Microsoft CVE Summary

This report contains details for the following vulnerabilities:

Tag | CVE ID | CVE Title
.NET Core & Visual Studio | CVE-2021-41355 | .NET Core and Visual Studio Information Disclosure Vulnerability
Active Directory Federation Services | CVE-2021-41361 | Active Directory Federation Server Spoofing Vulnerability
Console Window Host | CVE-2021-41346 | Console Window Host Security Feature Bypass Vulnerability
HTTP.sys | CVE-2021-26442 | Windows HTTP.sys Elevation of Privilege Vulnerability
Microsoft DWM Core Library | CVE-2021-41339 | Microsoft DWM Core Library Elevation of Privilege Vulnerability
Microsoft Dynamics | CVE-2021-40457 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
Microsoft Dynamics | CVE-2021-41353 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability
Microsoft Dynamics | CVE-2021-41354 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
Microsoft Edge (Chromium-based) | CVE-2021-37978 | Chromium: CVE-2021-37978 Heap buffer overflow in Blink
Microsoft Edge (Chromium-based) | CVE-2021-37979 | Chromium: CVE-2021-37979 Heap buffer overflow in WebRTC
Microsoft Edge (Chromium-based) | CVE-2021-37980 | Chromium: CVE-2021-37980 Inappropriate implementation in Sandbox
Microsoft Edge (Chromium-based) | CVE-2021-37977 | Chromium: CVE-2021-37977 Use after free in Garbage Collection
Microsoft Edge (Chromium-based) | CVE-2021-37974 | Chromium: CVE-2021-37974 Use after free in Safe Browsing
Microsoft Edge (Chromium-based) | CVE-2021-37975 | Chromium: CVE-2021-37975 Use after free in V8
Microsoft Edge (Chromium-based) | CVE-2021-37976 | Chromium: CVE-2021-37976 Information leak in core
Microsoft Exchange Server | CVE-2021-26427 | Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server | CVE-2021-34453 | Microsoft Exchange Server Denial of Service Vulnerability
Microsoft Exchange Server | CVE-2021-41348 | Microsoft Exchange Server Elevation of Privilege Vulnerability
Microsoft Exchange Server | CVE-2021-41350 | Microsoft Exchange Server Spoofing Vulnerability
Microsoft Graphics Component | CVE-2021-41340 | Windows Graphics Component Remote Code Execution Vulnerability
Microsoft Intune | CVE-2021-41363 | Intune Management Extension Security Feature Bypass Vulnerability
Microsoft Office Excel | CVE-2021-40473 | Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office Excel | CVE-2021-40472 | Microsoft Excel Information Disclosure Vulnerability
Microsoft Office Excel | CVE-2021-40471 | Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office Excel | CVE-2021-40474 | Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office Excel | CVE-2021-40485 | Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office Excel | CVE-2021-40479 | Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office SharePoint | CVE-2021-40487 | Microsoft SharePoint Server Remote Code Execution Vulnerability
Microsoft Office SharePoint | CVE-2021-40483 | Microsoft SharePoint Server Spoofing Vulnerability
Microsoft Office SharePoint | CVE-2021-40484 | Microsoft SharePoint Server Spoofing Vulnerability
Microsoft Office SharePoint | CVE-2021-40482 | Microsoft SharePoint Server Information Disclosure Vulnerability
Microsoft Office SharePoint | CVE-2021-41344 | Microsoft SharePoint Server Remote Code Execution Vulnerability
Microsoft Office Visio | CVE-2021-40480 | Microsoft Office Visio Remote Code Execution Vulnerability
Microsoft Office Visio | CVE-2021-40481 | Microsoft Office Visio Remote Code Execution Vulnerability
Microsoft Office Word | CVE-2021-40486 | Microsoft Word Remote Code Execution Vulnerability
Microsoft Windows Codecs Library | CVE-2021-40462 | Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability
Microsoft Windows Codecs Library | CVE-2021-41330 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Microsoft Windows Codecs Library | CVE-2021-41331 | Windows Media Audio Decoder Remote Code Execution Vulnerability
Rich Text Edit Control | CVE-2021-40454 | Rich Text Edit Control Information Disclosure Vulnerability
Role: DNS Server | CVE-2021-40469 | Windows DNS Server Remote Code Execution Vulnerability
Role: Windows Active Directory Server | CVE-2021-41337 | Active Directory Security Feature Bypass Vulnerability
Role: Windows AD FS Server | CVE-2021-40456 | Windows AD FS Security Feature Bypass Vulnerability
Role: Windows Hyper-V | CVE-2021-40461 | Windows Hyper-V Remote Code Execution Vulnerability
Role: Windows Hyper-V | CVE-2021-38672 | Windows Hyper-V Remote Code Execution Vulnerability
System Center | CVE-2021-41352 | SCOM Information Disclosure Vulnerability
Visual Studio | CVE-2020-1971 | OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference
Visual Studio | CVE-2021-3450 | OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT
Visual Studio | CVE-2021-3449 | OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing
Windows AppContainer | CVE-2021-41338 | Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
Windows AppContainer | CVE-2021-40476 | Windows AppContainer Elevation Of Privilege Vulnerability
Windows AppX Deployment Service | CVE-2021-41347 | Windows AppX Deployment Service Elevation of Privilege Vulnerability
Windows Bind Filter Driver | CVE-2021-40468 | Windows Bind Filter Driver Information Disclosure Vulnerability
Windows Cloud Files Mini Filter Driver | CVE-2021-40475 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
Windows Common Log File System Driver | CVE-2021-40443 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
Windows Common Log File System Driver | CVE-2021-40467 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
Windows Common Log File System Driver | CVE-2021-40466 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
Windows Desktop Bridge | CVE-2021-41334 | Windows Desktop Bridge Elevation of Privilege Vulnerability
Windows DirectX | CVE-2021-40470 | DirectX Graphics Kernel Elevation of Privilege Vulnerability
Windows Event Tracing | CVE-2021-40477 | Windows Event Tracing Elevation of Privilege Vulnerability
Windows exFAT File System | CVE-2021-38663 | Windows exFAT File System Information Disclosure Vulnerability
Windows Fastfat Driver | CVE-2021-41343 | Windows Fast FAT File System Driver Information Disclosure Vulnerability
Windows Fastfat Driver | CVE-2021-38662 | Windows Fast FAT File System Driver Information Disclosure Vulnerability
Windows Installer | CVE-2021-40455 | Windows Installer Spoofing Vulnerability
Windows Kernel | CVE-2021-41336 | Windows Kernel Information Disclosure Vulnerability
Windows Kernel | CVE-2021-41335 | Windows Kernel Elevation of Privilege Vulnerability
Windows MSHTML Platform | CVE-2021-41342 | Windows MSHTML Platform Remote Code Execution Vulnerability
Windows Nearby Sharing | CVE-2021-40464 | Windows Nearby Sharing Elevation of Privilege Vulnerability
Windows Network Address Translation (NAT) | CVE-2021-40463 | Windows NAT Denial of Service Vulnerability
Windows Print Spooler Components | CVE-2021-41332 | Windows Print Spooler Information Disclosure Vulnerability
Windows Print Spooler Components | CVE-2021-36970 | Windows Print Spooler Spoofing Vulnerability
Windows Remote Procedure Call Runtime | CVE-2021-40460 | Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability
Windows Storage Spaces Controller | CVE-2021-40489 | Storage Spaces Controller Elevation of Privilege Vulnerability
Windows Storage Spaces Controller | CVE-2021-41345 | Storage Spaces Controller Elevation of Privilege Vulnerability
Windows Storage Spaces Controller | CVE-2021-26441 | Storage Spaces Controller Elevation of Privilege Vulnerability
Windows Storage Spaces Controller | CVE-2021-40478 | Storage Spaces Controller Elevation of Privilege Vulnerability
Windows Storage Spaces Controller | CVE-2021-40488 | Storage Spaces Controller Elevation of Privilege Vulnerability
Windows TCP/IP | CVE-2021-36953 | Windows TCP/IP Denial of Service Vulnerability
Windows Text Shaping | CVE-2021-40465 | Windows Text Shaping Remote Code Execution Vulnerability
Windows Win32K | CVE-2021-40449 | Win32k Elevation of Privilege Vulnerability
Windows Win32K | CVE-2021-41357 | Win32k Elevation of Privilege Vulnerability
Windows Win32K | CVE-2021-40450 | Win32k Elevation of Privilege Vulnerability

CVE-2021-34453 - Microsoft Exchange Server Denial of Service Vulnerability

CVE ID: CVE-2021-34453 (references: MITRE, NVD)
CVE Title: Microsoft Exchange Server Denial of Service Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service

CVSS:3.0 7.5 (base) / 6.5 (temporal)
Base score metrics:
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
Temporal score metrics:
    Exploit Code Maturity: Unproven
    Remediation Level: Official Fix
    Report Confidence: Confirmed

FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-34453
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set (Base / Temporal, Vector) | Restart Required
Microsoft Exchange Server 2016 Cumulative Update 21 | 5007012 (Security Update) | Important | Denial of Service |  | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Microsoft Exchange Server 2016 Cumulative Update 22 | 5007012 (Security Update) | Important | Denial of Service |  | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Microsoft Exchange Server 2019 Cumulative Update 10 | 5007012 (Security Update) | Important | Denial of Service |  | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Microsoft Exchange Server 2019 Cumulative Update 11 | 5007012 (Security Update) | Important | Denial of Service |  | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-34453 | Nicolas Joly of Microsoft Corporation


CVE-2021-36953 - Windows TCP/IP Denial of Service Vulnerability

CVE ID: CVE-2021-36953 (references: MITRE, NVD)
CVE Title: Windows TCP/IP Denial of Service Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service

CVSS:3.0 7.5 (base) / 6.5 (temporal)
Base score metrics:
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
    Confidentiality: None
    Integrity: None
    Availability: High
Temporal score metrics:
    Exploit Code Maturity: Unproven
    Remediation Level: Official Fix
    Report Confidence: Confirmed

FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-36953
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set (Base / Temporal, Vector) | Restart Required
Windows 10 for 32-bit Systems | 5006675 (Security Update) | Important | Denial of Service | 5005569 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 for x64-based Systems | 5006675 (Security Update) | Important | Denial of Service | 5005569 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1607 for 32-bit Systems | 5006669 (Security Update) | Important | Denial of Service | 5005573 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1607 for x64-based Systems | 5006669 (Security Update) | Important | Denial of Service | 5005573 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Denial of Service | 5005030 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Denial of Service | 5005030 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Denial of Service | 5005030 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Denial of Service | 5005566 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Denial of Service | 5005566 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Denial of Service | 5005566 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 2004 for x64-based Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 20H2 for 32-bit Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 20H2 for ARM64-based Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 20H2 for x64-based Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 21H1 for 32-bit Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 21H1 for ARM64-based Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 10 Version 21H1 for x64-based Systems | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 11 for ARM64-based Systems | 5006674 (Security Update) | Important | Denial of Service | None | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 11 for x64-based Systems | 5006674 (Security Update) | Important | Denial of Service | None | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 7 for 32-bit Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Denial of Service | 5005633 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 7 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Denial of Service | 5005633 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 8.1 for 32-bit systems | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Denial of Service | 5005613 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows 8.1 for x64-based systems | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Denial of Service | 5005613 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows RT 8.1 | 5006714 (Monthly Rollup) | Important | Denial of Service | 5005613 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Denial of Service | 5005606 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Denial of Service | 5005606 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Denial of Service | 5005606 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Denial of Service | 5005606 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Denial of Service | 5005633 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Denial of Service | 5005633 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2012 | 5006739 (Monthly Rollup); 5006732 (Security Only) | Important | Denial of Service | 5005623 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2012 (Server Core installation) | 5006739 (Monthly Rollup); 5006732 (Security Only) | Important | Denial of Service | 5005623 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2012 R2 | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Denial of Service | 5005613 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2012 R2 (Server Core installation) | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Denial of Service | 5005613 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2016 | 5006669 (Security Update) | Important | Denial of Service | 5005573 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Denial of Service | 5005573 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2019 | 5006672 (Security Update) | Important | Denial of Service | 5005030 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Denial of Service | 5005030 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Denial of Service | 5005575 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Denial of Service | 5005575 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Denial of Service | 5005565 | 7.5 / 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-36953 | Huichen Lin and Dong Seong Kim of School of Information Technology and Electrical Engineering - The University of Queensland


