Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
3

CVE-2021-34448

Disclosure Date: July 16, 2021
CVE-2021-34448 CVSS v3 Base Score: 6.8
Exploited in the Wild
Reported by mkienow-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Scripting Engine Memory Corruption Vulnerability

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Common in enterpriseEasy to weaponizeUnauthenticatedVulnerable in default configurationRequires user interaction
Technical Analysis

Looking at Microsoft’s advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 shows very little information other than that this is a scripting engine vulnerability which is exploitable across a wide range of Windows OS versions and is exploitable remotely. Further investigation though shows that Cisco Talos at https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html mentions that this vulnerability is a memory corruption vulnerability triggered when opening a maliciously crafted email or visiting a malicious website.

Further examination of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 using the Download column (which is not enabled by default but can be added) shows several references to IE Cumulative Update which suggests this is potentially an IE related vulnerability. Further examination of past advisories named in the same way like https://msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0224 shows that IE scripting engine vulnerabilities are also referenced using the same style of language, so it would seem this is a memory corruption vulnerability within IE’s scripting engine.

Users should ideally apply patches to fix this issue given it has been exploited in the wild already, however if this is not possible then users should disable JavaScript in their browsers as most scripting engine vulnerabilities rely on taking advantage of flaws in the JavaScript engine of a given browser, which requires the browser to have JavaScript enabled in the first place. Note that this will break the operation of most sites so patching is preferred where possible.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.8 Medium
Impact Score:
5.2
Exploitability Score:
1.6
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1809 10.0.17763.2061
Windows Server 2019 10.0.17763.2061
Windows 10 Version 1909 10.0.18363.1679
Windows 10 Version 21H1 10.0.19043.1110
Windows 10 Version 2004 10.0.19041.1110
Windows 10 Version 20H2 10.0.19042.1110
Windows 10 Version 1507 10.0.10240.19003
Windows 10 Version 1607 10.0.14393.4530
Windows Server 2016 10.0.14393.4530
Windows 7 6.1.7601.25661
Windows 7 Service Pack 1 6.1.7601.25661
Windows 8.1 6.3.9600.20069
Windows Server 2008 R2 Service Pack 1 6.1.7601.25661
Windows Server 2012 6.2.9200.23409
Windows Server 2012 R2 6.3.9600.20069
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 1507,
  • windows 10 1607,
  • windows 10 1809,
  • windows 10 1909,
  • windows 10 2004,
  • windows 10 20h2,
  • windows 10 21h1,
  • windows 7 -,
  • windows 8.1 -,
  • windows rt 8.1 -,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016,
  • windows server 2019

Exploited in the Wild

Reported by:

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis