
    "CVE-2021-41379",
    "CVE-2021-42275",
    "CVE-2021-42278",
    "CVE-2021-42282",
    "CVE-2021-42283",
    "CVE-2021-42285",
    "CVE-2021-42287",
    "CVE-2021-42291"
  );
  script_xref(name:"MSKB", value:"5007245");
  script_xref(name:"MSKB", value:"5007260");
  script_xref(name:"MSFT", value:"MS21-5007245");
  script_xref(name:"MSFT", value:"MS21-5007260");
  script_xref(name:"IAVA", value:"2021-A-0539-S");
  script_xref(name:"IAVA", value:"2021-A-0545-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/02");
  script_xref(name:"CEA-ID", value:"CEA-2021-0053");

  script_name(english:"KB5007245: Windows Server 2012 Security Update (November 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5007245
or cumulative update 5007260. It is, therefore, affected by
multiple vulnerabilities:

  - An elevation of privilege vulnerability. An attacker can
    exploit this to gain elevated privileges.
    (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,
    CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,
    CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,
    CVE-2021-42287, CVE-2021-42291)

  - An information disclosure vulnerability. An attacker can
    exploit this to disclose potentially sensitive
    information. (CVE-2021-38631, CVE-2021-38665,
    CVE-2021-41371)

  - A remote code execution vulnerability. An attacker can
    exploit this to bypass authentication and execute
    unauthorized arbitrary commands. (CVE-2021-38666,
    CVE-2021-42275)");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007245");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007260");
  script_set_attribute(attribute:"solution", value:
"Apply Security Only update KB5007245 or Cumulative Update 5007260.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-42285");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-42291");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

var bulletin = "MS21-11";
var kbs = make_list('5007245', '5007260');

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Windows 8 EOL
var productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);
if ("Windows 8" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"6.2",
                   sp:0,
                   rollup_date:'11_2021',
                   bulletin:bulletin,
                   rollup_kb_list:[5007245, 5007260])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
```

- [KB5007255: Windows Server 2012 R2 Security Update (November 2021)](https://www.tenable.com/plugins/nessus/154996), Nessus plugin `SMB_NT_MS21_NOV_5007255.NASL`, published 2021-11-09, last modified 2022-12-05. Source:

```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154996);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");

  script_cve_id(
    "CVE-2021-38631",
    "CVE-2021-38665",
    "CVE-2021-38666",
    "CVE-2021-41366",
    "CVE-2021-41367",
    "CVE-2021-41370",
    "CVE-2021-41371",
    "CVE-2021-41377",
    "CVE-2021-41379",
    "CVE-2021-42275",
    "CVE-2021-42278",
    "CVE-2021-42282",
    "CVE-2021-42283",
    "CVE-2021-42284",
    "CVE-2021-42285",
    "CVE-2021-42287",
    "CVE-2021-42291"
  );
  script_xref(name:"MSKB", value:"5007255");
  script_xref(name:"MSKB", value:"5007247");
  script_xref(name:"MSFT", value:"MS21-5007255");
  script_xref(name:"MSFT", value:"MS21-5007247");
  script_xref(name:"IAVA", value:"2021-A-0539-S");
  script_xref(name:"IAVA", value:"2021-A-0545-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/02");
  script_xref(name:"CEA-ID", value:"CEA-2021-0053");

  script_name(english:"KB5007255: Windows Server 2012 R2 Security Update (November 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5007255
or cumulative update 5007247. It is, therefore, affected by
multiple vulnerabilities:

  - A denial of service (DoS) vulnerability. An attacker can
    exploit this issue to cause the affected component to
    deny system or application services. (CVE-2021-42284)

  - An elevation of privilege vulnerability. An attacker can
    exploit this to gain elevated privileges.
    (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,
    CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,
    CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,
    CVE-2021-42287, CVE-2021-42291)

  - An information disclosure vulnerability. An attacker can
    exploit this to disclose potentially sensitive
    information. (CVE-2021-38631, CVE-2021-38665,
    CVE-2021-41371)

  - A remote code execution vulnerability. An attacker can
    exploit this to bypass authentication and execute
    unauthorized arbitrary commands. (CVE-2021-38666,
    CVE-2021-42275)");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007255");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007247");
  script_set_attribute(attribute:"solution", value:
"Apply Security Only update KB5007255 or Cumulative Update 5007247.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-42285");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-42291");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');
include('misc_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = "MS21-11";
kbs = make_list('5007255', '5007247');

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Windows 8 EOL
productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);
if ("Windows 8" >< productname && "8.1" >!< productname)
  audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"6.3",
                   sp:0,
                   rollup_date:'11_2021',
                   bulletin:bulletin,
                   rollup_kb_list:[5007255, 5007247])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
```

- [KB5007205: Windows 2022 Security Update (November 2021)](https://www.tenable.com/plugins/nessus/154994) (Windows Server 2022), Nessus plugin `SMB_NT_MS21_NOV_5007205.NASL`, published 2021-11-09, last modified 2022-12-05. Source:

```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154994);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");

  script_cve_id(
    "CVE-2021-26443",
    "CVE-2021-36957",
    "CVE-2021-38631",
    "CVE-2021-38665",
    "CVE-2021-38666",
    "CVE-2021-41356",
    "CVE-2021-41366",
    "CVE-2021-41367",
    "CVE-2021-41370",
    "CVE-2021-41371",
    "CVE-2021-41377",
    "CVE-2021-41378",
    "CVE-2021-41379",
    "CVE-2021-42274",
    "CVE-2021-42275",
    "CVE-2021-42276",
    "CVE-2021-42277",
    "CVE-2021-42278",
    "CVE-2021-42279",
    "CVE-2021-42280",
    "CVE-2021-42282",
    "CVE-2021-42283",
    "CVE-2021-42284",
    "CVE-2021-42285",
    "CVE-2021-42287",
    "CVE-2021-42291"
  );
  script_xref(name:"MSKB", value:"5007205");
  script_xref(name:"MSFT", value:"MS21-5007205");
  script_xref(name:"IAVA", value:"2021-A-0539-S");
  script_xref(name:"IAVA", value:"2021-A-0545-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/02");
  script_xref(name:"CEA-ID", value:"CEA-2021-0053");

  script_name(english:"KB5007205: Windows 2022 Security Update (November 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5007205. See
the vendor advisory for KB5007205.");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007205");
  script_set_attribute(attribute:"solution", value:
"Apply Cumulative Update 5007205.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-26443");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');
include('misc_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = "MS21-11";
kbs = make_list('5007205');

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"10",
                   sp:0,
                   os_build:'20348',
                   rollup_date:'11_2021',
                   bulletin:bulletin,
                   rollup_kb_list:[5007205])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
```

- [Microsoft 3D Viewer Multiple Vulnerabilities (November 2021)](https://www.tenable.com/plugins/nessus/154988), Nessus plugin `SMB_NT_MS21_NOVEMBER_3DVIEWER.NASL`, published 2021-11-09, last modified 2021-11-18. Unlike the rollup checks above, this is a version check on a Microsoft Store app (CVE-2021-43208, CVE-2021-43209), and it relies on the app's self-reported version. Source:

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154988);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/11/18");

  script_cve_id("CVE-2021-43208", "CVE-2021-43209");

  script_name(english:"Microsoft 3D Viewer Multiple Vulnerabilities (November 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The Windows app installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of the Microsoft 3D Viewer app installed on the remote host is prior to 7.2107.7012.0. It is, therefore,
affected by multiple remote code execution vulnerabilities.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43208");
  script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43209");
  script_set_attribute(attribute:"solution", value:
"Upgrade to app version 7.2107.7012.0 or later via the Microsoft Store.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-43209");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "wmi_enum_windows_app_store.nbin");
  script_require_keys("SMB/Registry/Enumerated", "WMI/Windows App Store/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var apps = ['Microsoft.Microsoft3DViewer'];

var app_info = vcf::microsoft_appstore::get_app_info(app_list:apps);

vcf::check_granularity(app_info:app_info, sig_segments:3);

var constraints = [
  { 'fixed_version' : '7.2107.7012.0'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
```

- [KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)](https://www.tenable.com/plugins/nessus/154990), Nessus plugin `SMB_NT_MS21_NOV_5007192.NASL`, published 2021-11-09, last modified 2022-12-05. Source:

```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154990);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");

  script_cve_id(
    "CVE-2021-36957",
    "CVE-2021-38631",
    "CVE-2021-38665",
    "CVE-2021-38666",
    "CVE-2021-41356",
    "CVE-2021-41366",
    "CVE-2021-41367",
    "CVE-2021-41370",
    "CVE-2021-41371",
    "CVE-2021-41377",
    "CVE-2021-41379",
    "CVE-2021-42274",
    "CVE-2021-42275",
    "CVE-2021-42276",
    "CVE-2021-42277",
    "CVE-2021-42278",
    "CVE-2021-42279",
    "CVE-2021-42280",
    "CVE-2021-42282",
    "CVE-2021-42283",
    "CVE-2021-42284",
    "CVE-2021-42285",
    "CVE-2021-42287",
    "CVE-2021-42291"
  );
  script_xref(name:"MSKB", value:"5007192");
  script_xref(name:"MSFT", value:"MS21-5007192");
  script_xref(name:"IAVA", value:"2021-A-0539-S");
  script_xref(name:"IAVA", value:"2021-A-0545-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/02");
  script_xref(name:"CEA-ID", value:"CEA-2021-0053");

  script_name(english:"KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5007192.
It is, therefore, affected by multiple vulnerabilities:

  - An information disclosure vulnerability. An attacker can
    exploit this to disclose potentially sensitive
    information. (CVE-2021-38631, CVE-2021-38665,
    CVE-2021-41371)

  - A remote code execution vulnerability. An attacker can
    exploit this to bypass authentication and execute
    unauthorized arbitrary commands. (CVE-2021-38666,
    CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)

  - A denial of service (DoS) vulnerability. An attacker can
    exploit this issue to cause the affected component to
    deny system or application services. (CVE-2021-41356,
    CVE-2021-42274, CVE-2021-42284)

  - An elevation of privilege vulnerability. An attacker can
    exploit this to gain elevated privileges.
    (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,
    CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,
    CVE-2021-42277, CVE-2021-42278, CVE-2021-42280,
    CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,
    CVE-2021-42287, CVE-2021-42291)");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/5007192");
  script_set_attribute(attribute:"solution", value:
"Apply Cumulative Update KB5007192.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-42285");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-42291");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');
include('smb_func.inc');
include('misc_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = "MS21-11";
kbs = make_list('5007192');

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"10",
                   sp:0,
                   os_build:'14393',
                   rollup_date:'11_2021',
                   bulletin:bulletin,
                   rollup_kb_list:[5007192])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
```

- [KB5007206: Windows 10 Version 1809 and Windows Server 2019 Security Update (November 2021)](https://www.tenable.com/plugins/nessus/154993), Nessus plugin `SMB_NT_MS21_NOV_5007206.NASL`, published 2021-11-09, last modified 2022-12-05. CVEs: CVE-2021-26443, CVE-2021-36957, CVE-2021-38631, CVE-2021-38665, CVE-2021-38666, CVE-2021-41351, CVE-2021-41356, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41371, CVE-2021-41377, CVE-2021-41378, CVE-2021-41379, CVE-2021-42274, CVE-2021-42275, CVE-2021-42276, CVE-2021-42277, CVE-2021-42278, CVE-2021-42279, CVE-2021-42280, CVE-2021-42282, CVE-2021-42283, CVE-2021-42284, CVE-2021-42285, CVE-2021-42287, CVE-2021-42288, CVE-2021-42291. The remote Windows host is missing security update 5007206. It is, therefore, affected by multiple vulnerabilities:
  - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)
  - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)
  - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42278, CVE-2021-42280, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)
  - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-42288)
  - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)
descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154993);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42288\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007206\");\n script_xref(name:\"MSFT\", value:\"MS21-5007206\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007206: Windows 10 Version 1809 and Windows Server 2019 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007206.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42278, CVE-2021-42280,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007206\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007206.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007206');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'17763',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007206])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:17", "description": "The remote Windows host is missing security update 5007186.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285, CVE-2021-42286)\n\n - A remote code execution vulnerability. 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007186: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 (November 2021) ", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42286", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007186.NASL", "href": "https://www.tenable.com/plugins/nessus/154986", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154986);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42286\",\n \"CVE-2021-42287\",\n \"CVE-2021-42288\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007186\");\n script_xref(name:\"MSFT\", value:\"MS21-5007186\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007186: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 (November 2021) \");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007186.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285, CVE-2021-42286)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007186\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007186.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007186');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19041',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186])\n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19042',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186]) \n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19043',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186]) \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-31T14:37:52", "description": "The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host is equal or prior to 1.1.18700.3. It is, therefore, affected by a remote code execution vulnerability. 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Windows Defender (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-42298"], "modified": "2022-01-14T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:windows_defender"], "id": "SMB_NT_MS21_NOV_WIN_DEFENDER.NASL", "href": "https://www.tenable.com/plugins/nessus/154991", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154991);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/14\");\n\n script_cve_id(\"CVE-2021-42298\");\n script_xref(name:\"IAVA\", value:\"2022-A-0005\");\n\n script_name(english:\"Security Updates for Windows Defender (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host is equal or\nprior to 1.1.18700.3. It is, therefore, affected by a remote code execution vulnerability. 
An attacker can exploit this\nto bypass authentication and execute unauthorized arbitrary commands.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298\");\n # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3bed4ba6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42298\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_defender\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"installed_sw/Windows Defender\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app = 'Windows Defender';\n\nvar app_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if disabled\nif (!isnull(app_info['Disabled']))\n exit(0,'Windows Defender is disabled.');\n\n# Check if we got the Malware Engine Version\nif (isnull(app_info['Engine Version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nvar constraints = [{'fixed_version':'1.1.18700.3'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'Engine Version');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:17", "description": "The version of Microsoft Visual Studio Code installed on the remote host is prior to 1.62.1. It is, therefore, affected by an elevation of privilege vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Update for Microsoft Visual Studio Code (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-42322"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:microsoft:visual_studio_code"], "id": "MICROSOFT_VISUAL_STUDIO_CODE_1_62_1.NASL", "href": "https://www.tenable.com/plugins/nessus/154992", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154992);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-42322\");\n script_xref(name:\"IAVA\", value:\"2021-A-0537-S\");\n\n script_name(english:\"Security Update for Microsoft Visual Studio Code (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application installed that is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Visual Studio Code installed on the remote host is prior to 1.62.1. It is, therefore, affected\nby an elevation of privilege vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://code.visualstudio.com/updates/v1_62\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Visual Studio Code 1.62.1 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42322\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio_code\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"microsoft_visual_studio_code_installed.nbin\", \"microsoft_visual_studio_code_win_user_installed.nbin\", \"microsoft_visual_studio_code_linux_installed.nbin\", \"macosx_microsoft_visual_studio_code_installed.nbin\");\n script_require_ports(\"installed_sw/Microsoft Visual Studio Code\", \"installed_sw/Visual Studio Code\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar os = get_kb_item_or_exit('Host/OS');\nvar app_info;\n\nif (tolower(os) =~ 'windows')\n{\n get_kb_item_or_exit('SMB/Registry/Enumerated');\n app_info = vcf::get_app_info(app:'Microsoft Visual Studio Code', win_local:TRUE);\n}\nelse if (tolower(os) =~ 'linux|mac os')\n{\n get_kb_item_or_exit('Host/local_checks_enabled');\n app_info = vcf::get_app_info(app:'Visual Studio Code');\n}\nelse\n{\n audit(AUDIT_OS_NOT,'affected');\n}\n\nvar constraints = [\n { 'fixed_version' : '1.62.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:43", "description": "The Microsoft Dynamics 365 (on-premises) is missing a security update. It is, therefore, affected by the following vulnerability:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-42316)", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Dynamics 365 (on-premises) (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-42316"], "modified": "2021-11-18T00:00:00", "cpe": ["cpe:/a:microsoft:dynamics_365"], "id": "SMB_NT_MS21_NOV_MICROSOFT_DYNAMICS.NASL", "href": "https://www.tenable.com/plugins/nessus/155174", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155174);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/18\");\n\n script_cve_id(\"CVE-2021-42316\");\n script_xref(name:\"IAVA\", value:\"2021-A-0540\");\n script_xref(name:\"MSKB\", value:\"5008478\");\n script_xref(name:\"MSKB\", value:\"5008479\");\n script_xref(name:\"MSFT\", value:\"MS21-5008478\");\n script_xref(name:\"MSFT\", value:\"MS21-5008479\");\n\n script_name(english:\"Security Updates for Microsoft Dynamics 365 (on-premises) (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Dynamics 365 (on-premises) is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Dynamics 365 (on-premises) is missing a security update. It is, therefore, affected by the following\nvulnerability:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-42316)\");\n # https://support.microsoft.com/en-us/topic/service-update-1-6-for-microsoft-dynamics-crm-on-premises-9-1-8a8401c0-b8c8-4288-8c01-59d15692f2ed\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?98abf18c\");\n # https://support.microsoft.com/en-us/topic/service-update-034-for-microsoft-dynamics-crm-on-premises-90-bd536c34-0357-4576-818f-03d80fe4f5db\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?70225975\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5008478\n -KB5008479\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42316\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:dynamics_365\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_dynamics_365_detect.nbin\");\n script_require_keys(\"installed_sw/Microsoft Dynamics 365 Server\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app = 'Microsoft Dynamics 365 Server';\nvar app_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nvar constraints = [\n { 'min_version' : '9.0', 'fixed_version' : '9.0.34.5', 'fixed_display' : 'Update v9.0 (on-premises) Update 0.34' },\n { 'min_version' : '9.1', 'fixed_version' : '9.1.6.3', 'fixed_display' : 'Update v9.1 (on-premises) Update 1.6' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:31:19", "description": "The Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-41368)", "cvss3": {}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office Products C2R (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41368", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:office"], "id": "SMB_NT_MS21_NOV_OFFICE_C2R.NASL", "href": "https://www.tenable.com/plugins/nessus/161754", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161754);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-41368\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"IAVA\", value:\"2021-A-0546-S\");\n\n script_name(english:\"Security Updates for Microsoft Office Products C2R (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. An attacker can exploit this to bypass authentication and\n execute unauthorized arbitrary commands. 
(CVE-2021-41368)\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-2019\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42ab6861\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd4508ff\");\n script_set_attribute(attribute:\"solution\", value:\n\"For Office 365, Office 2016 C2R, or Office 2019, ensure automatic\nupdates are enabled or open any office app and manually perform an\nupdate.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-41368\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\nvar app_info = vcf::microsoft::office::get_app_info(app:'Microsoft Office');\n\nvar constraints = [\n {'product' : 'Microsoft Office 2016', 'channel':'Deferred', 'channel_version':'2102', 'file':'graph.exe', 'fixed_version': '16.0.13801.21050'},\n {'product' : 'Microsoft Office 2016', 'channel':'Deferred', 'file':'graph.exe', 'fixed_version': '16.0.13127.21820'},\n {'product' : 'Microsoft Office 2016', 'channel':'Microsoft 365 Apps on Windows 7', 'file':'graph.exe', 'fixed_version': '16.0.12527.22060'},\n {'product' : 'Microsoft Office 2016', 'channel':'Enterprise Deferred', 'channel_version':'2109', 'file':'graph.exe', 'fixed_version': '16.0.14430.20342'},\n {'product' : 'Microsoft Office 2016', 'channel':'Enterprise Deferred', 'file':'graph.exe', 'fixed_version': '16.0.14326.20600'},\n {'product' : 'Microsoft Office 2016', 'channel':'First Release for Deferred', 'file':'graph.exe', 'fixed_version': '16.0.14326.20600'},\n {'product' : 'Microsoft Office 2016', 'channel':'2016 Retail', 'file':'graph.exe', 'fixed_version': '16.0.14527.20276'},\n {'product' : 'Microsoft Office 2016', 'channel':'Current', 'file':'graph.exe', 'fixed_version': '16.0.14527.20276'},\n {'product' : 'Microsoft Office 2019', 'channel':'2019 Volume', 'file':'graph.exe', 'fixed_version': '16.0.10380.20037'},\n {'product' : 'Microsoft Office 2019', 'channel':'2019 Retail', 'file':'graph.exe', 'fixed_version': '16.0.14527.20276'},\n {'product' : 'Microsoft Office 2021', 'channel':'LTSC 2021', 'file':'graph.exe', 'fixed_version': '16.0.14332.20176'},\n {'product' : 'Microsoft Office 2021', 'channel':'2021 Retail', 'file':'graph.exe', 'fixed_version': 
'16.0.14527.20276'}\n];\n\nvcf::microsoft::office::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:23", "description": "The Microsoft Office product installed on the remote host is affected by multiple vulnerabilities, as follows:\n\n - A remote code execution vulnerability in Excel that can be exploited by an unauthenticated, local attacker. (CVE-2021-40442)\n\n - A security feature bypass vulnerability in Excel that can be exploited by an unauthenticated, local attacker. (CVE-2021-42292)\n\n Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office (November 2021) (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:office", "cpe:/a:microsoft:excel"], "id": "MACOS_MS21_NOV_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/155448", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155448);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-42292\");\n script_xref(name:\"IAVA\", value:\"2021-A-0541\");\n script_xref(name:\"IAVA\", value:\"2021-A-0546-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Security Updates for Microsoft Office (November 2021) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office product installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office product installed on the remote host is affected by multiple vulnerabilities, as follows:\n\n - A remote code execution vulnerability in Excel that can be exploited by an unauthenticated, local\n attacker. (CVE-2021-40442)\n\n - A security feature bypass vulnerability in Excel that can be exploited by an unauthenticated, local\n attacker. 
(CVE-2021-42292)\n\n \nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-for-mac\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?43ed1b90\");\n # https://docs.microsoft.com/en-us/officeupdates/release-notes-office-for-mac#november-16-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?945bbaf2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Office for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_office_installed.nbin\");\n script_require_keys(\"Host/MacOSX/Version\", \"installed_sw/Microsoft Excel\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar os = get_kb_item_or_exit('Host/MacOSX/Version');\nvar apps = make_list('Microsoft Excel');\nvar report = '';\n\n#2019\nvar min_ver_19 = '16.17.0';\nvar fix_ver_19 = '16.55';\nvar fix_disp_19 = '16.55 (21111400)';\n\nforeach var app (apps)\n{\n var installs = get_installs(app_name:app);\n if (isnull(installs[1]))\n continue;\n\n foreach var install (installs[1])\n {\n var version = install['version'];\n\n if (ver_compare(ver:version, minver:min_ver_19, fix:fix_ver_19, strict:FALSE) < 0)\n {\n var app_label = app + ' for Mac 2019';\n report +=\n '\\n\\n Product : ' + app_label +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix_disp_19;\n }\n }\n}\nif (empty(report))\n audit(AUDIT_HOST_NOT, 'affected');\n\nif (os =~ \"^Mac OS X 10\\.([0-9]([^0-9]|$)|1[0-4])\")\n report += '\\n Note : Update will require macOS 10.15.0 or later.\\n';\n\nsecurity_report_v4(severity:SECURITY_WARNING, port:0, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:54", "description": "The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-40442)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Excel Products (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:excel"], "id": "SMB_NT_MS21_NOV_EXCEL.NASL", "href": "https://www.tenable.com/plugins/nessus/154982", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154982);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-42292\");\n script_xref(name:\"MSKB\", value:\"5002056\");\n script_xref(name:\"MSKB\", value:\"5002072\");\n script_xref(name:\"MSFT\", value:\"MS21-5002056\");\n script_xref(name:\"MSFT\", value:\"MS21-5002072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0541\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Security Updates for Microsoft Excel Products (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Excel Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-40442)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002056\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002072\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5002056\n -KB5002072\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_office_compatibility_pack_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\nvar kbs = make_list(\n '5002072',\n '5002056'\n);\n\nvar constraints = [\n { 'kb':'5002072', 'fixed_version': '15.0.5397.1001', 'sp' : 1},\n { 'kb':'5002056', 'channel':'MSI', 'fixed_version': '16.0.5239.1001', 'sp' : 0}\n];\n\nvcf::microsoft::office_product::check_version_and_report(\n kbs:kbs,\n constraints:constraints,\n severity:SECURITY_WARNING,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:57", "description": "The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-40442)", "cvss3": {}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Excel Products C2R (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:excel"], "id": "SMB_NT_MS21_NOV_EXCEL_C2R.NASL", "href": "https://www.tenable.com/plugins/nessus/161757", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161757);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-42292\");\n script_xref(name:\"IAVA\", value:\"2021-A-0541\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Security Updates for Microsoft Excel Products C2R (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Excel Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Excel Products are missing security updates.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42292)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-40442)\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-2019\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42ab6861\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd4508ff\");\n script_set_attribute(attribute:\"solution\", value:\n\"For Office 365, Office 2016 C2R, or Office 2019, ensure automatic\nupdates are enabled or open any office app and manually perform an\nupdate.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_office_compatibility_pack_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\n\nvar constraints = [\n { 'channel':'Deferred', 'channel_version':'2102', 'fixed_version': '16.0.13801.21050'},\n { 'channel':'Deferred', 'fixed_version': '16.0.13127.21820'},\n { 'channel':'Microsoft 365 Apps on Windows 7', 'fixed_version': '16.0.12527.22060'},\n { 'channel':'Enterprise Deferred', 'channel_version':'2109', 'fixed_version': '16.0.14430.20342'},\n { 'channel':'Enterprise Deferred', 'fixed_version': '16.0.14326.20600'},\n { 'channel':'First Release for Deferred', 'fixed_version': '16.0.14326.20600'},\n { 'channel':'2016 Retail', 'fixed_version': '16.0.14527.20276'},\n { 'channel':'Current', 'fixed_version': '16.0.14527.20276'},\n { 'channel':'2019 Volume', 'fixed_version': '16.0.10380.20037'},\n { 'channel':'2019 Retail', 'fixed_version': '16.0.14527.20276'},\n { 'channel':'LTSC 2021', 'fixed_version': '16.0.14332.20176'},\n { 'channel':'2021 Retail', 'fixed_version': '16.0.14527.20276'}\n];\n\nvcf::microsoft::office_product::check_version_and_report(\n constraints:constraints,\n severity:SECURITY_WARNING,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:54", "description": "The Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-40442, CVE-2021-41368)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office Products (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40442", "CVE-2021-41368", "CVE-2021-42292"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:microsoft:office"], "id": "SMB_NT_MS21_NOV_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/155000", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155000);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-40442\", \"CVE-2021-41368\", \"CVE-2021-42292\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5002038\");\n script_xref(name:\"MSKB\", value:\"4486670\");\n script_xref(name:\"MSKB\", value:\"5002035\");\n script_xref(name:\"MSKB\", value:\"5002032\");\n script_xref(name:\"MSFT\", value:\"MS21-5002038\");\n script_xref(name:\"MSFT\", value:\"MS21-4486670\");\n script_xref(name:\"MSFT\", value:\"MS21-5002035\");\n script_xref(name:\"MSFT\", value:\"MS21-5002032\");\n script_xref(name:\"IAVA\", value:\"2021-A-0546-S\");\n\n script_name(english:\"Security Updates for Microsoft Office Products (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office Products are missing security updates. 
It is, therefore, affected by multiple vulnerabilities:\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42292)\n\n - Two remote code execution vulnerabilities. An attacker can exploit this to bypass authentication and\n execute unauthorized arbitrary commands. (CVE-2021-40442, CVE-2021-41368)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4486670\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002032\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002035\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002038\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB4486670\n -KB5002032\n -KB5002038\n -KB5002035\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42292\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS21-11';\n# KB list must match the MSKB xrefs and the solution text above (KB4486670, not 4886670)\nvar kbs = make_list(\n '4486670',\n '5002032',\n '5002035',\n '5002038'\n);\nvar severity = SECURITY_WARNING;\n\nvar app_info = vcf::microsoft::office::get_app_info(app:'Microsoft Office', kbs:kbs, bulletin:bulletin, severity:severity);\n\nvar constraints = [\n {'product' : 'Microsoft Office 2013 SP1', 'kb':'5002038', 'file':'acecore.dll', 'fixed_version': '15.0.5397.1000'},\n {'product' : 'Microsoft Office 2013 SP1', 'kb':'5002035', 'file':'mso.dll', 'fixed_version': '15.0.5397.1001'},\n {'product' : 'Microsoft Office 2016', 'kb':'4486670', 'file':'mso99lwin32client.dll', 'fixed_version': '16.0.5239.1001'},\n {'product' : 'Microsoft Office 2016', 'kb':'5002032', 'file':'acecore.dll', 'fixed_version': '16.0.5239.1000'}\n];\n\nvcf::microsoft::office::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:severity,\n bulletin:bulletin,\n subproduct:'Excel'\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:46", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). 
Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.1 : openssl (EulerOS-SA-2021-2733)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.9.1"], "id": "EULEROS_SA-2021-2733.NASL", "href": "https://www.tenable.com/plugins/nessus/155478", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155478);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS Virtualization 2.9.1 : openssl (EulerOS-SA-2021-2733)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. 
The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. 
Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2733\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d11351d1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:16:37", "description": "According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. 
The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. 
This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2692)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2692.NASL", "href": "https://www.tenable.com/plugins/nessus/155238", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155238);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2692)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. 
A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. 
Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2692\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c43bb2e9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:47", "description": "An update of the openssl 
package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-07T00:00:00", "type": "nessus", "title": "Photon OS 4.0: Openssl PHSA-2021-4.0-0094", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openssl", "cpe:/o:vmware:photonos:4.0"], "id": "PHOTONOS_PHSA-2021-4_0-0094_OPENSSL.NASL", "href": "https://www.tenable.com/plugins/nessus/153044", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-4.0-0094. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153044);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Photon OS 4.0: Openssl PHSA-2021-4.0-0094\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openssl package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. 
A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. 
Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-4.0-94.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:4.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 4\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 4.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nvar flag = 0;\n\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-c_rehash-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-devel-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-docs-1.1.1l-1.ph4')) flag++;\nif (rpm_check(release:'PhotonOS-4.0', cpu:'x86_64', reference:'openssl-perl-1.1.1l-1.ph4')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssl');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:44", "description": "The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2833-1 advisory.\n\n - In order to decrypt 
SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2021:2833-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel", "p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel-32bit", "p-cpe:/a:novell:suse_linux:libopenssl1_1", "p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit", "p-cpe:/a:novell:suse_linux:openssl-1_1", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-2833-1.NASL", "href": "https://www.tenable.com/plugins/nessus/152808", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:2833-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152808);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:2833-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2021:2833-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:2833-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). 
Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-August/009346.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b313f12a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED12 / SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-2.36.2', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'4', 'release':'SLES12', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'libopenssl1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'openssl-1_1-1.1.1d-2.36.2', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. 
Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl-1_1-devel-32bit / libopenssl1_1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:12", "description": "According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. 
This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-02T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : openssl (EulerOS-SA-2021-2639)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-devel", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2639.NASL", "href": "https://www.tenable.com/plugins/nessus/154790", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154790);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP8 : openssl (EulerOS-SA-2021-2639)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call 
the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2639\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ca17e004\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-devel-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-libs-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-perl-1.1.1-3.h18.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2023-05-18T15:35:30", "description": "According to the versions of the openssl111d packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. 
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : openssl111d (EulerOS-SA-2021-2668)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl111d", "p-cpe:/a:huawei:euleros:openssl111d-devel", "p-cpe:/a:huawei:euleros:openssl111d-libs", "p-cpe:/a:huawei:euleros:openssl111d-static", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2668.NASL", "href": "https://www.tenable.com/plugins/nessus/155287", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155287);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP5 : openssl111d (EulerOS-SA-2021-2668)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl111d packages installed, the EulerOS installation on the remote host is affected\nby the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. 
The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2668\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b17cd4b1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl111d packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl111d-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 
and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl111d-1.1.1d-2.h11.eulerosv2r7\",\n \"openssl111d-devel-1.1.1d-2.h11.eulerosv2r7\",\n \"openssl111d-libs-1.1.1d-2.h11.eulerosv2r7\",\n \"openssl111d-static-1.1.1d-2.h11.eulerosv2r7\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"openssl111d\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:34", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. 
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-17T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : openssl (EulerOS-SA-2021-2770)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2021-2770.NASL", "href": "https://www.tenable.com/plugins/nessus/155533", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155533);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : openssl (EulerOS-SA-2021-2770)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. 
The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. 
Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2770\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5602d657\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:05", "description": "According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. 
The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. 
This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2717)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2717.NASL", "href": "https://www.tenable.com/plugins/nessus/155249", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155249);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : openssl (EulerOS-SA-2021-2717)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. 
A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. 
Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2717\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e9e00996\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-libs-1.1.1f-7.h17.eulerosv2r9\",\n \"openssl-perl-1.1.1f-7.h17.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:42", 
"description": "The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5051-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. 
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-24T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS / 21.04 : OpenSSL vulnerabilities (USN-5051-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:libssl-dev", "p-cpe:/a:canonical:ubuntu_linux:libssl1.1", "p-cpe:/a:canonical:ubuntu_linux:openssl"], "id": "UBUNTU_USN-5051-1.NASL", "href": "https://www.tenable.com/plugins/nessus/152784", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5051-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152784);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"USN\", value:\"5051-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS / 21.04 : OpenSSL vulnerabilities (USN-5051-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.04 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-5051-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. 
A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. 
The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5051-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libssl-dev, libssl1.1 and / or openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl1.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssl\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(18\\.04|20\\.04|21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 21.04', 'Ubuntu ' + release);\nif ( ! 
get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'libssl-dev', 'pkgver': '1.1.1-1ubuntu2.1~18.04.13'},\n {'osver': '18.04', 'pkgname': 'libssl1.1', 'pkgver': '1.1.1-1ubuntu2.1~18.04.13'},\n {'osver': '18.04', 'pkgname': 'openssl', 'pkgver': '1.1.1-1ubuntu2.1~18.04.13'},\n {'osver': '20.04', 'pkgname': 'libssl-dev', 'pkgver': '1.1.1f-1ubuntu2.8'},\n {'osver': '20.04', 'pkgname': 'libssl1.1', 'pkgver': '1.1.1f-1ubuntu2.8'},\n {'osver': '20.04', 'pkgname': 'openssl', 'pkgver': '1.1.1f-1ubuntu2.8'},\n {'osver': '21.04', 'pkgname': 'libssl-dev', 'pkgver': '1.1.1j-1ubuntu3.5'},\n {'osver': '21.04', 'pkgname': 'libssl1.1', 'pkgver': '1.1.1j-1ubuntu3.5'},\n {'osver': '21.04', 'pkgname': 'openssl', 'pkgver': '1.1.1j-1ubuntu3.5'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libssl-dev / libssl1.1 / openssl');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:56", "description": "An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 
encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-27T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Nxtgn PHSA-2021-2.0-0383", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:nxtgn", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2021-2_0-0383_NXTGN.NASL", "href": "https://www.tenable.com/plugins/nessus/152882", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0383. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152882);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Photon OS 2.0: Nxtgn PHSA-2021-2.0-0383\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. 
A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. 
Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-383.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:nxtgn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nvar flag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-1.1.1l-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-c_rehash-1.1.1l-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-devel-1.1.1l-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'nxtgn-openssl-perl-1.1.1l-1.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nxtgn');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:54", "description": "The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4963 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). 
Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-24T00:00:00", "type": "nessus", "title": "Debian DSA-4963-1 : openssl - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libcrypto1.1-udeb", "p-cpe:/a:debian:debian_linux:libssl-dev", "p-cpe:/a:debian:debian_linux:libssl-doc", "p-cpe:/a:debian:debian_linux:libssl1.1", "p-cpe:/a:debian:debian_linux:libssl1.1-udeb", "p-cpe:/a:debian:debian_linux:openssl", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-4963.NASL", "href": "https://www.tenable.com/plugins/nessus/152783", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-4963. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152783);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Debian DSA-4963-1 : openssl - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndsa-4963 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). 
Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/openssl\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2021/dsa-4963\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3712\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/buster/openssl\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/openssl\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the openssl packages.\n\nFor the stable distribution (bullseye), these problems have been fixed in version 1.1.1k-1+deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcrypto1.1-udeb\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl1.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl1.1-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! 
preg(pattern:\"^(10)\\.[0-9]+|^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 10.0 / 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '10.0', 'prefix': 'libcrypto1.1-udeb', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl-dev', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl-doc', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl1.1', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'libssl1.1-udeb', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '10.0', 'prefix': 'openssl', 'reference': '1.1.1d-0+deb10u7'},\n {'release': '11.0', 'prefix': 'libcrypto1.1-udeb', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl-dev', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl-doc', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl1.1', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'libssl1.1-udeb', 'reference': '1.1.1k-1+deb11u1'},\n {'release': '11.0', 'prefix': 'openssl', 'reference': '1.1.1k-1+deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n 
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libcrypto1.1-udeb / libssl-dev / libssl-doc / libssl1.1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:08", "description": "According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is missing the security patch SC-202109.1, therefore affected by multiple vulnerabilities as referenced in the 1.1.1l advisory:\n\n - A heap-based buffer overflow condition exists due to the implementation of the SM2 decryption. An unauthenticated, remote attacker can exploit this, via specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2021-3711)\n\n - An out-of-bounds read error exists in due to improper handling of ASN.1 strings. An unauthenticated, remote attacker can exploit this, via a specially crafted ASN1_STRING structure, to cause a denial of service condition or disclosure of sensitive information. 
(CVE-2021-3712)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported patching information.", "cvss3": {}, "published": "2021-09-23T00:00:00", "type": "nessus", "title": "Tenable SecurityCenter OpenSSL < 1.1.1l Multiple Vulnerabilities (TNS-2021-16)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-09-24T00:00:00", "cpe": ["cpe:/a:tenable:securitycenter"], "id": "SECURITYCENTER_OPENSSL_1_1_1L_TNS_2021_16.NASL", "href": "https://www.tenable.com/plugins/nessus/153589", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153589);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/24\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n\n script_name(english:\"Tenable SecurityCenter OpenSSL < 1.1.1l Multiple Vulnerabilities (TNS-2021-16)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is missing\nthe security patch SC-202109.1, therefore affected by multiple vulnerabilities as referenced in the 1.1.1l advisory:\n\n - A heap-based buffer overflow condition exists due to the implementation of the SM2 decryption. An\n unauthenticated, remote attacker can exploit this, via specially crafted request, to cause a denial of\n service condition or the execution of arbitrary code. (CVE-2021-3711)\n\n - An out-of-bounds read error exists in due to improper handling of ASN.1 strings. 
An unauthenticated, remote\n attacker can exploit this, via a specially crafted ASN1_STRING structure, to cause a denial of service\n condition or disclosure of sensitive information. (CVE-2021-3712)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported patching\ninformation.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2021-16\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20210824.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the security patch referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:securitycenter\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"securitycenter_installed.nbin\");\n script_require_ports(\"installed_sw/Tenable SecurityCenter\");\n\n exit(0);\n}\n\ninclude('vcf_extras.inc');\n\nvar patches = make_list('SC-202109.1');\nvar app_info = vcf::tenable_sc::get_app_info();\n\nvcf::tenable_sc::check_for_patch(app_info:app_info, patches:patches);\n\nvar constraints = [\n { 'min_version' : '5.16.0', 'max_version' : '5.19.1', 'fixed_display' : 'Apply Patch SC-202109.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:41", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. 
A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. 
The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-04-18T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.10.1 : openssl (EulerOS-SA-2022-1391)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.10.1"], "id": "EULEROS_SA-2022-1391.NASL", "href": "https://www.tenable.com/plugins/nessus/159859", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159859);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n 
script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n script_xref(name:\"IAVA\", value:\"2022-A-0035\");\n\n script_name(english:\"EulerOS Virtualization 2.10.1 : openssl (EulerOS-SA-2022-1391)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1391\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1e4c41d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.10.1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.10.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.10.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-libs-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-perl-1.1.1f-8.h14.eulerosv2r10\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:47", "description": "The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.0. It is, therefore, affected by multiple vulnerabilities:\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). 
It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-06T00:00:00", "type": "nessus", "title": "Nessus Network Monitor < 6.0.0 Multiple Vulnerabilities (TNS-2022-02)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/a:tenable:nnm"], "id": "NNM_6_0_0.NASL", "href": "https://www.tenable.com/plugins/nessus/160640", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160640);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n\n script_name(english:\"Nessus Network Monitor < 6.0.0 Multiple Vulnerabilities (TNS-2022-02)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A vulnerability scanner installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.0. It is, therefore, affected\nby multiple vulnerabilities:\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer \n holding the string data and a field holding the buffer length. This contrasts with normal C strings which \n are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict \n requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing \n functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally \n NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly \n construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data \n and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. \n Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array \n will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. \n Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains \n ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, \n then a read buffer overrun can occur. The same thing can also occur during name constraints processing of \n certificates (for example if a certificate has been directly constructed by the application instead of \n loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING\n structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() \n functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then \n process it through one of the affected OpenSSL functions then this issue could be hit. This might result \n in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory \n contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). \n Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).\n \n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). \n Typically an application will call this function twice. The first time, on entry, the out parameter can be \n NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted \n plaintext. 
The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, \n but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 \n decryption code means that the calculation of the buffer size required to hold the plaintext returned by the\n first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can \n lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer \n that is too small. A malicious attacker who is able present SM2 content for decryption to an application \n could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents \n of other data held after the buffer, possibly changing application behaviour or causing the application to \n crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in \n OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported \n version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2022-02\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Nessus Network Monitor version 6.0.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/05\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:nnm\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nnm_installed_win.nbin\", \"nnm_installed_nix.nbin\");\n script_require_keys(\"installed_sw/Tenable NNM\", \"Host/nnm_installed\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_name = 'Tenable NNM';\n\nvar app_info = vcf::get_app_info(app:app_name);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'max_version': '5.13.1', 'fixed_version' : '6.0.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:57", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. 
A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. 
Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-04-18T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-04-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:2.10.0"], "id": "EULEROS_SA-2022-1417.NASL", "href": "https://www.tenable.com/plugins/nessus/159838", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159838);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/18\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n script_xref(name:\"IAVA\", value:\"2022-A-0035\");\n\n script_name(english:\"EulerOS Virtualization 2.10.0 : openssl (EulerOS-SA-2022-1417)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. 
The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1417\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68d1651a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.10.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.10.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.10.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-libs-1.1.1f-8.h14.eulerosv2r10\",\n \"openssl-perl-1.1.1f-8.h14.eulerosv2r10\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:02", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1188-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). 
Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-26T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:1188-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libopenssl-1_1-devel", "p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1", "p-cpe:/a:novell:opensuse:libopenssl1_1-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit", "p-cpe:/a:novell:opensuse:openssl-1_1", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-1188.NASL", "href": "https://www.tenable.com/plugins/nessus/152841", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1188-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152841);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:1188-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:1188-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. 
A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. 
The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YXBKWFNVQ5GSDMIZHMMOGHRWWUOWZMJE/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2aa29c89\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'libopenssl-1_1-devel-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-lp152.7.21.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-32bit-1.1.1d-lp152.7.21.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-lp152.7.21.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'openssl-1_1-1.1.1d-lp152.7.21.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n 
var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl-1_1-devel-32bit / libopenssl1_1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:02", "description": "The OpenSSL project reports :\n\nSM2 Decryption Buffer Overflow (CVE-2021-3711: High)\n\nRead buffer overruns processing ASN.1 strings (CVE-2021-3712 :\nModerate)", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "FreeBSD : OpenSSL -- multiple vulnerabilities (96811d4a-04ec-11ec-9b84-d4c9ef517024)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:openssl", "p-cpe:/a:freebsd:freebsd:openssl-devel", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_96811D4A04EC11EC9B84D4C9EF517024.NASL", "href": "https://www.tenable.com/plugins/nessus/152818", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) 
and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152818);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"FreeBSD\", value:\"SA-21:16.openssl\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"FreeBSD : OpenSSL -- multiple vulnerabilities (96811d4a-04ec-11ec-9b84-d4c9ef517024)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The OpenSSL project reports :\n\nSM2 Decryption Buffer Overflow (CVE-2021-3711: High)\n\nRead buffer overruns processing ASN.1 strings (CVE-2021-3712 :\nModerate)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20210824.txt\");\n # https://vuxml.freebsd.org/freebsd/96811d4a-04ec-11ec-9b84-d4c9ef517024.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?00e2f428\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"openssl<1.1.1l,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"openssl-devel<3.0.0.b3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:57:54", "description": "An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. 
This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. 
The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-27T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Nxtgn PHSA-2021-3.0-0290", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:nxtgn", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2021-3_0-0290_NXTGN.NASL", "href": "https://www.tenable.com/plugins/nessus/152885", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-3.0-0290. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152885);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"Photon OS 3.0: Nxtgn PHSA-2021-3.0-0290\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the nxtgn package has been released.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. 
Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-290.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:nxtgn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nvar flag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-1.1.1l-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-c_rehash-1.1.1l-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-devel-1.1.1l-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'nxtgn-openssl-perl-1.1.1l-1.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nxtgn');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:41:40", "description": "According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote 
host is affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. 
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-02-12T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.0 : openssl (EulerOS-SA-2022-1088)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-02-12T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl", "p-cpe:/a:huawei:euleros:openssl-devel", "p-cpe:/a:huawei:euleros:openssl-libs", "p-cpe:/a:huawei:euleros:openssl-perl", "cpe:/o:huawei:euleros:uvp:3.0.6.0"], "id": "EULEROS_SA-2022-1088.NASL", "href": "https://www.tenable.com/plugins/nessus/157944", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157944);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/12\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : openssl (EulerOS-SA-2022-1088)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. 
The first time, on entry, the\n 'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own 'd2i' functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the 'data' and 'length' fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the 'data' field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1088\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f271cae4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"openssl-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-devel-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-libs-1.1.1-3.h18.eulerosv2r8\",\n \"openssl-perl-1.1.1-3.h18.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:23", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the 
API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:2830-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libopenssl-1_1-devel", "p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1", "p-cpe:/a:novell:opensuse:libopenssl1_1-32bit", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac", "p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit", "p-cpe:/a:novell:opensuse:openssl-1_1", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-2830.NASL", "href": "https://www.tenable.com/plugins/nessus/152798", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:2830-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152798);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"openSUSE 15 Security Update : openssl-1_1 (openSUSE-SU-2021:2830-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. 
A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. 
The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YOUNRN5SCBRRVEIYDG3G3PFLGVRXKDPG/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89577fdb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl-1_1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libopenssl1_1-hmac-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl-1_1-devel-32bit-1.1.1d-11.27.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = 
NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl-1_1-devel-32bit / libopenssl1_1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:42", "description": "The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. 
This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. 
The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-25T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2021:2830-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel", "p-cpe:/a:novell:suse_linux:libopenssl1_1", "p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit", "p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac", "p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac-32bit", "p-cpe:/a:novell:suse_linux:openssl-1_1", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-2830-1.NASL", "href": "https://www.tenable.com/plugins/nessus/152800", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:2830-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152800);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:2830-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2021:2830-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:2830-1 advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. 
A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. 
The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). (CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189520\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189521\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-August/009341.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e418e41e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl-1_1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_1-hmac-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssl-1_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2/3\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n 
{'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl-1_1-devel-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'libopenssl1_1-hmac-32bit-1.1.1d-11.27.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'openssl-1_1-1.1.1d-11.27.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libopenssl-1_1-devel / libopenssl1_1 / libopenssl1_1-32bit / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:23", "description": "The version of OpenSSL installed on the remote host is prior to 1.1.1l. It is, therefore, affected by a vulnerability as referenced in the 1.1.1l advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). 
Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. 
However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). 
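The read overrun in CVE-2021-3712 comes down to one mismatch: ASN1_STRING carries an explicit length, but the affected printing and name-constraint code treated its data pointer as a NUL-terminated C string. The C program below is an added illustration of that bug class, not OpenSSL code and not part of the plugin above. It models the two relevant fields of ASN1_STRING in a plain struct, adopts an unterminated buffer the way ASN1_STRING_set0() does, and shows a strlen()-based consumer reading eleven bytes of adjacent data (a constructed fake key) while a length-bounded copy stays inside the string. The struct, the buffer contents and every function name are constructed for the example.

```c
/*
 * Added example, not OpenSSL or plugin code: a minimal model of the
 * CVE-2021-3712 bug class. An ASN1_STRING-style object carries an explicit
 * length plus a data pointer, and nothing guarantees data[length] == '\0'.
 * Any consumer that treats data as a C string (strlen, printf "%s") reads
 * past `length` into whatever sits next in memory.
 */
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSL's ASN1_STRING: only the two fields that matter. */
struct asn1_str {
    int length;
    unsigned char *data;
};

/* Constructed memory layout: a 5-byte string immediately followed by bytes
 * belonging to another object (a fake key). The only NUL is the one that
 * terminates the surrounding array, 11 bytes past the end of the string. */
static unsigned char heap_model[] = "alice" "KEY:hunter2";

/* Model of ASN1_STRING_set0(): adopt caller memory, no copy, no NUL added. */
static void asn1_str_set0(struct asn1_str *s, unsigned char *data, int len)
{
    s->data = data;
    s->length = len;
}

/* Buggy consumer: assumes NUL termination. Returns the byte count a "%s"
 * print would emit. Defined behaviour here only because heap_model is
 * terminated somewhere; on a real heap this is the out-of-bounds read. */
static size_t bytes_read_by_strlen(const struct asn1_str *s)
{
    return strlen((const char *)s->data);
}

/* Fixed consumer: honour the length field, copy exactly that many bytes,
 * terminate ourselves. Returns bytes copied, or -1 if `out` is too small. */
static int asn1_str_to_cstr(const struct asn1_str *s, char *out, size_t outsz)
{
    if (s->length < 0 || (size_t)s->length + 1 > outsz)
        return -1;
    memcpy(out, s->data, (size_t)s->length);
    out[s->length] = '\0';
    return s->length;
}

/* Bytes the strlen()-based consumer reads beyond the declared length. */
static size_t overread_bytes(void)
{
    struct asn1_str s;
    asn1_str_set0(&s, heap_model, 5);
    return bytes_read_by_strlen(&s) - (size_t)s.length;
}

/* 1 if the bounded copy yields exactly the declared bytes and refuses an
 * undersized destination, 0 otherwise. */
static int bounded_copy_ok(void)
{
    struct asn1_str s;
    char out[8], tiny[5];
    asn1_str_set0(&s, heap_model, 5);
    if (asn1_str_to_cstr(&s, out, sizeof out) != 5 || strcmp(out, "alice") != 0)
        return 0;
    return asn1_str_to_cstr(&s, tiny, sizeof tiny) == -1;
}

int main(void)
{
    struct asn1_str s;
    char safe[32];
    asn1_str_set0(&s, heap_model, 5);

    /* Wrong: "%s" runs to the first NUL and leaks the adjacent bytes. */
    printf("buggy : \"%s\" (%zu bytes for a %d-byte string)\n",
           (const char *)s.data, bytes_read_by_strlen(&s), s.length);
    /* Right: bound the read by the length field. */
    printf("fixed : \"%.*s\"\n", s.length, (const char *)s.data);
    if (asn1_str_to_cstr(&s, safe, sizeof safe) >= 0)
        printf("copied: \"%s\"\n", safe);
    return 0;
}
```

The same rule applies when reviewing code that consumes ASN1_STRING objects directly: anything built with ASN1_STRING_set0() or by assigning data and length by hand must be printed with `%.*s` (or copied with the length) rather than `%s`, and the advisory's note that the leak can expose private keys is exactly the adjacent-memory case the model shows.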
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-24T00:00:00", "type": "nessus", "title": "OpenSSL 1.1.1 < 1.1.1l Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712"], "modified": "2021-12-30T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "OPENSSL_1_1_1L.NASL", "href": "https://www.tenable.com/plugins/nessus/152782", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152782);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/30\");\n\n script_cve_id(\"CVE-2021-3711\", \"CVE-2021-3712\");\n script_xref(name:\"IAVA\", value:\"2021-A-0395-S\");\n\n script_name(english:\"OpenSSL 1.1.1 < 1.1.1l Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of OpenSSL installed on the remote host is prior to 1.1.1l. It is, therefore, affected by a vulnerability as\nreferenced in the 1.1.1l advisory.\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. 
A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able to present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. 
Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0bda7eab\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20210824.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSL version 1.1.1l or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"openssl_version.nasl\");\n script_require_keys(\"openssl/port\");\n\n exit(0);\n}\n\ninclude('openssl_version.inc');\n\nopenssl_check_version(fixed:'1.1.1l', min:'1.1.1', severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:53", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-42321)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_NOV_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/154999", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154999);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\"CVE-2021-41349\", \"CVE-2021-42305\", \"CVE-2021-42321\");\n script_xref(name:\"IAVA\", value:\"2021-A-0543-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5007409\");\n script_xref(name:\"MSFT\", value:\"MS21-5007409\");\n\n script_name(english:\"Security Updates for Exchange (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-42321)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007409\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007409 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42321\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange Server ChainedSerializationBinder RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013', \n 'unsupported_cu' : 22, \n 'min_version': '15.0.1497.0', \n 'fixed_version': '15.0.1497.26'\n },\n {\n 'product' : '2016', \n 'unsupported_cu' : 20, \n 'min_version': '15.1.2308.0', \n 'fixed_version': '15.1.2308.20'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 20,\n 'min_version': '15.1.2375.0',\n 'fixed_version': '15.1.2375.17'\n },\n {\n 'product' : '2019', \n 'unsupported_cu' : 9,\n 'min_version': '15.2.922.0',\n 'fixed_version': '15.2.922.19'\n },\n {\n 'product' : '2019', \n 'unsupported_cu' : 9,\n 'min_version': '15.2.986.0',\n 'fixed_version': '15.2.986.14'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report(\n app_info:app_info, \n bulletin:'MS21-11',\n constraints:constraints, \n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:36:08", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-42321)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-09T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (November 2021) (Remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_NOV_EXCHANGE_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/155962", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155962);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\"CVE-2021-41349\", \"CVE-2021-42305\", \"CVE-2021-42321\");\n script_xref(name:\"IAVA\", value:\"2021-A-0543-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5007409\");\n script_xref(name:\"MSFT\", value:\"MS21-5007409\");\n\n script_name(english:\"Security Updates for Exchange (November 2021) (Remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-42321)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007409\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007409 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42321\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange Server ChainedSerializationBinder RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"exchange_detect.nbin\");\n script_require_keys(\"installed_sw/Exchange Server\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app = 'Exchange Server';\nvar app_info = vcf::get_app_info(app:app, port:port);\n\nif (report_paranoia < 2)\n vcf::check_granularity(app_info:app_info, sig_segments:4);\n\nvar constraints = [\n {'min_version' : '15.0.1497', 'fixed_version':'15.0.1497.26'},\n {'min_version' : '15.1.2375', 'fixed_version':'15.1.2375.17'},\n {'min_version' : '15.1.2308', 'fixed_version':'15.1.2308.20'},\n {'min_version' : '15.2.986', 'fixed_version':'15.2.986.14'},\n {'min_version' : '15.2.922', 'fixed_version':'15.2.922.19'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:59:18", "description": "The version of MySQL running on the remote host is 5.7.x prior to 5.7.36. It is, therefore, affected by multiple vulnerabilities, including the following, as noted in the October 2021 Critical Patch Update advisory:\n\n - A vulnerability in the OpenSSL component that can result in a takeover of the MySQL server.\n (CVE-2021-3711)\n\n - An easily exploitable vulnerability in the InnoDB component that allows a high privileged attacker to affect the integrity and availability of the MySQL Server. (CVE-2021-35604)\n\n - An easily exploitable vulnerability in the cURL component that allows an unauthenticated, remote attacker to affect the availability of the MySQL Server. 
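Every plugin in this listing reaches its verdict the same way: read a self-reported version, then test min_version <= v < fixed_version against a constraint table. The C program below is an added example, not Tenable's NASL, that re-implements that test so the page's own tables can be run offline against a build string from any inventory. rpm_vercmp() follows RPM's rpmvercmp() segment rules (tilde and caret handling omitted); those rules are what make 1.1.1k sort before 1.1.1l for the OPENSSL_1_1_1L.NASL check and 11.20.1 before 11.27.1 for the SUSE libopenssl1_1 packages, and the Exchange table copies the min/fixed pairs from SMB_NT_MS21_NOV_EXCHANGE_REMOTE.NASL above. The sample inputs and helper names are constructed for the example, and the local plugin's unsupported_cu handling is not reproduced.

```c
/*
 * Added example, not Tenable/NASL code: the version-range test every plugin
 * in this listing performs, in C. rpm_vercmp() follows RPM's rpmvercmp()
 * segment algorithm (tilde/caret rules omitted): non-alphanumerics separate
 * segments, digit runs compare numerically, letter runs compare lexically,
 * and a numeric segment outranks a letter segment.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int rpm_vercmp(const char *a, const char *b)
{
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a)) a++;  /* drop separators */
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b) break;

        const char *sa = a, *sb = b;
        int isnum = isdigit((unsigned char)*a) != 0;
        if (isnum) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
        }
        if (sb == b) return isnum ? 1 : -1;  /* types differ: numeric is newer */

        if (isnum) {  /* strip leading zeros, then the longer digit run is bigger */
            while (*sa == '0' && sa + 1 < a) sa++;
            while (*sb == '0' && sb + 1 < b) sb++;
            if (a - sa != b - sb) return a - sa > b - sb ? 1 : -1;
        }
        size_t la = (size_t)(a - sa), lb = (size_t)(b - sb);
        int rc = strncmp(sa, sb, la < lb ? la : lb);
        if (rc) return rc < 0 ? -1 : 1;
        if (la != lb) return la > lb ? 1 : -1;  /* "a" sorts before "ab" */
    }
    if (!*a && !*b) return 0;
    return *a ? 1 : -1;  /* leftover segments mean newer: 1.1.1 < 1.1.1k */
}

/* RPM orders version and release separately, so split "V-R" on the last '-'
 * (epoch ignored). Comparing V-R as one string misorders 1.1.1-2 vs 1.1.1d-1. */
static int rpm_vr_cmp(const char *a, const char *b)
{
    const char *ra = strrchr(a, '-'), *rb = strrchr(b, '-');
    size_t na = ra ? (size_t)(ra - a) : strlen(a), nb = rb ? (size_t)(rb - b) : strlen(b);
    char va[64] = {0}, vb[64] = {0};
    memcpy(va, a, na < sizeof va ? na : sizeof va - 1);
    memcpy(vb, b, nb < sizeof vb ? nb : sizeof vb - 1);
    int rc = rpm_vercmp(va, vb);
    return rc ? rc : rpm_vercmp(ra ? ra + 1 : "", rb ? rb + 1 : "");
}

/* The plugins' verdict: flagged iff min_version <= v < fixed_version. */
static int in_vuln_range(const char *v, const char *min, const char *fixed)
{
    return rpm_vercmp(v, min) >= 0 && rpm_vercmp(v, fixed) < 0;
}

/* OPENSSL_1_1_1L.NASL: 1.1.1 <= v < 1.1.1l; the letter suffix is its own segment. */
static int openssl_vuln(const char *v) { return in_vuln_range(v, "1.1.1", "1.1.1l"); }

/* SUSE plugin: libopenssl1_1 version-release older than the fixed 1.1.1d-11.27.1. */
static int suse_openssl_vuln(const char *vr) { return rpm_vr_cmp(vr, "1.1.1d-11.27.1") < 0; }

/* Exchange build ranges as listed in SMB_NT_MS21_NOV_EXCHANGE_REMOTE.NASL. */
struct range { const char *product, *min, *fixed; };
static const struct range exchange_nov2021[] = {
    {"2013", "15.0.1497", "15.0.1497.26"},
    {"2016", "15.1.2375", "15.1.2375.17"},
    {"2016", "15.1.2308", "15.1.2308.20"},
    {"2019", "15.2.986",  "15.2.986.14"},
    {"2019", "15.2.922",  "15.2.922.19"},
};

/* Index of the branch the build sits in unpatched; -1 means patched, or on a
 * CU outside the table (the plugin's unsupported_cu handling is not reproduced). */
static int exchange_vuln_index(const char *build)
{
    for (size_t i = 0; i < sizeof exchange_nov2021 / sizeof *exchange_nov2021; i++)
        if (in_vuln_range(build, exchange_nov2021[i].min, exchange_nov2021[i].fixed))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real host. */
    printf("Exchange 15.1.2308.19 -> range %d, 15.1.2308.20 -> range %d\n",
           exchange_vuln_index("15.1.2308.19"), exchange_vuln_index("15.1.2308.20"));
    printf("OpenSSL 1.1.1k -> %d, 1.1.1l -> %d\n", openssl_vuln("1.1.1k"), openssl_vuln("1.1.1l"));
    printf("SUSE 1.1.1d-11.20.1 -> %d, 1.1.1d-11.27.1 -> %d\n",
           suse_openssl_vuln("1.1.1d-11.20.1"), suse_openssl_vuln("1.1.1d-11.27.1"));
    return 0;
}
```

For the constructed inputs this prints range 2 and range -1 for the two Exchange builds, then 1 and 0 for each OpenSSL pair. Like the plugins, it is version matching only, and the two OpenSSL checks are not interchangeable: a SUSE host updated to 1.1.1d-11.27.1 still reports upstream version 1.1.1d, which the upstream "< 1.1.1l" rule would flag, so for backported fixes the distribution's version-release is the right comparison key.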
(CVE-2021-22926)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-20T00:00:00", "type": "nessus", "title": "MySQL 5.7.x < 5.7.36 Multiple Vulnerabilities (Oct 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22926", "CVE-2021-35604", "CVE-2021-35624", "CVE-2021-3711"], "modified": "2021-10-22T00:00:00", "cpe": ["cpe:/a:oracle:mysql"], "id": "MYSQL_5_7_36.NASL", "href": "https://www.tenable.com/plugins/nessus/154259", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154259);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/22\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-22926\",\n \"CVE-2021-35604\",\n \"CVE-2021-35624\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n\n script_name(english:\"MySQL 5.7.x < 5.7.36 Multiple Vulnerabilities (Oct 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MySQL running on the remote host is 5.7.x prior to 5.7.36. It is, therefore, affected by multiple\nvulnerabilities, including the following, as noted in the October 2021 Critical Patch Update advisory:\n\n - A vulnerability in the OpenSSL component that can result in a takeover of the MySQL server.\n (CVE-2021-3711)\n\n - An easily exploitable vulnerability in the InnoDB component that allows a high privileged attacker to\n affect the integrity and availability of the MySQL Server. (CVE-2021-35604)\n\n - An easily exploitable vulnerability in the cURL component that allows an unauthenticated, remote attacker\n to affect the availability of the MySQL Server. 
(CVE-2021-22926)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixMSQL\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuoct2021cvrf.xml\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL version 5.7.36 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_version.nasl\", \"mysql_login.nasl\", \"mysql_version_local.nasl\", \"mysql_win_installed.nbin\", \"macosx_mysql_installed.nbin\");\n script_require_keys(\"installed_sw/MySQL Server\");\n\n exit(0);\n}\n\ninclude('vcf_extras_mysql.inc');\n\nvar app_info = vcf::mysql::combined_get_app_info();\n\nvar constraints = [{ 'min_version' : '5.7.0', 'fixed_version' : '5.7.36'}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:58", "description": "The remote host is affected by the vulnerability described in GLSA-202209-02 (IBM Spectrum Protect: Multiple Vulnerabilities)\n\n - IBM Spectrum Protect Client 8.1.0.0-8 through 1.11.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when processing the current locale settings. A local attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash. IBM X-Force ID: 199479 (CVE-2021-29672)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. 
This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the data field, then a read buffer overrun can occur. 
The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). (CVE-2021-3712)\n\n - IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local attacker could exploit this vulnerability and cause a denial of service. IBM X-Force ID: 214438. (CVE-2021-39048)\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
(CVE-2021-4104)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-07T00:00:00", "type": "nessus", "title": "GLSA-202209-02 : IBM Spectrum Protect: Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-29672", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-39048", "CVE-2021-4104", "CVE-2021-44228"], "modified": "2022-09-07T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:tsm", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202209-02.NASL", "href": "https://www.tenable.com/plugins/nessus/164805", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202209-02.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike\n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164805);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/07\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-3712\",\n \"CVE-2021-4104\",\n \"CVE-2021-29672\",\n \"CVE-2021-39048\"\n );\n\n script_name(english:\"GLSA-202209-02 : IBM Spectrum Protect: Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-202209-02 (IBM Spectrum Protect: Multiple\nVulnerabilities)\n\n - IBM Spectrum Protect Client 8.1.0.0-8 through 1.11.0 is vulnerable to a stack-based buffer overflow,\n caused by improper bounds checking when processing the current locale settings. 
A local attacker could\n overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the\n application to crash. IBM X-Force ID: 199479 (CVE-2021-29672)\n\n - In order to decrypt SM2 encrypted data an application is expected to call the API function\n EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the\n out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size\n required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer\n and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug\n in the implementation of the SM2 decryption code means that the calculation of the buffer size required to\n hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size\n required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the\n application a second time with a buffer that is too small. A malicious attacker who is able present SM2\n content for decryption to an application could cause attacker chosen data to overflow the buffer by up to\n a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing\n application behaviour or causing the application to crash. The location of the buffer is application\n dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).\n (CVE-2021-3711)\n\n - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a\n buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings\n which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. 
Although not\n a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar\n parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will\n additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for\n applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array\n by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using\n the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to\n assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for\n strings that have been directly constructed. Where an application requests an ASN.1 structure to be\n printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the\n application without NUL terminating the data field, then a read buffer overrun can occur. The same thing\n can also occur during name constraints processing of certificates (for example if a certificate has been\n directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the\n certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the\n X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an\n application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL\n functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).\n It could also result in the disclosure of private memory contents (such as private keys, or sensitive\n plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected\n 1.0.2-1.0.2y). 
(CVE-2021-3712)\n\n - IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper\n bounds checking. A local attacker could exploit this vulnerability and cause a denial of service. IBM\n X-Force ID: 214438. (CVE-2021-39048)\n\n - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write\n access to the Log4j configuration. The attacker can provide TopicBindingName and\n TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result\n in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2\n when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2021-4104)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/202209-02\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=788115\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=829189\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=831509\");\n script_set_attribute(attribute:\"solution\", value:\n\"All IBM Spectrum Protect users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=app-backup/tsm-8.1.13.3\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tsm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar flag = 0;\n\nvar packages = [\n {\n 'name' : \"app-backup/tsm\",\n 'unaffected' : make_list(\"ge 8.1.13.3\", \"lt 8.0.0\"),\n 'vulnerable' : make_list(\"lt 8.1.13.3\")\n }\n];\n\nforeach package( packages ) {\n if (isnull(package['unaffected'])) package['unaffected'] = make_list();\n if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();\n if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;\n}\n\n# This plugin has a different number of unaffected and vulnerable versions 
for\n# one or more packages. To ensure proper detection, a separate line should be \n# used for each fixed/vulnerable version pair.\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : qpkg_report_get()\n );\n exit(0);\n}\nelse\n{\n qpkg_tests = list_uniq(qpkg_tests);\n var tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"IBM Spectrum Protect\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:52", "description": "The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.1. It is, therefore, affected by multiple vulnerabilities in third-party software.\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-16T00:00:00", "type": "nessus", "title": "Nessus Network Monitor < 6.0.1 Multiple Vulnerabilities (TNS-2022-10)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3711", "CVE-2021-3712", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-4160", "CVE-2022-0778"], "modified": "2022-06-03T00:00:00", "cpe": ["cpe:/a:tenable:nnm"], "id": "NNM_6_0_1.NASL", "href": "https://www.tenable.com/plugins/nessus/161211", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161211);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/03\");\n\n script_cve_id(\n \"CVE-2021-3711\",\n \"CVE-2021-3712\",\n \"CVE-2021-4160\",\n \"CVE-2021-41182\",\n \"CVE-2021-41183\",\n \"CVE-2021-41184\",\n \"CVE-2022-0778\"\n );\n\n script_name(english:\"Nessus Network Monitor < 6.0.1 Multiple Vulnerabilities (TNS-2022-10)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A vulnerability scanner installed on the remote host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The version of Nessus Network Monitor (NNM) installed on the remote host is prior to 6.0.1. It is, therefore, affected\nby multiple vulnerabilities in third-party software.\n\n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported \n version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2022-10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Nessus Network Monitor version 6.0.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3711\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:nnm\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"nnm_installed_win.nbin\", \"nnm_installed_nix.nbin\");\n script_require_keys(\"installed_sw/Tenable NNM\", \"Host/nnm_installed\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_name = 'Tenable NNM';\n\nvar app_info = vcf::get_app_info(app:app_name);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'fixed_version' : '6.0.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2023-05-23T16:29:57", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2022 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based 
Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nRemote Desktop client for Windows Desktop \nWindows 10 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42282](<https://nvd.nist.gov/vuln/detail/CVE-2021-42282>) \n[CVE-2021-41367](<https://nvd.nist.gov/vuln/detail/CVE-2021-41367>) \n[CVE-2021-41371](<https://nvd.nist.gov/vuln/detail/CVE-2021-41371>) \n[CVE-2021-38665](<https://nvd.nist.gov/vuln/detail/CVE-2021-38665>) \n[CVE-2021-38666](<https://nvd.nist.gov/vuln/detail/CVE-2021-38666>) \n[CVE-2021-42291](<https://nvd.nist.gov/vuln/detail/CVE-2021-42291>) \n[CVE-2021-42278](<https://nvd.nist.gov/vuln/detail/CVE-2021-42278>) \n[CVE-2021-41377](<https://nvd.nist.gov/vuln/detail/CVE-2021-41377>) \n[CVE-2021-41379](<https://nvd.nist.gov/vuln/detail/CVE-2021-41379>) \n[CVE-2021-42285](<https://nvd.nist.gov/vuln/detail/CVE-2021-42285>) \n[CVE-2021-42283](<https://nvd.nist.gov/vuln/detail/CVE-2021-42283>) \n[CVE-2021-42275](<https://nvd.nist.gov/vuln/detail/CVE-2021-42275>) \n[CVE-2021-38631](<https://nvd.nist.gov/vuln/detail/CVE-2021-38631>) \n[CVE-2021-41370](<https://nvd.nist.gov/vuln/detail/CVE-2021-41370>) \n[CVE-2021-42287](<https://nvd.nist.gov/vuln/detail/CVE-2021-42287>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-42282](<https://vulners.com/cve/CVE-2021-42282>)6.5High \n[CVE-2021-41367](<https://vulners.com/cve/CVE-2021-41367>)4.6Warning \n[CVE-2021-41371](<https://vulners.com/cve/CVE-2021-41371>)2.1Warning \n[CVE-2021-38665](<https://vulners.com/cve/CVE-2021-38665>)4.3Warning \n[CVE-2021-38666](<https://vulners.com/cve/CVE-2021-38666>)6.8High 
\n[CVE-2021-42291](<https://vulners.com/cve/CVE-2021-42291>)6.5High \n[CVE-2021-42278](<https://vulners.com/cve/CVE-2021-42278>)6.5High \n[CVE-2021-41377](<https://vulners.com/cve/CVE-2021-41377>)4.6Warning \n[CVE-2021-41379](<https://vulners.com/cve/CVE-2021-41379>)4.6Warning \n[CVE-2021-42285](<https://vulners.com/cve/CVE-2021-42285>)7.2High \n[CVE-2021-42283](<https://vulners.com/cve/CVE-2021-42283>)4.6Warning \n[CVE-2021-42275](<https://vulners.com/cve/CVE-2021-42275>)6.5High \n[CVE-2021-38631](<https://vulners.com/cve/CVE-2021-38631>)2.1Warning \n[CVE-2021-41370](<https://vulners.com/cve/CVE-2021-41370>)4.6Warning \n[CVE-2021-42287](<https://vulners.com/cve/CVE-2021-42287>)6.5High\n\n### *KB list*:\n[5007233](<http://support.microsoft.com/kb/5007233>) \n[5007236](<http://support.microsoft.com/kb/5007236>) \n[5007263](<http://support.microsoft.com/kb/5007263>) \n[5007246](<http://support.microsoft.com/kb/5007246>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12341 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-01-18T00:00:00", "id": "KLA12341", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12341/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:29:58", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nRemote code execution vulnerabilities were found in Microsoft Apps. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\n3D Viewer\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-43208](<https://nvd.nist.gov/vuln/detail/CVE-2021-43208>) \n[CVE-2021-43209](<https://nvd.nist.gov/vuln/detail/CVE-2021-43209>) \n\n\n### *Impacts*:\nACE", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12340 RCE vulnerabilities in Microsoft Apps", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-25T00:00:00", "id": "KLA12340", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12340/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:55:11", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2019 (Server Core installation) \nWindows 
Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2022 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41367](<https://nvd.nist.gov/vuln/detail/CVE-2021-41367>) \n[CVE-2021-38665](<https://nvd.nist.gov/vuln/detail/CVE-2021-38665>) \n[CVE-2021-26443](<https://nvd.nist.gov/vuln/detail/CVE-2021-26443>) \n[CVE-2021-38666](<https://nvd.nist.gov/vuln/detail/CVE-2021-38666>) \n[CVE-2021-42291](<https://nvd.nist.gov/vuln/detail/CVE-2021-42291>) \n[CVE-2021-42280](<https://nvd.nist.gov/vuln/detail/CVE-2021-42280>) \n[CVE-2021-42288](<https://nvd.nist.gov/vuln/detail/CVE-2021-42288>) \n[CVE-2021-41377](<https://nvd.nist.gov/vuln/detail/CVE-2021-41377>) \n[CVE-2021-42276](<https://nvd.nist.gov/vuln/detail/CVE-2021-42276>) 
\n[CVE-2021-42278](<https://nvd.nist.gov/vuln/detail/CVE-2021-42278>) \n[CVE-2021-36957](<https://nvd.nist.gov/vuln/detail/CVE-2021-36957>) \n[CVE-2021-42285](<https://nvd.nist.gov/vuln/detail/CVE-2021-42285>) \n[CVE-2021-42283](<https://nvd.nist.gov/vuln/detail/CVE-2021-42283>) \n[CVE-2021-42279](<https://nvd.nist.gov/vuln/detail/CVE-2021-42279>) \n[CVE-2021-38631](<https://nvd.nist.gov/vuln/detail/CVE-2021-38631>) \n[CVE-2021-42287](<https://nvd.nist.gov/vuln/detail/CVE-2021-42287>) \n[CVE-2021-42284](<https://nvd.nist.gov/vuln/detail/CVE-2021-42284>) \n[CVE-2021-42282](<https://nvd.nist.gov/vuln/detail/CVE-2021-42282>) \n[CVE-2021-42286](<https://nvd.nist.gov/vuln/detail/CVE-2021-42286>) \n[CVE-2021-41371](<https://nvd.nist.gov/vuln/detail/CVE-2021-41371>) \n[CVE-2021-42274](<https://nvd.nist.gov/vuln/detail/CVE-2021-42274>) \n[CVE-2021-42277](<https://nvd.nist.gov/vuln/detail/CVE-2021-42277>) \n[CVE-2021-41379](<https://nvd.nist.gov/vuln/detail/CVE-2021-41379>) \n[CVE-2021-41378](<https://nvd.nist.gov/vuln/detail/CVE-2021-41378>) \n[CVE-2021-41356](<https://nvd.nist.gov/vuln/detail/CVE-2021-41356>) \n[CVE-2021-42275](<https://nvd.nist.gov/vuln/detail/CVE-2021-42275>) \n[CVE-2021-41366](<https://nvd.nist.gov/vuln/detail/CVE-2021-41366>) \n[CVE-2021-41370](<https://nvd.nist.gov/vuln/detail/CVE-2021-41370>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2021-42282](<https://vulners.com/cve/CVE-2021-42282>)6.5High \n[CVE-2021-41367](<https://vulners.com/cve/CVE-2021-41367>)4.6Warning \n[CVE-2021-41371](<https://vulners.com/cve/CVE-2021-41371>)2.1Warning \n[CVE-2021-38665](<https://vulners.com/cve/CVE-2021-38665>)4.3Warning \n[CVE-2021-38666](<https://vulners.com/cve/CVE-2021-38666>)6.8High \n[CVE-2021-42291](<https://vulners.com/cve/CVE-2021-42291>)6.5High \n[CVE-2021-42278](<https://vulners.com/cve/CVE-2021-42278>)6.5High 
\n[CVE-2021-41377](<https://vulners.com/cve/CVE-2021-41377>)4.6Warning \n[CVE-2021-41379](<https://vulners.com/cve/CVE-2021-41379>)4.6Warning \n[CVE-2021-42285](<https://vulners.com/cve/CVE-2021-42285>)7.2High \n[CVE-2021-42283](<https://vulners.com/cve/CVE-2021-42283>)4.6Warning \n[CVE-2021-42275](<https://vulners.com/cve/CVE-2021-42275>)6.5High \n[CVE-2021-38631](<https://vulners.com/cve/CVE-2021-38631>)2.1Warning \n[CVE-2021-41370](<https://vulners.com/cve/CVE-2021-41370>)4.6Warning \n[CVE-2021-42287](<https://vulners.com/cve/CVE-2021-42287>)6.5High \n[CVE-2021-26443](<https://vulners.com/cve/CVE-2021-26443>)7.7Critical \n[CVE-2021-42280](<https://vulners.com/cve/CVE-2021-42280>)4.6Warning \n[CVE-2021-42288](<https://vulners.com/cve/CVE-2021-42288>)3.6Warning \n[CVE-2021-42276](<https://vulners.com/cve/CVE-2021-42276>)6.8High \n[CVE-2021-36957](<https://vulners.com/cve/CVE-2021-36957>)4.6Warning \n[CVE-2021-42279](<https://vulners.com/cve/CVE-2021-42279>)5.1High \n[CVE-2021-42284](<https://vulners.com/cve/CVE-2021-42284>)7.1High \n[CVE-2021-42286](<https://vulners.com/cve/CVE-2021-42286>)4.6Warning \n[CVE-2021-42274](<https://vulners.com/cve/CVE-2021-42274>)2.1Warning \n[CVE-2021-42277](<https://vulners.com/cve/CVE-2021-42277>)4.6Warning \n[CVE-2021-41378](<https://vulners.com/cve/CVE-2021-41378>)6.5High \n[CVE-2021-41356](<https://vulners.com/cve/CVE-2021-41356>)5.0Critical \n[CVE-2021-41366](<https://vulners.com/cve/CVE-2021-41366>)4.6Warning\n\n### *KB list*:\n[5007260](<http://support.microsoft.com/kb/5007260>) \n[5007255](<http://support.microsoft.com/kb/5007255>) \n[5007206](<http://support.microsoft.com/kb/5007206>) \n[5007207](<http://support.microsoft.com/kb/5007207>) \n[5007186](<http://support.microsoft.com/kb/5007186>) \n[5007192](<http://support.microsoft.com/kb/5007192>) \n[5007215](<http://support.microsoft.com/kb/5007215>) \n[5007205](<http://support.microsoft.com/kb/5007205>) \n[5007245](<http://support.microsoft.com/kb/5007245>) 
\n[5007247](<http://support.microsoft.com/kb/5007247>) \n[5007189](<http://support.microsoft.com/kb/5007189>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12345 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42286", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-01-18T00:00:00", "id": "KLA12345", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12345/", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:29:52", "description": 
"### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code.\n\n### *Affected products*:\nVisual Studio Code \nMicrosoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8) \nMicrosoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6) \nMicrosoft Visual Studio 2015 Update 3 \nMicrosoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42277](<https://nvd.nist.gov/vuln/detail/CVE-2021-42277>) \n[CVE-2021-42322](<https://nvd.nist.gov/vuln/detail/CVE-2021-42322>) \n[CVE-2021-42319](<https://nvd.nist.gov/vuln/detail/CVE-2021-42319>) \n[CVE-2021-3711](<https://nvd.nist.gov/vuln/detail/CVE-2021-3711>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *KB list*:\n[5007275](<http://support.microsoft.com/kb/5007275>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12346 Multiple vulnerabilities in Microsoft Developer Tools", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3711", "CVE-2021-42277", "CVE-2021-42319", "CVE-2021-42322"], "modified": "2021-11-25T00:00:00", "id": "KLA12346", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12346/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:29:59", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nRemote code execution vulnerability was found in Microsoft System Center. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Malware Protection Engine\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42298](<https://nvd.nist.gov/vuln/detail/CVE-2021-42298>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Windows Defender](<https://threats.kaspersky.com/en/product/Windows-Defender/>)\n\n### *CVE-IDS*:\n[CVE-2021-42298](<https://vulners.com/cve/CVE-2021-42298>)9.3Critical\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12339 RCE vulnerability in Microsoft System Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2022-01-18T00:00:00", "id": "KLA12339", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12339/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:29:55", 
"description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Dynamics. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Dynamics 365 (on-premises) version 9.0 \nMicrosoft Dynamics 365 (on-premises) version 9.1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42316](<https://nvd.nist.gov/vuln/detail/CVE-2021-42316>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Dynamics 365](<https://threats.kaspersky.com/en/product/Microsoft-Dynamics-365/>)\n\n### *KB list*:\n[5008478](<http://support.microsoft.com/kb/5008478>) \n[5008479](<http://support.microsoft.com/kb/5008479>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12343 RCE vulnerability in Microsoft Dynamics", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-42316"], "modified": "2021-11-25T00:00:00", "id": "KLA12343", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12343/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:29:49", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based) in IE Mode \nChakraCore\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41351](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41351>) \n[CVE-2021-42279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42279>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *KB list*:\n[5007206](<http://support.microsoft.com/kb/5007206>) \n[5007186](<http://support.microsoft.com/kb/5007186>) \n[5007215](<http://support.microsoft.com/kb/5007215>) \n[5007189](<http://support.microsoft.com/kb/5007189>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12349 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41351", "CVE-2021-42279"], "modified": "2022-08-04T00:00:00", "id": "KLA12349", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12349/", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:29:56", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. Malicious users can exploit these vulnerabilities to perform cross-site scripting attack, execute arbitrary code, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Exchange Server 2019 Cumulative Update 10 \nMicrosoft Exchange Server 2019 Cumulative Update 11 \nMicrosoft Exchange Server 2013 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 22 \nMicrosoft Exchange Server 2016 Cumulative Update 21\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41349](<https://nvd.nist.gov/vuln/detail/CVE-2021-41349>) \n[CVE-2021-42321](<https://nvd.nist.gov/vuln/detail/CVE-2021-42321>) \n[CVE-2021-42305](<https://nvd.nist.gov/vuln/detail/CVE-2021-42305>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-41349](<https://vulners.com/cve/CVE-2021-41349>)4.3Warning \n[CVE-2021-42321](<https://vulners.com/cve/CVE-2021-42321>)6.5High \n[CVE-2021-42305](<https://vulners.com/cve/CVE-2021-42305>)4.3Warning\n\n### *KB list*:\n[5007409](<http://support.microsoft.com/kb/5007409>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12342 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2022-01-18T00:00:00", "id": "KLA12342", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12342/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:30:01", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nMicrosoft Office Online Server \nMicrosoft Office 2019 for Mac \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft Excel 2013 Service Pack 1 (64-bit editions) \nMicrosoft Office 2019 for 32-bit editions \nMicrosoft 365 Apps for Enterprise for 32-bit Systems \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nMicrosoft Excel 2016 (32-bit edition) \nMicrosoft 365 Apps for Enterprise for 64-bit Systems \nMicrosoft Office Web Apps Server 2013 Service Pack 1 \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nMicrosoft Excel 2016 (64-bit edition) \nMicrosoft Excel 2013 Service Pack 1 (32-bit editions) \nMicrosoft Excel 2013 RT Service Pack 1 \nMicrosoft Office LTSC 2021 for 32-bit editions \nMicrosoft Office LTSC for Mac 2021 \nMicrosoft Office 2019 for 64-bit editions \nMicrosoft SharePoint Enterprise Server 2013 Service Pack 1 \nMicrosoft Office LTSC 2021 for 64-bit editions\n\n### 
*Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42292](<https://nvd.nist.gov/vuln/detail/CVE-2021-42292>) \n[CVE-2021-40442](<https://nvd.nist.gov/vuln/detail/CVE-2021-40442>) \n[CVE-2021-42296](<https://nvd.nist.gov/vuln/detail/CVE-2021-42296>) \n[CVE-2021-41368](<https://nvd.nist.gov/vuln/detail/CVE-2021-41368>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2021-42292](<https://vulners.com/cve/CVE-2021-42292>)6.8High \n[CVE-2021-40442](<https://vulners.com/cve/CVE-2021-40442>)6.8High \n[CVE-2021-42296](<https://vulners.com/cve/CVE-2021-42296>)6.9High \n[CVE-2021-41368](<https://vulners.com/cve/CVE-2021-41368>)6.8High\n\n### *KB list*:\n[5002072](<http://support.microsoft.com/kb/5002072>) \n[5002056](<http://support.microsoft.com/kb/5002056>) \n[4486670](<http://support.microsoft.com/kb/4486670>) \n[5002032](<http://support.microsoft.com/kb/5002032>) \n[5002065](<http://support.microsoft.com/kb/5002065>) \n[5002035](<http://support.microsoft.com/kb/5002035>) \n[5002038](<http://support.microsoft.com/kb/5002038>) \n[5002063](<http://support.microsoft.com/kb/5002063>) \n[5002053](<http://support.microsoft.com/kb/5002053>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12337 Multiple vulnerabilities in Microsoft Office", 
"bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40442", "CVE-2021-41368", "CVE-2021-42292", "CVE-2021-42296"], "modified": "2023-03-21T00:00:00", "id": "KLA12337", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12337/", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-11-18T19:06:32", "description": "On what might seem a relatively calm Patch Tuesday with 55 vulnerabilities being patched, the fact that six of them were rated \u201cCritical\u201d and two of them actively exploited spoils the Zen factor somewhat.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let\u2019s have a look at the most interesting ones that were patched in this Patch Tuesday [update](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov>).\n\n### Exchange Server (again)\n\n[CVE-2021-42321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42321>): A Microsoft Exchange Server Remote Code Execution (RCE) vulnerability that is known to be exploited in the wild. 
This vulnerability was disclosed during the [Tianfu International Cybersecurity Contest](<http://www.tianfucup.com/en>) and requires an authenticated user to run arbitrary code on an on-premise Exchange Server.\n\nTwo other Exchange Server vulnerabilities, rated as \u201cImportant\u201d, are listed under [CVE-2021-42305](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42305>) and [CVE-2021-41349](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41349>). Both are Microsoft Exchange Server Spoofing vulnerabilities. The exploitation appears to be easy as the attack can be initiated remotely and no form of authentication is required for a successful exploitation. However, successful exploitation does require user interaction by the victim.\n\n### Excel\n\n[CVE-2021-42292](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42292>): A Microsoft Excel Security Feature Bypass vulnerability which is also being exploited in the wild. Microsoft doesn\u2019t suggest what effect the vulnerability might have, but its [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 7.8 out of 10 is worrying. Two interesting notes in the [Microsoft FAQ](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>) about this vulnerability:\n\n * No, the Preview Pane is not an attack vector.\n * The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.\n\n### Remote Desktop Protocol (RDP)\n\nAs if RDP wasn\u2019t [a big enough problem](<https://blog.malwarebytes.com/malwarebytes-news/2021/02/rdp-the-ransomware-problem-that-wont-go-away/>) already, four vulnerabilities have been found in this widely abused protocol. 
Three of them are Information Disclosure vulnerabilities and one, listed under [CVE-2021-38666](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38666>) is a \u201cCritical\u201d RCE. The attack can be initiated remotely and no form of authentication is needed for a successful exploitation. It does however require the victim\u2019s interaction.\n\n### 3D Viewer\n\nThe Microsoft 3D Viewer lets you view 3D models with lighting controls, inspect model data and visualize different shading modes. Two \u201cImportant\u201d RCE vulnerabilities in this utility have been patched in this update. They are listed under [CVE-2021-43208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43208>) and [CVE-2021-43209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43209>). The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update [immediately](<https://support.microsoft.com/en-us/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f>). App package versions 7.2107.7012.0 and later contain this update.\n\n### Microsoft Defender\n\n[CVE-2021-42298](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42298>) is a Microsoft Defender Remote Code Execution vulnerability that is rated \u201cCritical.\u201d Defender is designed to scan every file and run with some of the highest levels or privileges in the operating system. An attack can be initiated remotely without any form of authentication. But successful exploitation requires user interaction by the victim. 
There are neither technical details nor an exploit publicly available.\n\n### Other patches\n\nIt's not just Microsoft who has issued patches recently, so check you're using the most up-to-date version of the below, too.\n\n[Siemens](<https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf>) issued updates to patch vulnerabilities in the Nucleus RTOS (realtime operating system) versions Nucleus 4 and Nucleus ReadyStart (Nucleus 3). The vulnerabilities [CVE-2021-31886](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31886>), [CVE-2021-31887](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31887>) and [CVE-2021-31888](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31888>) have the highest CVSS scores with 10.0, 9.9 and 9.9 out of 10 respectively.\n\n[Citrix](<https://support.citrix.com/article/CTX330728>) published information about vulnerabilities that have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.\n\n[Adobe](<https://helpx.adobe.com/security.html>) made security updates available for RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud.\n\n[Android](<https://source.android.com/security/bulletin/2021-11-01>) published a security bulletin last week, which we [discussed in detail](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/google-patches-zero-day-vulnerability-and-others-in-android/>) here.\n\n[Cisco](<https://tools.cisco.com/security/center/publicationListing.x>) published a security advisory that mentions two \u201cCritical\u201d issues. One in Cisco Policy Suite Static SSH Keys, and one concerning Cisco Catalyst PON Series Switches Optical Network Terminal.\n\n[SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864>) has its own Patch Day Security Notes. 
One vulnerability listed under [CVE-2021-40501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40501>) has a CVSS score of 9.6 out of 10 and the description \u201cMissing Authorization check in ABAP Platform Kernel\u201d.\n\n[VMWare](<https://www.vmware.com/security/advisories.html>)\u2019s security advisory includes one critical update for VMware vCenter Server which addresses multiple security vulnerabilities.\n\n[Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>) also issued several security advisories, which are fixes or workarounds for vulnerabilities identified in Intel products.\n\nIn case you have no idea where to start, maybe our post about [the CISA directive to reduce the risk of known exploited vulnerabilities](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) will help you on your way.\n\n## Update November 17, 2021\n\nMicrosoft has released a patch for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 to tackle the possible security feature bypass listed as [CVE-2021-42294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>). Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action.\n\nThe same patch includes a solution for [CVE-2021-40442](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40442>), a Microsoft Excel Remote Code Execution vulnerability which also affected Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021.\n\nStay safe, everyone!\n\nThe post [[updated] Patch now! 
Microsoft plugs actively exploited zero-days and other updates](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-11-10T14:30:23", "type": "malwarebytes", "title": "[updated] Patch now! Microsoft plugs actively exploited zero-days and other updates", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-31886", "CVE-2021-31887", "CVE-2021-31888", "CVE-2021-38666", "CVE-2021-40442", "CVE-2021-40501", "CVE-2021-41349", "CVE-2021-42292", "CVE-2021-42294", "CVE-2021-42298", "CVE-2021-42305", "CVE-2021-42321", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-10T14:30:23", "id": "MALWAREBYTES:459DABFC50E1B6D279EDCFD609D8DD50", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-11-30T22:36:54", "description": "Hello everyone! In this episode I want to highlight the latest changes in my [Vulristics](<https://github.com/leonov-av/vulristics>) project. For those who don't know, this is a utility for prioritizing CVE vulnerabilities based on data from various sources, currently Microsoft, NVD, Vulners, and AttackerKB.\n\n## Command Line Interface\n\nI started working on the CLI for Vulristics. 
Of course, it is not normal to edit scripts every time to release a report.\n\n### CVE lists\n\nIf you have a list of CVEs that you want to analyze, you can run Vulristics this way\n \n \n python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"New Project\" --cve-list-path \"analyze_cve_list.txt\" --cve-data-sources \"ms,nvd,vulners,attackerkb\" --rewrite-flag \"True\"\n\nIn **analyze_cve_list.txt** I have one CVE\n \n \n CVE-2021-42284\n\nThe output:\n \n \n Reading existing Patch Tuesday profile...\n Exclude CVEs: 0\n No specified products to analyze set in profile, reporting everything\n All CVEs: 1\n Counting CVE scores...\n Collecting MS CVE data...\n Collecting NVD CVE data...\n Collecting AttackerKB CVE data...\n Collecting Vulners CVE data...\n Counting CVE scores...\n Making vulnerability reports for each reports config...\n Report config: with_comments_ext_img\n Report generated: reports/new_project_report_with_comments_ext_img.html\n\nAnd in the **reports/new_project_report_with_comments_ext_img.html** file we can see a block for this CVE\n\n\n\nI can add a file with comments as well. This can be useful if you are analyzing scan results for multiple hosts and you have such data:\n \n \n Vulnerability Scanner|CVE-2021-42284 - detected on testhost1.corporation.com\n\nYou add a key `--cve-comments-path \"analyze_cve_comments.txt\"`\n \n \n python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"New Project\" --cve-list-path \"analyze_cve_list.txt\" --cve-comments-path \"analyze_cve_comments.txt\" --cve-data-sources \"ms,nvd,vulners,attackerkb\" --rewrite-flag \"True\"\n\nAnd you see this comment under the vulnerability block. 
Quite convenient.\n\n\n\n### Microsoft Patch Tuesdays\n\nYou can also make a Microsoft Patch Tuesday report simply by \n \n \n python3.8 vulristics.py --report-type \"ms_patch_tuesday\" --mspt-year 2021 --mspt-month \"November\" --rewrite-flag \"True\"\n\nAnd get a **reports/ms_patch_tuesday_november2021_report_with_comments_ext_img.html**\n\n\n\nBut before discussing the November Patch Tuesday report, of course if someone is still interested in it on the last day of November, I want to talk about the product and vulnerability type detections. \n\n## Improved Product & Vuln. Type Detection\n\nI heavily reworked the part about product and vulnerability type detection. I have simplified and unified the connectors for the sources. Sources now provide text strings for detection. Detection occurs at the time of generation of the report, through the analysis of all available descriptions of vulnerabilities.\n\nAll product detection rules are in **data/classification/products.json**\n\nYou can also manage the priority of software detection. In simple terms, the word "Windows" can indicate that the vulnerability is in the Windows kernel. But only if nothing more specific and rare was detected. For example "Skype for Windows". We can achieve this by setting _detection_priority = -1_ for Windows kernel.\n\n\n\nThe strings for Vulnerability Type and Product are now highlighted in the vulnerability description with blue and orange.\n\n## Microsoft Patch Tuesday November 2021\n\nJust a few words. It was a calm Patch Tuesday. There are 55 vulnerabilities in total. One Urgent level and one Critical level. \n\n**Security Feature Bypass** - Microsoft Excel ([CVE-2021-42292](<https://vulners.com/cve/CVE-2021-42292>))\n\n\n\nIt was featured as Urgent because of exploitation in the wild. And besides, because of a GitHub exploit on Vulners. However, this is a false positive. This is not an exploit, but a detection rule. 
This happens.\n\n**Remote Code Execution** - Microsoft Exchange ([CVE-2021-42321](<https://vulners.com/cve/CVE-2021-42321>)) - Critical [718]\n\n\n\n"This is an actively exploited vulnerability that affects Microsoft Exchange Server 2019 and Microsoft Exchange Server 2016. This is a post-authentication vulnerability that allows code execution."\n\nFor those interested, there is a link to [the entire report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_november2021_report_with_comments_ext_img.html>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T20:30:48", "type": "avleonov", "title": "Vulristics Command Line Interface, improved Product & Vuln. 
Type Detections and Microsoft Patch Tuesday November 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42284", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2021-11-30T20:30:48", "id": "AVLEONOV:C2458CFFC4493B2CEDB0D34243DEBE3F", "href": "https://avleonov.com/2021/11/30/vulristics-command-line-interface-improved-product-vuln-type-detections-and-microsoft-patch-tuesday-november-2021/", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "cisa": [{"lastseen": "2022-01-26T11:29:28", "description": "CISA has added four new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), which require remediation from federal civilian executive branch (FCEB) agencies by December 1, 2021. CISA has evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. 
\n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \n[CVE-2021-22204](<https://nvd.nist.gov/vuln/detail/CVE-2021-22204>) | Exiftool Remote Code Execution vulnerability | 12/01/2021 \n[CVE-2021-40449](<https://nvd.nist.gov/vuln/detail/CVE-2021-40449>) | Microsoft Win32k Elevation of Privilege | 12/01/2021 \n[CVE-2021-42292](<https://nvd.nist.gov/vuln/detail/CVE-2021-42292>) | Microsoft Excel Security Feature Bypass | 12/01/2021 \n[CVE-2021-42321](<https://nvd.nist.gov/vuln/detail/CVE-2021-42321>) | Microsoft Exchange Server Remote Code Execution | 12/01/2021 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. 
CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/cisa-adds-four-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T00:00:00", "type": "cisa", "title": "CISA Adds Four Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-40449", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2022-01-25T00:00:00", "id": "CISA:D12090E3D1C36426271DE8458FFF31E4", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/cisa-adds-four-known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:35", "description": "A remote code execution vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Defender Remote Code Execution (CVE-2021-42298)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2021-11-09T00:00:00", "id": "CPAI-2021-0802", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:31:36", "description": "A security bypass vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Excel Security Feature Bypass (CVE-2021-42292)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42292"], "modified": "2021-11-09T00:00:00", "id": "CPAI-2021-0803", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:31:36", "description": "A remote code execution vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Remote Desktop Client Remote Code Execution (CVE-2021-38666)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38666"], "modified": "2021-11-09T00:00:00", "id": "CPAI-2021-0853", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:31:04", "description": "A remote code execution vulnerability exists in Microsoft Exchange Server. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-23T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2021-42321)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2021-11-23T00:00:00", "id": "CPAI-2021-0906", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-05-23T17:13:16", "description": "Microsoft Defender Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-42298", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42298"], "modified": "2021-11-11T00:00:00", "id": "AKB:F8B79754-A4BD-4B7B-ACAF-9C3316FDE8F4", "href": "https://attackerkb.com/topics/Noy5BVZfpG/cve-2021-42298", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T17:19:41", "description": "Microsoft Excel Security Feature Bypass Vulnerability\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-42292", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42292"], "modified": "2021-11-11T00:00:00", "id": "AKB:E0CBBC69-61ED-4D83-81A9-B9CC05150AF0", "href": "https://attackerkb.com/topics/TOT3abhcGK/cve-2021-42292", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T14:48:43", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 21, 2021 5:55pm UTC reported:\n\nA PoC for this vulnerability is now available at <https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398>. There is also a Metasploit module at <https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_chainedserializationbinder_denylist_typo_rce.rb>\n\nWhat follows is my writeup for this that I wrote a while back, containing info on finding the bug from the patches as well as some info on the side effects of exploiting this bug.\n\n# Intro\n\nAlright so looks like this bug, CVE-2021-42321 is a post authentication RCE bug.\n\nOnly affects Exchange 2016 CU 21 and CU 22. Also Exchange 2019 CU 10 and CU 11.\n\nFound bug fix by patch diffing the October 2021 security updates and the November 2021 patches. Aka <https://support.microsoft.com/help/5007409> which applies the November 2021 patch, and KB5007012 aka the October 2021 patch.\n\nPersonally I found that we can use [[7Zip]] to uncompress the MSI files from the patches, then use [[dnSpy]] from <https://github.com/dnSpy/dnSpy> to load all files in the directory we extract the patch contents to a folder. 
Note that [[ILSpy]] is a nice alternative; however, unfortunately it runs into issues with decompiling files that [[dnSpy]] can handle fine, so you end up missing lots of files from the export.\n\nOnce decompilation is done, use `File->Remove assemblies with load errors` to remove the extra files that couldn\u2019t be decompiled, then use `File -> Save Code` after selecting every single file in the code and it should show us the opportunity to create a new project to save the code to.\n\nFrom here we can create a new directory to save the code into and tell it to save the decompiled code into that.\n\nFrom there we can use [[Meld]] to do a directory diff of the files from the two patch files to see what changed.\n\n# Analyzing the Diff\n\n## Finding the Changed Files\n\nLooking at just the new/removed files we can see the following:\n\n![[Pasted image 20220205113200.png]]\n\nAs we can see here, of particular note, given this is a serialization bug, is the fact that `Microsoft.Exchange.Compliance.dll` had three files removed from it, specifically under the `Microsoft.Exchange.Compliance\\Compliance\\Serialization\\Formatters` directory, for the following files:\n\n * TypedBinaryFormatter.cs \n\n * TypedSerializationFormatter.cs \n\n * TypedSoapFormatter.cs \n\n\n## Narrowing in on The Vulnerable File \u2013 TypedBinaryFormatter.cs\n\nLooking through these files we can see that `TypedBinaryFormatter.cs` has a function named `Deserialize` with the following prototype:\n \n \n // Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter \n using System.IO; \n using System.Runtime.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private static object Deserialize(Stream serializationStream, SerializationBinder binder) \n { \n \u00a0\u00a0\u00a0\u00a0return ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ComplianceFormatter, strictMode: false, allowedTypes, allowedGenerics).Deserialize(serializationStream); \n }\n 
\n\nWhat is interesting here is that `binder` is a `SerializationBinder`, which is essentially a class that acts as a controller to tell the program what can and can\u2019t be serialized and deserialized. Yet this is never passed into the `ExchangeBinaryFormatterFactory.CreateBinaryFormatter()` function, so it never gets this crucial information on what it is meant to be blocking as far as deserialization goes.\n\n## Examining the Deserialize() Call to ExchangeBinaryFormatterFactory.CreateBinaryFormatter()\n\nLet\u2019s see where `ExchangeBinaryFormatterFactory.CreateBinaryFormatter` is defined. Looking for the string `ExchangeBinaryFormatter` in [[dnSpy]] will bring us to `Microsoft.Exchange.Diagnostics.dll` under the `Microsoft.Exchange.Diagnostics` namespace, and in the `ExchangeBinaryFormatterFactory` class we can see the definition of `ExchangeBinaryFormatterFactory.CreateBinaryFormatter()` as:\n \n \n // Microsoft.Exchange.Diagnostics.ExchangeBinaryFormatterFactory \n using System.Runtime.Serialization.Formatters.Binary; \n \n public static BinaryFormatter CreateBinaryFormatter(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n { \n \u00a0\u00a0\u00a0\u00a0return new BinaryFormatter \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Binder = new ChainedSerializationBinder(usageLocation, strictMode, allowList, allowedGenerics) \n \u00a0\u00a0\u00a0\u00a0}; \n }\n \n\nNote also that in the original call `strictMode` was set to `false` and the `allowList` and `allowedGenerics` were set to `TypedBinaryFormatter.allowedTypes` and `TypedBinaryFormatter.allowedGenerics` respectively. 
Meanwhile `usageLocation` was set to `DeserializeLocation.ComplianceFormatter`.\n\nThis will mean that we end up calling `ChainedSerializationBinder` with:\n\n * `strictMode` set to `false`, \n\n * `allowList` set to `TypedBinaryFormatter.allowedTypes` \n\n * `allowedGenerics` set to `TypedBinaryFormatter.allowedGenerics` \n\n * `usageLocation` set to `DeserializeLocation.ComplianceFormatter`. \n\n\n## Examining ChainedSerializationBinder Class Deeper\n\nIf we look at the code we can see that a new `ChainedSerializationBinder` instance is being created, so let\u2019s take a look at that.\n\nWe can see the definition of the initialization function here:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n using System.Collections.Generic; \n \n public ChainedSerializationBinder(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n { \n \u00a0\u00a0\u00a0\u00a0this.strictMode = strictMode; \n \u00a0\u00a0\u00a0\u00a0allowedTypesForDeserialization = ((allowList != null && allowList.Length != 0) ? new HashSet<string>(allowList) : null); \n \u00a0\u00a0\u00a0\u00a0allowedGenericsForDeserialization = ((allowedGenerics != null && allowedGenerics.Length != 0) ? new HashSet<string>(allowedGenerics) : null); \n \u00a0\u00a0\u00a0\u00a0typeResolver = typeResolver ?? ((Func<string, Type>)((string s) => Type.GetType(s))); \n \u00a0\u00a0\u00a0\u00a0location = usageLocation; \n }\n \n\nHere we can see that `allowedTypesForDeserialization` is set to `TypedBinaryFormatter.allowedTypes` and `allowedGenericsForDeserialization` is set to `TypedBinaryFormatter.allowedGenerics`. Furthermore, `this.strictMode` is set to `false`, and `location` is set to `DeserializeLocation.ComplianceFormatter`.\n\nNext we should know that `BindToType()` is used to validate the class for deserialization. 
So lets take a look at that logic inside the `ChainedSerializationBinder` class.\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n \n public override Type BindToType(string assemblyName, string typeName) \n { \n \u00a0\u00a0\u00a0\u00a0if (serializationOnly) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException(\"ChainedSerializationBinder was created for serialization only.\u00a0\u00a0This instance cannot be used for deserialization.\"); \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0Type type = InternalBindToType(assemblyName, typeName); \n \u00a0\u00a0\u00a0\u00a0if (type != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ValidateTypeToDeserialize(type); \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return type; \n }\n \n\nSince `serializationOnly` isn\u2019t set, we will skip this logic and get the type using `InternalBindToType()` which is a simple wrapper around `LoadType()` with no validation:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n \n protected virtual Type InternalBindToType(string assemblyName, string typeName) \n { \n \u00a0\u00a0\u00a0\u00a0return LoadType(assemblyName, typeName); \n }\n \n\nAfter getting the type we then check the type wasn\u2019t `null`, aka we were able to find a valid type, and we call `ValidateTypeToDeserialize(type)` to validate that the type is okay to deserialize.\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n \n protected void ValidateTypeToDeserialize(Type typeToDeserialize) \n { \n \u00a0\u00a0\u00a0\u00a0if (typeToDeserialize == null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return; \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0string fullName = typeToDeserialize.FullName; \n \u00a0\u00a0\u00a0\u00a0bool flag = strictMode; \n 
\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!strictMode && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName)) && GlobalDisallowedTypesForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flag = true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException($\"Type {fullName} failed deserialization (BlockList).\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (typeToDeserialize.IsConstructedGenericType) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fullName = typeToDeserialize.GetGenericTypeDefinition().FullName; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (allowedGenericsForDeserialization == null || !allowedGenericsForDeserialization.Contains(fullName) || GlobalDisallowedGenericsForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0else if (!AlwaysAllowedPrimitives.Contains(fullName) && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName) || GlobalDisallowedTypesForDeserialization.Contains(fullName)) && !typeToDeserialize.IsArray && !typeToDeserialize.IsEnum && !typeToDeserialize.IsAbstract && 
!typeToDeserialize.IsInterface) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0catch (BlockedDeserializeTypeException ex) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DeserializationTypeLogger.Singleton.Log(ex.TypeName, ex.Reason, location, (flag || strictMode) ? DeserializationTypeLogger.BlockStatus.TrulyBlocked : DeserializationTypeLogger.BlockStatus.WouldBeBlocked); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (flag) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nHere is where the code gets interesting. You see, there is only one catch statement, which is designed to catch all `BlockedDeserializationTypeException` errors, however `if (!strictMode && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName)) && GlobalDisallowedTypesForDeserialization.Contains(fullName))` will result in an unhandled `InvalidOperationException` being thrown if both `strictMode` isn\u2019t set and the type we are trying to deserialize is within the `GlobalDisallowedTypesForDeserialization` and has not been granted exception via the `allowedTypesForDeserialization` list. 
Since `strictMode` is not set, there is the very real possibility this exception might be thrown, so this is something we have to watch out for.\n\nOtherwise every other exception thrown will be caught by this `catch (BlockedDeserializeTypeException ex)` code, however it will interestingly log the exception as a `DeserializationTypeLogger.BlockStatus.WouldBeBlocked` error since `strictMode` is set to false as is `flag` which is set as `bool flag = strictMode;` earlier in the code.\n\nAdditionally since `flag` isn\u2019t set since `strictMode` is set to `false`, no error is thrown and the code proceeds normally without any errors.\n\nHowever what is in this blacklist denoted by `GlobalDisallowedTypesForDeserialization`? Lets find out. First we need to find out how `GlobalDisallowedTypesForDeserialization` is defined.\n\n## Looking Deeper at GlobalDisallowedTypesForDeserialization Type Blacklist \u2013 Aka Finding the Bug\n\nLooking at the code for `Microsoft.Exchange.Diagnostics.ChainedSerializationBinder` we can see that `GlobalDisallowedTypesForDeserialization` is actually set to the result of `BuildDisallowedTypesForDeserialization()` when it is initialized:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n using System.Collections.Generic; \n using System.IO; \n using System.Linq; \n using System.Reflection; \n using System.Runtime.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n public class ChainedSerializationBinder : SerializationBinder \n { \n \u00a0\u00a0\u00a0\u00a0private const string TypeFormat = \"{0}, {1}\"; \n \n \u00a0\u00a0\u00a0\u00a0private static readonly HashSet<string> AlwaysAllowedPrimitives = new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(string).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(int).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(uint).FullName, \n 
```csharp
        typeof(long).FullName,
        typeof(ulong).FullName,
        typeof(double).FullName,
        typeof(float).FullName,
        typeof(bool).FullName,
        typeof(short).FullName,
        typeof(ushort).FullName,
        typeof(byte).FullName,
        typeof(char).FullName,
        typeof(DateTime).FullName,
        typeof(TimeSpan).FullName,
        typeof(Guid).FullName
    };

    private bool strictMode;

    private DeserializeLocation location;

    private Func<string, Type> typeResolver;

    private HashSet<string> allowedTypesForDeserialization;

    private HashSet<string> allowedGenericsForDeserialization;

    private bool serializationOnly;

    protected static HashSet<string> GlobalDisallowedTypesForDeserialization { get; private set; } = BuildDisallowedTypesForDeserialization();
```

If we decompile this function we can notice something interesting:

```csharp
// Microsoft.Exchange.Diagnostics.ChainedSerializationBinder
using System.Collections.Generic;

private static HashSet<string> BuildDisallowedTypesForDeserialization()
{
    return new HashSet<string>
    {
        "Microsoft.Data.Schema.SchemaModel.ModelStore",
        "Microsoft.FailoverClusters.NotificationViewer.ConfigStore",
        "Microsoft.IdentityModel.Claims.WindowsClaimsIdentity",
        "Microsoft.Management.UI.Internal.FilterRuleExtensions",
        "Microsoft.Management.UI.FilterRuleExtensions",
        "Microsoft.Reporting.RdlCompile.ReadStateFile",
        "Microsoft.TeamFoundation.VersionControl.Client.PolicyEnvelope",
        "Microsoft.VisualStudio.DebuggerVisualizers.VisualizerObjectSource",
        "Microsoft.VisualStudio.Editors.PropPageDesigner.PropertyPageSerializationService+PropertyPageSerializationStore",
        "Microsoft.VisualStudio.EnterpriseTools.Shell.ModelingPackage",
        "Microsoft.VisualStudio.Modeling.Diagnostics.XmlSerialization",
        "Microsoft.VisualStudio.Publish.BaseProvider.Util",
        "Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties",
        "Microsoft.VisualStudio.Web.WebForms.ControlDesignerStateCache",
        "Microsoft.Web.Design.Remote.ProxyObject",
        "System.Activities.Presentation.WorkflowDesigner",
        "System.AddIn.Hosting.AddInStore",
        "System.AddIn.Hosting.Utils",
        "System.CodeDom.Compiler.TempFileCollection",
        "System.Collections.Hashtable",
        "System.ComponentModel.Design.DesigntimeLicenseContextSerializer",
        "System.Configuration.Install.AssemblyInstaller",
        "System.Configuration.SettingsPropertyValue",
        "System.Data.DataSet",
        "System.Data.DataViewManager",
        "System.Data.Design.MethodSignatureGenerator",
        "System.Data.Design.TypedDataSetGenerator",
        "System.Data.Design.TypedDataSetSchemaImporterExtension",
        "System.Data.SerializationFormat",
        "System.DelegateSerializationHolder",
        "System.Drawing.Design.ToolboxItemContainer",
        "System.Drawing.Design.ToolboxItemContainer+ToolboxItemSerializer",
        "System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler",
        "System.IdentityModel.Tokens.SessionSecurityToken",
        "System.IdentityModel.Tokens.SessionSecurityTokenHandler",
        "System.IO.FileSystemInfo",
        "System.Management.Automation.PSObject",
        "System.Management.IWbemClassObjectFreeThreaded",
        "System.Messaging.BinaryMessageFormatter",
        "System.Resources.ResourceReader",
        "System.Resources.ResXResourceSet",
        "System.Runtime.Remoting.Channels.BinaryClientFormatterSink",
        "System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider",
        "System.Runtime.Remoting.Channels.BinaryServerFormatterSink",
        "System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider",
        "System.Runtime.Remoting.Channels.CrossAppDomainSerializer",
        "System.Runtime.Remoting.Channels.SoapClientFormatterSink",
        "System.Runtime.Remoting.Channels.SoapClientFormatterSinkProvider",
        "System.Runtime.Remoting.Channels.SoapServerFormatterSink",
        "System.Runtime.Remoting.Channels.SoapServerFormatterSinkProvider",
        "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
        "System.Runtime.Serialization.Formatters.Soap.SoapFormatter",
        "System.Runtime.Serialization.NetDataContractSerializer",
        "System.Security.Claims.ClaimsIdentity",
        "System.Security.ClaimsPrincipal",
        "System.Security.Principal.WindowsIdentity",
        "System.Security.Principal.WindowsPrincipal",
        "System.Security.SecurityException",
        "System.Web.Security.RolePrincipal",
        "System.Web.Script.Serialization.JavaScriptSerializer",
        "System.Web.Script.Serialization.SimpleTypeResolver",
        "System.Web.UI.LosFormatter",
        "System.Web.UI.MobileControls.SessionViewState+SessionViewStateHistoryItem",
        "System.Web.UI.ObjectStateFormatter",
        "System.Windows.Data.ObjectDataProvider",
        "System.Windows.Forms.AxHost+State",
        "System.Windows.ResourceDictionary",
        "System.Workflow.ComponentModel.Activity",
        "System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector",
        "System.Xml.XmlDataDocument",
        "System.Xml.XmlDocument"
    };
}
```

This is a bit hard to read, so let's take a look at the patch diff from [[Meld]]:

![[Pasted image 20220205130924.png]]

Huh, looks like there was a typo in the `System.Security.Claims.ClaimsPrincipal` blacklist entry: it was typed as `System.Security.ClaimsPrincipal`, i.e. the `.Claims` segment is missing from the name.

## Why System.Security.Claims.ClaimsPrincipal Was Blocked – A Deeper Dive into the Root Issue

Let's look at the call chain here. If we decompile the code for `System.Security.Claims.ClaimsPrincipal` we can see references to `OnDeserialized`, which is explained more fully at <https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.ondeserializedattribute?view=net-6.0>. Note that the documentation states: "When OnDeserializedAttribute class is applied to a method, specifies that the method is called immediately after deserialization of an object in an object graph. The order of deserialization relative to other objects in the graph is non-deterministic."

Of particular interest is the `OnDeserializedMethod()` method, which is called after deserialization takes place. Note that if there were an `OnDeserializingMethod`, it would be called _during_ deserialization, which would also work.

Looking into the class more, we notice the following functions.

First, the initializer. Note that this is labeled as `[NonSerialized]`, so despite it calling the `Deserialize()` method it will not be called upon deserialization, as it has explicitly declared itself as something that can't be deserialized. Thus we can't use this function to trigger the desired `Deserialize()` method call. Let's keep looking.

```csharp
// System.Security.Claims.ClaimsPrincipal
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Security.Principal;

[OptionalField(VersionAdded = 2)]
private string m_version = "1.0";
[NonSerialized]
private List<ClaimsIdentity> m_identities = new List<ClaimsIdentity>();
[SecurityCritical]
protected ClaimsPrincipal(SerializationInfo info, StreamingContext context)
{
    if (info == null)
    {
        throw new ArgumentNullException("info");
    }
    Deserialize(info, context);
}
```

The next place to look is that weird `OnDeserializedMethod()` method. Let's take a look at its code. We can see that the `[OnDeserialized]` attribute is applied to this method, meaning that the "method is called immediately after deserialization of an object in an object graph". We can also see that it takes in a `StreamingContext` parameter and then proceeds to call `DeserializeIdentities()` with a field named `m_serializedClaimsIdentities`:

```csharp
// System.Security.Claims.ClaimsPrincipal
using System.Runtime.Serialization;

[OnDeserialized]
[SecurityCritical]
private void OnDeserializedMethod(StreamingContext context)
{
    if (!(this is ISerializable))
    {
        DeserializeIdentities(m_serializedClaimsIdentities);
        m_serializedClaimsIdentities = null;
    }
}
```

But where is `m_serializedClaimsIdentities` set? Looking at the `OnSerializingMethod()` function, we can see it is set when serializing the object, as explained in the code examples at <https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.ondeserializingattribute?view=net-6.0> and as shown below:

```csharp
// System.Security.Claims.ClaimsPrincipal
using System.Runtime.Serialization;

[OnSerializing]
[SecurityCritical]
private void OnSerializingMethod(StreamingContext context)
{
    if (!(this is ISerializable))
    {
        m_serializedClaimsIdentities = SerializeIdentities();
    }
}
```

Alright, so now we know how that is set; let's go back to the deserialization, shall we? The code for `DeserializeIdentities()` can be seen below. Note the call to `binaryFormatter.Deserialize(serializationStream2, null, fCheck: false);` in this code. `binaryFormatter.Deserialize()` is equivalent to `BinaryFormatter.Deserialize()`, which does not attach a binder to check what types are being deserialized, so this method is easily exploitable if no checks, or incorrect checks, are done on the types being deserialized before it is reached. That is the case here because of the incorrect implementation of the type blacklist.

```csharp
// System.Security.Claims.ClaimsPrincipal
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Principal;

[SecurityCritical]
private void DeserializeIdentities(string identities)
{
    m_identities = new List<ClaimsIdentity>();
    if (string.IsNullOrEmpty(identities))
    {
        return;
    }
    List<string> list = null;
    BinaryFormatter binaryFormatter = new BinaryFormatter();
    using MemoryStream serializationStream = new MemoryStream(Convert.FromBase64String(identities));
    list = (List<string>)binaryFormatter.Deserialize(serializationStream, null, fCheck: false);
    for (int i = 0; i < list.Count; i += 2)
    {
        ClaimsIdentity claimsIdentity = null;
        using (MemoryStream serializationStream2 = new MemoryStream(Convert.FromBase64String(list[i + 1])))
        {
            claimsIdentity = (ClaimsIdentity)binaryFormatter.Deserialize(serializationStream2, null, fCheck: false);
        }
        if (!string.IsNullOrEmpty(list[i]))
        {
            if (!long.TryParse(list[i], NumberStyles.Integer, NumberFormatInfo.InvariantInfo, out var result))
            {
                throw new SerializationException(Environment.GetResourceString("Serialization_CorruptedStream"));
            }
            claimsIdentity = new WindowsIdentity(claimsIdentity, new IntPtr(result));
        }
        m_identities.Add(claimsIdentity);
    }
}
```

So from this we can confirm that the chain for deserialization looks like this:

```
System.Security.Claims.ClaimsPrincipal.OnDeserializedMethod()
System.Security.Claims.ClaimsPrincipal.DeserializeIdentities()
BinaryFormatter.Deserialize()
```

# Quick review

## TLDR

We now have a type, `TypedBinaryFormatter`, whose binder incorrectly validates the types that `TypedBinaryFormatter` deserializes: it lets `System.Security.Claims.ClaimsPrincipal` through, which in turn allows arbitrary type deserialization.

## Longer explanation

Alright, so let's quickly review what we know. We know we need to deserialize through a `TypedBinaryFormatter` object, whose `Deserialize()` method results in an `ExchangeBinaryFormatterFactory.CreateBinaryFormatter()` call. This creates a new `ChainedSerializationBinder` object, whose `BindToType()` method is used to validate the types that `TypedBinaryFormatter` will deserialize. `BindToType()` calls `ValidateTypeToDeserialize()` within the same class. This uses the blacklist in the `GlobalDisallowedTypesForDeserialization` property, which is set to the result of calling `ChainedSerializationBinder`'s `BuildDisallowedTypesForDeserialization()` method.
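As an added example (not code from the original writeup or from Exchange), here is a small Python lint for exactly this class of bug: a hand-typed deny-list entry that no real type's `FullName` will ever equal, so it silently blocks nothing. The canonical set and the deny-list excerpt are constructed from the entries shown in the decompiled method above; `extract_entries`, `missing_segment`, `find_denylist_typos` and `uncovered_types` are my own helper names.

```python
"""
Lint a hand-typed .NET type deny-list against the canonical type names it is
meant to block, flagging entries that can never match a real type name.
"""
import difflib
import re

# Constructed reference set: canonical FullName values the deny-list should
# cover. In a real build this would come from typeof(T).FullName or
# Type.GetType() in a test project rather than from another typed-in list.
CANONICAL_TYPES = {
    "System.Security.Claims.ClaimsIdentity",
    "System.Security.Claims.ClaimsPrincipal",
    "System.Security.Principal.WindowsIdentity",
    "System.Security.Principal.WindowsPrincipal",
    "System.Windows.Data.ObjectDataProvider",
    "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
}

# Constructed excerpt mirroring the pre-patch entries shown in the decompiled
# BuildDisallowedTypesForDeserialization() above (note the ClaimsPrincipal line).
DENYLIST_SOURCE = '''
return new HashSet<string>
{
    "System.Security.Claims.ClaimsIdentity",
    "System.Security.ClaimsPrincipal",
    "System.Security.Principal.WindowsIdentity",
    "System.Security.Principal.WindowsPrincipal",
    "System.Windows.Data.ObjectDataProvider",
};
'''


def extract_entries(csharp_source):
    """Pull the string literals out of a C# HashSet<string> initializer."""
    return re.findall(r'"([^"]+)"', csharp_source)


def missing_segment(entry, canonical):
    """True if `entry` equals `canonical` with exactly one dotted segment dropped."""
    e, c = entry.split("."), canonical.split(".")
    if len(c) != len(e) + 1:
        return False
    return any(c[:i] + c[i + 1:] == e for i in range(len(c)))


def find_denylist_typos(entries, canonical_types, cutoff=0.85):
    """Return (entry, closest_canonical, reason) for every entry that matches
    no canonical type exactly. HashSet<string>.Contains is an exact-match check,
    so such an entry blocks nothing at runtime."""
    findings = []
    for entry in entries:
        if entry in canonical_types:
            continue
        near = difflib.get_close_matches(entry, canonical_types, n=1, cutoff=cutoff)
        if not near:
            findings.append((entry, None, "no canonical type resembles this entry"))
            continue
        match = near[0]
        reason = "missing namespace segment" if missing_segment(entry, match) else "near miss"
        findings.append((entry, match, reason))
    return findings


def uncovered_types(entries, canonical_types):
    """Canonical types the deny-list does not block at all (exact-match semantics)."""
    return sorted(canonical_types - set(entries))


if __name__ == "__main__":
    entries = extract_entries(DENYLIST_SOURCE)
    for entry, match, reason in find_denylist_typos(entries, CANONICAL_TYPES):
        print(f"{entry!r}: {reason}; did you mean {match!r}?")
    print("not blocked:", uncovered_types(entries, CANONICAL_TYPES))
```

Building the list from `typeof(T).FullName`, as the allowed-types list above already does, removes this failure mode for any type whose assembly the project references, since a misspelled type name then fails to compile instead of silently never matching.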
Unfortunately, this method had a typo, so the `System.Security.Claims.ClaimsPrincipal` type was allowed through.

If we then deserialize an object of type `System.Security.Claims.ClaimsPrincipal`, we can get it to hit a vulnerable `BinaryFormatter.Deserialize()` call via the call chain, which can deserialize arbitrary classes as this formatter does not use a binder to check what types it deserializes.

```
TypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)
    TypedBinaryFormatter.Deserialize(Stream)
        System.Security.Claims.ClaimsPrincipal.OnDeserializedMethod()
            System.Security.Claims.ClaimsPrincipal.DeserializeIdentities()
                BinaryFormatter.Deserialize()
```

# The Source

## Initial Inspection

Let's start at `Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter.Deserialize(Stream, SerializationBinder)` and work back. We start with this one as it is the most common use case. If we look at the other three variations of the `Deserialize()` method, we will see that two of them have no callers, and the remaining one is a little more complex (I imagine it is still viable, but there is no need to complicate the beast when there are simpler ways!).

![[Pasted image 20220205174401.png]]

As shown above, `Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter.Deserialize(Stream, SerializationBinder)` is called by `Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)`, which in turn is called by `Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)`.

So the deserialization chain is now:

```
Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)
    TypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)
        TypedBinaryFormatter.Deserialize(Stream)
            System.Security.Claims.ClaimsPrincipal.OnDeserializedMethod()
                System.Security.Claims.ClaimsPrincipal.DeserializeIdentities()
                    BinaryFormatter.Deserialize()
```

## ILSpy And Interfaces – Finding Where Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream) is Used

At this point we hit a snag, as it seems like this isn't called anywhere. However, in [[ILSpy]] we can see an `Implements` field that does not appear in [[dnSpy]], and if we expand it we can see that it has `Implemented By` and `Used By` fields.

We can see that `Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)` implements `Microsoft.Exchange.Data.ApplicationLogic.Extension.IClientExtensionCollectionFormatter.Deserialize` (note the `IClient` rather than `Client` here, indicating that this is an interface, not a normal class), and that this interface is used by `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)`, which uses the interface to call the `Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)` function.

![[Pasted image 20220207195041.png]]

We can also verify that `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer` is essentially just a wrapper around the `IClientExtensionCollectionFormatter` interface:

```csharp
// Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer
private IClientExtensionCollectionFormatter formatter;
```

So the deserialization chain is now:

```
Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration, out OrgExtensionRetrievalResult, out Exception)
    Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)
        TypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)
            TypedBinaryFormatter.Deserialize(Stream)
                System.Security.Claims.ClaimsPrincipal.OnDeserializedMethod()
                    System.Security.Claims.ClaimsPrincipal.DeserializeIdentities()
                        BinaryFormatter.Deserialize()
```

## Finding the Expected Data Types for Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize

The code for `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)` can be seen below:

```csharp
// Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer
using System;
using System.Collections;
using System.IO;
using System.Runtime.Serialization;
using Microsoft.Exchange.Data.Storage;

public bool TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)
{
    result = new OrgExtensionRetrievalResult();
    exception = null;
    IDictionary dictionary = userConfiguration.GetDictionary();
    if (dictionary.Contains("OrgDO"))
    {
        result.HasDefaultExtensionsWithDefaultStatesOnly = (bool)dictionary["OrgDO"];
    }
    bool flag = false;
    if (!result.HasDefaultExtensionsWithDefaultStatesOnly)
    {
        using (Stream stream = userConfiguration.GetStream())
        {
            stream.Position = 0L;
            try
            {
                result.Extensions = formatter.Deserialize(stream); // <- DESERIALIZATION HERE
                return true;
            }
            catch (SerializationException ex)
            {
                Tracer.TraceError(GetHashCode(), "deserialization failed with {0}", ex);
                flag = false;
                exception = ex;
                return flag;
            }
        }
    }
    return true;
}
```

Looking at the code here, we can see that we appear to be deserializing a `stream` variable of type `Stream`, which is set to the result of calling `userConfiguration.GetStream()`. Further up in the code we can see that `userConfiguration` is defined as an interface to the `UserConfiguration` class via the `IUserConfiguration userConfiguration` entry in the parameter list. We can find more details on this class at <https://docs.microsoft.com/en-us/dotnet/api/microsoft.exchange.webservices.data.userconfiguration?view=exchange-ews-api>, which mentions that it is part of the Exchange EWS API.

Further Googling for `UserConfiguration` turns up <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/userconfiguration>, which describes it as an EWS XML element that defines a single user configuration object with the following format:

```xml
<UserConfiguration>
    <UserConfigurationName/>
    <ItemId/>
    <Dictionary/>
    <XmlData/>
    <BinaryData/>
</UserConfiguration>
```

We also see there is a parent object called `CreateUserConfiguration`. Documentation for this object can be found at <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/createuserconfiguration>, where it is defined as follows:

```xml
<CreateUserConfiguration>
    <UserConfiguration/>
</CreateUserConfiguration>
```

Okay, so this is great and all, but it leaves two questions. The first is "How do we actually use this data in a web request?" and the second is "What is this data used for normally?". Further Googling of `CreateUserConfiguration` answers the second question when we find <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/createuserconfiguration-operation>, which states that "The CreateUserConfiguration operation creates a user configuration object on a folder." It also provides some examples of how this might be used in a SOAP request. However, it doesn't specify what endpoint we would have to send this to, which remains an open question. A second open question is "Okay, I suppose I might want to debug this later on in the code when developing the exploit, but where is it implemented?". Let's answer that second question now.

## Identifying CreateUserConfiguration Code

As it turns out, finding the code that handles `CreateUserConfiguration` takes us down a bit of a winding path. We start with `Microsoft.Exchange.Data.Storage.IUserConfiguration`, the definition of the interface we saw earlier in the `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)` function definition.

However, once again we quickly realize that `IUserConfiguration` is just an interface. Searching for `UserConfiguration` with the `Type` filter on eventually leads us to the `Microsoft.Exchange.Data.Storage.UserConfiguration` type:

![[Pasted image 20220207203836.png]]

Looking inside this leads us to `Microsoft.Exchange.Data.Storage.UserConfiguration.GetConfiguration`:

```csharp
// Microsoft.Exchange.Data.Storage.UserConfiguration
using Microsoft.Exchange.Diagnostics;
using Microsoft.Exchange.Diagnostics.Components.Data.Storage;
using Microsoft.Exchange.ExchangeSystem;

public static UserConfiguration GetConfiguration(Folder folder, UserConfigurationName configurationName, UserConfigurationTypes type, bool autoCreate)
{
    EnumValidator.ThrowIfInvalid(type, "type");
    try
    {
        return GetIgnoringCache(null, folder, configurationName, type);
    }
    catch (ObjectNotFoundException arg)
    {
        if (ExTraceGlobals.StorageTracer.IsTraceEnabled(TraceType.ErrorTrace))
        {
            ExTraceGlobals.StorageTracer.TraceError(0L, "UserConfiguration::GetConfiguration. User Configuration object not found. Exception = {0}.", arg);
        }
    }
    if (autoCreate)
    {
        return Create(folder, configurationName, type);
    }
    return null;
}
```

At this point, I knew that there had to be some way to create the user configuration object given the error message, and wondered if there was a similarly named `CreateUserConfiguration` function, going off the naming convention that seemed to be used for these functions. I searched for this and it turns out there was a function under `Microsoft.Exchange.Services.Core.CreateUserConfiguration` named `CreateUserConfiguration()`.

![[Pasted image 20220207204246.png]]

Let's look at its code:

```csharp
// Microsoft.Exchange.Services.Core.CreateUserConfiguration
using Microsoft.Exchange.Services.Core.Types;

public CreateUserConfiguration(ICallContext callContext, CreateUserConfigurationRequest request) : base(callContext, request)
{
    serviceUserConfiguration = request.UserConfiguration;
    ServiceCommandBase<ICallContext>.ThrowIfNull(serviceUserConfiguration, "serviceUserConfiguration", "CreateUserConfiguration::ctor");
}
```

Alright, so this seems to take in a request object from an HTTP request or similar, and then set the `serviceUserConfiguration` variable to the section of the request named `UserConfiguration` via `request.UserConfiguration`. We seem to be on the right track, so let's look at the `Microsoft.Exchange.Services.Core.Types.CreateUserConfigurationRequest` type of the `request` variable:

```csharp
// Microsoft.Exchange.Services.Core.Types.CreateUserConfigurationRequest
using System.Runtime.Serialization;
using System.Xml.Serialization;
using Microsoft.Exchange.Services;
using Microsoft.Exchange.Services.Core;
using Microsoft.Exchange.Services.Core.Types;

[XmlType("CreateUserConfigurationRequestType", Namespace = "http://schemas.microsoft.com/exchange/services/2006/messages")]
[DataContract(Namespace = "http://schemas.datacontract.org/2004/07/Exchange")]
public class CreateUserConfigurationRequest : BaseRequest
{
    [XmlElement]
    [DataMember(IsRequired = true)
```