It’s the week of Hacker Summer Camp in Las Vegas, and Microsoft has published fixes for 141 separate vulnerabilities in their swath of August updates. This is a new monthly record by raw CVE count, but from a patching perspective, the numbers are slightly less dire. 20 CVEs affect their Chromium-based Edge browser, and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month). As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.
There is one 0-day being patched this month. CVE-2022-34713 is a remote code execution (RCE) vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT) – it carries a CVSSv3 base score of 7.8, as it requires convincing a potential victim to open a malicious file. The advisory indicates that this CVE is a variant of the “Dogwalk” vulnerability, which made news alongside Follina (CVE-2022-30190) back in May.
Publicly disclosed, but not (yet) exploited is CVE-2022-30134, an Information Disclosure vulnerability affecting Exchange Server. In this case, simply patching is not sufficient to protect against attackers being able to read targeted email messages. Administrators should enable Extended Protection in order to fully remediate this vulnerability, as well as thefiveothervulnerabilitiesaffecting Exchange this month. Details about how to accomplish this are available via the Exchange Blog.
Microsoft also patched several flaws affecting Remote Access Server (RAS). The most severe of these (CVE-2022-30133 and CVE-2022-35744) are related to Windows Point-to-Point Tunneling Protocol and could allow RCE simply by sending a malicious connection request to a server. Seven CVEs affecting the Windows Secure Socket Tunneling Protocol (SSTP) on RAS were also fixed this month: six RCEs and one Denial of Service. If you have RAS in your environment but are unable to patch immediately, consider blocking traffic on port 1723 from your network.
Vulnerabilities affecting Windows Network File System (NFS) have been trending in recent months, and today sees Microsoft patching CVE-2022-34715 (RCE, CVSS 9.8) affecting NFSv4.1 on Windows Server 2022.
This is the worst of it. One last vulnerability to highlight: CVE-2022-35797 is a Security Feature Bypass in Windows Hello – Microsoft’s biometric authentication mechanism for Windows 10. Successful exploitation requires physical access to a system, but would allow an attacker to bypass a facial recognition check.
Microsoft’s updates for July’s Patch Tuesday fix 86 CVEs, including two vulnerabilities in their Chromium-based Edge browser that were patched earlier in the month.
One 0-day vulnerability has been patched: CVE-2022-22047 affects all currently supported versions of Microsoft’s pervasive operating system. This is an elevation-of-privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS), a critical service that is often impersonated by malware. An attacker with an already-existing foothold can exploit this vulnerability to gain SYSTEM-level privileges. Two similar vulnerabilities in CSRSS (CVE-2022-22049 and CVE-2022-22026) were also fixed, likely as a result of Microsoft’s investigation into the in-the-wild exploitation of CVE-2022-22047.
Four critical remote code execution (RCE) vulnerabilities were fixed today. CVE-2022-22029 and CVE-2022-22039 affect network file system (NFS) servers, and CVE-2022-22038 affects the remote procedure call (RPC) runtime. Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later. CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.
Over a third of today’s vulnerabilities (a whopping 32 CVEs) affect their Azure Site Recovery offering. Anyone making use of this VMWare-to-Azure backup solution should be sure to upgrade to version 9.49 of the Microsoft Azure Site Recovery Unified Setup, available in Update rollup 62.
July’s Patch Tuesday sees Microsoft releasing fixes for over 60 CVEs. Top of mind for many administrators this month is CVE-2022-30190, also known as Follina, which was observed being exploited in the wild at the end of May. Microsoft provided mitigation instructions (disabling the MSDT URL protocol via the registry), but actual patches were not available until today’s cumulative Windows Updates. Even if the mitigation was previously applied, installing the updates is highly recommended.
None of the other CVEs being addressed this month have been previously disclosed or seen exploited yet. However, it won’t be long before attackers start looking at CVE-2022-30136, a critical remote code execution (RCE) vulnerability affecting the Windows Network File System (NFS). Last month, Microsoft fixed a similar vulnerability (CVE-2022-26937) affecting NFS v2.0 and v3.0. CVE-2022-30136, on the other hand, is only exploitable in NFS v4.1. Microsoft has provided mitigation guidance to disable NFS v4.1, which should only be done if the May updates fixing previous NFS versions have been applied. Again, even if the mitigation has been put into place, best to patch sooner rather than later.
