DATABASE RESOURCES PRICING ABOUT US

{"id": "THN:894809E1ADF0684644DCCDD97F76BC73", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Russian APT Hackers Used COVID-19 Lures to Target European Diplomats", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEg1htgV20xnZFGHy8xys5a3a8RDOEZB9kzl6RyaRUmt6zE03r6yB_FnqpjR1iu5tj48oBafZq6mQ2iT7IbFULnsgOYBOXm01lnZjwIF1anuI3nLsK7lL87KbyL1UWUYNDmzgkLRurzHi4oYNIEIxTxXzkVXRR89_meOuJ0FAHhdAvY6naUEmPbN4lFS>)\n\nThe Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing campaigns mounted in October and November 2021.\n\nAccording to ESET's [T3 2021 Threat Report](<https://www.welivesecurity.com/2022/02/09/eset-threat-report-t32021/>) shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, followed by leveraging the foothold to drop additional malware for gathering information about the hosts and other machines in the same network.\n\nAlso tracked under the names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group is an infamous cyber-espionage group that has been active for more than a decade, with its attacks targeting Europe and the U.S., before it gained widespread attention for the [supply\u2010chain compromise](<https://thehackernews.com/2022/02/new-malware-used-by-solarwinds.html>) of SolarWinds, leading to further infections in several downstream entities, including U.S. government agencies in 2020.\n\nThe spear-phishing attacks commenced with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and containing an HTML attachment that, when opened, prompts the recipients to open or save what appears to be an ISO disk image file (\"Covid.iso\").\n\nShould the victim opt to open or download the file, \"a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment.\" The disk image file, in turn, includes an HTML application that's executed using [mshta.exe](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>) to run a piece of PowerShell code that ultimately loads the Cobalt Strike Beacon onto the infected system.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEglwgfTakz5tfhTSwDOMYonZpvaHlCIHm8s2Siv7LsnSe0W0dFfpgbBClJWSt9tMLfPmBA10CeMIEH53LnLbqlrg4zv9mKFmIl7GHJ76TVTXmsXgB8kdL4wAXSnI_z-0ph0Mzn4DlYyAAJOJF4XIwYxPtw_NiqMAtsbd7VscqKWz0U20rPFTUjqwiDP>)\n\nESET also characterized APT29's reliance on HTML and ISO disk images (or VHDX files) as an evasion technique orchestrated specifically to evade Mark of the Web ([MOTW](<https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537628\\(v=vs.85\\)>)) protections, a security feature introduced by Microsoft to determine the origin of a file.\n\n\"An ISO disk image doesn't propagate the so-called Mark of the Web to the files inside the disk image,\" the researchers said. \"As such, and even if the ISO were downloaded from the internet, no warning would be displayed to the victim when the HTA is opened.\"\n\nUpon successfully gaining initial access, the threat actor delivered a variety of off-the-shelf tools to query the target's Active Directory ([AdFind](<https://www.joeware.net/freetools/tools/adfind/>)), execute commands on a remote machine using SMB protocol ([Sharp-SMBExec](<https://github.com/checkymander/Sharp-SMBExec>)), carry out reconnaissance ([SharpView](<https://github.com/tevora-threat/SharpView>)), and even an exploit for a Windows privilege escalation flaw ([CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)) to carry out follow-on attacks.\n\n\"Recent months have shown that The Dukes are a serious threat to western organizations, especially in the diplomatic sector,\" the researchers noted. \"They are very persistent, have good operational security, and they know how to create convincing phishing messages.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2022-02-09T10:46:00", "modified": "2022-02-10T03:04:57", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 4.6}, "severity": "MEDIUM", "exploitabilityScore": 3.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2021-36934"], "immutableFields": [], "lastseen": "2022-05-09T12:37:35", "viewCount": 36, "enchantments": {"backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:68C898AA-7786-44EB-AA49-BDCE98588D8C"]}, {"type": "avleonov", "idList": ["AVLEONOV:14EA12A691C5CFD8469608EAE2674E5B", "AVLEONOV:C94D71525D4EE3653DAE00D2FB37BBE1"]}, {"type": "cert", "idList": ["VU:506989"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6"]}, {"type": "cve", "idList": ["CVE-2021-36934"]}, {"type": "githubexploit", "idList": ["158640B4-C919-5413-ABA9-DF7D5AE3CC11", "27CF7C36-9804-5585-80B1-749949BF7AD5", "27F005C9-EA16-5734-81D4-8D66FA582FF9", "37A629E7-9341-5873-B641-E06D7998FA58", "4FD5C1B6-357A-5C95-AE75-CF79BDD32592", "5D86E24D-31EE-5EFA-9D3D-FDD9090FFDEE", "6B43F1C6-9617-5317-90DA-3EB5A74767E2", "6F87E072-E5AF-533F-8FC7-725ACB3BD31F", "73C3C634-4118-5E8F-A7A7-ADE9356507EC", "82FD6A90-EA27-5350-98A4-491B6CA140ED", "BF498AAC-B85E-5E3F-87EC-BC028A10A6D6", "C0AB02D4-4AD3-591D-A60F-953AC6D32CF0", "D76E0403-C1B5-59A1-A7E5-B8D3BE2E636D", "DA7FA6E3-30A8-5040-A7DA-7D9C064865B7", "E1AF9415-BECF-5F8A-9233-786A0F50E149", "F1AD9ED7-3058-5CFE-81D5-BCB3AF0861B3", "F58F44AB-5B59-54F5-9E8E-9095AC51C919"]}, {"type": "kaspersky", "idList": ["KLA12239", "KLA12242"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:17B7F98583E0297FC4ECAB159A115DB9"]}, {"type": "mscve", "idList": ["MS:CVE-2021-36934"]}, {"type": "nessus", "idList": ["SMB_NT_SERIOUS_SAM_CHECK.NBIN"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:21FF66FD08C23AC39BCCB8CFE2238507", "RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED"]}, {"type": "securelist", "idList": ["SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "thn", "idList": ["THN:777A53E3DACA2E9D76D60AB889CFD10F", "THN:D45AECD2A3661A45A08377EAEF0B729F"]}, {"type": "threatpost", "idList": ["THREATPOST:B0D084253CDDA9B0416ADB6DC22BEC9B"]}]}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:68C898AA-7786-44EB-AA49-BDCE98588D8C"]}, {"type": "avleonov", "idList": ["AVLEONOV:14EA12A691C5CFD8469608EAE2674E5B", "AVLEONOV:C94D71525D4EE3653DAE00D2FB37BBE1"]}, {"type": "cert", "idList": ["VU:506989"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6"]}, {"type": "cve", "idList": ["CVE-2021-36934"]}, {"type": "githubexploit", "idList": ["158640B4-C919-5413-ABA9-DF7D5AE3CC11", "27CF7C36-9804-5585-80B1-749949BF7AD5", "27F005C9-EA16-5734-81D4-8D66FA582FF9", "37A629E7-9341-5873-B641-E06D7998FA58", "4FD5C1B6-357A-5C95-AE75-CF79BDD32592", "5D86E24D-31EE-5EFA-9D3D-FDD9090FFDEE", "6B43F1C6-9617-5317-90DA-3EB5A74767E2", "6F87E072-E5AF-533F-8FC7-725ACB3BD31F", "73C3C634-4118-5E8F-A7A7-ADE9356507EC", "82FD6A90-EA27-5350-98A4-491B6CA140ED", "943CFE24-FF5E-5BEA-B1DF-3163AED2C847", "BF498AAC-B85E-5E3F-87EC-BC028A10A6D6", "C0AB02D4-4AD3-591D-A60F-953AC6D32CF0", "D76E0403-C1B5-59A1-A7E5-B8D3BE2E636D", "DA7FA6E3-30A8-5040-A7DA-7D9C064865B7", "E1AF9415-BECF-5F8A-9233-786A0F50E149", "F1AD9ED7-3058-5CFE-81D5-BCB3AF0861B3", "F289C7E8-209B-5B15-B6D7-8EBFBBC8BDA8", "F58F44AB-5B59-54F5-9E8E-9095AC51C919"]}, {"type": "kaspersky", "idList": ["KLA12239", "KLA12242"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:17B7F98583E0297FC4ECAB159A115DB9"]}, {"type": "mscve", "idList": ["MS:CVE-2021-36934"]}, {"type": "nessus", "idList": ["SMB_NT_SERIOUS_SAM_CHECK.NBIN"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:21FF66FD08C23AC39BCCB8CFE2238507", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED", "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD", "RAPID7BLOG:E5721E7C94293776737FD29EE61C94E2", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630"]}, {"type": "securelist", "idList": ["SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "thn", "idList": ["THN:777A53E3DACA2E9D76D60AB889CFD10F", "THN:D45AECD2A3661A45A08377EAEF0B729F"]}, {"type": "threatpost", "idList": ["THREATPOST:B0D084253CDDA9B0416ADB6DC22BEC9B", "THREATPOST:C8E47BBF9477DAA48006FB947AF7F4C7"]}]}, "exploitation": null, "score": {"value": 0.4, "vector": "NONE"}, "epss": [{"cve": "CVE-2021-36934", "epss": "0.001050000", "percentile": "0.411730000", "modified": "2023-03-17"}], "vulnersScore": 0.4}, "_state": {"dependencies": 1660004461, "score": 1659950454, "epss": 1679178262}, "_internal": {"score_hash": "fa1189bfffe89dfd55d487f4fa5d7819"}}

{"mscve": [{"lastseen": "2023-03-17T02:33:53", "description": "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nAn attacker must have the ability to execute code on a victim system to exploit this vulnerability.\n\nAfter installing this security update, you _must_ manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerabilty. **Simply installing this security update will not fully mitigate this vulnerability.** See [KB5005357- Delete Volume Shadow Copies](<https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T07:00:00", "type": "mscve", "title": "Windows Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-12T07:00:00", "id": "MS:CVE-2021-36934", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36934", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-07-13T18:52:49", "description": "# CVE-2021-36934\nCVE-2021-36934 PowerShell Fix\n\nThis powershell ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T12:24:24", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-29T06:47:23", "id": "F58F44AB-5B59-54F5-9E8E-9095AC51C919", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:28", "description": "# CVE-2021-36934\n![Screenshot](https://github...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-26T08:01:08", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-26T08:18:37", "id": "BF498AAC-B85E-5E3F-87EC-BC028A10A6D6", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:58", "description": "# Overview #\n\nThis is a Datto RMM component to mitigate CVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-25T18:00:35", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-25T18:10:18", "id": "27F005C9-EA16-5734-81D4-8D66FA582FF9", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:56:25", "description": "[CVE described on MSRC](https://msrc.microsoft.com/update-guide/...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T14:53:09", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-06T14:49:37", "id": "6B43F1C6-9617-5317-90DA-3EB5A74767E2", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:51", "description": "# VSSCopy\nSmall and dirty PoC f...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T00:55:23", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-26T14:35:30", "id": "6F87E072-E5AF-533F-8FC7-725ACB3BD31F", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:56:57", "description": "\ufffd\ufffd#\u0000 \u0000C\u0000V\u0000E\u0000-\u00002\u00000\u00002\u00001\u0000-\u00003\u00006\u00009\u00003\u00004\u0000\r\u0000\n\u0000\r\u0000\n\u0000#\u0000#\u0000 \u0000U\u0000s\u0000a\u0000g\u0000e\u0000\r\u0000\n\u0000\r\u0000...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T17:24:44", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-25T06:37:22", "id": "F1AD9ED7-3058-5CFE-81D5-BCB3AF0861B3", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-15T12:42:04", "description": "# Invoke-HiveNightmare\nPowerShell-based PoC for CVE-2021-36934, ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T03:07:56", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-07-15T12:11:50", "id": "DA7FA6E3-30A8-5040-A7DA-7D9C064865B7", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:02:52", "description": "# Oxide Hive\nAn exploit for the HiveNightmare/SeriousSAM vulnera...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:01:21", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-05-01T09:47:57", "id": "4FD5C1B6-357A-5C95-AE75-CF79BDD32592", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:02:55", "description": "# CVE-2021-36934\nFix for...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T13:06:51", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-06-18T04:00:43", "id": "C0AB02D4-4AD3-591D-A60F-953AC6D32CF0", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:04", "description": "CVE-2021\u201336934\n\nThe derived hash is used for forgery such as PTH...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T19:39:28", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-09-20T04:02:17", "id": "37A629E7-9341-5873-B641-E06D7998FA58", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-13T23:54:50", "description": "# CVE-2021-36934\n\nC# implementation of [C...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-24T12:55:05", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-08-13T21:20:25", "id": "D76E0403-C1B5-59A1-A7E5-B8D3BE2E636D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-27T08:42:24", "description": "# ShadowSteal | CVE-2021-36934\nPure Nim implementation for explo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T22:16:49", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-07-27T07:12:59", "id": "82FD6A90-EA27-5350-98A4-491B6CA140ED", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:33:41", "description": "<p><strong>Windows Elevation of Privilege Vulnerability CVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-04T10:37:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-04T10:47:55", "id": "158640B4-C919-5413-ABA9-DF7D5AE3CC11", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:06:02", "description": "# CVE-2021-36934\nSeriousSAM Auto Exploiter\n\n# Requirements\n- Hiv...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-01T19:54:31", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-04-20T08:36:49", "id": "73C3C634-4118-5E8F-A7A7-ADE9356507EC", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T10:03:10", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T07:49:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-11-30T06:53:48", "id": "F289C7E8-209B-5B15-B6D7-8EBFBBC8BDA8", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:10", "description": "# CVE-2021-36934\nCVE-2021-36934 PowerShell scripts\n\n* Detection....", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T21:54:45", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-28T01:48:39", "id": "27CF7C36-9804-5585-80B1-749949BF7AD5", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:54:16", "description": "# CVE-2021-36934\nCVE-2021-36934 HiveNightmare vulnerability chec...