Chiphell - Sharing and exchanging user experience


[Security] Fixed, but not completely! Microsoft's patch for CVE-2021-41379 fails to fully fix the vulnerability

Posted on 2021-11-25 14:17
This post was last edited by 埃律西昂 on 2021-11-25 14:43
Original English title: "New zero-day vulnerability in Windows Installer affects all versions of Microsoft's OS"

Microsoft already launched an update to address the vulnerability, but it wasn't enough to solve the issue

Computer security group Cisco Talos has found a new vulnerability that affects every Windows version to date, including Windows 11 and Server 2022. The vulnerability exists in the Windows Installer and allows hackers to elevate their privileges to become an administrator.

The discovery of this vulnerability led the Cisco Talos group to update its Snort rules, which consist of rules to detect attacks targeting a list of vulnerabilities. The updated list of rules includes the zero-day elevation of privilege vulnerability, as well as new and modified rules for emerging threats from browsers, operating systems and network protocols, among others.

Exploiting this vulnerability allows hackers with limited user access to elevate their privileges, acting as an administrator of the system. The security firm has already found malware samples out on the Internet, so there's a good chance someone already fell victim to it.

The vulnerability had been previously reported to Microsoft by Abdelhamid Naceri, a security researcher at Microsoft, and was supposedly patched with the fix CVE-2021-41379 on November 9. However, the patch didn't seem to be enough to fix the issue, as the problem persists, leading Naceri to publish the proof-of-concept on GitHub.

In simple terms, the proof-of-concept shows how a hacker can replace any executable file on the system with an MSI file using the discretionary access control list (DACL) for Microsoft Edge Elevation Service.

Microsoft rated the vulnerability as "medium severity," with a base CVSS (Common Vulnerability Scoring System) score of 5.5 and a temporal score of 4.8. Now that functional proof-of-concept exploit code is available, others could try to further abuse it, possibly increasing these scores. At the moment, Microsoft has yet to issue a new update to mitigate the vulnerability.

Naceri seems to have tried to patch the binary himself, but with no success. Until Microsoft patches the vulnerability, the Cisco Talos group recommends those using a Cisco secure firewall to update their rule set with Snort rules 58635 and 58636 to keep users protected from the exploit.

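One way to verify the mitigation named above, namely that Snort rules 58635 and 58636 are present and enabled in a deployed rule set. This is an added example, not part of the original post or of Cisco Talos's tooling; the function names and the sample rule file are constructed, and the rule bodies are placeholders rather than the real Talos rules.

```python
import re

REQUIRED_SIDS = (58635, 58636)  # Snort SIDs named in the article's advice
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "block", "reject", "sdrop", "log", "pass")

# Constructed sample rule file: rule bodies are placeholders, not the real rules.
SAMPLE = r'''
# local policy notes
alert tcp any any -> any any (msg:"placeholder rule A"; \
    sid:58635; rev:1;)
# alert tcp any any -> any any (msg:"placeholder rule B"; sid:58636; rev:1;)
alert tcp any any -> any any (msg:"unrelated placeholder"; sid:1000001; rev:3;)
'''

def logical_lines(text):
    """Join backslash-continued lines so each rule is one string."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def audit_rules(text, required=REQUIRED_SIDS):
    """Map each required SID to its state (enabled/disabled/missing) and rev."""
    report = {sid: {"state": "missing", "rev": None} for sid in required}
    for line in logical_lines(text):
        stripped = line.strip()
        enabled = not stripped.startswith("#")   # '#' marks a disabled rule
        body = stripped.lstrip("#").strip()
        m = SID_RE.search(body) if body.startswith(ACTIONS) else None
        if not m or int(m.group(1)) not in report:
            continue  # plain comment, blank line, or a rule we do not track
        sid, rev = int(m.group(1)), REV_RE.search(body)
        # An enabled copy always wins over a commented-out copy of the same SID.
        if enabled or report[sid]["state"] == "missing":
            report[sid] = {"state": "enabled" if enabled else "disabled",
                           "rev": int(rev.group(1)) if rev else None}
    return report

if __name__ == "__main__":
    for sid, info in audit_rules(SAMPLE).items():
        print(sid, info["state"], info["rev"])
```

A rule reported as "disabled" exists in the file but is commented out, so it will not fire even though the rule set has been updated.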
Original poster | Posted on 2021-11-29 21:17
This post was last edited by 埃律西昂 on 2021-11-29 21:18
