Last Login: June 09, 2021
architect00's Contributions (6)
The vulnerability affects Internet Explorer 11 on all Windows Versions. It is located in the
Possible attack vectors:
- website content
- activeX components in office documents
Google Project Zero released a PoC on 13.05.2021, which triggers the vulnerability and causes a crash. At the time of writing I could not find any weaponized exploit.
The CVSS rating of the vulnerability differs between Windows desktop versions and server versions. In server versions the CVSS Privileges Required is set to High. Desktop versions are rated with CVSS None. The reason could be, that IE enhanced protection mode is disabled on Windows desktop versions and enabled on server versions by default.
My rating of the exploitability score was affected by the availability of the PoC and the Microsoft exploitability rating. In year 2020, Operation PowerFall was using a similar vulnerability (CVE-2020-1380) in IE. I expect to see exploits for CVE-2021-26419 in a similar context.
Attackers might gain direct control over the host after exploitation without a sandbox escape. IE 11 does have a enhanced protected mode (EPM), which runs IE in an AppContainer and acts as a sandbox. EPM was introduced with Windows 8 and is disabled by default on Windows desktop versions.
The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.
The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.
Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.
0patch released a blog article about their micro patch concerning CVE-2021-26897. It describes the root cause as
CVE-2021-26897 is a buffer overflow issue, whereby a series of oversized “dynamic update” DNS queries with SIG (signature) records causes writing beyond the buffer boundary when these records are saved to file.
According to the blog article the record saves happen
- periodically or
- when the DNS service stops
The analysis of 0patch was based on an article from the McAfee Labs. They provided enough information to enable 0patch to gain understanding were the vulnerability is located.
Successful exploitation of this vulnerability results in running code with Local System privileges. A attacker does need a domain joined computer and have access to a DNS server. The configuration of the DNS server needs to have Dynamic Updates activated.
In an Active Directory environment Dynamic Updates are enabled by default. The default setting secure dynamic updates only allows domain joined computers to update a DNS zone.
I rated the Attack Value pretty high. Successful exploitation provides adversaries with high privileged access to domain controllers.
The Exploitability score is based on the fact, that the vulnerability can be reversed through public resources and seems to be a buffer overflow. Nevertheless the broader mass of adversaries might be waiting for a detailed writeup or P-o-C and act opportunistic.