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-29T20:35:22", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-30T12:29:18", "id": "E1AF9415-BECF-5F8A-9233-786A0F50E149", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:54:50", "description": "# PyNightmare\nPoC for CVE-2021-36934 Aka HiveNightmare/SeriousSA...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-25T00:31:11", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-12-31T15:22:31", "id": "5D86E24D-31EE-5EFA-9D3D-FDD9090FFDEE", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T10:03:10", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T12:10:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-01-22T01:53:54", "id": "943CFE24-FF5E-5BEA-B1DF-3163AED2C847", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "thn": [{"lastseen": "2022-05-09T12:39:18", "description": "[](<https://thehackernews.com/images/-2Vh6AhRwNKs/YP6aCnEii6I/AAAAAAAABK0/Sm1Yj72UTWQ0Kh_48L0sq_91GZSVbDq8wCLcBGAsYHQ/s0/SeriousSAM-Vulnerability.jpg>)\n\nMicrosoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.\n\nAs we reported last week, the vulnerability \u2014 [SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) \u2014 allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack. \n\nAttackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges.\n\nSeriousSAM vulnerability, tracked as **CVE-2021-36934**, exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that allows 'read' permissions to the built-in user's group that contains all local users.\n\nAs a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes. Once the attacker has 'User' access, they can use a tool such as Mimikatz to gain access to the Registry or SAM, steal the hashes and convert them to passwords. Invading Domain users that way will give attackers elevated privileges on the network.\n\nBecause there is no official patch available yet from Microsoft, the best way to protect your environment from SeriousSAM vulnerability is to implement hardening measures.\n\n## Mitigating SeriousSAM\n\nAccording to Dvir Goren, CTO at CalCom, there are three optional hardening measures:\n\n 1. **Delete all users from the built-in users' group** \u2014 this is a good place to start from, but won't protect you if Administrator credentials are stolen.\n 2. **Restrict SAM files and Registry permissions** \u2014 allow access only for Administrators. This will, again, only solve part of the problem, as if an attacker steals Admin credentials, you will still be vulnerable to this vulnerability.\n 3. **Don't allow the storage of passwords and credentials for network authentication **\u2014 this rule is also recommended in the [CIS benchmarks](<https://www.calcomsoftware.com/cis-hardening-and-configuration-security-guide/>). By implementing this rule, there will be no hash stored in the SAM or registry, thereby mitigating this vulnerability completely.\n\nWhen using GPOs for implementation, make sure the following UI Path is Enabled:\n\n> Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication\n\n_Despite the fact that the last recommendation offers a good solution for SeriousSAM, it may negatively impact your production if not properly tested before it is pushed. When this setting is enabled, applications that use scheduled tasks and need to store users' hashes locally will fail._\n\n## Mitigating SeriousSAM without risking causing damage to production\n\nThe following are Dvir's recommendations for mitigating without causing downtime:\n\n 1. Set up a test environment that will simulate your production environment. Simulate all possible dependencies of your network as accurately as you can.\n 2. Analyze the impact of this rule on your test environment. In this way, if you have applications that rely on hashes that are stored locally, you'll know in advance and prevent production downtime.\n 3. Push the policy where possible. Make sure new machines are also hardened and that the configuration doesn't drift over time.\n\nThese three tasks are complex and require a lot of resources and in-house expertise. Therefore, Dvir's final recommendation is to [automate the entire hardening process](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) to save the need to perform stages 1, 2 and 3. \n\nHere is what you will gain from a [Hardening Automation Tool](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>):\n\n * Automatically generate the most accurate possible impact analysis report \u2013 hardening automation tools 'learns' your production dependencies and report to you the potential impact of each policy rule. \n * Automatically enforce your policy on your entire production from a single point of control \u2013 using these tools, you won't need to do manual work, such as using GPOs. You can control and be certain all your machines are hardened.\n * Maintain your compliance posture and monitor your machines in real-time \u2013 hardening automation tools will monitor your compliance posture, alert and remediate any unauthorized changes in configurations, therefore preventing configuration drifts. \n\n[Hardening automation tools](<https://www.calcomsoftware.com?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) will learn the dependencies directly from your network and automatically generate an accurate impact analysis report. A hardening automation tool will also help you orchestrate the implementation and monitoring process.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-26T11:21:00", "type": "thn", "title": "How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-26T11:21:00", "id": "THN:777A53E3DACA2E9D76D60AB889CFD10F", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-windows-10-11.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:18", "description": "[](<https://thehackernews.com/images/-KWMyudCGllM/YPe_4G7D-JI/AAAAAAAADRc/c15FBZB4zo8eKdZwApdLeq6oXzYkulE9QCLcBGAsYHQ/s0/windows-linux-hacking.jpg>)\n\nMicrosoft's Windows 10 and the upcoming Windows 11 versions have been found vulnerable to a new local privilege escalation vulnerability that permits users with low-level permissions access Windows system files, in turn, enabling them to unmask the operating system installation password and even decrypt private keys.\n\nThe vulnerability has been nicknamed \"SeriousSAM.\"\n\n\"Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files,\" CERT Coordination Center (CERT/CC) said in a [vulnerability note](<https://kb.cert.org/vuls/id/506989>) published Monday. \"This can allow for local privilege escalation (LPE).\"\n\nThe operating system configuration files in question are as follows -\n\n * c:\\Windows\\System32\\config\\sam\n * c:\\Windows\\System32\\config\\system\n * c:\\Windows\\System32\\config\\security\n\nMicrosoft, which is tracking the vulnerability under the identifier [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>), acknowledged the issue, but has yet to roll out a patch, or provide a timeline for when the fix will be made available.\n\n\"An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager ([SAM](<https://en.wikipedia.org/wiki/Security_Account_Manager>)) database,\" the Windows makers noted. \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\n[](<https://thehackernews.com/images/-RPXOmujuXrY/YPe-L2M8ZII/AAAAAAAADRU/oGSk56V9xQ8d1Mp_bb01h82y-PeBBrHbgCLcBGAsYHQ/s0/Windows-SAM.jpg>)\n\nSuccessful exploitation of the flaw, however, necessitates that the attacker already has a foothold and is in possession of the ability to execute code on the victim system. In the interim, the CERT/CC is recommending that users restrict access to sam, system, and security files and delete [VSS shadow copies](<https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service>) of the system drive.\n\nThe latest disclosure also marks the third publicly disclosed unpatched bug in Windows since the release of [Patch Tuesday updates](<https://thehackernews.com/2021/07/update-your-windows-pcs-to-patch-117.html>) on July 13. Besides CVE-2021-36934, two more [weaknesses](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) affecting the [Print Spooler](<https://thehackernews.com/2021/07/researcher-uncover-yet-another.html>) component have also been discovered, prompting Microsoft to urge all users to stop and disable the service to protect systems against exploitation.\n\n### Linux Distros Suffer from \"Sequoia\" Privilege Escalation Flaw\n\nIt's not just Windows. Remediations have been released for a security shortcoming affecting all [Linux kernel versions](<https://en.wikipedia.org/wiki/Linux_kernel_version_history>) from 2014 that can be exploited by malicious users and malware already deployed on a system to gain root-level privileges.\n\nDubbed \"Sequoia\" by researchers from cybersecurity firm Qualys, the issue has been assigned the identifier [CVE-2021-33909](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909>) and affects default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Red Hat Enterprise Linux versions 6, 7, and 8 are also [affected](<https://access.redhat.com/security/vulnerabilities/RHSB-2021-006>) by the vulnerability.\n\nSpecifically, the flaw concerns a size_t-to-int type conversion vulnerability in the Linux Kernel's \"seq_file\" file system interface, permitting an unprivileged local attacker to create, mount, and delete a deep directory structure whose total path length exceeds 1GB, resulting in privilege escalation on the vulnerable host.\n\nSeparately, Qualys also disclosed a stack exhaustion denial-of-service vulnerability in [systemd](<https://en.wikipedia.org/wiki/Systemd>) ([CVE-2021-33910](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1>)) that could be exploited by unprivileged attackers to crash the software suite and trigger a [kernel panic](<https://en.wikipedia.org/wiki/Kernel_panic>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T06:37:00", "type": "thn", "title": "New Windows and Linux Flaws Give Attackers Highest System Privileges", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33909", "CVE-2021-33910", "CVE-2021-36934"], "modified": "2021-07-22T03:36:46", "id": "THN:D45AECD2A3661A45A08377EAEF0B729F", "href": "https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-07-31T08:36:55", "description": "Users with low privileges can access sensitive Registry database files on Windows 10 and Windows 11, leaving them vulnerable to a local elevation of privilege vulnerability known as SeriousSAM or HiveNightmare.\n\nDoesn&#x27;t sound serious? Reassured that users must already have access to the system and be able to execute code on said system to use this vulnerability? Don&#x27;t be.\n\nUsing SeriousSAM, a user can access multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. The attacker would then have full control, which means they can install programs, view, change, or delete data, and create new accounts with full user rights. Which is exactly what an attacker wants.\n\n### My mama said\n\nSAM stands for Security Accounts Manager and it is supposed to be a protected database that can only be accessed by users with Adminstrator privileges. This was designed as such because the database contains the hashed passwords for all users on a system.\n\nNow, I\u2019ve always been taught that anyone with physical access to your system, and enough knowledge, can take it over. One of the reasons why this is true is that the \u201cholder\u201d of the system can dump those sensitive Registry database files _when Windows is not running_. \n\nWhen Windows is not running the registry is not \u201cmounted\u201d and the &quot;access violation&quot; protection is inactive, since to another operating system (OS) they are just files like any other. You can see the caveat there. You need to look at the files from an external OS to pull this off. (I will leave the \u201chow to\u201d do that to your imagination.)\n\nWhile dumping a registry hive from an inactive Windows machine like that may sound daunting to some, and difficult for malware to pull off, SeriousSAM makes it much easier. SeriousSAM removes the need for that external OS, and for Windows to be off, making it a much more achievable trick. It allows users (or malicious programs inadvertently run by those users) to bypass the &quot;access violation&quot; protection on the computer they&#x27;re using, while it&#x27;s running.\n\n### Pass the hash\n\n&quot;But the passwords are hashed!&quot;, I heard you thinking. In that case, meet pass-the-hash attacks. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client\u2019s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that \u201cmathematical operation\u201d required to gain access. The authentication process does not require the plaintext password. The hash is enough. \n\nSo, _pass the hash_ is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user&#x27;s password, instead of requiring the associated plaintext password as is normally the case.\n\n### Made easy\n\nThe vulnerability we have been referring to as SeriousSAM is listed as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) and while it is unclear exactly which versions of Windows are vulnerable, it looks as if some versions of Windows 10 and all versions of Windows 11 are affected, as long as System Protection, aka Shadow Volumes, is enabled. The Microsoft advisory says &quot;\u2026we can confirm that this issue affects Windows 10 version 1809 and newer operating systems&quot;. The company is researching the issue and we will update this post once we know more.\n\nThe vulnerability got its other name, HiveNightmare, because it affects registry hives, and as a reference to the recently discovered [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) vulnerabilities in the Windows Print Spooler service. I think it&#x27;s a better name for this vulnerability because SAM is not the only sensitive Registry database that&#x27;s affected. Others are all stored in the `%windir%\\system32 \\config` folder, as is SAM. They are SYSTEM, SECURITY, DEFAULT, and SOFTWARE. Which means there might be more options for hackers with limited access to raise privileges or achieve remote code execution waiting to be found.