Last Login: October 06, 2021
architect00's Latest (8) Contributions
This is a remote -code-execution vulnerability which can be abused by an unauthenticated attacker. According to the VMware FAQ this vulnerability can be used under the following circumstances:
This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.
Looking at the timeline of another file upload vuln in vmware vcenter:
- published on 2021-02-23 https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- public exploitation on 2021-02-26 https://twitter.com/bad_packets/status/1408890423871819781
I would argue, that this vuln has a high likelyhood of being exploited soon.
Can be used as LPE and RCE. Code will run as SYSTEM.
Possible temporary mitigations
Patch for CVE-2021-1675 published on the 08.06.2021 mitigates exploitation if User is not an admin and computer is not a domain controller.
To mitigate lateral movement a GPO can be used to disabled connections to spooler RPC service https://github.com/LaresLLC/CVE-2021-1675
To mitigate LPE and RCE a ACL for the printer driver can be set https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
Disabling the spooler service is also an theoretical option, but might come at a high operational cost.
The vulnerability affects Internet Explorer 11 on all Windows Versions. It is located in the
Possible attack vectors:
- website content
- activeX components in office documents
Google Project Zero released a PoC on 13.05.2021, which triggers the vulnerability and causes a crash. At the time of writing I could not find any weaponized exploit.
The CVSS rating of the vulnerability differs between Windows desktop versions and server versions. In server versions the CVSS Privileges Required is set to High. Desktop versions are rated with CVSS None. The reason could be, that IE enhanced protection mode is disabled on Windows desktop versions and enabled on server versions by default.
My rating of the exploitability score was affected by the availability of the PoC and the Microsoft exploitability rating. In year 2020, Operation PowerFall was using a similar vulnerability (CVE-2020-1380) in IE. I expect to see exploits for CVE-2021-26419 in a similar context.
Attackers might gain direct control over the host after exploitation without a sandbox escape. IE 11 does have a enhanced protected mode (EPM), which runs IE in an AppContainer and acts as a sandbox. EPM was introduced with Windows 8 and is disabled by default on Windows desktop versions.
The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.
The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.
Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.
0patch released a blog article about their micro patch concerning CVE-2021-26897. It describes the root cause as
CVE-2021-26897 is a buffer overflow issue, whereby a series of oversized “dynamic update” DNS queries with SIG (signature) records causes writing beyond the buffer boundary when these records are saved to file.
According to the blog article the record saves happen
- periodically or
- when the DNS service stops
The analysis of 0patch was based on an article from the McAfee Labs. They provided enough information to enable 0patch to gain understanding were the vulnerability is located.
Successful exploitation of this vulnerability results in running code with Local System privileges. A attacker does need a domain joined computer and have access to a DNS server. The configuration of the DNS server needs to have Dynamic Updates activated.
In an Active Directory environment Dynamic Updates are enabled by default. The default setting secure dynamic updates only allows domain joined computers to update a DNS zone.
I rated the Attack Value pretty high. Successful exploitation provides adversaries with high privileged access to domain controllers.
The Exploitability score is based on the fact, that the vulnerability can be reversed through public resources and seems to be a buffer overflow. Nevertheless the broader mass of adversaries might be waiting for a detailed writeup or P-o-C and act opportunistic.