Looking at Microsoft’s advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 shows very little information other than that this is a scripting engine vulnerability which is exploitable across a wide range of Windows OS versions and is exploitable remotely. Further investigation though shows that Cisco Talos at https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html mentions that this vulnerability is a memory corruption vulnerability triggered when opening a maliciously crafted email or visiting a malicious website.
Further examination of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 using the Download column (which is not enabled by default but can be added) shows several references to IE Cumulative Update, which suggests this is potentially an IE related vulnerability. Further examination of past advisories named in the same way, like https://msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0224, shows that IE scripting engine vulnerabilities are also referenced using the same style of language, so it would seem this is a memory corruption vulnerability within IE’s scripting engine.
According to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06 this is a hardcoded password issue in EVlink City / Parking / Smart Wallbox Charging Stations that would grant attackers administrative level control over an EVlink City / Parking / Smart Wallbox Charging Station’s web server. These types of devices may not be updated regularly due to the need for them to be running constantly throughout the city, so I can imagine implementing a proper patching strategy will be paramount for ensuring this patch gets applied quickly, as this type of vulnerability could either be used for something simple like just resetting the amount a user has to pay to charge their car, or for gaining further access to city infrastructure, which could be used as a precursor to more targeted attacks.
Interesting bug in Modicon M340, M580 and other models from the Modicon series, which has been named ModiPwn by Armis. The bug does require local access to the target’s network, so you do have to be on the same network as an affected device; however, once you do manage to do this, you can leak hashes from the device’s memory via undocumented commands (got to love extra hidden features, they are a real treasure trove of bugs). Once this hash has been leaked, the attacker can then take over the encrypted connection between one of the Modicon devices and its managing workstation and reconfigure the Modicon device with a passwordless configuration, allowing the attacker to abuse additional undocumented commands to gain RCE and full control over the device.
Whilst there are no reports of in the wild exploitation, the fact that this doesn’t yet have a patch is concerning to say the least. Given that these types of vulnerabilities have been used in the past, such as in the Triton malware, it’s safe to assume that exploits for this vulnerability may start circulating in the wild soon if they haven’t already been developed. It is highly recommended to prevent access to these devices until a patch is released, and once one is released, to patch as soon as possible.
More info on this vulnerability can be found at https://srcincite.io/blog/2021/07/13/fswa-2021-zero-day-give-away.html, where the original author, Steven Seeley of Source Incite, shows an example of how this vulnerability could be exploited to leak sensitive credentials from configuration files and combines this with a 0day deserialization vulnerability in Apache Shiro’s rememberMe cookie to gain RCE. For this reason, given a real world example of how this could be used to gain RCE on a typical deployment, I have elevated the Attacker Value.
In a nutshell, this vulnerability allows unauthenticated users to leak the content of files on the target system provided the target file is within the web root (i.e., the attacker can’t leak the content of files outside of the web root). Provided a user can leak sensitive info (which is not that uncommon), they can utilize this information to then conduct privilege elevation attacks and bypass authentication.
Actors with local access are exploiting this vulnerability to execute code with elevated permissions.
- Vendor Advisory
- Government or Industry Alert
- Personally observed in an environment