CVE-2021-40444: Microsoft MSHTML Remote Code Execution Vulnerability

Overview

Severity
High (CVSS 8.8)
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:P/RL:O/RC:C
Category
Remote Code Execution
Exploit Status
Actively Exploited
Exploitation Likelihood
Detected
Publicly Disclosed
Yes
Patch Tuesday
2021-Sep
Released
2021-09-07
Last Updated
2022-08-16
EPSS Score
94.33% (percentile: 100.0%)
CISA KEV
Listed — due 2021-11-17

Description

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. UPDATE September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.

FAQ

There are three updates listed in the Security Updates table for Windows 8.1, Windows Server 2012 R2, and Windows Server 2012. Which updates do I need to apply to my system to be protected from this vulnerability? Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates. I am running Windows 7, Windows Server 2008 R2, or Windows Server 2008. Do I need to apply both the Monthly Rollup and the IE Cumulative updates? The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update. Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.

Known Exploits (20)

  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2024-07-28T17:23:43Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2023-06-05T02:27:21Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-12-28T06:33:25Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-12-19T08:16:07Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-11-08T17:38:30Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-11-06T03:51:17+08:00
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-10-09T14:52:35+08:00
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-10-08T15:46:41+08:00
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-10-04T05:01:03+08:00
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-10-03T20:22:57+08:00
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-10-03T01:13:42Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-24T10:59:34Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-15T22:34:35Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-14T01:37:25Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-13T05:02:34+08:00
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-12T18:05:53Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-12T12:47:49+08:00
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-10T16:55:53Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-09T15:43:08Z
  • Microsoft MSHTML Remote Code Execution Vulnerability — added 2021-09-09T09:46:00Z

Detection & Weaponization (4 sources)

Maturity: Detection

  • Metasploit modules: Microsoft Office Word Malicious MSHTML RCE
  • Sigma rules: Suspicious Word Cab File Write CVE-2021-40444, Potential CVE-2021-40444 Exploitation Attempt, Potential Exploitation Attempt From Office Application
  • YARA rules: expl_cve_2021_40444.yar, ARKBIRD_SOLG_Exp_CVE_2021_40444_Sep_2021_1, SIGNATURE_BASE_EXPL_CVE_2021_40444_Document_Rels_XML, SIGNATURE_BASE_EXPL_MAL_Maldoc_OBFUSCT_MHTML_Sep21_1, SIGNATURE_BASE_EXPL_XML_Encoded_CVE_2021_40444, SIGNATURE_BASE_SUSP_OBFUSC_Indiators_XML_Officedoc_Sep21_1, SIGNATURE_BASE_SUSP_OBFUSC_Indiators_XML_Officedoc_Sep21_2
  • GitHub PoC: 36 repositories

Affected Products (42)

Windows

  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows 8.1 for 32-bit systems
  • Windows 8.1 for x64-based systems
  • Windows RT 8.1
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)

ESU

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Security Updates (13)

Acknowledgments

Bryce Abdo of Mandiant, Haifei Li of EXPMON, Genwei Jiang of Mandiant, Rick Cole (MSTIC), Dhanesh Kizhakkinan of Mandiant

Revision History

  • 2021-09-07: Information published.
  • 2021-09-09: The information in the workaround section was updated. This an informational change only.
  • 2021-09-14: CVE updated to announce that Microsoft is releasing security updates for all affected versions of Windows to address this vulnerability. These updates include Monthly Rollups, Security Only, and IE Cumulative updates. Please see the FAQ for information on which updates are applicable to your system. Other information has been updated as well, including the following: 1) Executive Summary has been updated 2) FAQs have been added.
  • 2021-09-23: For all CVEs affecting Windows that were released on September 14, 2021: 1) In the Security Updates table, the Build Numbers for KB KB5005565 have been corrected for all affected editions of the following versions of Windows 10: Windows 10, version 2004, all editions; Windows Server, version 2004 (Server Core installation); Windows 10, version 20H2; Windows Server, version 20H2 (Server Core Installation); Windows 10, version 21H1. 2) For CVEs where Windows Server 2022 is affected the links have been updated to point to information related to 5005575. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action.
  • 2022-08-16: Updated links to security updates. This is an informational change only.