Vulristics: Microsoft Patch Tuesdays Q1 2021
Hello everyone! It has been 3 months since my last review of Microsoft vulnerabilities for Q4 2020. In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.
I will be using the reports that I created with my Vulristics tool. This time I’ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.
January 2021
- All vulnerabilities: 83
- Urgent: 0
- Critical: 1
- High: 28
- Medium: 51
- Low: 3
So, what was interesting in January? The only critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). “Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.”
The most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). “According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day.”
Also, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.
There were no public exploits for any of the January vulnerabilities. January was a quiet and calm month.
February 2021
- All vulnerabilities: 57
- Urgent: 1
- Critical: 2
- High: 21
- Medium: 31
- Low: 2
The one Urgent level vulnerability is an Elevation of Privilege in the Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. “Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data”. A public exploit in the form of a Metasploit module is found at Vulners (Win32k ConsoleControl Offset Confusion).
But the situation with other critical vulnerabilities is interesting. None of the VM vendors mentioned them in their Patch Tuesday reviews.
- The first is the Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on AttackerKB and for which a public exploit is found at Vulners (Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation). This is not the same vulnerability that was exploited in the HAFNIUM attacks. We’ll get to those vulnerabilities later.
- Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and Microsoft Exchange Server (CVE-2021-1730), were exploited in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.
If vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports?
- Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. “Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact.”
- Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). “RCE flaw within Windows server installations when configured as a DNS server. Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered “more likely” to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network.”
But for these 2 vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that these vulnerabilities do not need to be fixed. When we see the exploitation of these vulnerabilities in the wild, it will be a disaster.
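The February discussion above ranks vulnerabilities by evidence of exploitation (exploited in the wild, public exploit available) rather than by CVSS alone. The following is an added illustration of that ordering principle; it is not the Vulristics scoring algorithm and not code from the post. The weights are hypothetical, and the CVSS values for CVE-2021-1732, CVE-2021-1698, CVE-2021-1730 and CVE-2021-24085 are illustrative placeholders (only the 9.8 scores for CVE-2021-24078 and CVE-2021-24074 are quoted in the post).

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Vuln:
    cve: str
    name: str
    cvss: float              # CVSSv3 base score (see comments for which are illustrative)
    exploited_in_wild: bool  # vendor or AttackerKB reports in-the-wild exploitation
    public_exploit: bool     # a public exploit (e.g. Metasploit module) exists


def evidence_tags(v: Vuln) -> List[str]:
    """Human-readable list of the exploitation evidence behind a ranking."""
    tags = []
    if v.exploited_in_wild:
        tags.append("exploited in the wild")
    if v.public_exploit:
        tags.append("public exploit")
    return tags


def priority_score(v: Vuln) -> float:
    """Hypothetical additive score: exploitation evidence dominates CVSS.

    The bonuses are deliberately larger than the whole CVSS range so that a
    CVSS 9.8 issue with no exploitation evidence never outranks an issue that
    is actively exploited or has a public exploit.
    """
    score = v.cvss
    if v.exploited_in_wild:
        score += 10.0
    if v.public_exploit:
        score += 5.0
    return score


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Return vulnerabilities ordered from most to least urgent (stable sort)."""
    return sorted(vulns, key=priority_score, reverse=True)


# Constructed sample based on the February 2021 items discussed in the post.
# CVSS values marked "illustrative" are placeholders, not the published scores.
FEBRUARY_2021 = [
    Vuln("CVE-2021-1732", "Win32k Elevation of Privilege", 7.8, True, True),    # cvss illustrative
    Vuln("CVE-2021-1698", "Win32k Elevation of Privilege", 7.8, True, False),   # cvss illustrative
    Vuln("CVE-2021-1730", "Microsoft Exchange Server", 7.0, True, False),       # cvss illustrative
    Vuln("CVE-2021-24085", "Exchange Server Spoofing", 6.5, False, True),       # cvss illustrative
    Vuln("CVE-2021-24078", "Windows DNS Server RCE", 9.8, False, False),        # 9.8 quoted in the post
    Vuln("CVE-2021-24074", "Windows TCP/IP RCE", 9.8, False, False),            # 9.8 quoted in the post
]


if __name__ == "__main__":
    for v in prioritize(FEBRUARY_2021):
        tags = ", ".join(evidence_tags(v)) or "no exploitation evidence"
        print(f"{priority_score(v):5.1f}  {v.cve:15} {v.name} ({tags})")
```

With these weights the two CVSS 9.8 network RCEs that vendors highlighted land at the bottom of the list, behind the exploited Win32k and Exchange issues, which is the same ordering the post arrives at.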
March 2021
- All vulnerabilities: 82
- Urgent: 0
- Critical: 0
- High: 36
- Medium: 43
- Low: 3
And again, the top of the list is not exactly the same set of vulnerabilities that VM vendors pointed out in their reviews.
- Windows Container Execution Agent Elevation of Privilege Vulnerability (CVE-2021-26891). It is there simply because a public exploit was found at Vulners (Microsoft Windows Containers Privilege Escalation).
- Internet Explorer Memory Corruption (CVE-2021-26411). “A memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website”. Exploitation in the wild is mentioned at AttackerKB.
But we also see several Windows DNS Server Remote Code Executions. “All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. According to an analysis by researchers at McAfee, these CVEs are not considered “wormable,” yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020.” In general, updating DNS Server is never a bad thing.
And where is the most important thing? Naturally, these are the Exchange vulnerabilities, and they were published between Patch Tuesdays. I made a special script to collect such CVEs.
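Separating out-of-band releases from Patch Tuesday releases comes down to knowing the second Tuesday of each month and comparing publication dates against it. The script below is an added example written for this review, not the author's script and not part of Vulristics. The CVE list is a constructed sample; the publication dates in it are assumptions for illustration.

```python
import calendar
from datetime import date
from typing import Iterable, List, Tuple


def patch_tuesday(year: int, month: int) -> date:
    """Return Microsoft's Patch Tuesday, i.e. the second Tuesday of the month."""
    first_weekday, _ = calendar.monthrange(year, month)   # Monday == 0
    days_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + days_to_first_tuesday + 7)


def patch_tuesdays(year: int, months: Iterable[int]) -> List[date]:
    """Patch Tuesday dates for the given months of one year."""
    return [patch_tuesday(year, m) for m in months]


def split_by_patch_tuesday(
    entries: Iterable[Tuple[str, date]], year: int, months: Iterable[int]
) -> Tuple[List[str], List[str]]:
    """Split (cve_id, published) pairs into Patch Tuesday and out-of-band CVEs.

    A CVE counts as out-of-band ("between Patch Tuesdays") when its publication
    date is not one of the Patch Tuesday dates for the requested months.
    """
    pt_dates = set(patch_tuesdays(year, months))
    on_patch_tuesday: List[str] = []
    out_of_band: List[str] = []
    for cve_id, published in entries:
        if published in pt_dates:
            on_patch_tuesday.append(cve_id)
        else:
            out_of_band.append(cve_id)
    return on_patch_tuesday, out_of_band


# Constructed sample input: CVE ids from the post with assumed publication dates.
SAMPLE_CVES = [
    ("CVE-2021-1647", date(2021, 1, 12)),
    ("CVE-2021-1732", date(2021, 2, 9)),
    ("CVE-2021-26411", date(2021, 3, 9)),
    ("CVE-2021-26855", date(2021, 3, 2)),   # Exchange, released out of band
    ("CVE-2021-27065", date(2021, 3, 2)),   # Exchange, released out of band
]


if __name__ == "__main__":
    for pt in patch_tuesdays(2021, [1, 2, 3]):
        print("Patch Tuesday:", pt.isoformat())
    regular, between = split_by_patch_tuesday(SAMPLE_CVES, 2021, [1, 2, 3])
    print("Patch Tuesday CVEs:", regular)
    print("Between Patch Tuesdays:", between)
```

The same helper also covers the simpler report-splitting case of this post: feed it the whole quarter's CVE list and the out-of-band bucket becomes the "Other Q1 2021" report.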
Other Q1 2021
- All vulnerabilities: 85
- Urgent: 0
- Critical: 7
- High: 5
- Medium: 27
- Low: 46
The 7 critical vulnerabilities are those Microsoft Exchange Server Remote Code Executions exploited in recent attacks. They have signs of exploitation in the wild at AttackerKB and Microsoft. However, we still don’t see public exploits.
“ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!”
These vulnerabilities are extremely serious: if you have publicly reachable, unpatched Exchange servers, there is a good chance that you have already been hacked. For example, by HAFNIUM.
“Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)”.
“Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits, which are discussed in detail by MSTIC here. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
In short, these Exchange vulnerabilities are at the top.
The rest are Chrome vulnerabilities, simply because Microsoft’s browser is now based on Chrome.
You can download full versions of reports here:
- ms_patch_tuesday_january2021
- ms_patch_tuesday_february2021
- ms_patch_tuesday_march2021
- ms_patch_tuesday_other_Q1_2021
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I write first.