CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog.
1. Sudo Heap-Based Buffer Overflow Vulnerability
- CVE-2021-3156: Sudo contains an off-by-one error that can result in a
heap-based buffer overflow, which allows for privilege escalation.
A heap-based buffer overflow exists in the sudo command-line utility that can
be exploited by a local attacker to gain elevated privileges. The
vulnerability was introduced in July 2011 and affects versions 1.8.2 through
1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The
publicly documented exploitation technique leverages the overflow to overwrite a
service_user struct in memory so that it references an attacker-controlled
library, which is then loaded with the elevated privileges held by sudo.
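To turn the version ranges above into a quick inventory check, here is an added Python example (not CISA's or the sudo project's code) that parses sudo's version string, including the pN patch level, and tests it against the two affected ranges; the `sudo --version` call and the helper names are my own assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Inclusive affected ranges as stated in the advisory text:
# 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# sudo versions look like 1.8.31 or 1.8.31p2, where "pN" is a patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract a version from text such as 'Sudo version 1.8.31p2'.
    The patch level becomes a fourth component (0 when absent), so plain
    tuple comparison orders 1.8.31 < 1.8.31p1 < 1.8.31p2 < 1.8.32."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def is_affected(version: Version) -> bool:
    """True when the version lies inside one of the advisory's ranges.
    Caveat: distributions often backport the fix without bumping the upstream
    version, so a hit means "check the package changelog", not "vulnerable"."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)

def installed_sudo_version() -> Optional[Version]:
    """Run 'sudo --version' on this host (assumed available) and parse its first line."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_sudo_version(out.splitlines()[0]) if out else None

if __name__ == "__main__":
    v = installed_sudo_version()
    if v is None:
        print("sudo not found or version string not recognised")
    else:
        label = "in affected range" if is_affected(v) else "outside affected range"
        print(f"sudo {v[0]}.{v[1]}.{v[2]}p{v[3]}: {label}")
```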
2. Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability
- CVE-2021-31166: Microsoft HTTP Protocol Stack contains a
vulnerability in http.sys that allows for remote code execution.
On January 12, NSFOCUS CERT detected that Microsoft had released its monthly
security update, which fixed an HTTP protocol stack remote code
execution vulnerability (CVE-2022-21907). A buffer overflow can occur
due to a boundary error in the HTTP Trailer Support feature of the HTTP
stack (HTTP.sys). An unauthenticated attacker can execute arbitrary code
on a target system by sending specially crafted HTTP packets to a web
server. Microsoft describes the vulnerability as “wormable”: it can
self-propagate across the network without user interaction. It carries a
CVSS score of 9.8. A PoC that causes a BSoD on the target host has
already been disclosed, and affected users are urged to take protective
measures as soon as possible.
The Windows HTTP stack (HTTP.sys) is a kernel driver for processing HTTP
requests in the Windows operating system, commonly used in communication
between web browsers and web servers, as well as in Internet Information
Services (IIS).
3. Microsoft SMBv1 Server Remote Code Execution Vulnerability
- CVE-2017-0148: The SMBv1 server in Microsoft allows remote
attackers to execute arbitrary code via crafted packets.
CVE-2020-1301, Microsoft Windows SMB Server Remote Code Execution
Vulnerability: the vulnerability is located in the SMBv1 driver; SMBv2
and SMBv3 are not affected. It is triggered because the SMBv1 driver
does not fully validate the SI_COPYFILE structure when processing an
FSCTL_SIS_COPYFILE request (MS-FSCC protocol), resulting in an integer
overflow. Exploitation requires passing SMB protocol authentication,
which increases the difficulty, but SMBv1 is deployed in all versions
from Windows 7 through 10, so the vulnerability has a wide range of
impact. Attackers who successfully exploit it can execute arbitrary code
on the target host.
On June 10, 2020 (Beijing time), Microsoft released the security update
for June 2020, including patches for 129 vulnerabilities. This update
covers multiple components and software including Microsoft Windows,
Internet Explorer (IE), Office, Microsoft Edge, Windows Defender, etc. 11
of the 128 Common Vulnerabilities and Exposures were officially marked as
Critical by Microsoft, and 118 of them were marked as "Important".
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2
and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2;
Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server
2016 allows remote attackers to execute arbitrary code via crafted
packets, aka "Windows SMB Remote Code Execution Vulnerability." This
vulnerability is different from those described in CVE-2017-0143,
CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.