RSS Security

🔒
❌ About FreshRSS
There are new articles available, click to refresh the page.
Before yesterdayZero Day Initiative - Blog

The September 2021 Security Update Review

14 September 2021 at 17:37

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Apple and Google Chrome also released updates yesterday to fix bugs under active attack. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for September 2021

For September, Adobe released 15 patches covering 59 CVEs in Adobe Acrobat Reader, XMP Toolkit SDK, Photoshop, Experience Manager, Genuine Service, Digital Editions, Premiere Elements, Photoshop Elements, Creative Cloud Desktop, ColdFusion, Framemaker, InDesign, SVG-Native-Viewer, InCopy, and Premiere Pro. A total of 17 of these bugs came through the ZDI program.

The update for Adobe Acrobat fixes 26 bugs in total. Of these 26 bugs, 13 are rated Critical, 9 are rated Important, and four are rated Moderate in severity. The most severe of these bugs could allow remote code execution through either a type confusion, heap-based buffer overflow, or a use after free vulnerability. The single bug fixed by the Photoshop patch could also lead to code execution when opening a specially crafted file. The update for Framemaker includes five bugs found by ZDI researcher Mat Powell. The most severe of these issues result from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. If you’re still using ColdFusion, you’ll definitely want to patch the two Critical rated security feature bypass bugs being fixed today.

You can check out all of Adobe’s patches on their PSIRT page. None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Apple Patches for September 2021

Although Apple does not follow the second Tuesday patch release cycle, they did release patches yesterday fixing a couple of significant bugs. CVE-2021-30860 fixes an input validation bug in CoreGraphics that could allow remote code execution. Apple notes they are aware of a report this bug is being actively exploited. This was reported by the Citizen Lab, and public accounts indicate this bug was used to target a Saudi activist’s iPhone. While the likelihood of widespread attack using this bug is low, it should still be taken seriously. Apple also notes CVE-2021-30858 – a Use-After-Free (UAF) bug in Webkit – has also been detected in the wild. These bugs impact several different Apple products, including iOS, iPad OS, watchOS, Safari, Catalina, and Big Sur. Definitely take some time to review all of the patches and apply the applicable updates once tested.

Google Chrome Patches for September 2021

Not to be outdone by Apple, Google also released a new version of Chrome yesterday to address a total of nine CVEs – two of which are listed as under active attack. CVE-2021-30632 fixes an Out-of-Bounds (OOB) Write, while CVE-2021-30633 fixes a UAF bug. Both were reported by an anonymous researcher, and both could lead to code execution at the level of the logged-on user. All of the bugs fixed in this release receive a “High” severity rating from Google. If you are running Chrome, definitely update to ensure you are on the latest stable version.

Side note: As of today, not all these fixes have not been absorbed by Microsoft Edge (Chromium) and are unrelated to the Edge (Chromium) fixes discussed below. Microsoft did list CVE-2021-30632 on September 11 but appears to have jumped the gun a bit on this release as it currently shows a September 14 release date.

Microsoft Patches for September 2021

For September, Microsoft released patches today for 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. This is in addition to the 20 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the September total to 86 CVEs. A total of 11 of these bugs were submitted through the ZDI program.

Of the 66 new CVEs patched today, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume is slightly higher than the average for 2021, which is below the 2020 volume while still above what was seen in 2019. As with last month, Microsoft spent significant resources responding to bugs under active attack, most notably CVE-2021-40444. One other bug is listed as publicly known but not being exploited (for now).

Let’s take a closer look at some of the more interesting updates for this month, starting with the MSHTML bug that’s listed as under active attack:

-       CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability
This patch fixes a bug currently being exploited via Office documents. A specially crafted ActiveX control is embedded in an Office doc then sent to a target. If opened on an affected system, code executes at the level of the logged-on user. Microsoft lists disabling ActiveX as a workaround, but other reports state this may be ineffective. As of now, the most effective defense is to apply the patch and avoid Office docs you aren’t expecting to receive. There are multiple updates for specific platforms, so be sure to carefully review and install all needed patches to ensure you are covered.  

