Attacker Value
High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network

CVE-2021-26411

Disclosure Date: March 11, 2021
Exploited in the Wild

Description

Internet Explorer Memory Corruption Vulnerability

Technical Analysis

Update: This is now reported as having been exploited in the wild by North Korean APT actors along with CVE-2020-1380 as noted at https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

Reported as exploited in the wild at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411. Appears to be a memory corruption bug in Internet Explorer and Edge which would allow for a watering hole or drive-by attack whereby a user is convinced to visit an attacker’s malicious website and then the attacker would be able to gain RCE on the user’s computer. Interestingly, despite this being a memory corruption bug, which is typically harder to exploit, Microsoft has still written up the exploitability of this vulnerability as Low.

There also appears to be an analysis of this vulnerability at https://enki.co.kr/blog/2021/02/04/ie_0day.html which suggests that this was the vulnerability used by the Lazarus APT group to attack security researchers in February. An English summary can be found at https://www.bleepingcomputer.com/news/security/hacking-group-also-used-an-ie-zero-day-against-security-researchers/ which suggests that this vulnerability was a double free vulnerability in IE which was triggered by sending a user a malicious MHT/MHTML file, and if the user allowed script execution, then CVE-2021-26411 would be exploited.

Given that Mitja Kolsek of 0Patch was able to replicate this issue relatively quickly, I’d say it’s likely that attackers will be able to exploit this vulnerability as well. I would expect to see more widespread exploitation of this vulnerability in the coming months.

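The attack chain described in the assessment above starts with an MHT/MHTML file that the victim opens in Internet Explorer and then allows to run script. The following Python script is an added example for this page, not code from the assessment, from Microsoft, or from the linked write-ups, and it contains no exploit for CVE-2021-26411. It does the one thing a responder wants done to an MHT attachment before anyone opens it: parse the MIME container and report which parts are, or contain, script. The two sample files are constructed for the demo, and the indicator list is this example's own choice, not a published signature.

```python
"""Triage MHTML (.mht/.mhtml) files for embedded script before anyone opens them.

Added example for this page: not code from the original assessment, from
Microsoft, or from the linked write-ups, and it contains no exploit for
CVE-2021-26411. The sample files below are constructed for the demo.
"""
import email
import re
from email import policy
from email.message import Message
from typing import Dict, List

# Parts with these content types are script no matter what the body looks like.
SCRIPT_CONTENT_TYPES = {
    "text/javascript",
    "application/javascript",
    "application/x-javascript",
    "text/vbscript",
}

# Indicators searched inside text parts (HTML/CSS/XML). Chosen for this example.
INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "vbscript_uri": re.compile(r"vbscript\s*:", re.I),
    "event_handler": re.compile(
        r"\bon(load|error|click|mouse\w+|key\w+|focus|blur|submit|change)\s*=", re.I),
    "object_or_embed": re.compile(r"<(object|embed|applet|iframe)\b", re.I),
    "activex_create": re.compile(r"ActiveXObject\s*\(", re.I),
}


def _decode_text(part: Message) -> str:
    """Undo the transfer encoding (quoted-printable/base64), then the charset."""
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    charset = part.get_content_charset() or "utf-8"
    try:
        return payload.decode(charset, errors="replace")
    except LookupError:  # unknown charset name in the part header
        return payload.decode("latin-1", errors="replace")


def scan_mht(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per MIME part that is, or contains, script."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        hits: List[str] = []
        if ctype in SCRIPT_CONTENT_TYPES:
            hits.append("script_content_type")
        if part.get_content_maintype() == "text":
            body = _decode_text(part)
            hits.extend(name for name, rx in INDICATORS.items() if rx.search(body))
        if hits:
            findings.append({
                "content_type": ctype,
                "location": str(part.get("Content-Location", "")),
                "indicators": hits,
            })
    return findings


def has_script(data: bytes) -> bool:
    """True if any part of the MHT would run script when opened in a browser."""
    return bool(scan_mht(data))


# Constructed sample: a minimal MHT as a browser saves it, with an HTML part that
# carries an inline <script> and an onload handler, a CSS part and a PNG part.
SAMPLE_MHT = b"""Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--demo"

------MultipartBoundary--demo
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://invoice.example/index.html

<html><body onload=3D"go()"><h1>Invoice</h1>
<script>var x =3D 1;</script>
</body></html>

------MultipartBoundary--demo
Content-Type: text/css
Content-Transfer-Encoding: quoted-printable
Content-Location: http://invoice.example/style.css

h1 { color: =23333; }

------MultipartBoundary--demo
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: http://invoice.example/logo.png

iVBORw0KGgo=

------MultipartBoundary--demo--
"""

# The same constructed file with the script and the event handler stripped out.
CLEAN_MHT = SAMPLE_MHT.replace(b'<script>var x =3D 1;</script>\n', b'').replace(
    b' onload=3D"go()"', b'')


if __name__ == "__main__":
    for f in scan_mht(SAMPLE_MHT):
        print(f"{f['content_type']:<12} {f['location']}  indicators={','.join(f['indicators'])}")
```

Pages saved from legitimate sites routinely contain script, so a hit means "review before opening", not "malicious"; the value of the check is that it runs on the raw attachment without handing it to Internet Explorer, which is the component the reported chain needed the user to click through.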
Technical Analysis

There is now public threat intelligence that the Purple Fox exploit kit has incorporated this vulnerability and is exploiting it.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
5.9
Exploitability Score:
1.6
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • Microsoft

Products

  • Internet Explorer 9
  • Internet Explorer 11
  • Internet Explorer 11 on Windows 10 Version 1909 for 32-bit Systems
  • Internet Explorer 11 on Windows 10 Version 1909 for x64-based Systems
  • Internet Explorer 11 on Windows 10 Version 1909 for ARM64-based Systems
  • Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems
  • Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems
  • Internet Explorer 11 on Windows 10 Version 2004 for 32-bit Systems
  • Internet Explorer 11 on Windows 10 Version 2004 for ARM64-based Systems
  • Internet Explorer 11 on Windows 10 Version 2004 for x64-based Systems
  • Internet Explorer 11 on Windows 10 Version 20H2 for x64-based Systems
  • Internet Explorer 11 on Windows 10 Version 20H2 for 32-bit Systems
  • Internet Explorer 11 on Windows 10 Version 20H2 for ARM64-based Systems
  • Internet Explorer 11 on Windows Server 2012
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for 32-bit Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for ARM64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for 32-bit Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for ARM64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows Server 2019
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for 32-bit Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for ARM64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for ARM64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 2004 for 32-bit Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 2004 for ARM64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 2004 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 20H2 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 20H2 for 32-bit Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 20H2 for ARM64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 for 32-bit Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for x64-based Systems
  • Microsoft Edge (EdgeHTML-based) on Windows Server 2016
