CVE-2021-31955
Description
Windows Kernel Information Disclosure Vulnerability
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.
The team at Kaspersky has reported that threat actors are exploiting this Microsoft Windows OS kernel vulnerability.
Source: https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/
Ratings
- Attacker Value: Medium
- Exploitability: Very High
Technical Analysis
Ah, good old NtQuerySystemInformation() strikes again, never quite going out of style :) In this case CVE-2021-31955 is an information disclosure in good old ntoskrnl.exe, aka the Windows kernel itself, that occurs due to a Windows feature supported since Windows Vista known as SuperFetch. By sending a SystemSuperfetchInformation class request of type SuperfetchPrivSourceQuery via the undocumented NtQuerySystemInformation() function, one can obtain the kernel address of the EPROCESS structure for the current process. This is REALLY bad since the EPROCESS kernel structure also contains a pointer to the process's permissions token. If we know the address of this token, then, provided one has an arbitrary kernel write vulnerability, they can easily overwrite this pointer to point to the permissions token for a higher privilege process, and if this process is running as SYSTEM, they will gain SYSTEM level code execution.
According to https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/, this was used in the wild alongside CVE-2021-31956 to escape the Chrome sandbox and gain SYSTEM on affected users' computers, after first compromising Chrome and gaining execution inside the Chrome sandbox with what is suspected to be CVE-2021-21224.