Tuesday, April 13, 2021

Microsoft Patch Tuesday for April 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Vanja Svajcer. 

Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year.

Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in today's security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. Talos encourages everyone with an affected product to update as soon as possible if they have not already and put other mitigation strategies into place in the meantime. Users can also detect the exploitation of the previously disclosed vulnerabilities with Cisco Secure IPS.

The new vulnerabilities Microsoft disclosed today are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10.

In all, there are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. The remainder are all rated “important.”

Twelve of the critical vulnerabilities exist in the remote procedure call runtime — all of which require no user interaction and could allow an attacker to execute remote code on the victim machine. For a full rundown of these CVEs, head to Microsoft’s security update page.

This month’s security update provides patches for several other pieces of software, including Microsoft Office, the Windows Kernel and Visual Studio. 

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory.

Windows Media Video Decoder contains two of the other critical remote code execution vulnerabilities patched this month — CVE-2021-27095 and CVE-2021-28315. An adversary does not need special privileges to exploit these vulnerabilities, according to Microsoft, and the exploit itself is of low complexity. 

Another critical vulnerability, CVE-2021-28460, exists in Azure Sphere and could allow an attacker to execute remote code on the targeted system. Cisco Talos discovered this vulnerability as part of a sponsored research challenge. Versions 21.03 and higher of Azure Sphere are already protected from this vulnerability.

The Windows Network File System also contains a critical remote code execution vulnerability. CVE-2021-28445 does not require any user interaction, according to Microsoft, and has a CVSS severity score of 8.1 out of 10. 

Talos would also like to highlight two elevation of privilege vulnerabilities in the Win32k process. CVE-2021-27072 and CVE-2021-28310 affect certain versions of Windows 10 and Windows Server and could allow an adversary to obtain a higher level of credentials on the targeted machine, which could be used in additional attacks. CVE-2021-28310 has already been exploited in the wild, according to Microsoft. 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57403, 57404, 57411 and 57414. 
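As an added example (not Talos code and not the advisory's own rules), the following script checks whether a Snort 2.9-style text rule file contains the SIDs listed above and whether each is enabled or commented out. The rule lines it parses are constructed placeholders; only the `sid`/`rev` metadata matters here.

```python
import re

# SIDs named in the advisory above for this month's Microsoft coverage.
PATCH_TUESDAY_SIDS = {57403, 57404, 57411, 57414}

# Constructed sample of a Snort 2.9 rules file (NOT the real Talos rules);
# rule bodies are placeholders, only the sid/rev metadata is meaningful.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER rule A"; flow:to_server,established; sid:57403; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER rule B"; flow:to_server,established; sid:57404; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER rule C"; flow:to_server,established; sid:57411; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER unrelated"; sid:1000001; rev:1;)
'''

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")


def parse_rules(text):
    """Return {sid: {"enabled": bool, "rev": int}} for every rule in text.
    A rule whose line starts with '#' is present in the pack but disabled."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if not line or not m:
            continue  # blank line, or a comment/non-rule line without a sid
        rev = REV_RE.search(line)
        rules[int(m.group(1))] = {
            "enabled": not line.startswith("#"),
            "rev": int(rev.group(1)) if rev else 0,
        }
    return rules


def coverage_report(text, required=PATCH_TUESDAY_SIDS):
    """Classify each required SID as active, disabled or missing from the pack."""
    rules = parse_rules(text)
    report = {"active": set(), "disabled": set(), "missing": set()}
    for sid in required:
        if sid not in rules:
            report["missing"].add(sid)
        elif rules[sid]["enabled"]:
            report["active"].add(sid)
        else:
            report["disabled"].add(sid)
    return report


if __name__ == "__main__":
    # With the constructed sample: active 57403/57411, disabled 57404, missing 57414.
    for state, sids in coverage_report(SAMPLE_RULES).items():
        print(f"{state:8s}: {sorted(sids)}")
```

Point `coverage_report` at the contents of your deployed rule pack to confirm the update actually landed and that none of the listed rules were left disabled.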