\n\nThe underlying problem is, in Microsoft&#x27;s own words &quot;overly permissive Access Control Lists (ACLs) on multiple system files&quot;. Those lax permissions are carried over into the Shadow copies where the files are unmounted and as unprotected as the files on the dormant computer my mother warned me about. So, any user can dump the database from the Shadow copy and as such create a readable database.\n\nShadow Volumes are enabled by default so that doesn\u2019t bring the number of systems at risk down a lot. It is a useful option, but in this case it is also what enables this vulnerability. \n\n### Mitigation\n\nWhile Microsoft is expected to come up with an out-of-band patch for this vulnerability, there are some things you can do to defeat the vulnerability. Whatever you do to address problem, note that fixing the cause does not necessarily fix broken permissions in shadow copies you have already taken.\n\nYou can find some useful commands for discovering if your systems have Shadow copies enabled, and whether they are vulnerable in the [CERT advisory](<https://www.kb.cert.org/vuls/id/506989>). The advisory notes that &quot;simply having a system drive that is larger that 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.&quot;\n\nMicrosoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.\n\n**Restrict access to the contents of `%windir%\\system32\\config`**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command: icacls %windir%\\system32\\config\\\\*.* /inheritance:e\n\n**Delete Volume Shadow Copy Service (VSS) shadow copies**\n\n * Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point (if desired).\n\n**Note: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.**\n\nThe post [HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-07-21T14:31:50", "type": "malwarebytes", "title": "HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T14:31:50", "id": "MALWAREBYTES:17B7F98583E0297FC4ECAB159A115DB9", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-02-08T15:45:27", "description": "### *Detect date*:\n07/20/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn elevation of privilege vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to gain privileges.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2019 \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-36934](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-36934>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft Windows Server](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-36934](<https://vulners.com/cve/CVE-2021-36934>)4.6Warning\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "kaspersky", "title": "KLA12239 PE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-04T00:00:00", "id": "KLA12239", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12239/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T15:45:22", "description": "### *Detect date*:\n07/20/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn elevation of privilege vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to gain privileges.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-36934](<https://nvd.nist.gov/vuln/detail/CVE-2021-36934>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-36934](<https://vulners.com/cve/CVE-2021-36934>)4.6Warning", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "kaspersky", "title": "KLA12242 PE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-04T00:00:00", "id": "KLA12242", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12242/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2021-11-26T17:51:09", "description": "### Overview\n\nMultiple versions of Windows 10 grant non-administrative users read access to files in the `%windir%\\system32\\config` directory. This can allow for local privilege escalation (LPE).\n\n### Description\n\nWith multiple versions of Windows 10, the `BUILTIN\\Users` group is given `RX` permissions to files in the `%windir%\\system32\\config` directory.\n\nIf a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:\n\n * Extract and leverage account password hashes.\n * Discover the original Windows installation password.\n * Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\n * Obtain a computer machine account, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).\n\nNote that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger that 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be [automatically created](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information>). To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:\n\n`vssadmin list shadows`\n\nA system with VSS shadow copies will report details of at least one shadow copy that specifies `Original Volume: (C:)`, such as the following:\n \n \n vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n (C) Copyright 2001-2013 Microsoft Corp.\n \n Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}\n Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM\n Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}\n Original Volume: (C:)\\\\?\\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\\\n Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n Originating Machine: DESKTOP-PAPIHMA\n Service Machine: DESKTOP-PAPIHMA\n Provider: 'Microsoft Software Shadow Copy provider 1.0'\n Type: ClientAccessibleWriters\n Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered\n \n\nA system **without** VSS shadow copies will produce output like the following:\n \n \n vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n (C) Copyright 2001-2013 Microsoft Corp.\n \n No items found that satisfy the query.\n \n\nTo check if a system is vulnerable, the following command can be used from a non-privileged command prompt: `icacls %windir%\\system32\\config\\sam`\n\nA vulnerable system will report `BUILTIN\\Users:(I)(RX)` in the output like this:\n \n \n C:\\Windows\\system32\\config\\sam BUILTIN\\Administrators:(I)(F)\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Users:(I)(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n \n Successfully processed 1 files; Failed processing 0 files\n \n\nA system that is not vulnerable will report output like this:\n \n \n C:\\Windows\\system32\\config\\sam: Access is denied.\n Successfully processed 0 files; Failed processing 1 files\n \n\nThis vulnerability has been publicly referred to as both HiveNightmare and SeriousSAM, while Microsoft has assigned CVE-2021-36934 to the vulnerability.\n\n### Impact\n\nBy accessing files in the Windows `%windir%\\system32\\config` directory on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.\n\n### Solution\n\nPlease see the [Microsoft bulletin for CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>), which contains a workaround. Specifically:\n\n#### Restrict access to %windir%\\system32\\config and remove VSS shadow copies\n\nVulnerable systems can enable ACL inheritance for files in the `%windir%\\system32\\config` directory by running the following command from an elevated prompt:\n \n \n icacls %windir%\\system32\\config\\*.* /inheritance:e\n \n\nOnce the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:\n \n \n vssadmin delete shadows /for=%systemdrive% /Quiet\n \n\nConfirm that VSS shadow copies were deleted by running `vssadmin list shadows` again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected. Please see [KB5005357](<https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>) for more details.\n\n### Acknowledgements\n\nThis vulnerability was publicly disclosed by Jonas Lyk, with additional details provided by Benjamin Delpy.\n\nThis document was written by Will Dormann.\n\n### Vendor Information\n\n506989\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Microsoft __ Affected\n\nNotified: 2021-07-20 Updated: 2021-07-20 **CVE-2021-36934**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>\n\n \n\n\n### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>\n * <https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>\n * <https://twitter.com/jonasLyk/status/1417205166172950531>\n * <https://twitter.com/gentilkiwi/status/1417467063883476992>\n * <https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>\n * <https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information>\n * <https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-36934 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-36934>) \n---|--- \n**Date Public:** | 2021-07-20 \n**Date First Published:** | 2021-07-20 \n**Date Last Updated: ** | 2021-07-29 16:29 UTC \n**Document Revision: ** | 11 \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "cert", "title": "Microsoft Windows 10 gives unprivileged user access to system32\\config files", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-29T16:29:00", "id": "VU:506989", "href": "https://www.kb.cert.org/vuls/id/506989", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-07-22T20:05:59", "description": "A privilege escalation bug, affecting versions of Windows 10, received a workaround fix by Microsoft Wednesday to prevent attackers from accessing data and creating new accounts on compromised systems.\n\nThe bug, dubbed SeriousSAM, affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information \u2013 a juicy target for attackers. A prerequisite for abuse of the bug is an adversary needs either remote or local access to the vulnerable Windows 10 system.\n\nTracked as CVE-2021-36934, Microsoft said the vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the (SAM) database. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d the [Microsoft bulletin explains](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). \n[](<https://threatpost.com/newsletter-sign/>)Simply stated, an attacker could leverage the bug to gain access to the SAM database of hashed credentials, which then could be decrypted offline and used to bypass Windows 10 user access controls.\n\n## Proof-of-Concept Available\n\nThe bug is rated important in severity by Microsoft. The flaw was revealed to Microsoft by researchers Jonas Lyk over the weekend and made public Monday. [Proof-of-concept code](<https://github.com/GossiTheDog/HiveNightmare>) was published by researcher Kevin Beaumont to help network admins identify exposure to the bug.\n\nIn a Tweet by Lyk, the researcher said the bug also impacts pre-production versions of Windows 11 (slated to be released in October, 2021). \u201cFor some reason on win11 the SAM file now is READ for users. So if you have shadowvolumes enabled you can read the sam file,\u201d [he tweeted](<https://twitter.com/jonasLyk/status/1417205166172950531>).\n\nThe researcher said the bug was discovered while tinkering with Windows 11. He explains that SAM database content, while not accessible on the OS, can be accessed when part of a Windows Shadow Volume Copy (VSS) backup. VSS is a service that allows automatic or manual real-time backups of system files (preserved in their current state) tied to a particular drive letter (volume).\n\nHe later identified the same issue is present on Windows 10 systems dating back to 2018 (v1809).\n\n## **No Patch Available: Workaround Fix Recommended**\n\nFor this reason, Microsoft is recommending sysadmin delete the backup copies of the VSS files. The OS maker does not offer a patch for the bug, rather a simple workaround.\n\nMicrosoft explains the two step process as: \u201cDelete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\\system32\\config\u201d and \u201ccreate a new System Restore point (if desired).\u201d\n\nIt also cautions that deleting VSS shadow copies \u201ccould impact restore operations, including the ability to restore data with third-party backup applications.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-22T12:57:11", "type": "threatpost", "title": "Microsoft Issues Windows 10 Workaround Fix for \u2018SeriousSAM\u2019 Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-22T12:57:11", "id": "THREATPOST:B0D084253CDDA9B0416ADB6DC22BEC9B", "href": "https://threatpost.com/win-10-serioussam/168034/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-11-30T01:39:23", "description": "An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug \u2013 but a micropatch has been rolled out as a stop-gap measure.\n\nSecurity researcher Abdelhamid Naceri [originally reported](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) the vulnerability as an information-disclosure issue in October 2020, via Trend Micro\u2019s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming.\n\nThen, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it\u2019s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.\n\n> I mean this is still unpatched and allow LPE if shadow volume copies are enabled; \nBut I noticed that it doesn't work on windows 11 <https://t.co/HJcZ6ew8PO>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [November 15, 2021](<https://twitter.com/KLINIX5/status/1460338968780804098?ref_src=twsrc%5Etfw>)\n\nThe process for doing so is very similar to the [LPE exploitation approach](<https://www.hackingarticles.in/windows-privilege-escalation-hivenightmare/>) for the HiveNightmare bug, [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)**,** which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information \u2013 a juicy target for attackers.\n\n\u201cAs [HiveNightmare/SeriousSAM](<https://threatpost.com/win-10-serioussam/168034/>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,\u201d Mitja Kolsek, head of the 0patch team, noted in a [recent posting](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>). \u201cWe confirmed this [for the zero-day and were] able to run code as local administrator.\u201d\n\n> It's still hilarious that this bug is still unpatched and fully functional on a windows 10 21H1 with october patch. <https://t.co/HO4Kwbql9z>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [November 2, 2021](<https://twitter.com/KLINIX5/status/1455500874596356098?ref_src=twsrc%5Etfw>)\n\n## **Windows 10 Bug Exploitation Details**\n\nSpecifically, the vulnerable functionality exists under the \u201caccess work or school\u201d settings, according to the opatch writeup. A normal user can make use of the \u201cexport your management log files\u201d function, which triggers the Device Management Enrollment Service.