Also reminiscent of last month is CVE-2022-30139, a critical RCE in LDAP carrying a CVSSv3 base score of 7.1, which again is only exploitable if the MaxReceiveBuffer LDAP policy value is set higher than the default. Rounding out the critical RCEs for July is CVE-2022-30163, which could allow a malicious application running on a Hyper-V guest to execute code on the host OS.
The other big news this month is the end of support for Internet Explorer 11 (IE11) on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual Channels, as Microsoft encourages users to adopt the Chromium-based Edge browser (which saw fixes for 5 CVEs this month). Internet Explorer 11 on other versions of Windows should continue receiving security updates and technical support based on the OS support lifecycle, so this is only the beginning of the end for the legacy browser.
This month is par for the course in terms of both number and severity of vulnerabilities being patched by Microsoft. That means there’s plenty of work to be done by system and network administrators, as usual.
There is one 0-day this month: CVE-2022-26925, a Spoofing vulnerability in the Windows Local Security Authority (LSA) subsystem, which allows attackers able to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication. This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution (RCE). This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.
Two other CVEs were also publicly disclosed before today’s releases, though they have not yet been seen exploited in the wild. CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later). CVE-2022-29972 is a Critical RCE that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime (a client agent that enables on-premises data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines). This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.
All told, 74 CVEs were fixed this month, the vast majority of which affect functionality within the Windows operating system. Other notable vulnerabilities include CVE-2022-21972 and CVE-2022-23270, critical RCEs in the Point-to-Point Tunneling Protocol. Exploitation requires attackers to win a race condition, which increases the complexity, but if you have any RAS servers in your environment, patch sooner rather than later.
CVE-2022-26937 carries a CVSSv3 score of 9.8 and affects services using the Windows Network File System (NFS). This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues, and upgrading is highly recommended.
CVE-2022-22017 is yet another client-side Remote Desktop Protocol (RDP) vulnerability. While not as worrisome as when an RCE affects RDP servers, if a user can be enticed to connect to a malicious RDP server via social engineering tactics, an attacker will gain RCE on their system.
Sharepoint Server administrators should be aware of CVE-2022-29108, a post-authentication RCE fixed today. Exchange admins have CVE-2022-21978 to worry about, which could allow an attacker with elevated privileges on an Exchange server to gain the rights of a Domain Administrator.
A host of Lightweight Directory Access Protocol (LDAP) vulnerabilities were also addressed this month, including CVE-2022-22012 and CVE-2022-29130 – both RCEs that, thankfully, are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.
Although there are no browser vulnerabilities this month, two RCEs affecting Excel (CVE-2022-29109 and CVE-2022-29110) and one Security Feature Bypass affecting Office (CVE-2022-29107) mean there is still some endpoint application patching to do.
From Defender to Windows, Office to Azure, this month’s Patch Tuesday has a large swath of Microsoft’s portfolio getting vulnerabilities fixed. 119 CVEs were addressed today, not including the 26 Chromium vulnerabilities that were fixed in the Edge browser.
One of these has been observed being exploited in the wild: CVE-2022-24521, reported to Microsoft by the National Security Agency, affects the Common Log File System Driver in all supported versions of Windows and allows attackers to gain additional privileges on a system they already have local access to. Another local privilege escalation (LPE), CVE-2022-26904 affecting the Windows User Profile Service, had been publicly disclosed but not reported as already being exploited – it’s harder for attackers to leverage as it relies on winning a race condition, which can be tricky to reliably achieve.
LPEs don’t always get the same attention that remote code execution (RCE) vulnerabilities do, but they can be a great help to attackers after they gain an initial foothold. These two categories dominate this month’s vulnerabilities, with 55 LPEs and 47 RCEs getting patched. 10 of the RCEs are considered “Critical,” affecting Windows Hyper-V (CVE-2022-22008, CVE-2022-23257, CVE-2022-24537); Windows SMB Client (CVE-2022-24500, CVE-2022-24541); Windows Network File System (CVE-2022-24491 and CVE-2022-24497); LDAP (CVE-2022-26919); Microsoft Dynamics (CVE-2022-23259); and the Windows RPC Runtime (CVE-2022-26809).
