Advisories Archive

CVE-2021-44228: Wowza Streaming Engine v. <= 4.8.16+1 - RCE (Log4j)

Severity: High

Wowza Streaming Engine v.<= 4.8.16+1 (build 20211129092949) is vulnerable to the Log4j JNDI injection, affecting the 'j_username' username field, in the login page as well as other HTTP headers. Attackers exploiting this issue will be able to achieve remote code execution (RCE) in the context of the NT AUTHORITY\SYSTEM Windows user managing the service.

All vendors affected by the Log4j vulnerability must use the CVE-2021-44228 when referring to this vulnerability in their own products. At present, MITRE does not offer an option for a vendor to associate its own unique CVE ID with this same underlying vulnerability.

CVE-2021-44903: MSI Center Pro v. <= 2.0.16.0 - Multiple Privilege Escalation (LPE/EoP)

Severity: High

Micro-Star International (MSI) Center Pro v. <= 2.0.16.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following drivers components:

atidgllk.sys - D299A2420F92A1F0150265F26D496AE587A681DA
atillk64.sys - C52CEF5B9E1D4A78431B7AF56A6FDB6AA1BCAD65
MODAPI.sys/WinRing0x64.sys - D25340AE8E92A6D29F599FEF426A2BC1B5217299
NTIOLib.sys - CFD03C6FA17F369E5D7286D1B8A97C49DDAE93A3
NTIOLib.sys - FC639CC99362DF79D7AAC31057740C515205A6C4
NTIOLib.sys - 4C9691E9B87DC84619E30C6EB21256369EFB8996
NTIOLib_X64.sys - 9F31AD3DBA608773EBE62962D654508D7787FF08
NTIOLib_X64.sys - DB4C5957DBDA3D3691AA1E393D1F63AD0B049DF5
NTIOLib_X64.sys - AD31989CC268ABF8CB36BF44C2087AA761F30F3E
WinRing0.sys - 8AC34EB21B9B38F67CD29684C45696C20AB2E75A

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

CVE-2021-44899: MSI Center v. <= 1.0.31.0 - Multiple Privilege Escalation (LPE/EoP)

Severity: High

Micro-Star International (MSI) Center v. <= 1.0.31.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following drivers components:

atidgllk.sys - D299A2420F92A1F0150265F26D496AE587A681DA
atillk64.sys - C52CEF5B9E1D4A78431B7AF56A6FDB6AA1BCAD65
MODAPI.sys/WinRing0x64.sys - D25340AE8E92A6D29F599FEF426A2BC1B5217299
NTIOLib.sys - CFD03C6FA17F369E5D7286D1B8A97C49DDAE93A3
NTIOLib.sys - FC639CC99362DF79D7AAC31057740C515205A6C4
NTIOLib.sys - 4C9691E9B87DC84619E30C6EB21256369EFB8996
NTIOLib_X64.sys - 9F31AD3DBA608773EBE62962D654508D7787FF08
NTIOLib_X64.sys - DB4C5957DBDA3D3691AA1E393D1F63AD0B049DF5
NTIOLib_X64.sys - AD31989CC268ABF8CB36BF44C2087AA761F30F3E
WinRing0.sys - 8AC34EB21B9B38F67CD29684C45696C20AB2E75A

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

CVE-2021-44901: MSI Dragon Center v. <= 2.0.116.0 - Multiple Privilege Escalation (LPE/EoP)

Severity: High

Micro-Star International (MSI) Dragon Center v. <= 2.0.116.0 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following drivers components:

atidgllk.sys - D299A2420F92A1F0150265F26D496AE587A681DA
atillk64.sys - C52CEF5B9E1D4A78431B7AF56A6FDB6AA1BCAD65
MODAPI.sys/WinRing0x64.sys - D25340AE8E92A6D29F599FEF426A2BC1B5217299
NTIOLib.sys - CFD03C6FA17F369E5D7286D1B8A97C49DDAE93A3
NTIOLib.sys - FC639CC99362DF79D7AAC31057740C515205A6C4
NTIOLib.sys - 4C9691E9B87DC84619E30C6EB21256369EFB8996
NTIOLib_X64.sys - 9F31AD3DBA608773EBE62962D654508D7787FF08
NTIOLib_X64.sys - DB4C5957DBDA3D3691AA1E393D1F63AD0B049DF5
NTIOLib_X64.sys - AD31989CC268ABF8CB36BF44C2087AA761F30F3E
WinRing0.sys - 8AC34EB21B9B38F67CD29684C45696C20AB2E75A

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

CVE-2021-44900: MSI App Player v. <= 4.280.1.6309 - Multiple Privilege Escalation (LPE/EoP)

Severity: High

Micro-Star International (MSI) App Player v. <= 4.280.1.6309 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the following driver component:

NTIOLib_X64.sys - AE3763CBBD21F6E561AC502D2EE7FE8EDFB2292D

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

CVE-2021-41285: Crucial Ballistix MOD Utility v. <= 2.0.2.5 - Multiple Privilege Escalation (LPE/EoP)

Severity: High

Crucial by Micron Technology, Inc Ballistix MOD Utility v.<= 2.0.2.5 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the MODAPI.sys driver component.

All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to:

Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a virtual address user-space.
Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr functions calls.
Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM.