\n\n\u201cThis service first copies some log files to the C:\\ProgramData\\Microsoft\\MDMDiagnostics folder, and then packages them into a .CAB file whereby they\u2019re temporarily copied to C:\\Windows\\Temp folder,\u201d explained Kolsek. \u201cThe resulting .CAB file is then stored in the C:\\Users\\Public\\Public Documents\\MDMDiagnostics folder, where the user can freely access it.\u201d\n\nHowever, when the .CAB file is copied into the Windows Temp folder, a local attacker can pounce. The adversary would simply create a file shortcut link with a predictable file name that would normally be used in the normal export process, pointing to a target folder or file that the attacker would like to access.\n\n\u201cSince the Device Management Enrollment Service runs as Local System, it can read any system file that the attacker can\u2019t,\u201d Kolsek said.\n\nThere are two pre-requisites for achieving LPE, Kolsek noted.\n\n\u201cSystem protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters,\u201d he said. And, \u201cat least one local administrator account must be enabled on the computer, or at least one \u2018administrators\u2019 group member\u2019s credentials cached.\u201d\n\nTo address the issue, the free micropatch simply checks for the presence of short-cut links during the .CAB file creation.\n\n\u201cThe function we patched is CollectFileEntry inside mdmdiagnostics.dll. This is the function that copies files from C:\\Windows\\Temp folder into the .CAB file, and can be tricked into reading some other files instead,\u201d Kolsek explained. \u201cOur patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine whether any junctions or other types of links are used in the path. If they are, our patch makes it look as it the CopyFileW call has failed, thereby silently bypassing the copying of any file that doesn\u2019t actually reside in C:\\Windows\\Temp.\u201d\n\nVulnerable versions of Windows include:\n\n * Windows 10 v21H1 (32 &amp; 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 &amp; 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 &amp; 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 &amp; 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 &amp; 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 &amp; 64 bit) updated with May 2021 Updates\n\nWindows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.\n\nMicrosoft did not immediately return a request for comment on the timeline for an official patch.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T17:47:10", "type": "threatpost", "title": "Unpatched Windows 10 Zero-Day Allows Privileged File Access", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-36934"], "modified": "2021-11-29T17:47:10", "id": "THREATPOST:C8E47BBF9477DAA48006FB947AF7F4C7", "href": "https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}], "attackerkb": [{"lastseen": "2023-03-31T02:20:16", "description": "Windows Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**Dviros** at July 25, 2021 9:35am UTC reported:\n\nVulnerability is easy to exploit \u2013 by interacting with the local ShadowCopy volume, and copying it to a local folder, attackers can easily elevate their privileges. \nSeveral exploits were already released, allowing to parse the hashes while copying the SAM\\SECURITY\\SYSTEM hives: \n<https://github.com/cube0x0/CVE-2021-36934> \n<https://github.com/HuskyHacks/ShadowSteal>\n\nThis vulnerability occurs due to the permissive \u201cC:\\Windows\\System32\\Config*.*\u201d privileges, \u201cBUILTIN\\Users\u201d, allowing any user to read and execute the files.\n\n**ccondon-r7** at July 21, 2021 4:24pm UTC reported:\n\nVulnerability is easy to exploit \u2013 by interacting with the local ShadowCopy volume, and copying it to a local folder, attackers can easily elevate their privileges. \nSeveral exploits were already released, allowing to parse the hashes while copying the SAM\\SECURITY\\SYSTEM hives: \n<https://github.com/cube0x0/CVE-2021-36934> \n<https://github.com/HuskyHacks/ShadowSteal>\n\nThis vulnerability occurs due to the permissive \u201cC:\\Windows\\System32\\Config*.*\u201d privileges, \u201cBUILTIN\\Users\u201d, allowing any user to read and execute the files.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T00:00:00", "type": "attackerkb", "title": "CVE-2021-36934 Windows Elevation of Privilege", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-31T00:00:00", "id": "AKB:68C898AA-7786-44EB-AA49-BDCE98588D8C", "href": "https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-07-31T08:56:21", "description": "\n\nOn Monday, July 19, 2021, community security researchers began [reporting](<https://twitter.com/jonasLyk/status/1417205166172950531>) that the Security Account Manager (SAM) file on Windows 10 and 11 systems was READ-enabled for all local users. The SAM file is used to store sensitive security information, such as hashed user and admin passwords. READ enablement means attackers with a foothold on the system can use this security-related information to escalate privileges or access other data in the target environment.\n\nOn Tuesday, July 20, Microsoft issued an out-of-band advisory for this vulnerability, which is now tracked as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). As of July 22, 2021, the vulnerability has been confirmed to affect Windows 10 version 1809 and later. A public proof-of-concept is available that allows non-admin users to retrieve all registry hives. Researcher Kevin Beaumont has also [released a demo](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>) that confirms CVE-2021-36934 can be used to obtain local hashes and pass them to a remote machine, achieving remote code execution as SYSTEM on arbitrary targets (in addition to privilege escalation). The security community has christened this vulnerability \u201cHiveNightmare\u201d and \u201cSeriousSAM.\u201d\n\nCERT/CC [published in-depth vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>) on CVE-2021-36934, which we highly recommend reading. Their analysis reveals that starting with Windows 10 build 1809, the BUILTIN\\Users group is given RX permissions to files in the `%windir%\\system32\\config` directory. If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to:\n\n * Extract and leverage account password hashes.\n * Discover the original Windows installation password.\n * Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\n * Obtain a computer machine account, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).\n\n**There is no patch for CVE-2021-36934 as of July 21, 2021.** Microsoft has released workarounds for Windows 10 and 11 customers that mitigate the risk of immediate exploitation\u2014we have reproduced these workarounds in the `Mitigation Guidance` section below. Please note that Windows customers must **BOTH** restrict access and delete shadow copies to prevent exploitation of CVE-2021-36934. We recommend applying the workarounds on an emergency basis.\n\n## Mitigation Guidance\n\n**1\\. Restrict access to the contents of `%windir%\\system32\\config`:**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command:\n \n \n icacls %windir%\\system32\\config\\*.* /inheritance:e\n \n\n**2\\. Delete Volume Shadow Copy Service (VSS) shadow copies:**\n\n * Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point if desired.\n\n**Windows 10 and 11 users must apply both workarounds to mitigate the risk of exploitation.** Microsoft has noted that deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications.\n\nThis story is developing quickly. We will update this blog with new information as it becomes available.\n\n## Updates\n\n**July 27, 2021:** Microsoft has **removed Windows Server 2019 and Windows Server 20H2** from the list of versions affected by CVE-2021-36934.\n\n**July 22, 2021:** Microsoft added Windows Server 2019 and Windows Server 20H2 to the [list of affected versions](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>).\n\n## Resources\n\n * [Microsoft advisory for CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)\n * [CERT/CC vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>)\n * [Public PoC for CVE-2021-36934](<https://github.com/GossiTheDog/HiveNightmare>)\n * [Additional demo and analysis of CVE-2021-36934](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>)", "cvss3": {}, "published": "2021-07-21T16:01:19", "type": "rapid7blog", "title": "Microsoft SAM File Readability CVE-2021-36934: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T16:01:19", "id": "RAPID7BLOG:21FF66FD08C23AC39BCCB8CFE2238507", "href": "https://blog.rapid7.com/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T21:03:37", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-41379 | [Microsoft Advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) | [AttackerKB](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=blog>) | Scheduled (when patched) | ASAP (when released) | December 3, 2021 3:00 PM ET \n\n\n_See the Updates section at the end of this post for new information._\n\n## Description\n\nOn November 9, 2021, as part of Patch Tuesday, Microsoft released an update to address [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), a \u201cWindows Installer Elevation of Privilege Vulnerability\u201d that had a modest CVSS score (5.5), without much fanfare. The original CVE allows an attacker to delete files on a system using elevated privileges.\n\nFast-forward to November 22, 2021, when after investigating the patch, the researcher that discovered the vulnerability, Abdelhamid Naceri, found that it did not fully remediate the issue and published proof-of-concept (PoC) code on [GitHub](<https://github.com/klinix5/InstallerFileTakeOver>) proving exploitation of the vulnerability is still possible on patched versions of Windows allowing for SYSTEM-level privileges. The working PoC \u201coverwrites Microsoft Edge elevation service 'DACL' and copies itself to the service location, then executes it to gain elevated privileges.\u201d\n\nWith a zero-day exploit available, attackers have been chipping away at ways to utilize the vulnerability, especially in [malware](<https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html>).\n\nAs of November 30, 2021, there is not an official patch from Microsoft to fully and effectively remediate this vulnerability. Community researchers and security practitioners have noted that other Microsoft zero-day vulnerabilities this year, such as [CVE-2021-36934](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>) (\u201cHiveNightmare\u201d/\u201dSeriousSAM\u201d), were not fixed until typical Patch Tuesday release cycles even if public exploit code had already made an appearance. We expect that this vulnerability will follow that same pattern and that we won\u2019t see a new patch (and/or a new CVE, if Microsoft does indeed classify this as a patch bypass) until December 2021\u2019s Patch Tuesday.\n\n## Affected versions\n\nAccording to the researcher, all supported versions of Windows, including Windows 11 and Server 2022, are vulnerable to the exploit.\n\n## Guidance\n\nWith no official patch at this time, we recommend that organizations prepare to patch this as soon as the official fix is released. Meanwhile, Rapid7 researchers have confirmed that [a number of antimalware programs](<https://www.virustotal.com/gui/file/a43bafb2af2a1adcd1371ab3810b2908b591bc32798f3ad35ad662cf967b12fd/detection>) have added detection of Naceri's exploit, so as usual, keep those programs up to date. Lastly, organizations can detect previous exploitation of this PoC by monitoring for EventID 1033 and \u201ctest pkg\u201d (keeping in mind that the \u201ctest pkg\u201d will only find this exact PoC and may be modified by more enterprising attackers). \n**(Please see the Updates section regarding the latest on AV detection of this exploit).**\n\n\n\n## Rapid7 customers\n\nFor Rapid7 InsightVM customers, we will be releasing vulnerability checks if and when Microsoft publishes patch information for the new vulnerability.\n\nIn the meantime, InsightVM customers can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to find Windows assets by creating the following query: `os.family` `contains` `windows`. Rapid7 Nexpose customers can create a [Dynamic Asset Group](<https://docs.rapid7.com/nexpose/performing-filtered-asset-searches>) based on a filtered asset search for `OS` `contains` `windows`.\n\n## Updates\n\n[December 3, 2021] \nRapid7 has published an in-depth technical analysis on [AttackerKB](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=blog>) that includes a streamlined, more functional PoC. Also, of note, is our research shows that attackers using this exploit can easily evade detection by AV.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T19:03:28", "type": "rapid7blog", "title": "Ongoing Exploitation of Windows Installer CVE-2021-41379", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934", "CVE-2021-41379"], "modified": "2021-11-30T19:03:28", "id": "RAPID7BLOG:E5721E7C94293776737FD29EE61C94E2", "href": "https://blog.rapid7.com/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T19:00:15", "description": "## New Olympic Discipline: Hive Hunting\n\n\n\nThis week, community contributor [Hakyac](<https://github.com/Hakyac>) added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers [@jonasLyk](<https://twitter.com/jonasLyk/status/1417205166172950531>) and [Kevin Beaumont](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>)). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.\n\nNote that Microsoft issued an out-of-band [advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) and tracked this vulnerability as [CVE-2021-36934](<https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege?referrer=blog>). You can find more information about the rules in this blog [post](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>). Happy Hive hunting!\n\n## Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow\n\nOur own [Grant Willcox](<https://github.com/gwillcox-r7>) added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in `genie.cgi?backup.cgi` page of Netgear R7000 routers to enable a telnet server and easily got code execution as the `root` user. Note that, whereas firmware versions `1.0.11.116` and prior are vulnerable, this module can only be used with versions `1.0.11.116` at the moment. The `check` method can still be used to detect if older devices are vulnerable. This module is based on research done by [@colorlight2019](<https://twitter.com/colorlight2019>). A new gold medal for the Metasploit team, great job!