CVE-2021-36970 - Windows Print Spooler Spoofing Vulnerability

CVE ID: CVE-2021-36970 (references: MITRE, NVD)
CVE Title: Windows Print Spooler Spoofing Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing

CVSS:3.0 8.8 (base) / 8.2 (temporal)
Base score metrics:
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: Required
    Scope: Unchanged
    Confidentiality: High
    Integrity: High
    Availability: High
Temporal score metrics:
    Exploit Code Maturity: Functional
    Remediation Level: Official Fix
    Report Confidence: Confirmed

FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation More Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-36970
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set (Base / Temporal, Vector) | Restart Required
Windows 10 for 32-bit Systems | 5006675 (Security Update) | Important | Spoofing | 5005569 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 for x64-based Systems | 5006675 (Security Update) | Important | Spoofing | 5005569 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1607 for 32-bit Systems | 5006669 (Security Update) | Important | Spoofing | 5005573 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1607 for x64-based Systems | 5006669 (Security Update) | Important | Spoofing | 5005573 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Spoofing | 5005030 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Spoofing | 5005030 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Spoofing | 5005030 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Spoofing | 5005566 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Spoofing | 5005566 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Spoofing | 5005566 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 2004 for x64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 20H2 for 32-bit Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 20H2 for ARM64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 20H2 for x64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 21H1 for 32-bit Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 21H1 for ARM64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 10 Version 21H1 for x64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 11 for ARM64-based Systems | 5006674 (Security Update) | Important | Spoofing | None | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 11 for x64-based Systems | 5006674 (Security Update) | Important | Spoofing | None | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 7 for 32-bit Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Spoofing | 5005633 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 7 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Spoofing | 5005633 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 8.1 for 32-bit systems | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Spoofing | 5005613 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows 8.1 for x64-based systems | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Spoofing | 5005613 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows RT 8.1 | 5006714 (Monthly Rollup) | Important | Spoofing | 5005613 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Spoofing | 5005606 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Spoofing | 5005606 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Spoofing | 5005606 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Spoofing | 5005606 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Spoofing | 5005633 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Spoofing | 5005633 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2012 | 5006739 (Monthly Rollup); 5006732 (Security Only) | Important | Spoofing | 5005623 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2012 (Server Core installation) | 5006739 (Monthly Rollup); 5006732 (Security Only) | Important | Spoofing | 5005623 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2012 R2 | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Spoofing | 5005613 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2012 R2 (Server Core installation) | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Spoofing | 5005613 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2016 | 5006669 (Security Update) | Important | Spoofing | 5005573 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Spoofing | 5005573 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2019 | 5006672 (Security Update) | Important | Spoofing | 5005030 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Spoofing | 5005030 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Spoofing | 5005575 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Spoofing | 5005575 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Spoofing | 5005565 | 8.8 / 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-36970 | XueFeng Li and Zhiniang Peng with Sangfor


CVE-2021-40443 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE ID: CVE-2021-40443 (references: MITRE, NVD)
CVE Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege

CVSS:3.0 7.8 (base) / 6.8 (temporal)
Base score metrics:
    Attack Vector: Local
    Attack Complexity: Low
    Privileges Required: Low
    User Interaction: None
    Scope: Unchanged
    Confidentiality: High
    Integrity: High
    Availability: High
Temporal score metrics:
    Exploit Code Maturity: Unproven
    Remediation Level: Official Fix
    Report Confidence: Confirmed

FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation More Likely
Publicly Disclosed: No
Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40443
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 5006675 (Security Update) Important Elevation of Privilege 5005569 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 5006675 (Security Update) Important Elevation of Privilege 5005569 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 5006667 (Security Update) Important Elevation of Privilege 5005566 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 5006667 (Security Update) Important Elevation of Privilege 5005566 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 5006667 (Security Update) Important Elevation of Privilege 5005566 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 2004 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 2004 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 2004 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H1 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H1 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H1 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 for ARM64-based Systems 5006674 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 for x64-based Systems 5006674 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows RT 8.1 5006714 (Monthly Rollup) Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Elevation of Privilege 5005623
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Elevation of Privilege 5005623
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5006699 (Security Update) Important Elevation of Privilege 5005575 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5006699 (Security Update) Important Elevation of Privilege 5005575 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server, version 2004 (Server Core installation) 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server, version 20H2 (Server Core Installation) 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2021-40443 Asuka with Cyber KunLun
HyungSeok Han with Theori


CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability

CVE ID: CVE-2021-40449 (MITRE, NVD)
CVE Title: Win32k Elevation of Privilege Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege

CVSS: CVSS:3.0 7.8/7.2 (base/temporal)
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed

FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Detected
Publicly Disclosed: No
Exploited: Yes

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40449
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 5006675 (Security Update) Important Elevation of Privilege 5005569 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 5006675 (Security Update) Important Elevation of Privilege 5005569 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 5006667 (Security Update) Important Elevation of Privilege 5005566 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 5006667 (Security Update) Important Elevation of Privilege 5005566 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 5006667 (Security Update) Important Elevation of Privilege 5005566 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 2004 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 2004 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 2004 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 21H1 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 21H1 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 21H1 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 11 for ARM64-based Systems 5006674 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 11 for x64-based Systems 5006674 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows RT 8.1 5006714 (Monthly Rollup) Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 5006736 (Monthly Rollup)
5006715 (Security Only)
Important Elevation of Privilege 5005606
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 5006743 (Monthly Rollup)
5006728 (Security Only)
Important Elevation of Privilege 5005633
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Elevation of Privilege 5005623
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Elevation of Privilege 5005623
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 R2 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2016 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2019 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2022 5006699 (Security Update) Important Elevation of Privilege 5005575 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5006699 (Security Update) Important Elevation of Privilege 5005575 Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server, version 2004 (Server Core installation) 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server, version 20H2 (Server Core Installation) 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2021-40449 Boris Larin (oct0xor) with Kaspersky


CVE-2021-40454 - Rich Text Edit Control Information Disclosure Vulnerability

CVE ID: CVE-2021-40454 (MITRE, NVD)
CVE Title: Rich Text Edit Control Information Disclosure Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure

CVSS: CVSS:3.0 5.5/5.1 (base/temporal)
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics
Exploit Code Maturity: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed

FAQ:

What type of information could be disclosed by this vulnerability?

An attacker that successfully exploited this vulnerability could recover cleartext passwords from memory.

Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely
Publicly Disclosed: No
Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40454
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft 365 Apps for Enterprise for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
No
Microsoft 365 Apps for Enterprise for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
No
Microsoft Office 2013 RT Service Pack 1 4018332 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Maybe
Microsoft Office 2013 Service Pack 1 (32-bit editions) 4018332 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Maybe
Microsoft Office 2013 Service Pack 1 (64-bit editions) 4018332 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Maybe
Microsoft Office 2016 (32-bit edition) 4461476 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Maybe
Microsoft Office 2016 (64-bit edition) 4461476 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
No
Microsoft Office 2019 for Mac Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Maybe
Microsoft Office LTSC 2021 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
No
Microsoft Office LTSC 2021 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
No
Microsoft Office LTSC for Mac 2021 Release Notes (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Maybe
Windows 10 for 32-bit Systems 5006675 (Security Update) Important Information Disclosure 5005569 Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 5006675 (Security Update) Important Information Disclosure 5005569 Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 5006669 (Security Update) Important Information Disclosure 5005573 Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 5006669 (Security Update) Important Information Disclosure 5005573 Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 5006672 (Security Update) Important Information Disclosure 5005030
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 5006672 (Security Update) Important Information Disclosure 5005030
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 5006672 (Security Update) Important Information Disclosure 5005030
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 5006667 (Security Update) Important Information Disclosure 5005566 Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 5006667 (Security Update) Important Information Disclosure 5005566 Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 5006667 (Security Update) Important Information Disclosure 5005566 Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 2004 for 32-bit Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 2004 for ARM64-based Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 2004 for x64-based Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 21H1 for 32-bit Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 21H1 for ARM64-based Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 10 Version 21H1 for x64-based Systems 5006670 (Security Update) Important Information Disclosure 5005565
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 11 for ARM64-based Systems 5006674 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 11 for x64-based Systems 5006674 (Security Update) Important Information Disclosure None Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Information Disclosure 5005613
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Information Disclosure 5005613
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows RT 8.1 5006714 (Monthly Rollup) Important Information Disclosure 5005613
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows Server 2012 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Information Disclosure 5005623
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Information Disclosure 5005623
Base: 5.5
Temporal: 5.1
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Yes
Windows Server 2012 R2 | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Information Disclosure | 5005613 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server 2012 R2 (Server Core installation) | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Information Disclosure | 5005613 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server 2016 | 5006669 (Security Update) | Important | Information Disclosure | 5005573 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Information Disclosure | 5005573 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server 2019 | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Information Disclosure | 5005575 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Information Disclosure | 5005575 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 5.1, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-40454 | None

CVE-2021-40455 - Windows Installer Spoofing Vulnerability

CVE ID: CVE-2021-40455 (MITRE, NVD)
CVE Title: Windows Installer Spoofing Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
CVSS: CVSS:3.0 5.5/4.8 (Base/Temporal)
Base score metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0  2021-10-12T07:00:00Z  Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40455
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required
Windows 10 for 32-bit Systems | 5006675 (Security Update) | Important | Spoofing | 5005569 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 for x64-based Systems | 5006675 (Security Update) | Important | Spoofing | 5005569 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1607 for 32-bit Systems | 5006669 (Security Update) | Important | Spoofing | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1607 for x64-based Systems | 5006669 (Security Update) | Important | Spoofing | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Spoofing | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Spoofing | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Spoofing | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Spoofing | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Spoofing | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Spoofing | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for x64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for 32-bit Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for ARM64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for x64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for 32-bit Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for ARM64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for x64-based Systems | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 11 for ARM64-based Systems | 5006674 (Security Update) | Important | Spoofing | None | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 11 for x64-based Systems | 5006674 (Security Update) | Important | Spoofing | None | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 7 for 32-bit Systems Service Pack 1 | 5006743 (Monthly Rollup), 5006728 (Security Only) | Important | Spoofing | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 7 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup), 5006728 (Security Only) | Important | Spoofing | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 8.1 for 32-bit systems | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Spoofing | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows 8.1 for x64-based systems | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Spoofing | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows RT 8.1 | 5006714 (Monthly Rollup) | Important | Spoofing | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 | 5006736 (Monthly Rollup), 5006715 (Security Only) | Important | Spoofing | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup), 5006715 (Security Only) | Important | Spoofing | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 | 5006736 (Monthly Rollup), 5006715 (Security Only) | Important | Spoofing | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup), 5006715 (Security Only) | Important | Spoofing | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup), 5006728 (Security Only) | Important | Spoofing | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5006743 (Monthly Rollup), 5006728 (Security Only) | Important | Spoofing | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 | 5006739 (Monthly Rollup), 5006732 (Security Only) | Important | Spoofing | 5005623 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 (Server Core installation) | 5006739 (Monthly Rollup), 5006732 (Security Only) | Important | Spoofing | 5005623 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 R2 | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Spoofing | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 R2 (Server Core installation) | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Spoofing | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2016 | 5006669 (Security Update) | Important | Spoofing | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Spoofing | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2019 | 5006672 (Security Update) | Important | Spoofing | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Spoofing | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Spoofing | 5005575 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Spoofing | 5005575 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Spoofing | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-40455 | Fortinet's FortiGuard Labs.


CVE-2021-40456 - Windows AD FS Security Feature Bypass Vulnerability

CVE ID: CVE-2021-40456 (MITRE, NVD)
CVE Title: Windows AD FS Security Feature Bypass Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Security Feature Bypass
CVSS: CVSS:3.0 5.3/4.6 (Base/Temporal)
Base score metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ:

What security feature could be bypassed by exploiting this vulnerability?

This vulnerability could allow an attacker to bypass ADFS BannedIPList entries for WS-Trust workflows.

Mitigations: None
Workarounds: None
Revision: 1.0  2021-10-12T07:00:00Z  Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40456
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required
Windows Server 2019 | 5006672 (Security Update) | Important | Security Feature Bypass | 5005030 | Base: 5.3, Temporal: 4.6, Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Security Feature Bypass | 5005030 | Base: 5.3, Temporal: 4.6, Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Security Feature Bypass | 5005575 | Base: 5.3, Temporal: 4.6, Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Security Feature Bypass | 5005575 | Base: 5.3, Temporal: 4.6, Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Security Feature Bypass | 5005565 | Base: 5.3, Temporal: 4.6, Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Security Feature Bypass | 5005565 | Base: 5.3, Temporal: 4.6, Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-40456 | None

CVE-2021-40457 - Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

CVE ID: CVE-2021-40457 (MITRE, NVD)
CVE Title: Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
CVSS: CVSS:3.1 7.4/6.9 (Base/Temporal)
Base score metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics:
Exploit Code Maturity: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ:

The CVSS Score says user action is required. What type of user action is required?

A user would have to open a maliciously crafted email sent to Dynamics 365 Customer Engagement.

Mitigations: None
Workarounds: None
Revision: 1.0  2021-10-12T07:00:00Z  Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40457
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required
Microsoft Dynamics 365 Customer Engagement V9.0 | 4618795 (Security Update) | Important | Spoofing | None | Base: 7.4, Temporal: 6.9, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:F/RL:O/RC:C | Maybe
Microsoft Dynamics 365 Customer Engagement V9.1 | 4618810 (Security Update) | Important | Spoofing | None | Base: 7.4, Temporal: 6.9, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:F/RL:O/RC:C | Maybe

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-40457 | None

CVE-2021-40475 - Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

CVE ID: CVE-2021-40475 (MITRE, NVD)
CVE Title: Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure
CVSS: CVSS:3.0 5.5/4.8 (Base/Temporal)
Base score metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of kernel memory. An attacker could read the contents of kernel memory from a user mode process.

Mitigations: None
Workarounds: None
Revision: 1.0  2021-10-12T07:00:00Z  Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40475
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Information Disclosure | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Information Disclosure | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Information Disclosure | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for x64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for 32-bit Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for ARM64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for x64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for 32-bit Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for ARM64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for x64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 11 for ARM64-based Systems | 5006674 (Security Update) | Important | Information Disclosure | None | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 11 for x64-based Systems | 5006674 (Security Update) | Important | Information Disclosure | None | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2019 | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Information Disclosure | 5005575 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Information Disclosure | 5005575 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-40475 | ziming zhang of Ant Security Light-Year Lab


CVE-2021-40476 - Windows AppContainer Elevation Of Privilege Vulnerability

CVE ID: CVE-2021-40476 (MITRE, NVD)
CVE Title: Windows AppContainer Elevation Of Privilege Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
CVSS: CVSS:3.0 7.5/6.7 (Base/Temporal)
Base score metrics:
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics:
Exploit Code Maturity: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0  2021-10-12T07:00:00Z  Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40476
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required
Windows 10 for 32-bit Systems | 5006675 (Security Update) | Important | Elevation of Privilege | 5005569 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 for x64-based Systems | 5006675 (Security Update) | Important | Elevation of Privilege | 5005569 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1607 for 32-bit Systems | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1607 for x64-based Systems | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 2004 for x64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 20H2 for 32-bit Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 20H2 for ARM64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 20H2 for x64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 21H1 for 32-bit Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 21H1 for ARM64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 10 Version 21H1 for x64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 11 for ARM64-based Systems | 5006674 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 11 for x64-based Systems | 5006674 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 8.1 for 32-bit systems | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows 8.1 for x64-based systems | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows RT 8.1 | 5006714 (Monthly Rollup) | Important | Elevation of Privilege | 5005613 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2012 | 5006739 (Monthly Rollup), 5006732 (Security Only) | Important | Elevation of Privilege | 5005623 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2012 (Server Core installation) | 5006739 (Monthly Rollup), 5006732 (Security Only) | Important | Elevation of Privilege | 5005623 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2012 R2 | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2012 R2 (Server Core installation) | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2016 | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2019 | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Elevation of Privilege | 5005575 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Elevation of Privilege | 5005575 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.5, Temporal: 6.7, Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes

Acknowledgements

CVE ID | Acknowledgements
CVE-2021-40476 | James Forshaw of Google Project Zero

CVE-2021-40477 - Windows Event Tracing Elevation of Privilege Vulnerability

CVE ID: CVE-2021-40477 (MITRE, NVD)
CVE Title: Windows Event Tracing Elevation of Privilege Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
CVSS: CVSS:3.1 7.8/6.8 (Base/Temporal)
Base score metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0  2021-10-12T07:00:00Z  Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment | Publicly Disclosed | Exploited
Exploitation Less Likely | No | No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40477
Product | KB Article | Severity | Impact | Supercedence | CVSS Score Set | Restart Required
Windows 10 for 32-bit Systems | 5006675 (Security Update) | Important | Elevation of Privilege | 5005569 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 for x64-based Systems | 5006675 (Security Update) | Important | Elevation of Privilege | 5005569 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1607 for 32-bit Systems | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1607 for x64-based Systems | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565 | Base: 7.8, Temporal: 6.8, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 20H2 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H1 for 32-bit Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H1 for ARM64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 10 Version 21H1 for x64-based Systems 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 for ARM64-based Systems 5006674 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 11 for x64-based Systems 5006674 (Security Update) Important Elevation of Privilege None Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows RT 8.1 5006714 (Monthly Rollup) Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Elevation of Privilege 5005623
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 5006739 (Monthly Rollup)
5006732 (Security Only)
Important Elevation of Privilege 5005623
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 5006714 (Monthly Rollup)
5006729 (Security Only)
Important Elevation of Privilege 5005613
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 5006669 (Security Update) Important Elevation of Privilege 5005573 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 5006672 (Security Update) Important Elevation of Privilege 5005030
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 5006699 (Security Update) Important Elevation of Privilege 5005575 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server 2022 (Server Core installation) 5006699 (Security Update) Important Elevation of Privilege 5005575 Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server, version 2004 (Server Core installation) 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes
Windows Server, version 20H2 (Server Core Installation) 5006670 (Security Update) Important Elevation of Privilege 5005565
Base: 7.8
Temporal: 6.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Yes

Acknowledgements

CVE-2021-40477: None

CVE-2021-40478 - Storage Spaces Controller Elevation of Privilege Vulnerability

CVE ID: CVE-2021-40478 (MITRE, NVD entries)
CVE Title: Storage Spaces Controller Elevation of Privilege Vulnerability
CVSS: 3.0, base 7.8 / temporal 6.8
Base score metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-40478
CVSS Score Set (identical for every row below): Base 7.8, Temporal 6.8, Vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Restart Required (identical for every row below): Yes
Product | KB Article | Severity | Impact | Supersedence
Windows 10 for 32-bit Systems | 5006675 (Security Update) | Important | Elevation of Privilege | 5005569
Windows 10 for x64-based Systems | 5006675 (Security Update) | Important | Elevation of Privilege | 5005569
Windows 10 Version 1607 for 32-bit Systems | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573
Windows 10 Version 1607 for x64-based Systems | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Elevation of Privilege | 5005566
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 2004 for x64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 20H2 for 32-bit Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 20H2 for ARM64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 20H2 for x64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 21H1 for 32-bit Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 21H1 for ARM64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 10 Version 21H1 for x64-based Systems | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows 11 for ARM64-based Systems | 5006674 (Security Update) | Important | Elevation of Privilege | None
Windows 11 for x64-based Systems | 5006674 (Security Update) | Important | Elevation of Privilege | None
Windows 8.1 for 32-bit systems | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613
Windows 8.1 for x64-based systems | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613
Windows RT 8.1 | 5006714 (Monthly Rollup) | Important | Elevation of Privilege | 5005613
Windows Server 2012 | 5006739 (Monthly Rollup), 5006732 (Security Only) | Important | Elevation of Privilege | 5005623
Windows Server 2012 (Server Core installation) | 5006739 (Monthly Rollup), 5006732 (Security Only) | Important | Elevation of Privilege | 5005623
Windows Server 2012 R2 | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613
Windows Server 2012 R2 (Server Core installation) | 5006714 (Monthly Rollup), 5006729 (Security Only) | Important | Elevation of Privilege | 5005613
Windows Server 2016 | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Elevation of Privilege | 5005573
Windows Server 2019 | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Elevation of Privilege | 5005030
Windows Server 2022 | 5006699 (Security Update) | Important | Elevation of Privilege | 5005575
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Elevation of Privilege | 5005575
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Elevation of Privilege | 5005565

Acknowledgements

CVE-2021-40478: ghiadt12 from Viettel Cyber Security working with Trend Micro Zero Day Initiative


CVE-2021-41344 - Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE ID: CVE-2021-41344 (MITRE, NVD entries)
CVE Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVSS: 3.0, base 8.1 / temporal 7.1
Base score metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation More Likely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-41344
CVSS Score Set (identical for every row below): Base 8.1, Temporal 7.1, Vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Restart Required (identical for every row below): Maybe
Product | KB Article | Severity | Impact | Supersedence
Microsoft SharePoint Enterprise Server 2016 | 5002029 (Security Update) | Important | Remote Code Execution | 5002020
Microsoft SharePoint Foundation 2013 Service Pack 1 | 5002042 (Security Update) | Important | Remote Code Execution | 5002024
Microsoft SharePoint Server 2019 | 5002028 (Security Update) | Important | Remote Code Execution | 5002018

Acknowledgements

CVE-2021-41344: None

CVE-2021-41348 - Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE ID: CVE-2021-41348 (MITRE, NVD entries)
CVE Title: Microsoft Exchange Server Elevation of Privilege Vulnerability
CVSS: 3.0, base 8.0 / temporal 7.0
Base score metrics:
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-41348
CVSS Score Set (identical for every row below): Base 8.0, Temporal 7.0, Vector CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Restart Required (identical for every row below): Yes
Product | KB Article | Severity | Impact | Supersedence
Microsoft Exchange Server 2016 Cumulative Update 21 | 5007012 (Security Update) | Important | Elevation of Privilege | 5004779
Microsoft Exchange Server 2016 Cumulative Update 22 | 5007012 (Security Update) | Important | Elevation of Privilege | 5004779
Microsoft Exchange Server 2019 Cumulative Update 10 | 5007012 (Security Update) | Important | Elevation of Privilege | 5004779
Microsoft Exchange Server 2019 Cumulative Update 11 | 5007012 (Security Update) | Important | Elevation of Privilege | 5004779

Acknowledgements

CVE-2021-41348: None

CVE-2021-41350 - Microsoft Exchange Server Spoofing Vulnerability

CVE ID: CVE-2021-41350 (MITRE, NVD entries)
CVE Title: Microsoft Exchange Server Spoofing Vulnerability
CVSS: 3.0, base 6.5 / temporal 5.7
Base score metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ: None
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-41350
CVSS Score Set (identical for every row below): Base 6.5, Temporal 5.7, Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Restart Required (identical for every row below): Yes
Product | KB Article | Severity | Impact | Supersedence
Microsoft Exchange Server 2016 Cumulative Update 21 | 5007012 (Security Update) | Important | Spoofing | 5004779
Microsoft Exchange Server 2016 Cumulative Update 22 | 5007012 (Security Update) | Important | Spoofing | 5004779
Microsoft Exchange Server 2019 Cumulative Update 10 | 5007012 (Security Update) | Important | Spoofing | 5004779
Microsoft Exchange Server 2019 Cumulative Update 11 | 5007012 (Security Update) | Important | Spoofing | 5004779

