Zero-day vulnerability in Windows

Use-after-free
CVE-2021-40449

A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a previously unknown remote access trojan (RAT).

The attacks were noticed in late August and September 2021

Known malware:

MysterySnail

Vulnerability details

Advisory: SB2021101211 - Privilege escalation in Microsoft Windows kernel

Vulnerable component: Windows

CVE-ID: CVE-2021-40449

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-416 - Use After Free

Description:

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the Win32k NtGdiResetDC function in Microsoft Windows kernel. A local user can run a specially crafted program to trigger a use-after-free error, when the function ResetDC is executed a second time for the same handle during execution of its own callback, and execute arbitrary code with elevated privileges.

Note, the vulnerability is being actively exploited in the wild.

External links:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40449

https://www.bleepingcomputer.com/news/security/chinese-hackers-use-windows-zero-day-to-attack-defens...

https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/



About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.