Root Cause Analysis

CVE-2021-40827: Clementine Music Player v. <= v.1.3.1 - Read Access Violation on Block Data Move

Severity: Medium

Clementine Music Player v. <= 1.3.1, in libgstreamer-1.0-0.dll (F1CC318CA54B8BC35179A48DAEBB94DF741D9E3B) module, is affected by a Read Access Violation on Block Data Move (potential Stack Overflow), affecting the MP3 file parsing functionality at memcpy+0x265.

The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine.
Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user.

eax=00000000 ebx=00000000 ecx=029be272 edx=00000000 esi=0edd2ffe edi=194cba44
eip=76888f55 esp=0edcfb38 ebp=0edcfb40 iopl=0 nv dn ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010616
msvcrt!memcpy+0x265:
76888f55 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_msvcrt.dll!memcpy

Basic Block:
    777c8f55 rep movs dword ptr es:[edi],dword ptr [esi]
       Tainted Input operands: 'ecx','esi'
    777c8f57 cld
 
    777c8f58 jmp dword ptr msvcrt!memcpy+0x310 (777c9000)[edx*4]
Exception Hash (Major/Minor): 0xb323a61f.0x1e633652

 Hash Usage : Stack Trace:
Major+Minor : msvcrt!memcpy+0x265
Major+Minor : libgstreamer_1_0_0!gst_buffer_fill+0x190
Major+Minor : libgsttag_1_0_0!gst_tag_mux_get_type+0x20df
Major+Minor : libgsttag_1_0_0!gst_tag_list_from_id3v2_tag+0x9ab
Major+Minor : libglib_2_0_0!g_rec_mutex_unlock+0x14
Minor       : libgstreamer_1_0_0!gst_buffer_unmap+0x56
Minor       : libgstreamer_1_0_0!gst_memory_resize+0x22
Minor       : libgstid3demux+0x17fc
Minor       : libgstreamer_1_0_0!gst_buffer_set_size+0x2f
Minor       : libgsttag_1_0_0!gst_tag_demux_get_type+0x1011
Minor       : libgstreamer_1_0_0!gst_element_get_type+0x114
Minor       : libgsttag_1_0_0!gst_tag_demux_get_type+0x1c49
Minor       : libglib_2_0_0!g_mutex_unlock+0x12
Minor       : libgstreamer_1_0_0!gst_tag_setter_get_tag_merge_mode+0x186
Minor       : KERNEL32!timeGetTime+0x37
Minor       : libglib_2_0_0!g_thread_pool_new+0x2f6
Instruction Address: 0x0000000076888f55

Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at msvcrt!memcpy+0x0000000000000265 (Hash=0xb323a61f.0x1e633652)

CVE-2021-40826: Clementine Music Player v. <= v.1.3.1 - User Mode Write Access Violation

Severity: Medium

Clementine Music Player v. <= 1.3.1 is affected by a User Mode Write Access Violation, affecting the MP3 file parsing functionality at clementine+0x3aa207.

The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine.
Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user.

eax=00000080 ebx=00000000 ecx=e6f6bc6d edx=00000000 esi=00000000 edi=54d40bb8
eip=007aa207 esp=561af1f8 ebp=561af280 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
clementine+0x3aa207:
007aa207 894604          mov     dword ptr [esi+4],eax ds:002b:00000004=????????

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_WRITE_AVRF_c0000005_clementine.exe!Unknown

Basic Block:
    007aa207 mov dword ptr [esi+4],eax
       Tainted Input operands: 'eax','esi'
    007aa20a mov eax,dword ptr [ebp+0ch]
    007aa20d mov dword ptr [esi+8],eax
    007aa210 lock inc dword ptr [qtcore4!zn9qlistdata11shared_nulle (6e200074)]
    007aa217 setne al
    007aa21a mov eax,dword ptr [esi]
    007aa21c mov dword ptr [esi],offset qtcore4!zn9qlistdata11shared_nulle (6e200074)
    007aa222 lock dec dword ptr [eax]
    007aa225 setne dl
    007aa228 test dl,dl
    007aa22a jne clementine+0x3aa23b (007aa23b)

Exception Hash (Major/Minor): 0xf535c3f1.0x4c51c076

 Hash Usage : Stack Trace:
Major+Minor : clementine+0x3aa207
Major+Minor : clementine+0x2555e4
Major+Minor : libgobject_2_0_0!g_cclosure_marshal_VOID__OBJECTv+0x46
Instruction Address: 0x00000000007aa207

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at clementine+0x00000000003aa207 (Hash=0xf535c3f1.0x4c51c076)

CVE-2021-1079: NVIDIA GeForce Experience v. <= 3.21 - from Arbitrary File Write to EoP to Code Execution

Severity: High

NVIDIA GeForce Experience (GFE) v.<= 3.21 is affected by an Arbitrary File Write vulnerability in the GameStream/ShadowPlay plugins, where log files are created using NT AUTHORITY\SYSTEM level permissions, which lead to Command Execution and Elevation of Privileges (EoP).

Root Cause Analysis

CVE-2021-26237: FastStone Image Viewer v. <= 7.5 - User Mode Write Access Violation

Severity: High

FastStone Image Viewer v.<= 7.5 is affected by a user mode Write Access Violation at 0x00402d7d, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. Attackers could exploit this issue for a Denial of Service (DoS) or possibly to achieve code execution.