\n\n## New module content (5)\n\n * [Netgear R7000 backup.cgi Heap Overflow RCE](<https://github.com/rapid7/metasploit-framework/pull/15163>) by [Grant Willcox](<https://github.com/gwillcox-r7>), SSD Disclosure, and colorlight2019, which exploits [CVE-2021-31802](<https://attackerkb.com/topics/KwzVhOiykj/cve-2021-31802?referrer=blog>) \\- This adds an module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.\n * [Pi-Hole Remove Commands Linux Priv Esc](<https://github.com/rapid7/metasploit-framework/pull/15279>) by [Emanuele Barbeno](<https://ch.linkedin.com/in/emanuele-barbeno-b53a4990>) and [h00die](<https://github.com/h00die>), which exploits [CVE-2021-29449](<https://attackerkb.com/topics/0HUT2niFGw/cve-2021-29449?referrer=blog>) \\- This adds a local privilege escalation module that targets Pi-Hole versions &gt;= `3.0` and &lt;= `5.2.4`. In vulnerable versions of the software, a user with `sudo` privileges can escalate to `root` by passing shell commands to either the `removecustomcname`, `removecustomdns`, or `removestaticdhcp` function. The functions have minimal sanitization, and they pass the input to the `sed` command. By default, the `www-data` user is permitted to run `sudo` without supplying a password as configured in the `sudoers.d/pihole` file.\n * [Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15418>) by Nguyen Van Khanh, [Ron Jost](<https://github.com/Hacker5preme>), and [Yann Castel](<https://github.com/Hakyac>), which exploits [CVE-2021-24145](<https://attackerkb.com/topics/TWCON6tk7O/cve-2021-24145?referrer=blog>) \\- This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin known as Modern Events Calendar. For versions before `5.16.5`, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to `text/csv`. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.\n * [Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15408>) by [Ron Jost](<https://github.com/Hacker5preme>) and [Yann Castel](<https://github.com/Hakyac>), which exploits [CVE-2021-24347](<https://attackerkb.com/topics/gechd9yh12/cve-2021-24347?referrer=blog>) \\- This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin, SP Project and Document Manager. For versions below `4.22`, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a `.php` extension, meaning that uploading a file with a `.pHp` extension is allowed. Once uploaded, requesting the file will result in code execution as the `www-data` user.\n * [Windows SAM secrets leak - HiveNightmare](<https://github.com/rapid7/metasploit-framework/pull/15462>) by [Kevin Beaumont](<https://twitter.com/GossiTheDog>), [Yann Castel](<https://github.com/Hakyac>), and [romarroca](<https://github.com/romarroca>), which exploits [CVE-2021-36934](<https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege?referrer=blog>) \\- This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.\n\n## Enhancements and features\n\n * [#15444](<https://github.com/rapid7/metasploit-framework/pull/15444>) from [pingport80](<https://github.com/pingport80>) \\- This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.\n * [#15465](<https://github.com/rapid7/metasploit-framework/pull/15465>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information\n\n## Bugs fixed\n\n * [#15359](<https://github.com/rapid7/metasploit-framework/pull/15359>) from [stephenbradshaw](<https://github.com/stephenbradshaw>) \\- Fixes a bug in the ssh_login_pubkey which would crash out when not connected to the db\n * [#15460](<https://github.com/rapid7/metasploit-framework/pull/15460>) from [pingport80](<https://github.com/pingport80>) \\- This fixes a localization-related issue in the File libraries `copy_file` method caused by it searching for a word in the output to determine success.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.54...6.0.55](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-22T11%3A58%3A03-05%3A00..2021-07-29T12%3A01%3A27-05%3A00%22>)\n * [Full diff 6.0.54...6.0.55](<https://github.com/rapid7/metasploit-framework/compare/6.0.54...6.0.55>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-30T18:04:33", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24145", "CVE-2021-24347", "CVE-2021-29449", "CVE-2021-31802", "CVE-2021-36934"], "modified": "2021-07-30T18:04:33", "id": "RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED", "href": "https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the ****Export to PDF ****button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\n\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in[ Confluence Server &amp; Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:04:19", "description": "\n\nNow that 2022 is fully underway, it's time to wrap up some of the milestones that Rapid7 achieved in 2021. We worked harder than ever last year to help protectors keep their organization's infrastructure secure \u2014 even in the face of [some of the most difficult threats](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) the security community has dealt with in recent memory. Here's a rundown of some of our biggest moments in that effort from 2021.\n\n## Emergent threats and vulnerability disclosures\n\nAs always, our Research and Emergent Threat Response teams spent countless hours this year tirelessly bringing you need-to-know information about the most impactful late-breaking security exploits and vulnerabilities. Let's revisit some of the highlights.\n\n### Emergent threat reports\n\n * [Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)\n * [CVE-2021-34527 (PrintNightmare): What You Need to Know](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\n * [GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild](<https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n * [Microsoft SAM File Readability CVE-2021-36934: What You Need to Know](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>)\n\n### Vulnerability disclosures\n\n * [CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities (FIXED)](<https://www.rapid7.com/blog/post/2021/09/07/cve-2021-3546-78-akkadian-console-server-vulnerabilities-fixed/>)\n * [Fortinet FortiWeb OS Command Injection](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>)\n * [CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>)\n\n## Research and policy highlights\n\nThat's not all our Research team was up to in 2021. They also churned out a wealth of content and resources weighing in on issues of industry-wide, national, and international importance.\n\n * We published several reports on the state of cybersecurity, including:\n * Our [2020 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2021/03/11/introducing-the-vulnerability-intelligence-report-50-cves-that-made-headlines-in-2020/>)\n * Our latest [Industry Cyber-Exposure Report (ICER)](<https://www.rapid7.com/blog/post/2021/05/05/rapid7-releases-new-industry-cyber-exposure-report-icer-asx-200/>)\n * Our [2021 Cloud Misconfigurations Report](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>)\n * We tackled the [hot-button topic of hack back](<https://www.rapid7.com/blog/post/2021/08/10/hack-back-is-still-wack/>) and discussed whether or not the practice is, in fact, wack. (Spoiler: It is.)\n * We unpacked the implications for [cybersecurity in the US Infrastructure Bill](<https://www.rapid7.com/blog/post/2021/08/31/cybersecurity-in-the-infrastructure-bill/>).\n * We highlighted the reasons why we think the [UK's Computer Misuse Act](<https://www.rapid7.com/blog/post/2021/08/12/reforming-the-uks-computer-misuse-act/>) needs some revising.\n * We launched [Project Doppler](<https://www.rapid7.com/research/project-doppler/>), a free tool for Rapid7 customers, developed by our Research team to help organizations get better insight into their public internet exposure.\n\n## The Rapid7 family keeps growing\n\nThroughout 2021, we made some strategic acquisitions to broaden the solutions we offer and help make the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>) the one-stop shop for your security program.\n\n * [We acquired IntSights](<https://www.rapid7.com/blog/post/2021/07/19/rapid7-acquires-intsights/>) to help organizations obtain holistic threat intelligence.\n * [We teamed up with open-source platform Velociraptor](<https://www.rapid7.com/blog/post/2021/04/21/rapid7-and-velociraptor-join-forces/>) to provide teams with better endpoint visibility.\n * [We brought Kubernetes security provider Alcide](<https://www.rapid7.com/blog/post/2021/02/01/rapid7-acquires-leading-kubernetes-security-provider-alcide/>) under the Rapid7 umbrella to add more robust cloud security capabilities to InsightCloudSec.\n\n## Industry accolades\n\nWe're always thrilled to get industry recognition for the work we do helping protectors secure their organizations \u2014 and we had a few big nods to celebrate in 2021.\n\n * Gartner once again [named us a Leader](<https://www.rapid7.com/blog/post/2021/08/23/rapid7-mdr-named-a-market-leader-again/>) in its Magic Quadrant for Managed Detection and Response (MDR).\n * We also earned recognition as a Strong Performer in the [inaugural Forrester Wave for MDR](<https://www.rapid7.com/blog/post/2021/03/24/rapid7-recognized-as-a-strong-performer-in-the-inaugural-forrester-wave-for-mdr-q1-2021/>).\n * InsightIDR was recognized by Gartner us as a [Leader in SIEM](<https://www.rapid7.com/blog/post/2021/07/06/once-again-rapid7-named-a-leader-in-2021-gartner-magic-quadrant-for-siem/>) for the second time in a row.\n * For its 2021 Dynamic Application Security Testing (DAST) Magic Quadrant, Gartner [named us a Visionary](<https://www.rapid7.com/blog/post/2021/06/01/rapid7-named-a-visionary-in-2021-gartner-magic-quadrant-for-application-security-testing/>).\n\n## Keeping in touch\n\nClearly, we had a pretty busy 2021 \u2014 and we have even more planned for 2022. If you need the latest and greatest in security content to tide you over throughout the last few weeks of the year, we have a few ideas for you.\n\n * Listen to the [latest season of Security Nation](<https://www.rapid7.com/blog/series/security-nation/security-nation-season-4/>), our podcast where we chat with amazing guests from all corners of the security community. Season 5 launches later this month!\n * Put the finishing touches on your cybersecurity program for the coming year with insights from our [2022 Planning series](<https://www.rapid7.com/blog/tag/2022-planning/>).\n * Get better acquainted with the latest application security threats with our series on the [OWASP Top 10 for 2021](<https://www.rapid7.com/blog/tag/owasp-top-10-2021/>).\n * Read up on why [InsightIDR was XDR before it was cool to be XDR](<https://www.rapid7.com/blog/post/2021/11/09/insightidr-was-xdr-before-xdr-was-even-a-thing-an-origin-story/>).\n\nStay tuned for more great content, research, and much more in 2022!\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-01-05T18:52:41", "type": "rapid7blog", "title": "Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2021-1675", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-34527", "CVE-2021-3546", "CVE-2021-36934", "CVE-2021-44228"], "modified": "2022-01-05T18:52:41", "id": "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "href": "https://blog.rapid7.com/2022/01/05/rapid7-2021-wrap-up-highlights-from-a-year-of-empowering-the-protectors/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-21T10:49:33", "description": "\n\nHot off the press, it\u2019s another issue of the Patch Tuesday blog! While the number of vulnerabilities is low this month, there are a number of high risk items administrators will want to patch right away including a few that will require additional remediation steps. This Patch Tuesday also includes updates for three vulnerabilities that were publicly disclosed earlier this month. Let\u2019s jump in.\n\n## Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934> \nWith a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates they took caution not to delete users' backups, but the trade-off is that customers will need to do the chore themselves. We've updated [our blog post](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>) with this additional information.\n\n## Windows LSA Spoofing Vulnerability aka ADV210003\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942> \nAnother high priority action for patching teams is CVE-2021-36942. This update patches one of the vectors used in the PetitPotam attack. After applying this update there are additional configurations required in order to protect systems from other attack vectors using registry keys. The InsightVM team has included detection for the registry keys needed to enable EPA and SMB Signing in addition to the normal update. Please see [our blog post](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for more information.\n\n## Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26432> \nWhile Microsoft has not offered up any details for this vulnerability we can glean some info from the CVSS information. This remote code execution vulnerability is reachable from the network service with no authentication or user action required. There may not be an exploit available for this yet, but Microsoft indicates that \u201cExploitation [is] more likely\u201d. Put this update near the top of your TODO list.