On the Office side of the house, Skype for Business Server was patched for spoofing (CVE-2022-26910) and information disclosure (CVE-2022-26911) vulnerabilities. Two RCEs affecting Excel (CVE-2022-24473 and CVE-2022-26901) were fixed, as well as a spoofing vulnerability in SharePoint Server (CVE-2022-24472).
With so many vulnerabilities to manage, it can be difficult to prioritize. Thankfully, most of this month’s CVEs can be addressed by patching the core OS. Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter – victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won’t help much if the malicious system was set up within the perimeter.
For any readers who enjoy deeper dives into vulnerabilities and exploits, Rapid7’s Jake Baines has a technical writeup of CVE-2022-24527, an LPE he discovered in the Connected Cache component of Microsoft Endpoint Manager that got fixed today. Check it out!
Microsoft’s March 2022 updates include fixes for 92 CVEs (including 21 from the Chromium project, which is used by their Edge web browser). None of them have been seen exploited in the wild, but three have been previously disclosed. CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting Remote Desktop Client, both allow RCE (Remote Code Execution). CVE-2022-24459 is an LPE (local privilege escalation) vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated Important – organizations should remediate at their regular patch cadence.
Three CVEs this month are rated Critical. CVE-2022-22006 and CVE-2022-24501 both affect video codecs. In most cases, these will update automatically via the Microsoft Store. However, any organizations with automatic updates disabled should be sure to push out updates. The vulnerability most likely to raise eyebrows this month is CVE-2022-23277, a Critical RCE affecting Exchange Server. Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it. Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.
SharePoint administrators get a break this month, though on the client side, a handful of Office vulnerabilities were fixed. ThreeseparateRCEs in Visio, Tampering and Security Feature Bypass vulnerabilities in Word, and Information Disclosure in the Skype Extension for Chrome all got patched.
CVE-2022-24508 is an RCE affecting Windows SMBv3, which has potential for widespread exploitation, assuming an attacker can put together a suitable exploit. Luckily, like this month’s Exchange vulnerabilities, this too requires authentication.
Organizations using Microsoft’s Azure Site Recovery service should be aware that 11 CVEs were fixed with today’s updates, split between RCEs and LPEs. They are all specific to the scenario where an on-premise VMware deployment is set up to use Azure for disaster recovery.
Today’s fixes from Microsoft are relatively light as far as Patch Tuesdays go. This is the first month in possibly forever where no vulnerabilities are considered Critical. A total of 70 CVEs were fixed today (including 22 that affect the Chromium browser engine, which is used by Edge).
Although 16 of this month’s vulnerabilities allow remote code execution (RCE), none carry a CVSS base score higher than 8.8. Only one vulnerability was publicly disclosed before today: CVE-2022-21989, an elevation of privilege vulnerability in the Windows Kernel. None of this month’s vulnerabilities have yet been seen exploited in the wild.
Despite the lack of Critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month. RCE vulnerabilities are also important to patch, even if they may not be considered “wormable.” In terms of prioritization, defenders should first focus on patching server systems. SharePoint has RCE (CVE-2022-22005), Security Feature Bypass (CVE-2022-21968), and Spoofing (CVE-2022-21987) vulnerabilities getting fixed today. CVE-2022-21984 is an RCE affecting DNS Server. Microsoft Dynamics administrators should also be aware that there are six CVEs being patched, including 2 RCEs, 3 allowing elevation of privilege, and a spoofing vulnerability.
On the client side, CVE-2022-22003 and CVE-2022-22004 are RCEs affecting Microsoft Office. Although this requires a local user to open a malicious file, these sorts of social engineering attacks are common and can be very effective. Updates should be rolled out to end users as soon as reasonably practicable.
The first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976 which affects libarchive.
The majority of this month’s patched vulnerabilities, such as CVE-2022-21857 (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in.
Critical RCEs
Besides CVE-2021-22947 (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is CVE-2021-21907, affecting the Windows HTTP protocol stack. Although it carries a CVSSv3 base score of 9.8 and is considered potentially “wormable” by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for CVE-2021-31166).