-       CVE-2021-36965 - Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
This patch fixes a vulnerability that could allow network adjacent attackers to run their code on affected systems at SYSTEM level. This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly.

-       CVE-2021-38647 - Open Management Infrastructure Remote Code Execution Vulnerability
This patch rates the highest CVSS (9.8) for this month and fixes an RCE bug in the Open Management Infrastructure (OMI). If you aren’t familiar with OMI, it’s an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards. You can read all about it here. This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system. OMI users should test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for September 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability Important 8.8 Yes Yes RCE
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability Critical 8.1 No No RCE
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability Important 6.3 No No Info
CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 5.3 No No EoP
CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability Important 6.4 No No Tampering
CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability Important 6.1 No No Info
CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38650 Microsoft Office Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26437 Visual Studio Code Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36975 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38639 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-36959 Windows Authenticode Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36961 Windows Installer Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-36962 Windows Installer Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36960 Windows SMB Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36972 Windows SMB Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38637 Windows Storage Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability Moderate 4.6 No No Info
CVE-2021-30606 Chromium: CVE-2021-30606 Use after free in Blink High N/A No No RCE
CVE-2021-30607 Chromium: CVE-2021-30607 Use after free in Permissions High N/A No No RCE
CVE-2021-30608 Chromium: CVE-2021-30608 Use after free in Web Share High N/A No No RCE
CVE-2021-30609 Chromium: CVE-2021-30609 Use after free in Sign-In High N/A No No RCE
CVE-2021-30610 Chromium: CVE-2021-30610 Use after free in Extensions API High N/A No No RCE
CVE-2021-30632 Chromium: CVE-2021-30632 Out of bounds write in V8 High N/A No Yes RCE
CVE-2021-30623 Chromium: CVE-2021-30623 Use after free in Bookmarks Low N/A No No RCE
CVE-2021-30624 Chromium: CVE-2021-30624 Use after free in Autofill Low N/A No No RCE
CVE-2021-30611 Chromium: CVE-2021-30611 Use after free in WebRTC Medium N/A No No RCE
CVE-2021-30612 Chromium: CVE-2021-30612 Use after free in WebRTC Medium N/A No No RCE
CVE-2021-30613 Chromium: CVE-2021-30613 Use after free in Base internals Medium N/A No No RCE
CVE-2021-30614 Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip Medium N/A No No RCE
CVE-2021-30615 Chromium: CVE-2021-30615 Cross-origin data leak in Navigation Medium N/A No No Info
CVE-2021-30616 Chromium: CVE-2021-30616 Use after free in Media Medium N/A No No RCE
CVE-2021-30617 Chromium: CVE-2021-30617 Policy bypass in Blink Medium N/A No No SFB
CVE-2021-30618 Chromium: CVE-2021-30618 Inappropriate implementation in DevTools Medium N/A No No RCE
CVE-2021-30619 Chromium: CVE-2021-30619 UI Spoofing in Autofill Medium N/A No No Spoofing
CVE-2021-30620 Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink Medium N/A No No SFB
CVE-2021-30621 Chromium: CVE-2021-30621 UI Spoofing in Autofill Medium N/A No No Spoofing
CVE-2021-30622 Chromium: CVE-2021-30622 Use after free in WebApp Installs Medium N/A No No RCE

As we did last month, this month’s table also lists the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign CVSS scores, so none are listed in the table. Again, these bugs are different than the ones fixed by Google Chrome in yesterday’s release. Those bugs should be incorporated into a future version of Edge (Chromium).

The remaining Critical-rated bug fixes a code execution vulnerability in the Scripting Engine. An attacker would need to convince a user to browse to a specially crafted website or open a file to get code execution. Looking at the other RCE bugs addressed in this release, many impact Office or an Office component. Visio receives some rare updates to go along with the more common fixes for Word, Access, and Excel.

