CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability

This vulnerability is being actively exploited in the wild

What is HTTP Basic Authentication?

HTTP Basic Authentication is a weak authentication method that uses a user name and password combination to gain access to an account or service.
This vulnerability is not limited to certain web application implementations but also affects software like Android, iOS, Windows, Linux, and Unix.

Summary

This vulnerability is being actively exploited in the wild.
For the past few weeks, a number of websites have been affected by an ongoing and rapidly-spreading watering hole attack that's exploiting a vulnerability in Microsoft Word.
The vulnerability was first discovered back in September 2016, but it appears to be only recently that this exploit has become active again, with nearly 800 websites already reported as compromised according to our honeypot data.
We're seeing continued activity on this exploit as we speak and expect that this vulnerability will continue to impact websites for some time yet.

Overview

When a vulnerability is discovered in software, business owners have to decide whether or not to disclose it.
This is a critical decision because the vulnerability could be exploited by hackers and cause serious damage to an organization's business processes. Some companies opt not to disclose vulnerabilities while others decide to go public with their findings.
There are many different factors that influence a company's decision on whether or not to disclose a vulnerability. This can include the severity of the vulnerability, the cost-benefit analysis, and how much time they will spend on patching the vulnerability.
Companies can also choose not to disclose vulnerabilities if they believe that doing so will put them at risk of legal action from other organizations that may wish to exploit them for themselves.
It is important for companies to carefully weigh the benefits of going public with their findings against the potential risks involved when disclosing these vulnerabilities. With this information, you can make an informed decision about whether you want your company's name associated with an exploitable vulnerability.

Elements of Successful Attacks

This vulnerability is being actively exploited in the wild. The attackers are using an SMB stack overflow to execute the code.

1) The malware executable must sleep for a certain period of time before it can successfully exploit the vulnerability. This is to avoid detection by AV or IDS/IPS signatures. 2) The binary contains scripts that cause windows explorer to close as soon as it loads and then re-open, which could indicate a possible exploitation attempt 3) It uses a known technique that was used in an exploit kit to decrypt and execute the payload so if no memory space exists, the payload will not execute 4) It uses an old version of pycharm (2017.3.2) instead of a newer version (2018.2) because they never patched this bug 5) It uses a custom compiled python script that uses a slightly different technique from other binaries 6) The payload executes Windows command line cmd with elevated privileges

Mitigation Mitigation:


* Apply the patch provided by Microsoft to all systems.
* Disable SMBv1 on your network.
* Consider disabling SMBv2 on your network as it contains the same vulnerability.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe