Attacker Value: Moderate (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2021-43890

Exploited in the Wild
MITRE ATT&CK tactic: Initial Access

Description

A spoofing vulnerability in the AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware families known as Emotet/Trickbot/Bazaloader. Exploitation of this vulnerability allows attackers to craft malicious applications that appear to be legitimate applications, such that when installing them, they appear to be signed and published by well-known and trusted parties.

Technical Analysis

A great overview of this bug is available at https://borncity.com/win/2021/12/16/update-fixt-windows-appx-installer-0-day-schwachstelle-cve-2021-43890-emotet-schlupfloch/ which leads on from a description at https://borncity.com/win/2021/12/02/windows-10-11-falle-beim-trusted-apps-installer/ showing how this bug was exploited in the wild. Essentially, by abusing the ms-appinstaller:// URI handler in Microsoft Windows, one can trick users into thinking that the website is trying to ask them to install software to do something; in the case of the campaign it was to install a PDF viewer so that one could open a protected PDF.

However, what is interesting here is that if a user goes to inspect the properties of the app to be installed, a cursory glance will show that, according to AppX Installer, it is signed by a trusted publisher and the publisher details look legitimate. It's not until you click on the "Trusted App" details link that one will see that something looks odd (assuming, of course, the user hasn't already found the request to download a PDF viewer for viewing a sent PDF file suspicious).

Microsoft fixed this bug by disabling the ms-appinstaller:// URL entirely to prevent it from being abused for these types of attacks. However, it is also recommended that the "Prevent non-admin users from installing packaged Windows apps" setting be enabled to prevent non-admin users from being able to install packaged Windows apps, which should prevent variants of this attack from being exploitable in your environment. More information on these and other mitigations can be found under the Workarounds section at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890.
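The following PowerShell is an added example for auditing and applying the mitigation discussed above; it is not part of the assessment or of any Microsoft tooling. It assumes that the Group Policy "Prevent non-admin users from installing packaged Windows apps" is backed by the DWORD value BlockNonAdminUserInstall under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx, and that the App Installer policy controlling the ms-appinstaller protocol is backed by EnableMSAppInstallerProtocol under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller; verify both against the MSRC workarounds for your Windows build before relying on them.

```powershell
# Added example (not from the assessment above): audit the policy settings relevant to
# CVE-2021-43890 and, on a lab host, apply the "block non-admin install" mitigation.
# Assumed registry backing for the two policies (verify against the MSRC workarounds):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\BlockNonAdminUserInstall      = 1 (blocked)
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableMSAppInstallerProtocol = 0 (disabled)

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # key or value absent: the policy is "Not configured"
    }
}

function Test-AppxInstallHardening {
    $blockNonAdmin = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' 'BlockNonAdminUserInstall'
    $protocol      = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller' 'EnableMSAppInstallerProtocol'

    [pscustomobject]@{
        BlockNonAdminUserInstall     = $blockNonAdmin
        NonAdminInstallBlocked       = ($blockNonAdmin -eq 1)
        EnableMSAppInstallerProtocol = $protocol
        ProtocolExplicitlyDisabled   = ($protocol -eq 0)
    }
}

function Set-AppxNonAdminInstallBlock {
    # Writes the value the assessment recommends. In managed environments push this via
    # Group Policy or Intune instead; direct registry writes are for test hosts. Needs elevation.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'BlockNonAdminUserInstall' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: report the current state and warn if the recommended mitigation is not in place.
$state = Test-AppxInstallHardening
$state | Format-List
if (-not $state.NonAdminInstallBlocked) {
    Write-Warning 'Non-admin users can still install packaged (AppX/MSIX) apps on this host.'
}
if (-not $state.ProtocolExplicitlyDisabled) {
    Write-Warning 'ms-appinstaller protocol is not explicitly disabled by policy; rely on the patch level.'
}
```

Run the audit across a fleet by wrapping Test-AppxInstallHardening in Invoke-Command; a null in either column means the policy is simply not configured, which on a patched host is acceptable for the protocol setting but still leaves non-admin sideloading of packages enabled.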

General Information

Vendors

  • Microsoft

Products

  • App Installer