This month’s release brings a total of 27 Elevation of Privilege (EoP) patches with it. The most notable is one listed as publicly known impacting DNS. Microsoft provides no details about the nature of the bug other than to say local privileges are required to successfully exploit it. This is not to be confused with the patch for an EoP in the Bind Filter Driver, which is completely different from the ISC BIND DNS system. Other notable EoP bugs include updates for Edge (Chromium) that seem unique to Edge – meaning the bugs weren’t from the port of Chromium and patched by Google. Visual Studio receives a patch to fix an EoP reported by ZDI researcher Michael DePlante. The issue results from incorrect permissions set on a resource used by the installer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. There are some patches for the Print Spooler, but these don’t appear to have the impact or urgency as the PrintNightmare series of bugs. The other EoP fixes address various Windows components. In almost all cases, an attacker would need to log on to an affected system and run specially crafted code.

There are only two patches for security feature bypasses (SFBs) in this month’s release, but one seems awfully familiar. CVE-2021-38632 fixes a bug that could allow an attacker with physical access to a powered-off system to gain access to encrypted data. This sounds vaguely like the “cold boot” attacks widely discussed back in 2008. The other SFB bug being fixed this month could allow an attacker to bypass the Windows Key Storage Provider that issues key certificates for trust in attestation scenarios. This one’s a bit more vague, but surprisingly, Microsoft lists the attack complexity as Low for this bug. Definitely something to look out for.

Looking at the 12 information disclosure bugs in this month’s release, more simply result in leaks consisting of unspecified memory contents. A notable exception is a bug in the Windows Installer that could allow an attacker to read from the file system. The Windows Storage component has a bug with a similar impact. It’s not clear if any file can be read by an attacker or just specifical files and locations. The info disclosure being fixed in the Microsoft Accessibility Insights for Android is even more vague. According to Microsoft, the type of info disclosed is “sensitive information.” Well then. Plan accordingly.

The September release includes fixes for seven spoofing bugs and one for a cross-site scripting (XSS) bug. Microsoft provides no details on what may be spoofed for any of these vulnerabilities, but some have intriguing titles. There are fixes for Microsoft Edge for iOS and Android, so for those of you who use Edge on your phone, hit up the appropriate store to update your apps. There is a fix for a spoofing bug in Windows Authenticode, but the attacker vector is listed as local with privileges required. It’s possible this could allow an attacker access to something otherwise prohibited, but without further details, we can only speculate.

This month’s release is rounded out by a fix for a Denial-of-Service (DoS) bug in the Windows Installer and by a fix for Microsoft Edge (Chromium) in the mercurial Tampering category. Again, no information on what sort of tampering this vulnerability would allow. However, tampering bugs in the browser usually means an attacker could view and/or alter data within the browser. Interestingly, Microsoft appears to have released this update on September 9, but it does not appear to map to any bug fix released by the Chrome team.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on October 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The September 2021 Security Update Review

The August 2021 Security Update Review

10 August 2021 at 17:22

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for August 2021

For August, Adobe released two patches addressing 29 CVEs in Adobe Connect and Magento. The update for Connect is rated Important and fixes a single security feature bypass and two cross-site scripting bugs. The Critical-rated patch for Magento fixes a wide range of bugs, the worst of which could allow remote code execution.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for August 2021

For August, Microsoft released patches today for 44 CVEs in Microsoft Windows and Windows components, Office, .NET Core and Visual Studio, Windows Defender, Windows Update and Update Assistant, Azure, and Microsoft Dynamics. This is in addition to seven CVEs patched in Microsoft Edge (Chromium-based) earlier this month. A total of eight of these bugs were submitted through the ZDI program. Of the 44 CVEs patched today, seven are rated Critical and 37 are rated Important in severity. This is the smallest release for Microsoft in 2021 and could be due to resource constraints since Microsoft spent so much time in July responding to events like PrintNightmare and PetitPotam. In fact, this is the smallest release since December 2019. It will be interesting to see if the September patch volume rebounds to triple digits or remains on the smaller side.

According to Microsoft, two of these bugs are publicly known and one is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s listed as under active attack:

-       CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability
This bug could allow a local privilege escalation through the Windows Update Medic Service – a new feature introduced in Windows 10 designed to repair Windows Update components from damage so that the computer can continue to receive updates. An attacker would need to log on to an affected system and run a specially crafted program to escalate privileges. Microsoft does not say how widespread the attacks are, but they are most likely targeted at this point.