Not quite as bad is CVE-2022-21840, which affects all supported versions of Office, as well as Sharepoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website – thankfully the Windows preview pane is not a vector for this attack.
CVE-2022-21846 affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be “adjacent” to the target system in terms of network topology). This restriction also applies to CVE-2022-21855 and CVE-2022-21969, two less severe RCEs in Exchange this month.
CVE-2022-21912 and CVE-2022-21898 both affect DirectX Graphics and require local access. CVE-2022-21917 is a vulnerability in the Windows Codecs library. In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.
Defenders should prioritize patching servers (Exchange, Sharepoint, Hyper-V, and IIS) followed by web browsers and other client software.
This month’s Patch Tuesday comes in the middle of a global effort to mitigate Apache Log4j CVE-2021-44228. In today’s security release, Microsoft issued fixes for 83 vulnerabilities across an array of products — including a fix for Windows Defender for IoT, which is vulnerable to CVE-2021-44228 amongst seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month’s release is CVE-2021-43890, a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has evidently been used in Emotet malware campaigns.
Interestingly, this round of fixes also includes CVE-2021-43883, a Windows Installer privilege escalation bug whose advisory is sparse despite the fact that it appears to affect all supported versions of Windows. While there’s no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for a zero-day vulnerability that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began. The zero-day vulnerability, which researchers hypothesized was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7’s vulnerability research team did a full root cause analysis of the bug as attacks ramped up in November.
As usual, RCE flaws figure prominently in the “Critical”-rated CVEs this month. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the outsized risk presented by most vulnerable implementations of Log4Shell, administrators should prioritize patches for any products affected by CVE-2021-44228. Past that, put critical server-side and OS RCE patches at the top of your list, and we’d advise sneaking in the fix for CVE-2021-43883 despite its lower severity rating.
Today’s Patch Tuesday sees Microsoft issuing fixes for over 70 CVEs, affecting the usual mix of their product lines. From Windows, Edge, and Office, to Exchange, SharePoint, and Dynamics, there is plenty of patching to do for workstation and server administrators alike.
One vulnerability has already been seen exploited in the wild: CVE-2021-40449 is an elevation of privilege vulnerability in all supported versions of Windows, including the newly released Windows 11. Rated as Important, this is likely being used alongside Remote Code Execution (RCE) and/or social engineering attacks to gain more complete control of targeted systems.
Three CVEs were publicly disclosed before today, though haven’t yet been observed in active exploitation. CVE-2021-40469 is an RCE vulnerability affecting Microsoft DNS servers, CVE-2021-41335 is another privilege escalation vulnerability in the Windows Kernel, and CVE-2021-41338 is a flaw in Windows AppContainer allowing attackers to bypass firewall rules.
Attackers will likely be paying attention to the latest Windows Print Spooler vulnerability – CVE-2021-36970 is a Spoofing vulnerability with a CVSSv3 score of 8.8 that we don’t yet have much more information about. Also worth noting is CVE-2021-40486, an RCE affecting Microsoft Word, OWA, as well as SharePoint Server, which can be exploited via the Preview Pane. CVE-2021-40487 is another RCE affecting SharePoint Server that Microsoft expects to be exploited before too long.
Another notable vulnerability is CVE-2021-26427, the latest in Exchange Server RCEs. The severity is mitigated by the fact that attacks are limited to a “logically adjacent topology,” meaning that it cannot be exploited directly over the public Internet. Three other vulnerabilities related to Exchange Server were also patched: CVE-2021-41350, a Spoofing vulnerability; CVE-2021-41348, allowing elevation of privilege; and CVE-2021-34453, which is a Denial of Service vulnerability.
Finally, virtualization administrators should be aware of two RCEs affecting Windows Hyper-V: CVE-2021-40461 and CVE-2021-38672. Both affect relatively new versions of Windows and are considered Critical, allowing a VM to escape from guest to host by triggering a memory allocation error, allowing it to read kernel memory in the host.
Microsoft has fixed a total of 60 vulnerabilities this month, including two publicly disclosed 0-days. Fortunately there are only a few issues rated critical this month with the vast majority of the remainder being rated important. Here’s three big things you can go patch right now.
