By Jon Munshaw, with contributions from Martin Lee.
Microsoft released its monthly security update Tuesday, disclosing 44 vulnerabilities in the company’s firmware and software. This is the fewest vulnerabilities Microsoft has patched in a month in more than two years.
There are only nine critical vulnerabilities included in this release, and the remainder are rated “important.”
The most serious of the issues is CVE-2021-26424, a remote code execution vulnerability in the Windows TCP/IP protocol implementation. An attacker could remotely trigger this vulnerability from a Hyper-V guest by sending a specially crafted TCP/IP packet to a host utilizing the TCP/IP protocol stack. This raises the possibility of a malicious program running in a virtual machine compromising the host environment.
Other products included in this month’s Patch Tuesday include the Windows Graphic Component, print spooler and Microsoft Office. For a full rundown of these CVEs, head to Microsoft’s security update page. Talos discovered two of the vulnerabilities patched this month: CVE-2021-26428 and CVE-2021-26430, both in Azure Sphere. We discovered these vulnerabilities as part of our ongoing participation in Microsoft’s Azure Sphere Challenge and will cover these more in-depth in a future post.
Another critical remote code execution vulnerability (CVE-2021-34535) exists in the Remote Desktop Client. This vulnerability already has a proof-of-concept available and has a severity score of 8.8 out of a possible 10. An attacker with control of a Remote Desktop Server could exploit this vulnerability to execute code on a client machine. An attacker could also potentially use a malicious program running in a guest virtual machine in Hyper-V to exploit this vulnerability to execute code.
We would also like to specifically highlight CVE-2021-26432, a critical remote code execution vulnerability in Windows Services for NFS. Microsoft’s advisory states that exploitation of this vulnerability is “more likely” and the severity score is a near-maximum 9.8.
This month’s Patch Tuesday also includes more information on the PetitPotam attack vector. This tool, which serves as a proof of concept for exploiting CVE-2021-36942, has been publicly released; nevertheless, Microsoft has not yet reported the vulnerability as being exploited in the wild, despite its severity score of 9.8.
This vulnerability could be used as part of an attack against domain controllers, though an attacker would first have to gain access to the internal network. Domain controllers are often a popular target for cyber attacks because they give attackers access to multiple systems once compromised.
In addition to installing the patch, Microsoft also advised users to follow the other mitigation techniques it outlined in an advisory last week.
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57997 - 57999 and 58003.