-       CVE-2021-36942 - Windows LSA Spoofing Vulnerability
Speaking of PetitPotam, Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface. This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue.

-       CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability
Another month, another remote code execution bug in the print spooler. This bug is listed as publicly known, but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug.

UPDATE: Microsoft has released KB5005652 to provide guidance on managing new Point and Print default driver installation behavior. This is an update for CVE-2021-34481, which was originally released in July, 2021. Sysadmins should review this KB along with applying the Print Spooler related updates in this release.

-       CVE-2021-34535 - Remote Desktop Client Remote Code Execution Vulnerability
Before you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server. However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.

Here’s the full list of CVEs released by Microsoft for August 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-36948 Windows Update Medic Service Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-36936 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes No RCE
CVE-2021-36942 Windows LSA Spoofing Vulnerability Important 9.8 Yes No Spoofing
CVE-2021-34535 Remote Desktop Client Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-34480 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No No RCE
CVE-2021-34530 Windows Graphics Component Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34534 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2021-26432 Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26424 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-26423 .NET Core and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34485 .NET Core and Visual Studio Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-34532 ASP.NET Core and Visual Studio Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-33762 Azure CycleCloud Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-36943 Azure CycleCloud Elevation of Privilege Vulnerability Important 4 No No EoP
CVE-2021-26430 Azure Sphere Denial of Service Vulnerability Important 6 No No DoS
CVE-2021-26429 Azure Sphere Elevation of Privilege Vulnerability Important 7.7 No No EoP
CVE-2021-26428 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-36949 Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability Important 7.1 No No SFB
CVE-2021-36950 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-34524 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-36946 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-34478 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36940 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-34471 Microsoft Windows Defender Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36941 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34536 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36945 Windows 10 Update Assistant Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-34537 Windows Bluetooth Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36938 Windows Cryptographic Primitives Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36927 Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26425 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34486 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34487 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34533 Windows Graphics Component Font Parsing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36937 Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34483 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36947 Windows Print Spooler Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-26431 Windows Recovery Environment Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26433 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36926 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36932 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36933 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-26426 Windows User Account Profile Picture Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34484 Windows User Profile Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-30590 Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks High N/A No No RCE
CVE-2021-30591 Chromium: CVE-2021-30591 Use after free in File System API High N/A No No RCE
CVE-2021-30592 Chromium: CVE-2021-30592 Out of bounds write in Tab Groups High N/A No No RCE
CVE-2021-30593 Chromium: CVE-2021-30593 Out of bounds read in Tab Strip High N/A No No Info
CVE-2021-30594 Chromium: CVE-2021-30594 Use after free in Page Info UI High N/A No No RCE
CVE-2021-30596 Chromium: CVE-2021-30596 Incorrect security UI in Navigation Medium N/A No No SFB
CVE-2021-30597 Chromium: CVE-2021-30597 Use after free in Browser UI Medium N/A No No RCE

You’ll notice this month’s table includes the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign a CVSS score, so none is listed in the table.

Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system. One exception would be CVE-2021-26432, which is a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note  it needs neither privileges or user interaction to be exploited. This may fall into the “wormable” category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface. That certainly sounds like elevated code on a listening network service. Don’t ignore this patch.

Another interesting Critical-rated bug affects the TCP/IP stack. Despite its CVSS rating of 9.9, this may prove to be a trivial bug, but it’s still fascinating. An attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. While not wormable, it’s still cool to see new bugs in new scenarios being found in protocols that have been around for years.

The remaining patches for RCE bugs primarily address open-and-own types of bugs in Microsoft Dynamics (on-prem), Office, Word, and Windows media components. For example, the vulnerability in Word would require someone to open a specially crafted Word doc with an affected version, resulting in code execution at the logged-on user lever. There’s also an Important-rated RCE bug in the print spooler, however, it’s not clear why this one is rated Important while the other is rated Critical. Both have the exact same CVSS rating. One is publicly known, but that shouldn’t affect severity. Best to treat both print spooler bugs as Critical, just to be on the safe side. 