The hot topic this month is the most recent remote code execution 0-day vulnerability in MSHTML. When it was first discovered it was only being used in a limited number of attacks, however this quickly changed once instructions for exploiting the vulnerability were published online. This vulnerability was severe enough to warrant publishing patches for older operating systems including Windows 7, Windows Server 2008 R2, and Windows Server 2008. Now that updates have been published for this vulnerability they should be applied as soon as possible.
Windows DNS Local Elevation of Privilege (CVE-2021-36968)
This is the second publicly disclosed vulnerability updated this month. While the details surrounding this CVE are sparse, we do know that Microsoft has not detected exploitation in the wild.
Microsoft has made additional patches available for older operating systems. If you were previously unable to patch against this vulnerability you may want to review this new information.
Hot off the press, it’s another issue of the Patch Tuesday blog! While the number of vulnerabilities is low this month, there are a number of high risk items administrators will want to patch right away including a few that will require additional remediation steps. This Patch Tuesday also includes updates for three vulnerabilities that were publicly disclosed earlier this month. Let’s jump in.
Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 With a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates they took caution not to delete users’ backups, but the trade-off is that customers will need to do the chore themselves. We’ve updated our blog post with this additional information.
Windows LSA Spoofing Vulnerability aka ADV210003
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942 Another high priority action for patching teams is CVE-2021-36942. This update patches one of the vectors used in the PetitPotam attack. After applying this update there are additional configurations required in order to protect systems from other attack vectors using registry keys. The InsightVM team has included detection for the registry keys needed to enable EPA and SMB Signing in addition to the normal update. Please see our blog post for more information.
Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26432 While Microsoft has not offered up any details for this vulnerability we can glean some info from the CVSS information. This remote code execution vulnerability is reachable from the network service with no authentication or user action required. There may not be an exploit available for this yet, but Microsoft indicates that “Exploitation [is] more likely”. Put this update near the top of your TODO list.
Windows TCP/IP Remote Code Execution Vulnerability
Microsoft has patched another 117 CVEs, returning to volumes seen in early 2021 and most of 2020. It would appear that the recent trend of approximately 50 vulnerability fixes per month was not indicative of a slowing pace. This month there were 13 vulnerabilities rated Critical with nearly the rest being rated Important. Thankfully, none of the updates published today require additional steps to remediate, so administrators should be able to rely on their normal patching process. Once CVE-2021-34527 has been remediated, priority should be to patch public facing DNS and Exchange servers, followed by Workstations, SharePoint servers, and finally Office applications.
It seems like the PrintNightmare is nearly over. While the past two weeks have been a frenzy for the security community there has been no new information since the end of last week when Microsoft made a final revision to their guidance on CVE-2021-34527. If you haven’t patched this yet, this is your daily reminder. For further details please see our blog on the topic.
Multiple Critical DNS Vulnerabilities Patched
Administrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. The two most important of these vulnerabilities are CVE-2021-34494 and CVE-2021-33780. Exploitation of either of these vulnerabilities would result in Remote Code Execution with SYSTEM privileges without any user interaction via the network. Given the network exposure of DNS servers these vulnerabilities could prove to be troublesome if an exploit were to be developed. Microsoft lists CVE-2021-33780 as “Exploitation More Likely” so it may only be a matter of time before attackers attempt to make use of these flaws.
New Exchange Updates Available
Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.
Scripting Engine Exploited in the Wild
Exploitation of CVE-2021-34448 has been observed in the wild by researchers. There are no details on the frequency or spread of this exploit. This vulnerability requires the user to visit a link to download a malicious file. As with other vulnerabilities that require user interaction, strong security hygiene is the first line of defense.
Summary Tables
Here are this month’s patched vulnerabilities split by the product family.
The second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft’s product families. Despite that, there’s still plenty to discuss this month.
