Patch Tuesday – January 2021

Post Syndicated from Richard Tsang original https://blog.rapid7.com/2021/01/12/patch-tuesday-january-2021/

Patch Tuesday - January 2021

We arrive at the first Patch Tuesday of 2021 (2021-Jan) with 83 vulnerabilities across our standard spread of products.  Windows Operating System vulnerabilities dominated this month’s advisories, followed by Microsoft Office (which includes the SharePoint family of products), and lastly some from less frequent products such as Microsoft System Center and Microsoft SQL Server.

Vulnerability Breakdown by Software Family

Family Vulnerability Count
Windows 65
ESU 35
Microsoft Office 11
Developer Tools 5
SQL Server 1
Apps 1
System Center 1
Azure 1
Browser 1

Microsoft Defender Remote Code Execution Vulnerability (CVE-2021-1647)

CVE-2021-1647 is marked as a CVSS 7.8, actively exploited, remote code execution vulnerability through the Microsoft Malware Protection Engine (mpengine.dll) between version 1.1.17600.5 up to 1.1.17700.4.

As a default, Microsoft’s affected antimalware software will automatically keep the Microsoft Malware Protection Engine up to date. What this means, however, is that no further action is needed to resolve this vulnerability unless non-standard configurations are used.  

This vulnerability affects Windows Defender or the supported Endpoint Protection pieces of the System Center family of products (2012, 2012 R2, and namesake version: Microsoft System Center Endpoint Protection).

Patching Windows Operating Systems Next

Another confirmation of the standard advice of prioritizing Operating System patches whenever possible is that 11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities addressed in this month’s Patch Tuesday would be immediately covered through these means. As an interesting observation, the Windows Remote Procedure Call Runtime component appears to have been given extra scrutiny this month.  This RPC Runtime component accounts for the 9 of the 13 top CVSS scoring vulnerabilities along with half of all the 10 Critical Remote Code Execution vulnerabilities being addressed.

More Work to be Done

Lastly, some minor calls to note that this Patch Tuesday includes SQL Server as that is an atypical family covered during Patch Tuesdays and, arguably more notable, is a reminder that Adobe Flash has officially reached end-of-life and would’ve been actively removed from all browsers via Windows Update (already).

Summary Tables

Here are this month’s patched vulnerabilities split by the product family.

Azure Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1677 Azure Active Directory Pod Identity Spoofing Vulnerability No No 5.5 Yes

Browser Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1705 Microsoft Edge (HTML-based) Memory Corruption Vulnerability No No 4.2 No

Developer Tools Vulnerabilities

cve Vulnerability Title Exploited Disclosed CVSS3 FAQ?
CVE-2020-26870 Visual Studio Remote Code Execution Vulnerability No No 7 Yes
CVE-2021-1725 Bot Framework SDK Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1723 ASP.NET Core and Visual Studio Denial of Service Vulnerability No No 7.5 No

Developer Tools Windows Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1651 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1680 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability No No 7.8 No

Microsoft Office Vulnerabilities

CVE title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1715 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-1716 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-1641 Microsoft SharePoint Spoofing Vulnerability No No 4.6 No
CVE-2021-1717 Microsoft SharePoint Spoofing Vulnerability No No 4.6 No
CVE-2021-1718 Microsoft SharePoint Server Tampering Vulnerability No No 8 No
CVE-2021-1707 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-1712 Microsoft SharePoint Elevation of Privilege Vulnerability No No 8 No
CVE-2021-1719 Microsoft SharePoint Elevation of Privilege Vulnerability No No 8 No
CVE-2021-1711 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-1713 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-1714 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

SQL Server Vulnerabilities

CVE title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1636 Microsoft SQL Elevation of Privilege Vulnerability No No 8.8 Yes

System Center Vulnerabilities

CVE title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability Yes No 7.8 Yes

Windows Vulnerabilities

CVE title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1681 Windows WalletService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1686 Windows WalletService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1687 Windows WalletService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1690 Windows WalletService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1646 Windows WLAN Service Elevation of Privilege Vulnerability No No 6.6 No
CVE-2021-1650 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1663 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1670 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1672 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1689 Windows Multipoint Management Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1682 Windows Kernel Elevation of Privilege Vulnerability No No 7 No
CVE-2021-1697 Windows InstallService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1662 Windows Event Tracing Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1703 Windows Event Logging Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1645 Windows Docker Information Disclosure Vulnerability No No 5 Yes
CVE-2021-1637 Windows DNS Query Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1638 Windows Bluetooth Security Feature Bypass Vulnerability No No 7.7 No
CVE-2021-1683 Windows Bluetooth Security Feature Bypass Vulnerability No No 5 No
CVE-2021-1684 Windows Bluetooth Security Feature Bypass Vulnerability No No 5 No
CVE-2021-1642 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1685 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability No No 7.3 No
CVE-2021-1648 Microsoft splwow64 Elevation of Privilege Vulnerability No Yes 7.8 Yes
CVE-2021-1710 Microsoft Windows Media Foundation Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-1691 Hyper-V Denial of Service Vulnerability No No 7.7 No
CVE-2021-1692 Hyper-V Denial of Service Vulnerability No No 7.7 No
CVE-2021-1643 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-1644 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes

Windows Apps Vulnerabilities

CVE title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1669 Windows Remote Desktop Security Feature Bypass Vulnerability No No 8.8 Yes

Windows ESU Vulnerabilities

CVE title Exploited Disclosed CVSS3 FAQ?
CVE-2021-1709 Windows Win32k Elevation of Privilege Vulnerability No No 7 No
CVE-2021-1694 Windows Update Stack Elevation of Privilege Vulnerability No No 7.5 Yes
CVE-2021-1702 Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1674 Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability No No 8.8 No
CVE-2021-1695 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1676 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1706 Windows LUAFV Elevation of Privilege Vulnerability No No 7.3 No
CVE-2021-1661 Windows Installer Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1704 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.3 No
CVE-2021-1696 Windows Graphics Component Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1708 Windows GDI+ Information Disclosure Vulnerability No No 5.7 Yes
CVE-2021-1657 Windows Fax Compose Form Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-1679 Windows CryptoAPI Denial of Service Vulnerability No No 6.5 No
CVE-2021-1652 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1653 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1654 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1655 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1659 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1688 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1693 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1699 Windows (modem.sys) Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1656 TPM Device Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1658 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1660 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1666 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1667 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1673 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1664 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1671 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1700 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1701 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1678 NTLM Security Feature Bypass Vulnerability No No 4.3 No
CVE-2021-1668 Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-1665 GDI+ Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-1649 Active Template Library Elevation of Privilege Vulnerability No No 7.8 No

Summary Graphs

Patch Tuesday - January 2021
Patch Tuesday - January 2021
Patch Tuesday - January 2021
Patch Tuesday - January 2021

Note: Graph data is reflective of data presented by Microsoft’s CVRF at the time of writing.