There are a total of 16 Elevation of Privilege (EoP) patches in this month’s release. Most of these exist in Windows components and require an attacker to log on to an affected system and execute their specially crafted program. Six of these bugs were reported through the ZDI program by Abdelhamid Naceri (halov) and deal with improper link resolution before file access (Link Following) vulnerabilities. For example, by creating a directory junction, an attacker can abuse the Windows Update Assistant to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the Administrator. Altogether, there are EoP fixes for Windows Defender, Azure Sphere and CycleCloud, Storage Spaces, the Update Assistant, the Bluetooth service, Windows Event Tracing, and the aforementioned Print Spooler.

Looking at the eight information disclosure bugs in this month’s release, more simply result in leaks consisting of unspecified memory contents. A notable exception is the patch for .NET Core and Visual Studio that could disclose data inside the targeted website like IDs, tokens, nonces, and other sensitive information. Microsoft does not specify what information is disclosed by the bug in the Windows Cryptographic Primitives Library, but judging by the title alone, it’s possible (though unlikely) that an attacker could recover plaintext data from encrypted content. Let’s hope we receive more information on this bug in the future.

Only two patches this month result in Denial-of-Service (DoS) conditions, but you likely only need to act on one. The update for Azure Sphere should have been automatically delivered to your device provided it is connected to the Internet. The other patch fixes a DoS bug in .NET Core and Visual Studio and needs to be installed as per usual.

There are also just two security feature bypasses getting fixes this month. The first is for Azure Active Directory Connect, but you’ll need to do more than just patch to prevent a Man-in-The-Middle (MiTM) attack between your Azure AD Connect server and a domain controller. You will also need to disable NTLM as laid out in this document. The other spoofing bug occurs in SharePoint Server and likely manifests as a cross-site scripting (XSS) issue. Speaking of XSS bugs, this month’s release is rounded out by two patches for XSS vulnerabilities in Microsoft Dynamics.

As expected, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on September 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The August 2021 Security Update Review

The July 2021 Security Update Review

13 July 2021 at 17:24

The second Tuesday of the month is here, and it brings with it the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for July 2021

For July, Adobe released five patches addressing 29 CVEs in Adobe Dimension, Illustrator, Framemaker, Acrobat and Reader, and Adobe Bridge. A total of 15 of these bugs were reported through the ZDI program with several being discovered by ZDI researchers Mat Powell and Joshua Smith. The update for update Acrobat and Reader fixes 19 different bugs – several of which could lead to code execution if an attacker can convince a user to open a malicious PDF with an affected version. The update for Dimension also could allow code execution. For Illustrator, three bugs are being fixed. The two that allow for code execution occur in during the processing of PDF and JPEG2000 files. These issues result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Similar Out-Of-Bounds (OOB) Write bugs exist in the five fixes for Bridge. Again, code execution would occur at the level of the logged-on user. The single CVE fixed by the Framemaker patch corrects an OOB Write that exists within the parsing of TrueType fonts embedded in PDF files.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for July 2021

For July, Microsoft released patches for 117 CVEs in Microsoft Windows, Dynamics, Exchange Server, Microsoft Office, Windows Storage Spaces Controller, Bing, SharePoint Server, Internet Explorer (IE), Visual Studio, and OpenEnclave. A total of 17 of these bugs were reported through the ZDI program. Of these 117 bugs, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity. This volume of fixes is more than the last two months combined and on par with the monthly totals from 2020. Perhaps the lowered rate seen in the prior months was an aberration. According to Microsoft, six of these bugs are publicly known and four are listed as under active attack at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s already received a lot of (warranted) attention:

-       CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability
Much has already been written about this currently exploited bug also known as PrintNightmare. Microsoft released an Out-of-Band (OOB) patch for this bug on July 1, and they have updated it multiple times since then. There have been reports the patch is ineffective, but Microsoft insists it works – provided certain registry keys have the correct values. Enterprises should verify these registry keys are configured as intended and get this patch rolled out. It’s also a fine time to disable the Print Spooler service wherever it isn’t needed and restrict the installation of printer drivers to just administrators.

-       CVE-2021-34448 - Scripting Engine Memory Corruption Vulnerability
This bug is also listed as under active exploit, but there’s no indication of how widespread the attack is. The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn’t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (>8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows.

