CVE-2021-40444

Description

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.

UPDATE September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.

Add Assessment

JunquerGJ (4)

September 07, 2021 10:50pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Low

Exploitability

Low

Requires user interaction Vulnerable in uncommon configuration

Technical Analysis

Vulnerable if default behaviour has been changed ( By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack )
Requires social engineering to be exploited
Workaround easy to deploy

ccondon-r7 (278)

September 07, 2021 7:12pm UTC (3 years ago)•

Ratings

Attacker Value

Medium

Exploitability

Low

Requires user interaction Vulnerable in uncommon configuration

Technical Analysis

Sounds from Microsoft’s out-of-band advisory like this is seeing limited, targeted attacks and folks are only vulnerable in non-default configurations (i.e., “by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack”). All this plus user interaction required = another social engineering opportunity for attackers with specific targets, but probably not a big concern as far as widespread, automated exploitation goes. No patch yet, but sounds like the most out-of-the-box mitigation is just to use the default option of opening docs in a protected manner.

See More &1 replySee Less

ccondon-r7 (278) September 22, 2021 8:35pm UTC (3 years ago)

Those are great, @NinjaOperator, thanks for sharing!

nu11secur1ty (198)

September 22, 2021 4:28pm UTC (3 years ago)•

Ratings

Attacker Value

Medium

Exploitability

Low

Difficult to patch Easy to weaponize Unauthenticated Vulnerable in default configuration Vulnerable in uncommon configuration

Technical Analysis

Vulnerability:

Microsoft MSHTML Remote Code Execution Vulnerability
Tested with malicious .exe file

Executive Summary:

Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.

UPDATE September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.

Conclusion:

Security is not checked
Just OPEN :D

Risk Assessment:

This may well be a meterpreter malicious backdoor shell file
This may well be a malicious MSI package or hidden bat file

Status:

Low(Medium)

Fixed

Windows 11

Source:

href

Reproduce:

href

Demo docx:

href

Demo VLC:

href

NinjaOperator (83)

September 07, 2021 6:45pm UTC (3 years ago)•

Ratings

Technical Analysis

Microsoft MSHTML Remote Code Execution Vulnerability
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

A threat actor could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

See More &1 replySee Less

NinjaOperator (83) November 11, 2021 3:48pm UTC (2 years ago)•Edited 2 years ago

Update: Unnamed threat actors are exploiting this vulnerability to drop Cobalt Strike
https://twitter.com/h2jazi/status/1458794565968748545

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.3

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

High

Availability (A):

Low

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows 10 Version 1809 10.0.17763.2183

Windows Server 2019 10.0.17763.2183

Windows Server 2019 (Server Core installation) 10.0.17763.2183

Windows 10 Version 1909 10.0.18363.1801

Windows 10 Version 21H1 10.0.19043.1237

Windows Server 2022 10.0.20348.230

Windows 10 Version 2004 10.0.19041.1237

Windows Server version 2004 10.0.19041.1237

Windows 10 Version 20H2 10.0.19042.1237

Windows Server version 20H2 10.0.19042.1237

Windows 10 Version 1507 10.0.10240.19060

Windows 10 Version 1607 10.0.14393.4651

Windows Server 2016 10.0.14393.4651

Windows Server 2016 (Server Core installation) 10.0.14393.4651

Windows 7 6.1.7601.25712

Windows 7 Service Pack 1 6.1.7601.25712

Windows 8.1 6.3.9600.20120

Windows Server 2008 Service Pack 2 6.0.6003.21218

Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.21218

Windows Server 2008 Service Pack 2 6.0.6003.21218

Windows Server 2008 R2 Service Pack 1 6.1.7601.25712

Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.25712

Windows Server 2012 6.2.9200.23462

Windows Server 2012 (Server Core installation) 6.2.9200.23462

Windows Server 2012 R2 6.3.9600.20120

Windows Server 2012 R2 (Server Core installation) 6.3.9600.20120

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

windows 10 1507,
windows 10 1607,
windows 10 1809,
windows 10 1909,
windows 10 2004,
windows 10 20h2,
windows 10 21h1,
windows 7 -,
windows 8.1 -,
windows rt 8.1 -,
windows server 2004,
windows server 2008 -,
windows server 2008 r2,
windows server 2012 -,
windows server 2016,
windows server 2019,
windows server 2022,
windows server 20h2

Metasploit Modules

exploit/windows/fileformat/word_mshtml_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/word_mshtml_rce.rb)

Exploited in the Wild

Reported by:

NinjaOperator indicated source as Vendor Advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444)

Reported: September 07, 2021 6:47pm UTC (3 years ago)

JunquerGJ indicated source as Vendor Advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444)

Reported: September 07, 2021 10:50pm UTC (3 years ago)

Lawrenc52280603 indicated source as Vendor Advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444)

Reported: September 09, 2021 9:55am UTC (3 years ago)

Henry23159 indicated source as News Article or Blog

Reported: September 10, 2021 5:06am UTC (3 years ago)

tjs indicated sources as

Vendor Advisory (https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/)
Threat Feed

Reported: September 17, 2021 2:53pm UTC (3 years ago)

gwillcox-r7 indicated sources as

Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa22-117a)
Threat Feed (https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/)

Reported: March 19, 2022 9:43pm UTC (2 years ago) • Edited 2 years ago

References

Canonical

CVE-2021-40444 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444

http://packetstormsecurity.com/files/164210/Microsoft-Windows-MSHTML-Overview.html

http://packetstormsecurity.com/files/165214/Microsoft-Office-Word-MSHTML-Remote-Code-Execution.html

http://packetstormsecurity.com/files/167317/Microsoft-Office-MSDT-Follina-Proof-Of-Concept.html

Rapid7

Moderate

CVE-2021-40444

Moderate

Low

Required

None

Network

CVE-2021-40444

Description

Add Assessment

Ratings

Technical Analysis

Ratings

Technical Analysis

Ratings

Technical Analysis

CVE-2021-40444

Vulnerability:

Executive Summary:

Conclusion:

Risk Assessment:

Status:

Fixed

Source:

Reproduce:

Demo docx: