CVSS2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 97.2%
The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host is prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. An authenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(144876);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/07");
script_cve_id("CVE-2021-1647");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/11/17");
script_xref(name:"CEA-ID", value:"CEA-2021-0001");
script_name(english:"Security Update for Windows Defender (January 2021)");
script_set_attribute(attribute:"synopsis", value:
"An antimalware application installed on the remote host is affected by
a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The Malware Protection Engine version of Microsoft Windows Defender installed on the remote Windows host
is prior to 1.1.17600.5. It is, therefore, affected by an unspecified remote code execution vulnerability. An
authenticated, local attacker can exploit this to bypass authentication and execute arbitrary code with administrator privileges.");
# https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?66e83fa0");
script_set_attribute(attribute:"solution", value:
"Enable automatic updates to update the malware engine for the relevant antimalware applications. Refer to Knowledge Base
Article 2510781 for information on how to verify that MMPE has been updated.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-1647");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/01/12");
script_set_attribute(attribute:"patch_publication_date", value:"2021/01/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/01/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:windows_defender");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("microsoft_windows_defender_win_installed.nbin");
script_require_keys("SMB/Registry/Enumerated", "SMB/svcs");
script_require_ports(139, 445);
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
app = 'Windows Defender';
app_info = vcf::get_app_info(app:app, win_local:TRUE);
# Check if disabled
if (!isnull(app_info['Disabled']))
  exit(0, 'Windows Defender is disabled.');
# Check if we got the Malware Engine Version
if (isnull(app_info['Engine Version']))
  exit(0, 'Unable to get the Malware Engine Version.');
constraints = [{'max_version': '1.1.17600.5', 'fixed_version':'1.1.17700.4'}];
vcf::av_checks::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, check:'Engine Version');
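To verify the fix on a host directly, as the solution text asks, here is an added PowerShell check (not part of Tenable's plugin): it reads the engine version through the Defender module's Get-MpComputerStatus cmdlet and compares it with the fixed version the plugin's constraint uses, 1.1.17700.4. It assumes the Defender PowerShell module is present and that the session is elevated.

```powershell
# Added check, not Tenable's code: compare the local Malware Protection Engine
# version with the fixed version from the plugin's constraint (1.1.17700.4).
$fixedVersion = [version]'1.1.17700.4'

$status = Get-MpComputerStatus          # Defender module cmdlet; needs an elevated session

if (-not $status.AntivirusEnabled) {
    # Mirrors the plugin, which exits when Defender is disabled.
    Write-Output 'Windows Defender is disabled; engine check not applicable.'
    return
}

# AMEngineVersion is a dotted string such as 1.1.17700.4; casting to [version]
# gives a component-wise numeric comparison rather than a string comparison.
$engineVersion = [version]$status.AMEngineVersion

if ($engineVersion -lt $fixedVersion) {
    Write-Output "VULNERABLE: engine $engineVersion is below fixed $fixedVersion (CVE-2021-1647)"
    Write-Output 'Remediate with Update-MpSignature, then run this check again.'
} else {
    Write-Output "OK: engine $engineVersion is at or above fixed $fixedVersion"
}
```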