Vulnerability Breakdown by Software Family
Family
Vulnerability Count
Windows
28
ESU
14
Microsoft Office
11
Browser
9
Developer Tools
8
Microsoft Dynamics
2
Exchange Server
2
Azure
2
System Center
2
Exploited and Publicly Disclosed Vulnerabilities
One zero-day was announced: CVE-2021-1732 is a privilege elevation vulnerability affecting the Win32k component of Windows 10 and Windows Server 2019, reported to be exploited in the wild. Four vulnerabilities have been previously disclosed: CVE-2021-1727, a privilege elevation vulnerability in Windows Installer, affecting all supported versions of Windows; CVE-2021-24098, which is a denial of service (DoS) affecting Windows 10 and Server 2019; CVE-2021-24106, an information disclosure vulnerability affecting DirectX in Windows 10 and Server 2019; and CVE-2021-26701, an RCE in .NET Core.
Vulnerabilities in Windows TCP/IP
Microsoft also disclosed a set of three serious vulnerabilities affecting the TCP/IP networking stack in all supported versions of Windows. Two of these (CVE-2021-24074 and CVE-2021-24094) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). CVE-2021-24094 is specific to IPv6 link-local addresses, meaning it isn’t exploitable over the public internet. CVE-2021-24074, however, does not have this limitation. The third, CVE-2021-24086, is a DoS vulnerability that could allow an attacker to trigger a “blue screen of death” on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.
In the event a patch cannot be applied immediately, such as on systems that cannot be rebooted, Microsoft has published mitigation guidance that will protect against exploitation of the TCP/IP vulnerabilities. Depending on the exposure of an asset, IPv4 Source Routing should be disabled via a Group Policy or a Netsh command, and IPv6 packet reassembly should be disabled via a separate Netsh command. IPv4 Source Routing requests and IPv6 fragments can also be blocked load balancers, firewalls, or other edge devices to mitigate these issues.
Zerologon Update
Back in August, 2020, Microsoft addressed a critical remote code vulnerability (CVE-2020-1472) affecting the Netlogon protocol (MS-NRPC), a.k.a. “Zerologon”. In October, Microsoft noted that attacks which exploit this weakness have been seen in the wild. On January 14, 2021, they reminded organizations that the February 2021 security update bundle will also be enabling “Domain Controller enforcement mode” by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function. Rapid7 encourages all organizations to heed the detailed guidance before applying the latest updates to ensure continued business process continuity.
Adobe
Most important amongst the six security advisories published by Adobe today is APSB21-09, detailing 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow Arbitrary Code Execution, and one of which (CVE-2021-21017), has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.
We arrive at the first Patch Tuesday of 2021 (2021-Jan) with 83 vulnerabilities across our standard spread of products. Windows Operating System vulnerabilities dominated this month’s advisories, followed by Microsoft Office (which includes the SharePoint family of products), and lastly some from less frequent products such as Microsoft System Center and Microsoft SQL Server.
CVE-2021-1647 is marked as a CVSS 7.8, actively exploited, remote code execution vulnerability through the Microsoft Malware Protection Engine (mpengine.dll) between version 1.1.17600.5 up to 1.1.17700.4.
As a default, Microsoft’s affected antimalware software will automatically keep the Microsoft Malware Protection Engine up to date. What this means, however, is that no further action is needed to resolve this vulnerability unless non-standard configurations are used.
This vulnerability affects Windows Defender or the supported Endpoint Protection pieces of the System Center family of products (2012, 2012 R2, and namesake version: Microsoft System Center Endpoint Protection).
Patching Windows Operating Systems Next
Another confirmation of the standard advice of prioritizing Operating System patches whenever possible is that 11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities addressed in this month’s Patch Tuesday would be immediately covered through these means. As an interesting observation, the Windows Remote Procedure Call Runtime component appears to have been given extra scrutiny this month. This RPC Runtime component accounts for the 9 of the 13 top CVSS scoring vulnerabilities along with half of all the 10 Critical Remote Code Execution vulnerabilities being addressed.
More Work to be Done
Lastly, some minor calls to note that this Patch Tuesday includes SQL Server as that is an atypical family covered during Patch Tuesdays and, arguably more notable, is a reminder that Adobe Flash has officially reached end-of-life and would’ve been actively removed from all browsers via Windows Update (already).
Summary Tables
Here are this month’s patched vulnerabilities split by the product family.
Active Template Library Elevation of Privilege Vulnerability
No
No
7.8
No
Summary Graphs
Note: Graph data is reflective of data presented by Microsoft’s CVRF at the time of writing.
The collective thoughts of the interwebz
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.