Activity Feed

2
Ratings
Technical Analysis

Looking at Microsoft’s advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 shows very little information other than that this is a scripting engine vulnerability which is exploitable across a wide range of Windows OS versions and is exploitable remotely. Further investigation though shows that Cisco Talos at https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html mentions that this vulnerability is a memory corruption vulnerability triggered when opening a maliciously crafted email or visiting a malicious website.

Further examination of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 using the Download column (which is not enabled by default but can be added) shows several references to IE Cumulative Update which suggests this is potentially an IE related vulnerability. Further examination of past advisories named in the same way like https://msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0224 shows that IE scripting engine vulnerabilities are also referenced using the same style of language, so it would seem this is a memory corruption vulnerability within IE’s scripting engine.

Users should ideally apply patches to fix this issue given it has been exploited in the wild already, however if this is not possible then users should disable JavaScript in their browsers as most scripting engine vulnerabilities rely on taking advantage of flaws in the JavaScript engine of a given browser, which requires the browser to have JavaScript enabled in the first place. Note that this will break the operation of most sites so patching is preferred where possible.

1
Ratings
Technical Analysis

According to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-06 this is a hardcoded password issue in EVlink City / Parking / Smart Wallbox Charging Stations that would grant attackers administrative level control over a EVlink City / Parking / Smart Wallbox Charging Stations web server. These types of devices may not be updated regularly due to the need for them to be running constantly throughout the city, so I can imagine implementing a proper patching strategy will be paramount for ensuring this patch gets applied quickly, as this type of vulnerability could either be used for something simple like just resetting the amount a user has to pay to charge their car, or for gaining further access to city infrastructure, which could be used as a precursor to more targeted attacks.

1
Ratings
Technical Analysis

Interesting bug in Modicon M340, M580 and other models from the Modicon series, and has been named by Armis as ModiPwn. Bug does require local access to the target’s network so you do have to be on the same network as an affected device, however once you do manage to do this, you can leak hashes from the devices memory via undocumented commands (got to love extra hidden features, they are a real treasure trove of bugs). Once this hash has been leaked the attacker can then take over the encrypted connection between one of the Modicon devices and its managing workstation and reconfigure the Modicon device with a passwordless configuration, then allowing the attack to abuse additional undocumented commands to gain RCE and gain full control over the device.

Whilst there are no reports of in the wild exploitation, the fact that this doesn’t yet have a patch is concerning to say the least given that these types of vulnerabilities have been used in the past such as in the Triton malware, its safe to assume that exploits for this vulnerability may start circulating in the wild soon if they haven’t already been developed. It is highly recommended to prevent access to these devices until a patch is released, and once one is released, to patch as soon as possible.

1
Ratings
Technical Analysis

More info on this vulnerability can be found at https://srcincite.io/blog/2021/07/13/fswa-2021-zero-day-give-away.html where the original author, Steven Steely of Source Insight, shows an example of how this vulnerability could be exploited to leak sensitive credentials from configuration files and combined this with a 0day deserialization vulnerability in Apache Shiro in the rememberMe cookie to gain RCE. For this reason, given a real world example of how this could be used to gain RCE on a typical deployment, I have elevated the Attacker Value.

Overall this vulnerability in a nutshell allows unauthenticated users to leak the content of files on the target system provided the target file is within the web root (aka the attacker can’t leak the content of files outside of the web root). Provided a user can leak sensitive info (which is not that uncommon), they can utilize this information to then conduct privilege elevation attacks and bypass authentication.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Actors with local access are exploiting this vulnerability to execute code with elevated permission names.
Source: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771

Indicated sources as
  • Vendor Advisory
  • Government or Industry Alert
  • Personally observed in an environment