Acknowledgements

CVE-2021-41350: Diamond Chen


CVE-2021-41355 - .NET Core and Visual Studio Information Disclosure Vulnerability

CVE ID: CVE-2021-41355 (MITRE, NVD entries)
CVE Title: .NET Core and Visual Studio Information Disclosure Vulnerability
CVSS: 3.0, base 5.7 / temporal 5.0
Base score metrics:
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ:
What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-41355
CVSS Score Set (identical for every row below): Base 5.7, Temporal 5.0, Vector CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Restart Required (identical for every row below): Maybe
Product | KB Article | Severity | Impact | Supersedence
.NET 5.0 | (Security Update) | Important | Information Disclosure | None
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) | Release Notes (Security Update) | Important | Information Disclosure | None
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8) | Release Notes (Security Update) | Important | Information Disclosure | None

Acknowledgements

CVE-2021-41355: Srinivas Nunna of Microsoft


CVE-2021-41361 - Active Directory Federation Server Spoofing Vulnerability

CVE ID: CVE-2021-41361 (MITRE, NVD entries)
CVE Title: Active Directory Federation Server Spoofing Vulnerability
CVSS: 3.1, base 5.4 / temporal 4.7
Base score metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
Temporal score metrics:
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed
FAQ:
How could an attacker exploit this vulnerability?
ADFS (Active Directory Federation Services) is vulnerable to cross-site scripting through the post-logout redirect URI during the logout redirect request. An attacker who successfully exploited this vulnerability could leave an application that uses this ADFS library open to common XSS attacks.
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-41361
CVSS Score Set (identical for every row below): Base 5.4, Temporal 4.7, Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
Restart Required (identical for every row below): Yes
Product | KB Article | Severity | Impact | Supersedence
Windows Server 2016 | 5006669 (Security Update) | Important | Spoofing | 5005573
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Spoofing | 5005573
Windows Server 2019 | 5006672 (Security Update) | Important | Spoofing | 5005030
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Spoofing | 5005030
Windows Server 2022 | 5006699 (Security Update) | Important | Spoofing | 5005575
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Spoofing | 5005575
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Spoofing | 5005565
Windows Server, version 20H2 (Server Core Installation) | 5006670 (Security Update) | Important | Spoofing | 5005565

Acknowledgements

CVE-2021-41361: Nadish Shajahan


CVE-2021-3450 - OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT

CVE ID: CVE-2021-3450 (MITRE, NVD entries)
CVE Title: OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT
CVSS: None
FAQ:
Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Unlikely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-3450
CVSS Score Set (identical for every row below): Base N/A, Temporal N/A, Vector N/A
Restart Required (identical for every row below): Maybe
Product | KB Article | Severity | Impact | Supersedence
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Release Notes (Security Update) | Important | Information Disclosure | None
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) | Release Notes (Security Update) | Important | Information Disclosure | None
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) | Release Notes (Security Update) | Important | Information Disclosure | None
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6) | Release Notes (Security Update) | Important | Information Disclosure | None
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8) | Release Notes (Security Update) | Important | Information Disclosure | None

Acknowledgements

CVE-2021-3450: None

CVE-2021-3449 - OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing

CVE ID: CVE-2021-3449 (MITRE, NVD entries)
CVE Title: OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing
CVSS: None
FAQ:
Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Mitigations: None
Workarounds: None
Revision: 1.0 (2021-10-12T07:00:00Z): Information published.
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely | Publicly Disclosed: No | Exploited: No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2021-3449
CVSS Score Set (identical for every row below): Base N/A, Temporal N/A, Vector N/A
Restart Required (identical for every row below): Maybe
Product | KB Article | Severity | Impact | Supersedence
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Release Notes (Security Update) | Important | Denial of Service | None
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) | Release Notes (Security Update) | Important | Denial of Service | None
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) | Release Notes (Security Update) | Important | Denial of Service | None
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6) | Release Notes (Security Update) | Important | Denial of Service | None
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8) | Release Notes (Security Update) | Important | Denial of Service | None

Acknowledgements

CVE-2021-3449: None

CVE-2020-1971 - OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference

CVE ID: CVE-2020-1971 (references: MITRE, NVD)
CVE Title: OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
CVSS: None
FAQ:

Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in OpenSSL software, which is consumed by Microsoft Visual Studio. It is documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

Mitigations:
None
Workarounds:
None
Revision:
1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely
Publicly Disclosed: No
Exploited: No

Affected Software

The following table lists the affected software details for the vulnerability.

CVE-2020-1971
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A, Temporal: N/A, Vector: N/A | Maybe
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A, Temporal: N/A, Vector: N/A | Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A, Temporal: N/A, Vector: N/A | Maybe
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6) | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A, Temporal: N/A, Vector: N/A | Maybe
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8) | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A, Temporal: N/A, Vector: N/A | Maybe

Acknowledgements

CVE-2020-1971: None

CVE-2021-26427 - Microsoft Exchange Server Remote Code Execution Vulnerability

CVE ID: CVE-2021-26427 (references: MITRE, NVD)
CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
CVSS: CVSS:3.0 Base 9.0 / Temporal 7.8
Base score metrics
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

FAQ:

According to the CVSS, the attack vector is Adjacent. What does that mean and how is that different from a Network vector?

The attack for this vulnerability is limited at the protocol level to a logically adjacent topology. This means it cannot simply be carried out across the internet; the attacker instead needs a specific position relative to the target. Good examples would include being on the same shared physical network (such as Bluetooth or IEEE 802.11), on the same logical network (local IP subnet), or within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require man-in-the-middle type setups or that rely on initially gaining a foothold in another environment.