\n\n## Windows TCP/IP Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26424> \nLast on our list is a vulnerability that can result in remote execution on a Hyper-V host via the IPv6 networking stack. If Hyper-V is used in your environment this should be first on your list this month. \n\n## Summary Graphs\n\n\n\n## Summary Tables\n\n## Azure Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36949>) | Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability | No | No | 7.1 | Yes \n[CVE-2021-26428](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26428>) | Azure Sphere Information Disclosure Vulnerability | No | No | 4.4 | Yes \n[CVE-2021-26429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26429>) | Azure Sphere Elevation of Privilege Vulnerability | No | No | 7.7 | Yes \n[CVE-2021-26430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26430>) | Azure Sphere Denial of Service Vulnerability | No | No | 6 | Yes \n[CVE-2021-33762](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33762>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36943>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 4 | No \n \n## Browser Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-30597](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30597>) | Chromium: CVE-2021-30597 Use after free in Browser UI | No | No | | Yes \n[CVE-2021-30596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30596>) | Chromium: CVE-2021-30596 Incorrect security UI in Navigation | No | No | | Yes \n[CVE-2021-30594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30594>) | Chromium: CVE-2021-30594 Use after free in Page Info UI | No | No | | Yes \n[CVE-2021-30593](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30593>) | Chromium: CVE-2021-30593 Out of bounds read in Tab Strip | No | No | | Yes \n[CVE-2021-30592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30592>) | Chromium: CVE-2021-30592 Out of bounds write in Tab Groups | No | No | | Yes \n[CVE-2021-30591](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30591>) | Chromium: CVE-2021-30591 Use after free in File System API | No | No | | Yes \n[CVE-2021-30590](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30590>) | Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks | No | No | | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34532>) | ASP.NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34485>) | .NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-26423](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36946>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 5.4 | No \n[CVE-2021-34524](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34524>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 8.1 | No \n[CVE-2021-36950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36950>) | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 5.4 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36941](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36941>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-36940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36940>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-34478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34478>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34471>) | Microsoft Windows Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26426](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26426>) | Windows User Account Profile Picture Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36948>) | Windows Update Medic Service Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-26432](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26432>) | Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability | No | No | 9.8 | No \n[CVE-2021-26433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26433>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36926>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36932>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36933>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26431](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26431>) | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34534](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34534>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34530>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34486](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34486>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34487](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34487>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36938>) | Windows Cryptographic Primitives Library Information Disclosure Vulnerability | No | No | 5.5 | No \n[CVE-2021-36945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36945>) | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-34536](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34536>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34484>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26424>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-36936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36936>) | Windows Print Spooler Remote Code Execution Vulnerability | No | Yes | 8.8 | No \n[CVE-2021-36947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36947>) | Windows Print Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-34483](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34483>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36937>) | Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-36942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36942>) | Windows LSA Spoofing Vulnerability | No | Yes | 7.5 | Yes \n[CVE-2021-34533](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34533>) | Windows Graphics Component Font Parsing Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-26425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26425>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36927>) | Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34537](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34537>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34480](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34480>) | Scripting Engine Memory Corruption Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34535](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34535>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes", "cvss3": {}, "published": "2021-08-11T03:19:33", "type": "rapid7blog", "title": "Patch Tuesday - August 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26428", "CVE-2021-26429", "CVE-2021-26430", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-30590", "CVE-2021-30591", "CVE-2021-30592", "CVE-2021-30593", "CVE-2021-30594", "CVE-2021-30596", "CVE-2021-30597", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34524", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36934", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949", "CVE-2021-36950"], "modified": "2021-08-11T03:19:33", "id": "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD", "href": "https://blog.rapid7.com/2021/08/11/patch-tuesday-august-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veeam": [{"lastseen": "2023-02-14T15:24:44", "description": "This article documents Veeam's position on Windows Elevation of Privilege Vulnerability CVE-2021-36934. Specifically regarding the listed mitigation steps involving removal of all shadow copies, and the \"Impact of workaround\" mentioned in the Workarounds section of CVE-2021-36934.", "cvss3": {}, "published": "2021-11-01T00:00:00", "type": "veeam", "title": "Veeam Best Practices regarding CVE-2021-36934", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-11-01T00:00:00", "id": "VEEAM:KB4231", "href": "https://www.veeam.com/kb4231", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "If a Volume Shadow Copy (VSS) shadow copy of the system drive is available, users can read the SAM file which would allow any user to escalate privileges to SYSTEM level.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows SAM Local Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2021-36934", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2022-11-05T11:04:41", "description": "Microsoft Windows is an operating system for personal devices from Microsoft Corporation (USA). Microsoft Windows is vulnerable to an access control error, which stems from an elevation of privilege vulnerability because the system has an overly loose access control list for multiple system files. An attacker could exploit this vulnerability to run arbitrary code using SYSTEM privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-23T00:00:00", "type": "cnvd", "title": "Microsoft Windows Access Control Error Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-01T00:00:00", "id": "CNVD-2021-57182", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-57182", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-03-24T15:24:49", "description": "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-27T00:00:00", "type": "nessus", "title": "Windows SeriousSAM HiveNightmare Registry Read Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2023-03-23T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_SERIOUS_SAM_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/152100", "sourceData": "Binary data smb_nt_serious_sam_check.nbin", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:26:35", "description": "Windows Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T07:15:00", "type": "cve", "title": "CVE-2021-36934", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:20h2"], "id": "CVE-2021-36934", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36934", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*"]}], "avleonov": [{"lastseen": "2021-08-02T08:54:10", "description": "Hello everyone! After 4 episodes of the Last Week&#x27;s Security news, I decided to change the format. I will no longer try to cover all the important news, because it takes a long time to prepare such reviews. So, from now on, I will focus only on a few news of the past week, which I subjectively consider the most interesting.\n\nSo, the last week, July 19 - July 25. In my opinion, the most interesting news was the scandal related to the iPhone Pegasus spyware and two Elevations of Privileges: SeriousSAM for Windows and Sequoia for Linux.\n\n## NSO Group&#x27;s Pegasus\n\nLet&#x27;s start with Pegasus. \n\n_&quot;[An investigation finds Israeli _NSO Group&#x27;s_ Pegasus spyware](<https://www.darkreading.com/attacks-breaches/nso-group-spyware-used-on-journalists-and-activists-worldwide/d/d-id/1341551>), intended for use on criminals and terrorists, has been used in targeted campaigns against journalists, human rights groups, politicians, and attorneys. Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones.&quot;_\n\nThe news itself is not particularly interesting. The spyware was used to spy on people. Well, ok. But the following public discussion deserves some attention. Some famous people have even called for a ban on such Offensive Security businesses.\n\nWhat do I think about it. First of all, I don&#x27;t share the surprise that the software that was supposed to be used against the bad guys was being used against other guys. The vendor cannot control this, even if they wanted to. And, of course, another question is who decide who the bad guys are.\n\nSecondly, I don&#x27;t think the public Offensive Security businesses should be banned. They provide some insights into what is technically doable right now. Without them, the visibility will decrease. And highly qualified professionals will have to look for work in the secret services or criminal organizations. It will only get worse.\n\nLast but not least, if you really think about privacy, the iPhone is an odd choice. This platform is too centralized, popular, trendy. This is the perfect target. If you want more privacy, try something more exotic like Jolla Sailfish. But something custom based on the Raspberry Pi would be even better. Yes, it may be uncomfortable and strange, but such is the reality of the modern world.\n\n## SeriousSAM\n\nNow let&#x27;s see the nice Windows EoP **SeriousSAM** (CVE-2021-36934):\n\n_&quot;[Multiple versions of Windows](<https://kb.cert.org/vuls/id/506989>) grant non-administrative users read access to files in the `%windir%\\system32\\config` directory. [\u2026] If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to: \nExtract and leverage account password hashes. \nDiscover the original Windows installation password. \nObtain DPAPI computer keys, which can be used to decrypt all computer private keys. \nObtain a computer machine account, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).&quot;_\n\nIt looks very simple and impressive. So what can you do about it? Firstly, [the patches are already available](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) (**upd. 02.08** Patches are NOT available, only lists of vulnerable systems; Sorry my mistake), in addition, you can **Restrict access to the contents of %windir%\\system32\\config** and **Delete Volume Shadow Copy Service (VSS) shadow copies**.\n\n## Sequoia\n\nAnd finally, EoP for Linux, which the guys from Qualys found (CVE-2021-33909). They named it **Sequoia**.\n\n_&quot;[The Qualys Research Team has discovered](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909>)_ _a size_t-to-int type conversion vulnerability in the Linux Kernel\u2019s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration. [\u2026] Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.&quot;_\n\nWhen I see vulnerabilities like these that have gone unnoticed for years, I think about the certification procedures. Many Linux distributions have been certified to be free of undeclared features. If such vulnerabilities are not found in the certification process, then what does this mean?\n\n", "cvss3": {}, "published": "2021-07-26T16:46:10", "type": "avleonov", "title": "Last Week\u2019s Security news: Pegasus, SeriousSAM, Sequoia", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-33909", "CVE-2021-36934"], "modified": "2021-07-26T16:46:10", "id": "AVLEONOV:C94D71525D4EE3653DAE00D2FB37BBE1", "href": "http://feedproxy.google.com/~r/avleonov/~3/Ii5ndTxVr8Y/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:43:30", "description": "Hello everyone! Last Week&#x27;s Security News, July 26 - August 1.\n\n## Serious Sam in Metasploit\n\n[Last week I talked about the Serious Sam](<https://avleonov.com/2021/07/26/last-weeks-security-news-pegasus-serioussam-sequoia/>) vulnerability (CVE-2021-36934), also known as HiveNightmare. The name HiveNightmare comes from the fact that Windows stores its registry data in a small number of [proprietary database files called hives](<https://nakedsecurity.sophos.com/2021/07/21/windows-hivenightmare-bug-could-leak-passwords-heres-what-to-do/>). Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged user to read those files and then, for example, extract the account password hashes. An exploit for this vulnerability [is now available in Metasploit](<https://vulners.com/metasploit/MSF:POST/WINDOWS/GATHER/CREDENTIALS/WINDOWS_SAM_HIVENIGHTMARE/>) and it will be much easier for attackers to exploit this vulnerability. The issues is still under investigation by Microsoft and a patch is not currently available, [only the list of vulnerable OS versions](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>), however a workaround has been provided.\n\n## PetitPotam\n\nAt the beginning of last week, [PetitPotam (Little Hippo) attack](<https://threatpost.com/microsoft-petitpotam-poc/168163/>) made a lot of noise. It could force remote Windows systems to reveal password hashes that could then be easily cracked.\n\n> &quot;The PetitPotam bug is tied to the Windows operating system and the abuse of a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to allow Windows systems to access remote encrypted data stores, allowing for management of the data while enforcing access control policies. [\u2026] \nThe PetitPotam PoC is a form of manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. Next, an attacker uses the file-sharing protocol Server Message Block (SMB) to request access to a remote system\u2019s MS-EFSRPC interface. According to [security researcher Gilles Lionel], this forces the targeted computer to initiate an authentication procedure and share its authentication details via NTLM.\n> \n> In response to the public availability of the PoC, Microsoft was quick to respond, outlining several mitigation options. For starters, Microsoft recommends disabling NTLM authentication on Windows domain controllers. It also suggests enabling the Extended Protection for Authentication (EPA) feature on AD CS services.&quot;\n\nBut there won&#x27;t be any special fix. Microsoft: &quot;[PetitPotam is a classic NTLM Relay Attack](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>), and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers.&quot;\n\nSo, I can only repeat Kevin Beaumont&#x27;s [tweet](<https://twitter.com/GossiTheDog/status/1418990195169497099?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1418990195169497099%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Favleonov.com%2Fwp-admin%2Fpost.php%3Fpost%3D5818action%3Dedit>): \n\n> &quot;Microsoft are no fixing this, so you have an out of the box no auth to Domain Admin path on default config Active Directory environments now, attackers.&quot;\n\n> Microsoft are no fixing this, so you have an out of the box no auth to Domain Admin path on default config Active Directory environments now, attackers. [pic.twitter.com/t9pOvCKbmT](<https://t.co/t9pOvCKbmT>)\n> \n> -- Kevin Beaumont (@GossiTheDog) [July 24, 2021](<https://twitter.com/GossiTheDog/status/1418990195169497099?ref_src=twsrc%5Etfw>)\n\n## Zimbra Hijack\n\n[Stored XSS (CVE-2021-35208) and Proxy Servlet Open Redirect (CVE-2021-35209) vulnerabilities](<https://thehackernews.com/2021/07/new-bug-could-let-attackers-hijack.html>) in Zimbra. \n\n> &quot;Zimbra is a cloud-based email, calendar, and collaboration suite for enterprises and is available both as an open-source version and a commercially supported version with additional features such as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, among others. It&#x27;s used by over 200,000 businesses across 160 countries.&quot; &quot;A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization. [\u2026] As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.&quot;\n\nThere are no public exploits yet for this vulnerability, but if you are using Zimbra in your organization, be sure to update it.\n\n## Joint Advisory TOP30 CVEs\n\nCybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [released the Joint Cybersecurity Advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) providing details on the top 30 vulnerabilities\u2014primarily Common Vulnerabilities and Exposures (CVEs) \u2014 routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021. \n\nThis is not the first such advisory. The previous one was in April, but there were fewer vulnerabilities. I think this is a very good initiative that really helps prioritize vulnerabilities. But, of course, there are questions about the structure and content [of the report](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>). For example, there is no complete list of these TOP 30 vulnerabilities. I think a detailed review of vulnerabilities is a topic for a separate episode. This can be done quite simply with [Vulristics](<https://github.com/leonov-av/vulristics>). Write in the comments if you want to see it.\n\nHere I can only say that the vulnerabilities are related to a wide variety of vendors: Microsoft, Telerik, Drupal, Atlassian, MobileIron, F5-Big IP, Fortinet, Pulse, Citrix, Accellion, VMware. I also liked that among the recommendations for fixing there was &quot;To further assist remediation, automatic software updates should be enabled whenever possible&quot;. Of course, updates can sometimes break something, but automated patching is the right goal.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-02T19:48:50", "type": "avleonov", "title": "Last Week\u2019s Security news: Serious Sam in Metasploit, PetitPotam, Zimbra Hijack, Joint Advisory TOP30 CVEs", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35208", "CVE-2021-35209", "CVE-2021-36934"], "modified": "2021-08-02T19:48:50", "id": "AVLEONOV:14EA12A691C5CFD8469608EAE2674E5B", "href": "https://avleonov.com/2021/08/02/last-weeks-security-news-serious-sam-in-metasploit-petitpotam-zimbra-hijack-joint-advisory-top30-cves/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-02-11T11:32:58", "description": "CISA has added 15 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \n \nCVE-2021-36934\n\n| \n\nMicrosoft Windows SAM Local Privilege Escalation Vulnerability\n\n| \n\n2/24/2022 \n \nCVE-2020-0796\n\n| \n\nMicrosoft SMBv3 Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2018-1000861\n\n| \n\nJenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-9791\n\n| \n\nApache Struts 1 Improper Input Validation Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-8464\n\n| \n\nMicrosoft Windows Shell (.lnk) Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-10271\n\n| \n\nOracle Corporation WebLogic Server Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0263\n\n| \n\nMicrosoft Win32k Privilege Escalation Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0262\n\n| \n\nMicrosoft Office Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0145\n\n| \n\nMicrosoft SMBv1 Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2017-0144\n\n| \n\nMicrosoft SMBv1 Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2016-3088 \n\n| \n\nApache ActiveMQ Improper Input Validation Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2015-2051\n\n| \n\nD-Link DIR-645 Router Remote Code Execution\n\n| \n\n8/10/2022 \n \nCVE-2015-1635\n\n| \n\nMicrosoft HTTP.sys Remote Code Execution Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2015-1130\n\n| \n\nApple OS X Authentication Bypass Vulnerability\n\n| \n\n8/10/2022 \n \nCVE-2014-4404\n\n| \n\nApple OS X Heap-Based Buffer Overflow Vulnerability\n\n| \n\n8/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-10T00:00:00", "type": "cisa", "title": "CISA Adds 15 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4404", "CVE-2015-1130", "CVE-2015-1635", "CVE-2015-2051", "CVE-2016-3088", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-8464", "CVE-2017-9791", "CVE-2018-1000861", "CVE-2020-0796", "CVE-2021-36934"], "modified": "2022-02-10T00:00:00", "id": "CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-11-26T12:37:38", "description": "\n\n * [IT threat evolution Q3 2021](<https://securelist.com/it-threat-evolution-q3-2021/104876/>)\n * **IT threat evolution in Q3 2021. PC statistics**\n * [IT threat evolution in Q3 2021. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q3 2021:\n\n * Kaspersky solutions blocked 1,098,968,315 attacks from online resources across the globe.\n * Web Anti-Virus recognized 289,196,912 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 104,257 unique users.\n * Ransomware attacks were defeated on the computers of 108,323 unique users.\n * Our File Anti-Virus detected 62,577,326 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q3 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 104,257 unique users.\n\n_Number of unique users attacked by financial malware, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150303/01-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150355/02-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.4 \n2 | Tajikistan | 3.7 \n3 | Afghanistan | 3.5 \n4 | Uzbekistan | 3.0 \n5 | Yemen | 1.9 \n6 | Kazakhstan | 1.6 \n7 | Paraguay | 1.6 \n8 | Sudan | 1.6 \n9 | Zimbabwe | 1.4 \n10 | Belarus | 1.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.7 \n2 | SpyEye | Trojan-Spy.Win32.SpyEye | 17.5 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.6 \n4 | Trickster | Trojan.Win32.Trickster | 4.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.6 \n6 | Nimnul | Virus.Win32.Nimnul | 3.0 \n7 | Gozi | Trojan-Banker.Win32.Gozi | 2.7 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 2.4 \n9 | Tinba | Trojan-Banker.Win32.Tinba | 1.5 \n10 | Cridex | Backdoor.Win32.Cridex | 1.3 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nIn Q3, the family ZeuS/Zbot (17.7%), as usual, became the most widespread family of bankers. Next came the SpyEye (17.5%) family, whose share doubled from 8.8% in the previous quarter. The Top 3 was rounded out by the CliptoShuffler family (9.6%) \u2014 one position and just 0.3 p.p. down. The families Trojan-Banker.Win32.Gozi (2.7%) and Trojan-Banker.Win32.Tinba (1.5%) have made it back into the Top 10 in Q3 \u2014 seventh and ninth places, respectively.\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Kaseya and the REvil story\n\nIn early July, the group REvil/Sodinokibi [attempted an attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) on the remote administration software Kaseya VSA, compromising several managed services providers (MSP) who used this system. Thanks to this onslaught on the supply chain, the attackers were able to infect over one thousand of the compromised MSPs&#x27; client businesses. REvil&#x27;s original $70 million ransom demand in exchange for decryption of all the users hit by the attack was soon moderated to 50 million.\n\nFollowing this massive attack, law enforcement agencies stepped up their attention to REvil, so by mid-July the gang turned off their Trojan infrastructure, suspended new infections and dropped out of sight. Meanwhile, Kaseya got a universal decryptor for all those affected by the attack. [According to](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-August-4th-2021>) Kaseya, it &quot;did not pay a ransom \u2014 either directly or indirectly through a third party&quot;. Later [it emerged](<https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html>) that the company got the decryptor and the key from the FBI.\n\nBut already in the first half of September, REvil was up and running again. [According to](<https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/>) the hacking forum XSS, the group&#x27;s former public representative known as UNKN &quot;disappeared&quot;, and the malware developers, failing to find him, waited awhile and restored the Trojan infrastructure from backups.\n\n#### The arrival of BlackMatter: DarkSide restored?\n\nAs we already wrote in our Q2 report, the group DarkSide folded its operations after their &quot;too high-profile&quot; attack on Colonial Pipeline. And now there is a &quot;new&quot; arrival known as BlackMatter, which, as its members [claim](<https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil>), represents the &quot;best&quot; of DarkSide, REvil and LockBit.\n\nFrom our analysis of the BlackMatter Trojan&#x27;s executable we conclude that most likely it was built using DarkSide&#x27;s source codes.\n\n#### Q3 closures\n\n * Europol and the Ukrainian police have [arrested](<https://www.europol.europa.eu/newsroom/news/ransomware-gang-arrested-in-ukraine-europol's-support>) two members of an unnamed ransomware gang. The only detail made known is that the ransom demands amounted to \u20ac5 to \u20ac70 million.\n * Following its attack on Washington DC&#x27;s Metropolitan Police Department, the group Babuk folded (or just suspended) its operations and published an archive containing the Trojan&#x27;s source code, build tools and keys for some of the victims.\n * At the end of August, Ragnarok (not to be confused with RagnarLocker) suddenly called it a day, deleted all their victims&#x27; info from their portal and published the master key for decryption. The group gave no reasons for this course of action.\n\n#### Exploitation of vulnerabilities and new attack methods\n\n * The group HelloKitty used to distribute its ransomware by exploiting the vulnerability CVE-2019-7481 in SonicWall gateways.\n * Magniber and Vice Society penetrated the target systems by exploiting the vulnerabilities from the PrintNightmare family (CVE-2021-1675, CVE-2021-34527, CVE-2021-36958).\n * The group LockFile exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to penetrate the victim&#x27;s network; for lateral expansion they relied on the new PetitPotam attack that gained control of the domain controller.\n * The group Conti also used ProxyShell exploits for its attacks.