oval_repository@lists.cisecurity.org

A list for people using the OVAL repository.


[External] Windows OVAL Definition for CVE-2021-41338 False Positive Issue

Liam Sawyer
Thu, Oct 20, 2022 12:42 PM

Hello,

This is regarding the Windows OVAL Definition for CVE-2021-41338 - Windows
AppContainer Firewall Rules Security Feature Bypass Vulnerability.

According to the OVAL Definitions, CVE-2021-41338 affects Microsoft
Windows 10, Microsoft Windows Server 2016, and Microsoft Windows Server
2019.

I’ve attached the section of the Windows OVAL Definition containing this
vulnerability for your reference.

Microsoft indicates that this firewallAPI.dll has two binary versions
depending on the location, System32 or WoW64. The issue is that OVAL checks
only the version number regardless of its location.

For example:

Microsoft indicates that Windows Server 2016 is vulnerable if:

- The firewallapi.dll version in the “%WinDir%\System32” directory is
  less than 10.0.14393.4169,
  OR
- The firewallapi.dll version in the “%WinDir%\sysWoW64” directory is
  less than 10.0.14393.4704.

However, the Windows OVAL Definition simply indicates that Windows Server 2016
is vulnerable if the firewallAPI.dll version is less than
10.0.14393.4704. Therefore, it marks a server running Windows Server 2016
as vulnerable to CVE-2021-41338 because the firewallapi.dll version
in the “%WinDir%\System32” directory is less than 10.0.14393.4704.

Microsoft provided a list of the minimum firewallapi.dll versions of the
affected systems according to OVAL Definitions below.

Operating System                                  Minimum firewallapi.dll version
                                                  %WinDir%\System32    %WinDir%\sysWoW64
Windows 10 Version 1607 for 32-bit Systems        10.0.14393.4169      10.0.14393.4704
Windows 10 Version 1607 for x64-based Systems     10.0.14393.4169      10.0.14393.4704
Windows 10 Version 1809 for 32-bit Systems        10.0.17763.2237      10.0.17763.2237
Windows 10 Version 1809 for x64-based Systems     10.0.17763.2237      10.0.17763.2237
Windows 10 Version 1909 for 32-bit Systems        10.0.18362.1854      10.0.18362.1832
Windows 10 Version 1909 for x64-based Systems     10.0.18362.1854      10.0.18362.1832
Windows 10 Version 2004 for 32-bit Systems        10.0.19041.1288      10.0.19041.1266
Windows 10 Version 2004 for x64-based Systems     10.0.19041.1288      10.0.19041.1266
Windows 10 Version 20H2 for 32-bit Systems        10.0.19041.1288      10.0.19041.1266
Windows 10 Version 20H2 for x64-based Systems     10.0.19041.1288      10.0.19041.1266
Windows 10 Version 21H1 for 32-bit Systems        10.0.19041.1288      10.0.19041.1266
Windows 10 Version 21H1 for x64-based Systems     10.0.19041.1288      10.0.19041.1266
Windows Server 2016                               10.0.14393.4169      10.0.14393.4704
Windows Server 2016 (Server Core installation)    10.0.14393.4169      10.0.14393.4704
Windows Server 2019                               10.0.17763.2237      10.0.17763.2237

Can someone please provide me with a way to remediate this? How can we get
this section of OVAL Definitions updated?

Your help will be much appreciated.

Thank you.

Liam
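Added example, not from the post or the OVAL repository: a Python model of the two checks the post contrasts, the single-threshold version comparison it attributes to the OVAL definition and the per-location comparison Microsoft documents, run against a constructed Windows Server 2016 host whose two copies of firewallapi.dll sit exactly at Microsoft's minimums. The thresholds come from the post's table; the function names, the host data and the handling of a missing copy are assumptions.

```python
from __future__ import annotations

# Minimum patched firewallapi.dll version per location, taken from the post's
# table. Key: OS name; value: (System32 minimum, SysWOW64 minimum).
MINIMUM_VERSIONS = {
    "Windows Server 2016": ("10.0.14393.4169", "10.0.14393.4704"),
    "Windows Server 2019": ("10.0.17763.2237", "10.0.17763.2237"),
    "Windows 10 Version 1909": ("10.0.18362.1854", "10.0.18362.1832"),
    "Windows 10 Version 21H1": ("10.0.19041.1288", "10.0.19041.1266"),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split '10.0.14393.4169' into (10, 0, 14393, 4169) so that comparison is
    numeric per component; a plain string comparison would rank .999 above .4704."""
    return tuple(int(part) for part in version.split("."))


def single_threshold_check(os_name: str, found: dict[str, str | None]) -> bool:
    """The check as the post describes the OVAL definition: every copy of the DLL,
    wherever it was found, is compared against one threshold, the higher of the two.
    Returns True when the definition would flag the host as vulnerable."""
    threshold = parse_version(max(MINIMUM_VERSIONS[os_name], key=parse_version))
    return any(parse_version(v) < threshold for v in found.values() if v is not None)


def per_location_check(os_name: str, found: dict[str, str | None]) -> bool:
    """Microsoft's rule: each copy is compared against the minimum for its own
    directory. A copy that is absent (None), e.g. no SysWOW64 on a 32-bit install,
    is not treated as evidence of vulnerability (assumption, not from the post)."""
    sys32_min, wow64_min = MINIMUM_VERSIONS[os_name]
    minimums = {"System32": parse_version(sys32_min), "SysWOW64": parse_version(wow64_min)}
    return any(parse_version(v) < minimums[loc] for loc, v in found.items() if v is not None)


# Constructed host: Windows Server 2016 with both DLLs exactly at Microsoft's minimums,
# i.e. fully patched. Location -> file version, as a scanner would collect it.
PATCHED_2016 = {"System32": "10.0.14393.4169", "SysWOW64": "10.0.14393.4704"}

if __name__ == "__main__":
    print("single threshold:", single_threshold_check("Windows Server 2016", PATCHED_2016))  # True, false positive
    print("per location:   ", per_location_check("Windows Server 2016", PATCHED_2016))      # False
```

The same functions distinguish a genuine finding: lower only the SysWOW64 copy below 10.0.14393.4704 and both checks agree the host is vulnerable.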
