Tuesday, May 11, 2021

Microsoft Patch Tuesday for May 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Chris Neal. 

Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities across its suite of products, the fewest in any month since January 2020. 

There are only three critical vulnerabilities patched in this month, while two are of “moderate” severity and the rest are “important.” All three critical vulnerabilities, however, are considered "more likely” to be exploited, according to Microsoft. 

This month’s security update provides patches for several major pieces of software, including Microsoft Office, SharePoint and Windows’ wireless networking. For a full rundown of these CVEs, head to Microsoft’s security update page

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.

The most serious vulnerability exists in the HTTP protocol stack. An unauthenticated attacker could exploit CVE-2021-31166 by sending a specially crafted packet to a targeted server. If successful, the adversary could gain the ability to execute remote code on the targeted server. 

According to Microsoft, the vulnerability is wormable and the company “recommends prioritizing the patching of affected servers.” It has a CVSS severity score of 9.8 out of 10. Microsoft stated in their advisory that it would be relatively easy for an attacker to exploit this vulnerability, as it is considered to be of “low” complexity. 

Another critical remote code execution vulnerability, CVE-2021-26419, exists in Internet Explorer’s scripting engine. An attacker could exploit this vulnerability by tricking the user to visit a specially crafted website. Alternatively, they could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that utilizes Internet Explorer’s rendering engine, and then trick a user into opening that file.  

The third critical vulnerability exists in OLE Automation, an inter-process communication mechanism. CVE-2021-31194 could allow an attacker to execute remote code on the targeted machine, without any user interaction required.

Cisco Talos would also like to specifically highlight CVE-2021-31170, an elevation of privilege vulnerability in Windows Graphics Component. A successful of attacker could use this vulnerability to gain greater permissions on a targeted machine and use that in additional attacks. Microsoft considers this vulnerability to be “important,” though the company states in its advisory that exploitation is “more likely.” 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57539, 57540, 57542 - 57545 and 57548 - 57550. 

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.