\n\n### Number of new ransomware modifications\n\nIn Q3 2021, we detected 11 new ransomware families and 2,486 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q3 2020 \u2014 Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150433/03-en-ru-es-malware-report-q3-2021-pc-graphs.png>))_\n\n## Number of users attacked by ransomware Trojans\n\nIn Q3 2021, Kaspersky products and technologies protected 108,323 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150459/04-en-malware-report-q3-2021-pc-graphs.png>))_\n\n## Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150535/05-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.98 \n2 | Uzbekistan | 0.59 \n3 | Bolivia | 0.55 \n4 | Pakistan | 0.52 \n5 | Myanmar | 0.51 \n6 | China | 0.51 \n7 | Mozambique | 0.51 \n8 | Nepal | 0.48 \n9 | Indonesia | 0.47 \n10 | Egypt | 0.45 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). \n** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n## Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 27.67% \n2 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 17.37% \n3 | WannaCry | Trojan-Ransom.Win32.Wanna | 11.84% \n4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.78% \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.58% \n6 | (generic verdict) | Trojan-Ransom.Win32.Phny | 5.57% \n7 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.65% \n8 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.04% \n9 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.07% \n10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.04% \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q3 2021, Kaspersky solutions detected 46,097 new modifications of miners.\n\n_Number of new miner modifications, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150605/06-en-malware-report-q3-2021-pc-graphs.png>))_\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks using miners on the computers of 322,131 unique users of Kaspersky products worldwide. And while during Q2 the number of attacked users gradually decreased, the trend was reversed in July and August 2021. With slightly over 140,000 unique users attacked by miners in July, the number of potential victims almost reached 150,000 in September.\n\n_Number of unique users attacked by miners, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150635/07-en-malware-report-q3-2021-pc-graphs.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150710/08-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 2.41 \n2 | Rwanda | 2.26 \n3 | Myanmar | 2.22 \n4 | Uzbekistan | 1.61 \n5 | Ecuador | 1.47 \n6 | Pakistan | 1.43 \n7 | Tanzania | 1.40 \n8 | Mozambique | 1.34 \n9 | Kazakhstan | 1.34 \n10 | Azerbaijan | 1.27 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\n### Quarter highlights\n\nMuch clamor was caused in Q3 by a whole new family of vulnerabilities in Microsoft Windows printing subsystem, one already known to the media as PrintNightmare: [CVE-2021-1640](<https://nvd.nist.gov/vuln/detail/CVE-2021-1640>), [CVE-2021-26878](<https://nvd.nist.gov/vuln/detail/CVE-2021-26878>), [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936>), [CVE-2021-36947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947>), [CVE-2021-34483](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483>). All those vulnerabilities allow for local escalation of privileges or remote execution of commands with system rights and, as they require next to nothing for exploitation, they are often used by popular mass infection tools. To fix them, several Microsoft patches are required.\n\nThe vulnerability known as PetitPotam proved no less troublesome. It allows an unprivileged user to take control of a Windows domain computer \u2014 or even a domain controller \u2014 provided the Active Directory certificate service is present and active.\n\nIn the newest OS Windows 11, even before its official release, the vulnerability [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483>) was detected and dubbed HiveNightmare/SeriousSam. It allows an unprivileged user to copy all the registry threads, including SAM, through the shadow copy mechanism, potentially exposing passwords and other critical data.\n\nIn Q3, attackers greatly favored exploits targeting the vulnerabilities ProxyToken, ProxyShell and ProxyOracle ([CVE-2021-31207](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>), [CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>), [CVE-2021-31195](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195>), [CVE-2021-31196](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>)). If exploited in combination, these open full control of mail servers managed by Microsoft Exchange Server. We already covered [similar vulnerabilities](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) \u2014 for instance, they were used in a HAFNIUM attack, also targeting Microsoft Exchange Server.\n\nAs before, server attacks relying on brute-forcing of passwords to various network services, such as MS SQL, RDP, etc., stand out among Q3 2021 network threats. Attacks using the exploits EternalBlue, EternalRomance and similar are as popular as ever. Among the new ones is the grim vulnerability enabling remote code execution when processing the Object-Graph Navigation Language in the product Atlassian Confluence Server ([CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>)) often used in various corporate environments. Also, Pulse Connect Secure was found to contain the vulnerability [CVE-2021-22937](<https://nvd.nist.gov/vuln/detail/CVE-2021-22937>), which however requires the administrator password for it to be exploited.\n\n### Statistics\n\nAs before, exploits for Microsoft Office vulnerabilities are still leading the pack in Q3 2021 (60,68%). These are popular due to the large body of users, most of whom still use older versions of the software, thus making the attackers&#x27; job much easier. The share of Microsoft Office exploits increased by almost 5 p.p. from the previous quarter. Among other things, it was due to the fact that the new vulnerability [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>) was discovered in the wild, instantly employed to compromise user machines. The attacker can exploit it by using the standard functionality that allows office documents to download templates, implemented with the help of special ActiveX components. There is no proper validation of the processed data during the operation, so any malicious code can be downloaded. As you are reading this, the relevant security update is already available.\n\nThe way individual Microsoft Office vulnerabilities are ranked by the number of detections does not change much with time: the first positions are still shared by [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), with another popular vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) not far behind. We already covered these many times \u2014 all the above-mentioned vulnerabilities execute commands on behalf of the user and infect the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151038/09-en-malware-report-q3-2021-pc-graphs.png>))_\n\nThe share of exploits for the popular browsers fell by 3 p.p. from the previous reporting period to 25.57% in Q3. In the three months covered by the report several vulnerabilities were discovered in Google Chrome browser and its script engine V8 \u2014 some of them in the wild. Among these, the following JavaScript engine vulnerabilities stand out: [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>) (type confusion error corrupting the heap memory), [CVE-2021-30632](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) (out-of-bounds write in V8) and [CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) (use-after-free in Indexed DB). All these can potentially allow remote execution of code. But it should be remembered that for modern browsers a chain of several exploits is often required to leave the sandbox and secure broader privileges in the system. It should also be noted that with Google Chromium codebase (in particular the Blink component and V8) being used in many browsers, any newly detected Google Chrome vulnerability automatically makes other browsers built with its open codebase vulnerable.\n\nThe third place if held by Google Android vulnerabilities (5.36%) \u2014 1 p.p. down from the previous period. They are followed by exploits for Adobe Flash (3.41%), their share gradually decreasing. The platform is no longer supported but is still favored by users, which is reflected in our statistics.\n\nOur ranking is rounded out by vulnerabilities for Java (2.98%), its share also noticeably lower, and Adobe PDF (1.98%).\n\n## Attacks on macOS\n\nWe will remember Q3 2021 for the two interesting revelations. The first one is the use of [malware code targeting macOS](<https://securelist.com/wildpressure-targets-macos/103072/>) as part of the WildPressure campaign. The second is the detailed [review of the previously unknown FinSpy implants](<https://securelist.com/finspy-unseen-findings/104322/>) for macOS.\n\nSpeaking of the most widespread threats detected by Kaspersky security solutions for macOS, most of our Top 20 ranking positions are occupied by various adware apps. Among the noteworthy ones is Monitor.OSX.HistGrabber.b (second place on the list) \u2014 this potentially unwanted software sends user browser history to its owners&#x27; servers.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 13.22 \n2 | Monitor.OSX.HistGrabber.b | 11.19 \n3 | AdWare.OSX.Pirrit.ac | 10.31 \n4 | AdWare.OSX.Pirrit.o | 9.32 \n5 | AdWare.OSX.Bnodlero.at | 7.43 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.22 \n7 | AdWare.OSX.Pirrit.gen | 6.41 \n8 | AdWare.OSX.Cimpli.m | 6.29 \n9 | AdWare.OSX.Bnodlero.bg | 6.13 \n10 | AdWare.OSX.Pirrit.ae | 5.96 \n11 | AdWare.OSX.Agent.gen | 5.65 \n12 | AdWare.OSX.Pirrit.aa | 5.39 \n13 | Trojan-Downloader.OSX.Agent.h | 4.49 \n14 | AdWare.OSX.Bnodlero.ay | 4.18 \n15 | AdWare.OSX.Ketin.gen | 3.56 \n16 | AdWare.OSX.Ketin.h | 3.46 \n17 | Backdoor.OSX.Agent.z | 3.45 \n18 | Trojan-Downloader.OSX.Lador.a | 3.06 \n19 | AdWare.OSX.Bnodlero.t | 2.80 \n20 | AdWare.OSX.Bnodlero.ax | 2.64 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151108/10-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 3.05 \n2 | Spain | 2.85 \n3 | India | 2.70 \n4 | Mexico | 2.59 \n5 | Canada | 2.52 \n6 | Italy | 2.42 \n7 | United States | 2.37 \n8 | Australia | 2.23 \n9 | Brazil | 2.21 \n10 | United Kingdom | 2.12 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000). \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q3 2021, France took the lead having the greatest percentage of attacks on users of Kaspersky security solutions (3.05%), with the potentially unwanted software Monitor.OSX.HistGrabber being the prevalent threat there. Spain and India came in second and third, with the Pirrit family adware as their prevalent threat.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2021, most of the devices that attacked Kaspersky honeypots did so using the Telnet protocol. Just less than a quarter of all devices attempted brute-forcing our traps via SSH.\n\nTelnet | 76.55% \n---|--- \nSSH | 23.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2021_\n\nThe statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 84.29% \n---|--- \nSSH | 15.71% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 39.48 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 20.67 \n3 | Backdoor.Linux.Agent.bc | 10.00 \n4 | Backdoor.Linux.Mirai.ba | 8.65 \n5 | Trojan-Downloader.Shell.Agent.p | 3.50 \n6 | Backdoor.Linux.Gafgyt.a | 2.52 \n7 | RiskTool.Linux.BitCoinMiner.b | 1.69 \n8 | Backdoor.Linux.Ssh.a | 1.23 \n9 | Backdoor.Linux.Mirai.ad | 1.20 \n10 | HackTool.Linux.Sshbru.s | 1.12 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q3 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q3-2021/104796/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&amp;C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q3 2021, Kaspersky solutions blocked 1,098,968,315 attacks launched from online resources located across the globe. Web Anti-Virus recognized 289,196,912 unique URLs as malicious.\n\n_Distribution of web-attack sources by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151328/13-en-malware-report-q3-2021-pc-graphs-1.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Tunisia | 27.15 \n2 | Syria | 17.19 \n3 | Yemen | 17.05 \n4 | Nepal | 15.27 \n5 | Algeria | 15.27 \n6 | Macao | 14.83 \n7 | Belarus | 14.50 \n8 | Moldova | 13.91 \n9 | Madagascar | 13.80 \n10 | Serbia | 13.48 \n11 | Libya | 13.13 \n12 | Mauritania | 13.06 \n13 | Mongolia | 13.06 \n14 | India | 12.89 \n15 | Palestine | 12.79 \n16 | Sri Lanka | 12.76 \n17 | Ukraine | 12.39 \n18 | Estonia | 11.61 \n19 | Tajikistan | 11.44 \n20 | Qatar | 11.14 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). \n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average during the quarter, 8.72% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151358/14-en-malware-report-q3-2021-pc-graphs.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users&#x27; computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q3 2021, our File Anti-Virus detected **62,577,326** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Turkmenistan | 47.42 \n2 | Yemen | 44.27 \n3 | Ethiopia | 42.57 \n4 | Tajikistan | 42.51 \n5 | Uzbekistan | 40.41 \n6 | South Sudan | 40.15 \n7 | Afghanistan | 40.07 \n8 | Cuba | 38.20 \n9 | Bangladesh | 36.49 \n10 | Myanmar | 35.96 \n11 | Venezuela | 35.20 \n12 | China | 35.16 \n13 | Syria | 34.64 \n14 | Madagascar | 33.49 \n15 | Rwanda | 33.06 \n16 | Sudan | 33.01 \n17 | Benin | 32.68 \n18 | Burundi | 31.88 \n19 | Laos | 31.70 \n20 | Cameroon | 31.28 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). \n** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151433/15-en-malware-report-q3-2021-pc-graphs.png>))_\n\nOn average worldwide, **Malware-class** local threats were recorded on 15.14% of users&#x27; computers at least once during the quarter. Russia scored 14.64% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T12:00:36", "type": "securelist", "title": "IT threat evolution in Q3 2021. PC statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2019-7481", "CVE-2021-1640", "CVE-2021-1675", "CVE-2021-22937", "CVE-2021-26084", "CVE-2021-26878", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34483", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-36934", "CVE-2021-36936", "CVE-2021-36947", "CVE-2021-36958", "CVE-2021-40444"], "modified": "2021-11-26T12:00:36", "id": "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "href": "https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection &amp; Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:&quot;true&quot;_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}