Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
2

CVE-2021-31955

Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Windows Kernel Information Disclosure Vulnerability
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

The team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability

Source: https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/

Add Assessment

1
Ratings
Technical Analysis

Ah good old NtQuerySystemInformation() strikes again, never quite going out of style :) In this case CVE-2021-31955 is an information disclosure in good old ntoskrnl.exe, aka the Windows kernel itself, that occurs due to a Windows feature supported since Windows Vista known as SuperFetch. By sending a SystemSuperfetchInformation class request of type SuperfetchPrivSourceQuery via the undocumented NtQuerySystemInformation() function, one can obtain the kernel address of the EPROCESS structure for the current process. This is REALLY bad since the EPROCESS kernel structure contains also contains a pointer to the process’s permissions token. If we know the address of this token, then, provided one has an arbitrary kernel write vulnerability, they can easily overwrite this pointer to point to the permissions token for a higher privilege process, and if this process is running as SYSTEM, they will gain SYSTEM level code execution.

According to https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/, this was used in the wild alongside CVE-2021-31956 to escape the Chrome sandbox and gain SYSTEM on affected users computers, after first compromising Chrome and gaining execution inside the Chrome sandbox with what is suspected to be CVE-2021-21224.

General Information

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis