Windows Installer zero-day under active exploitation

An elevation of privilege flaw in Microsoft’s Windows Installer is now under active exploitation, and there’s no patch in sight.

A proof of concept for the Windows Installer vulnerability was published earlier this month by researcher Abdelhamid Naceri. An attacker who exploits the flaw could potentially gain administrator rights.

The vulnerability is a variant of CVE-2021-41379, a similar flaw also discovered by Naceri that was seemingly fixed in the November Patch Tuesday update. However, Naceri found that the update did not fully fix the problem, and during the analysis he discovered the new variant.

Naceri said in his proof of concept for the new Windows Installer flaw that “the best workaround available at the time of writing this is to wait [for] Microsoft to release a security patch, due to the complexity of this vulnerability.”

UPDATE 11/30: Naceri published a temporary fix for the variant on Tuesday.

Since the proof of concept was posted on Nov. 21, at least two vendors, Cisco Talos and McAfee, have reported exploitation associated with the new variant of CVE-2021-41379.

Talos Security Intelligence and Research Group technical leader Jaeson Schultz wrote in a Nov. 23 blog that Cisco Talos had detected malware samples attempting to exploit the flaw.

McAfee chief scientist Raj Samani tweeted Monday that McAfee had detected exploitation in “23 countries and multiple sectors.” The countries include the United States, Canada, China, India, Brazil and others; three of the highest prevalence rates can be seen in Saudi Arabia, Ukraine and Belgium. While McAfee reported the activity, which is rated as “high” threat severity, as exploitation of CVE-2021-41379, the alert referenced the public PoC for Naceri’s variant.

Naceri told SearchSecurity last week that his exploit could not be chained with other vulnerabilities for a remote takeover attack. In a follow-up direct message Monday, he reaffirmed that point and said attackers can do plenty with the flaw even though it’s only exploitable locally.

“The vulnerability cannot be exploited remotely — only and strictly locally,” Naceri said. “The problem is, these kinds of bugs are actually really valuable. Gaining code execution as an unprivileged user is easy nowadays, using either n-day vulnerabilities or social engineering. But having administrative privileges can be a hard task to achieve. In some scenarios, if an attacker compromised a machine of the domain, he could eventually take over the entire domain.”

Naceri also said the Windows Installer variant will have its own CVE.

A Microsoft spokesperson said in an email to SearchSecurity that the company “is aware of a different vulnerability disclosure from one of the original finders of CVE-2021-41379” but did not say whether a patch was in development.

The spokesperson also said CVE-2021-41379 was fully patched.

“We released an update for CVE-2021-41379 during the November Update Tuesday 11B release. Customers who have applied the update are protected against this vulnerability,” they said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Unpatched Unauthorized File Read Vulnerability Affects Microsoft Windows OS

Unofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.

Tracked as CVE-2021-24084 (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.

Security researcher Abdelhamid Naceri was credited with discovering and reporting the bug in October 2020, prompting Microsoft to address the issue as part of its February 2021 Patch Tuesday updates.

But as Naceri observed in June 2021, the patch could be bypassed to achieve the same objective, and this month the researcher found that the incompletely patched vulnerability could also be exploited to gain administrator privileges and run malicious code on Windows 10 machines running the latest security updates.

“Namely, as HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them,” 0patch co-founder Mitja Kolsek said in a post last week.

However, it’s worth noting that the vulnerability can be exploited for privilege escalation only under specific circumstances, namely when the System Protection feature is enabled on the C: drive and at least one local administrator account is set up on the computer.

Neither Windows Server nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted:

  • Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
  • Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
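As an added check that is not part of the original article, the following PowerShell function reports whether a Windows 10 host matches the conditions described above: a workstation edition of Windows 10 (servers and Windows 11 are out of scope), System Protection enabled on the C: drive, and at least one enabled local account in the local Administrators group. The registry value RPSessionInterval under the SystemRestore key and the Win32_OperatingSystem ProductType mapping are the standard Windows locations for that state; reading them is this example's choice, not something the article specifies. The build and release are reported so the reader can compare them with the list above; the script does not check which cumulative update is installed. Run it in an elevated session on the host being assessed.

```powershell
# Added example: reports whether this host meets the preconditions the article
# lists for CVE-2021-24084 privilege escalation. Not code from the article,
# 0patch, or Microsoft. Registry paths/values used are standard Windows
# locations (assumed, see lead-in). Run elevated.

function Test-Cve202124084Preconditions {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType 1 = workstation; 2 (domain controller) and 3 (server) are out of scope.
    $isWorkstation = ($os.ProductType -eq 1)
    # Windows 11 reports "Microsoft Windows 11 ..." in Caption, so this excludes it.
    $isWin10 = ($os.Caption -match 'Windows 10')

    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion (e.g. 21H1) exists from 20H2 on; older builds only carry ReleaseId (e.g. 1909).
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # System Protection state: RPSessionInterval = 1 when enabled, 0 when disabled.
    $sr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -ErrorAction SilentlyContinue
    $systemProtectionOn = ($null -ne $sr -and $sr.RPSessionInterval -eq 1)
    # Existing restore points are an independent confirmation that protection has been active.
    $restorePoints = @(Get-CimInstance -Namespace 'root\default' -ClassName SystemRestore -ErrorAction SilentlyContinue)

    # Enabled *local* user accounts that are members of the local Administrators group
    # (domain or Azure AD principals are filtered out via PrincipalSource).
    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object { $_.Enabled })

    [PSCustomObject]@{
        Computer           = $env:COMPUTERNAME
        Caption            = $os.Caption
        Release            = $release
        Build              = $os.BuildNumber
        InScope            = ($isWorkstation -and $isWin10)
        SystemProtectionOn = $systemProtectionOn
        RestorePointCount  = $restorePoints.Count
        LocalAdminAccounts = (($localAdmins | ForEach-Object Name) -join ',')
        MeetsPreconditions = ($isWorkstation -and $isWin10 -and $systemProtectionOn -and $localAdmins.Count -gt 0)
    }
}

Test-Cve202124084Preconditions | Format-List
```

A host that reports MeetsPreconditions = True and a Release in the list above is one where the unofficial 0patch fix, or the compensating controls the article implies (disabling System Protection on C: or removing unneeded local administrator accounts), is worth considering until an official update ships.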

CVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. Earlier this month, 0patch shipped unofficial fixes for a local privilege escalation vulnerability (CVE-2021-34484) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.

Then last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service (CVE-2021-41379) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.

Most challenging security threats for CTOs

59% of CTOs still see human error as the main security threat to their business, alongside other prominent concerns such as ransomware (49%) and phishing (36%), research from STX Next reveals.

Despite this recognition of risk, the findings suggest that more needs to be done to properly safeguard companies against dangers, with only 26% having a dedicated cybersecurity team in place and only 50% outsourcing cyber responsibilities.

What CTOs around the world think

The research surveyed 500 global CTOs about the biggest challenges facing their organization. Other key findings from the research included:

  • Multifactor authentication (MFA) adoption is strong, with 88% of organizations employing it in some way
  • However, 47% have not implemented ransomware protection, despite its ever-increasing popularity among cybercriminals
  • 58% are not using security information and event management (SIEM), and 41% have not employed privileged access management (PAM)
  • Conversely, 92% have implemented disaster recovery (DR) capabilities such as automated backups

Maciej Dziergwa, CEO at STX Next, said: “Our survey shows that, despite the inexorable rise of ransomware in the last couple of years, the biggest security concern in the minds of CTOs remains the potential impact of human error. This is understandable given that in order to be successful, many types of cyberattack rely on someone inadvertently clicking a link or downloading a file.

“Where things really get interesting, however, is when we see what businesses are doing to protect themselves against these threats. Companies that employ their own dedicated cyber team are still in the minority, and while outsourcing is preferred, this isn’t a common policy at the majority of organizations either.

“It’s a similar situation when looking at certain key protective tools that haven’t yet been implemented on a large scale, such as ransomware protection. The established presence of measures such as multi-factor authentication provides some cause for optimism though, so it will be interesting to see if the other security features follow a similar trajectory in the near future.”

The importance of applying disaster recovery

Dziergwa believes that to further shore up security capabilities, businesses should look closely at how disaster recovery processes have been successfully implemented, and aim to replicate these approaches for cyber.

He added: “The strong presence of disaster recovery planning shows that organizations are doing well when it comes to the more all-encompassing, overarching responsibilities that ensure the business is resilient in the face of unexpected disruption. The next step is for leaders to apply this approach to the more granular elements of cybersecurity, including anti-ransomware tools.”

He concluded: “After all, security features are designed in many cases to reduce the potential for human error to cause major cyber incidents. By investing more heavily in these areas, CTOs will have less need to worry about any risky behaviour by their staff in future.”

8-year-old HP printer vulnerability affects 150 printer models

Researchers have discovered several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard.

Since the flaws discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they’ve likely exposed a large number of users to cyberattacks for a notable amount of time.

On November 1, 2021, HP released firmware updates fixing the two most critical of these flaws.

These are CVE-2021-39237 and CVE-2021-39238. The corresponding HP advisories carry the complete list of affected products.

The first one concerns two exposed physical ports that grant full access to the device. Exploiting it requires physical access and could lead to potential information disclosure.

The second one is a buffer overflow in the font parser, which is far more severe, carrying a CVSS score of 9.3: exploiting it gives threat actors remote code execution on the device.

CVE-2021-39238 is also “wormable,” meaning a threat actor could quickly spread from a single printer to an entire network.

As such, organizations must upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often ignored point of entry.

Multiple potential vectors

F-Secure’s Bolshev and Hirvonen used an HP M725z multi-function printer (MFP) unit as their testbed to discover the above flaws.

After they reported their findings to HP on April 29, 2021, the company found that, unfortunately, many other models were also affected.

As the researchers explain in F-Secure’s report, there are several ways to exploit the two flaws, including:

  • Printing from USB drives, which is what was used during the research too. In the modern firmware versions, printing from USB is disabled by default.
  • Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. 
  • Printing by connecting directly to the physical LAN port.
  • Printing from another device that is under the attacker’s control and in the same network segment.
  • Cross-site printing (XSP): sending the exploit to the printer directly from the browser using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
  • Direct attack via exposed UART ports mentioned in CVE-2021-39237, if the attacker has physical access to the device for a short time.

Figure: one of the attack flows for CVE-2021-39238 (source: F-Secure).

Exploiting CVE-2021-39238 takes only a few seconds, and a skilled attacker with brief physical access could mount a damaging attack through CVE-2021-39237 in under five minutes.

Doing so still requires some skill and knowledge, at least during this initial period in which few technical details are public.

Also, even though printers themselves are poor candidates for proactive security examination, defenders can detect these attacks by monitoring network traffic to and from the devices and reviewing their logs.

Finally, F-Secure points out that they have seen no evidence of anyone using these vulnerabilities in actual attacks. Hence, the F-Secure researchers were likely the first to spot them.

An HP spokesperson has shared the following comment with Bleeping Computer:

HP constantly monitors the security landscape and we value work that helps identify new potential threats. We have published a security bulletin for this potential vulnerability here. The security of our customers is a top priority and we encourage them to always stay vigilant and to keep their systems up to date.

Mitigation methods

Apart from upgrading the firmware on the affected devices, admins can follow these guidelines to mitigate the risk of the flaws:

  • Disable printing from USB
  • Place the printer into a separate VLAN sitting behind a firewall
  • Only allow outbound connections from the printer to a specific list of addresses
  • Set up a dedicated print server for the communication between workstations and the printers

The last point underlines that even on devices that cannot yet be patched, proper network segmentation sharply reduces the chance that a network intruder can do damage through the printer.
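The segmentation guidance above (workstations reach the printer only through a dedicated print server; the printer may only connect out to a short list of addresses) doubles as a detection rule for the traffic monitoring mentioned earlier, including the cross-site printing vector, which shows up as a workstation connecting straight to port 9100/TCP. The following PowerShell function, an added example that is not from the F-Secure report or HP's guidance, applies that policy to connection records. The log lines, the CSV column layout (timestamp,src,dst,dport,proto) and every address are constructed for the example; the address lists would be replaced with the real print server, printer VLAN and allowed destinations.

```powershell
# Added example: flags printer traffic that violates the segmentation policy
# from the article. Not code from F-Secure or HP. All addresses, the log
# format and the sample records below are constructed for illustration.

$KnownPrinters      = @('10.0.20.5')                 # printer VLAN (assumed)
$KnownPrintServers  = @('10.0.10.250')               # dedicated print server (assumed)
$PrinterEgressAllow = @('10.0.10.250', '10.0.10.53') # print server + DNS resolver (assumed)
$RawPrintPorts      = @(9100, 515, 631)              # JetDirect raw, LPD, IPP

# Constructed connection log (not a real vendor format): one record per connection.
$SampleLog = @'
timestamp,src,dst,dport,proto
2021-11-30T10:15:01Z,10.0.10.250,10.0.20.5,9100,tcp
2021-11-30T10:15:07Z,10.0.10.42,10.0.20.5,9100,tcp
2021-11-30T10:15:09Z,10.0.10.42,10.0.20.5,80,tcp
2021-11-30T10:16:30Z,10.0.20.5,10.0.10.53,53,udp
2021-11-30T10:16:31Z,10.0.20.5,203.0.113.7,443,tcp
2021-11-30T10:16:40Z,10.0.20.5,10.0.10.17,445,tcp
'@

function Find-PrinterPolicyViolations {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string[]]$Printers     = $KnownPrinters,
        [string[]]$PrintServers = $KnownPrintServers,
        [string[]]$Allow        = $PrinterEgressAllow,
        [int[]]$Ports           = $RawPrintPorts
    )
    foreach ($rec in ($CsvText | ConvertFrom-Csv)) {
        $port = [int]$rec.dport

        # Rule 1: print traffic to a printer from anything other than the print server.
        # This is what a workstation sending a job directly, or a browser pushed into
        # cross-site printing against port 9100, looks like on the wire.
        if (($Printers -contains $rec.dst) -and ($Ports -contains $port) -and ($PrintServers -notcontains $rec.src)) {
            [PSCustomObject]@{ Time = $rec.timestamp; Rule = 'direct-print-bypass'; Src = $rec.src; Dst = $rec.dst; Port = $port }
        }

        # Rule 2: the printer initiating a connection to an address outside the allowlist.
        # A compromised device scanning or spreading to other hosts produces exactly this.
        if (($Printers -contains $rec.src) -and ($Allow -notcontains $rec.dst)) {
            [PSCustomObject]@{ Time = $rec.timestamp; Rule = 'printer-egress'; Src = $rec.src; Dst = $rec.dst; Port = $port }
        }
    }
}

Find-PrinterPolicyViolations -CsvText $SampleLog | Format-Table -AutoSize
```

On the constructed records this reports three findings: the workstation 10.0.10.42 sending to port 9100 directly (direct-print-bypass), and the printer reaching out to 203.0.113.7:443 and to 10.0.10.17:445 (printer-egress). The workstation's connection to the printer's port 80 web interface is not flagged by these two rules; whether to allow it is a separate decision. The same two rules can be expressed as firewall policy on the printer VLAN boundary, which is the enforcement the article recommends; the script is the monitoring counterpart that shows when that policy is being bypassed.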

A detailed guide to best practices for securing your printer is available in HP’s technical paper. F-Secure has also published a video demonstration of how this HP printer vulnerability can be exploited.