What is meant by scope change for this particular vulnerability?

In this case, the attacker makes specific requests over an adjacent network. This normally means from within the same shared physical network (such as Bluetooth or IEEE 802.11), the same logical network (local IP subnet), or a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). From this point the attack allows changes to be made within the target Exchange server. The scope change is due to an attack at the network level triggering an effect at the OS level of the target system.

Mitigations:
None
Workarounds:
None
Revision:
1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely
Publicly Disclosed: No
Exploited: No

Affected Software

The following table lists the affected software details for the vulnerability.

CVE-2021-26427
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
Microsoft Exchange Server 2013 Cumulative Update 23 | 5007011 (Security Update) | Important | Remote Code Execution | 5004778 | Base: 9.0, Temporal: 7.8, Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Microsoft Exchange Server 2016 Cumulative Update 21 | 5007012 (Security Update) | Important | Remote Code Execution | | Base: 9.0, Temporal: 7.8, Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Microsoft Exchange Server 2016 Cumulative Update 22 | 5007012 (Security Update) | Important | Remote Code Execution | | Base: 9.0, Temporal: 7.8, Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Microsoft Exchange Server 2019 Cumulative Update 10 | 5007012 (Security Update) | Important | Remote Code Execution | | Base: 9.0, Temporal: 7.8, Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes
Microsoft Exchange Server 2019 Cumulative Update 11 | 5007012 (Security Update) | Important | Remote Code Execution | | Base: 9.0, Temporal: 7.8, Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Yes

Acknowledgements

CVE-2021-26427: National Security Agency (NSA); Andrew Ruddick, Microsoft Security Response Center


CVE-2021-38662 - Windows Fast FAT File System Driver Information Disclosure Vulnerability

CVE ID: CVE-2021-38662 (references: MITRE, NVD)
CVE Title: Windows Fast FAT File System Driver Information Disclosure Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure
CVSS: CVSS:3.0 Base 5.5 / Temporal 4.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of kernel memory. An attacker could read the contents of kernel memory from a user-mode process.

Mitigations:
None
Workarounds:
None
Revision:
1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely
Publicly Disclosed: No
Exploited: No

Affected Software

The following table lists the affected software details for the vulnerability.

CVE-2021-38662
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
Windows 10 for 32-bit Systems | 5006675 (Security Update) | Important | Information Disclosure | 5005569 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 for x64-based Systems | 5006675 (Security Update) | Important | Information Disclosure | 5005569 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1607 for 32-bit Systems | 5006669 (Security Update) | Important | Information Disclosure | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1607 for x64-based Systems | 5006669 (Security Update) | Important | Information Disclosure | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for 32-bit Systems | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for ARM64-based Systems | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1809 for x64-based Systems | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for 32-bit Systems | 5006667 (Security Update) | Important | Information Disclosure | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for ARM64-based Systems | 5006667 (Security Update) | Important | Information Disclosure | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 1909 for x64-based Systems | 5006667 (Security Update) | Important | Information Disclosure | 5005566 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for 32-bit Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for ARM64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 2004 for x64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for 32-bit Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for ARM64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 20H2 for x64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for 32-bit Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for ARM64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 10 Version 21H1 for x64-based Systems | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 11 for ARM64-based Systems | 5006674 (Security Update) | Important | Information Disclosure | None | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 11 for x64-based Systems | 5006674 (Security Update) | Important | Information Disclosure | None | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 7 for 32-bit Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Information Disclosure | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 7 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Information Disclosure | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 8.1 for 32-bit systems | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Information Disclosure | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows 8.1 for x64-based systems | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Information Disclosure | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows RT 8.1 | 5006714 (Monthly Rollup) | Important | Information Disclosure | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Information Disclosure | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Information Disclosure | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Information Disclosure | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 5006736 (Monthly Rollup); 5006715 (Security Only) | Important | Information Disclosure | 5005606 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Information Disclosure | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 5006743 (Monthly Rollup); 5006728 (Security Only) | Important | Information Disclosure | 5005633 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 | 5006739 (Monthly Rollup); 5006732 (Security Only) | Important | Information Disclosure | 5005623 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 (Server Core installation) | 5006739 (Monthly Rollup); 5006732 (Security Only) | Important | Information Disclosure | 5005623 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 R2 | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Information Disclosure | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2012 R2 (Server Core installation) | 5006714 (Monthly Rollup); 5006729 (Security Only) | Important | Information Disclosure | 5005613 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2016 | 5006669 (Security Update) | Important | Information Disclosure | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2016 (Server Core installation) | 5006669 (Security Update) | Important | Information Disclosure | 5005573 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2019 | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2019 (Server Core installation) | 5006672 (Security Update) | Important | Information Disclosure | 5005030 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 | 5006699 (Security Update) | Important | Information Disclosure | 5005575 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server 2022 (Server Core installation) | 5006699 (Security Update) | Important | Information Disclosure | 5005575 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 2004 (Server Core installation) | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes
Windows Server, version 20H2 (Server Core installation) | 5006670 (Security Update) | Important | Information Disclosure | 5005565 | Base: 5.5, Temporal: 4.8, Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Yes

Acknowledgements

CVE-2021-38662: OldStone of Kunlun Lab


CVE-2021-38663 - Windows exFAT File System Information Disclosure Vulnerability

CVE ID: CVE-2021-38663 (references: MITRE, NVD)
CVE Title: Windows exFAT File System Information Disclosure Vulnerability
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure
CVSS: CVSS:3.0 Base 5.5 / Temporal 4.8
Base score metrics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Temporal score metrics
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Mitigations:
None
Workarounds:
None
Revision:
1.0    2021-10-12T07:00:00Z    Information published.

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment: Exploitation Less Likely
Publicly Disclosed: No
Exploited: No

Affected Software

The following table lists the affected software details for the vulnerability.

CVE-2021-38663
Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
Windows 10 for 32-bit Systems 5006675 (Security Update) Important Information Di