-       CVE-2021-34494 - Windows DNS Server Remote Code Execution Vulnerability
This bug is currently not under active attack, but considering the severity, there are those who will work to change that status. This bug could allow remote code execution at a privileged service level on a listening network port without user interaction. Microsoft does mention low privileges are needed, but depending on the server configuration, these could be easily gained. This bug is restricted to DNS Servers only, but if there’s one system you don’t want wormed, it’s probably your DNS server. Definitely test and deploy this one quickly.

-       CVE-2021-34458 - Windows Kernel Remote Code Execution Vulnerability
It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly.

Here’s the full list of CVEs released by Microsoft for July 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No Yes RCE
CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 Yes No RCE
CVE-2021-33781 Active Directory Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 9 Yes No EoP
CVE-2021-33779 Windows ADFS Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34492 Windows Certificate Spoofing Vulnerability Important 8.1 Yes No Spoofing
CVE-2021-34474 Dynamics Business Central Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-34464 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34522 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34439 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34503 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-34450 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.5 No No RCE
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-33740 Windows Media Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34497 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2021-34476 Bowser.sys Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34489 DirectWrite Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34440 GDI+ Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31947 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33775 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33776 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33777 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33778 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33760 Media Foundation Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-33753 Microsoft Bing Search Spoofing Vulnerability Important 4.7 No No Spoofing
CVE-2021-34501 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34518 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33766 Microsoft Exchange Information Disclosure Vulnerability Important 7.3 No No Info
CVE-2021-33768 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-34470 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-31196 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34451 Microsoft Office Online Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34469 Microsoft Office Security Feature Bypass Vulnerability Important 8.2 No No SFB
CVE-2021-34467 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34468 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34520 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-34517 Microsoft SharePoint Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34479 Microsoft Visual Studio Spoofing Vulnerability Important 7.8 No No Spoofing
CVE-2021-34441 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34452 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33767 Open Enclave SDK Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2021-31984 Power BI Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34521 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33751 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34460 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34510 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34512 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34513 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34509 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34477 Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34528 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34529 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34449 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34516 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34491 Win32k Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34504 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33785 Windows AF_UNIX Socket Provider Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34459 Windows AppContainer Elevation Of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34462 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-33782 Windows Authenticode Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-33784 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34488 Windows Console Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34461 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33759 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33745 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34442 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34444 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34499 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-33746 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33754 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33780 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-34525 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33749 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33750 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33752 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33756 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33774 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34455 Windows File History Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34438 Windows Font Driver Host Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34498 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34496 Windows GDI Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-34446 Windows HTML Platform Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2021-33755 Windows Hyper-V Denial of Service Vulnerability Important 6.3 No No DoS
CVE-2021-33758 Windows Hyper-V Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-34511 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33765 Windows Installer Spoofing Vulnerability Important 6.2 No No Spoofing
CVE-2021-31961 Windows InstallService Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2021-34514 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34500 Windows Kernel Memory Information Disclosure Vulnerability Important 6.3 No No Info
CVE-2021-34508 Windows Kernel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33764 Windows Key Distribution Center Information Disclosure Vulnerability Important 5.9 No No Info
CVE-2021-33788 Windows LSA Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33786 Windows LSA Security Feature Bypass Vulnerability Important 8.1 No No SFB
CVE-2021-34447 Windows MSHTML Platform Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2021-34493 Windows Partition Management Driver Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2021-33743 Windows Projected File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33761 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33773 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34445 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34456 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33763 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34454 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34457 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34507 Windows Remote Assistance Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-33744 Windows Secure Kernel Mode Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33757 Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33783 Windows SMB Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31183 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33772 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34490 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34519 Microsoft SharePoint Server Information Disclosure Vulnerability Moderate 5.3 No No Info

Looking at the remaining patches, you’ll note seven patches for Exchange Server, but only some of these are actually new. One of the new ones is CVE-2021-31206, which was disclosed during the last Pwn2Own contest. There are also new patches for elevation of privilege bugs that could be exploited in a man-in-the-middle attack or be network adjacent. The real surprise in this month’s Exchange patches are the three bugs patched in April but not documented until today. Silent patches have caused many problems in the past and represent significant risks to enterprises. While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources. If they are not provided guidance on installing the patch, or information from the vendor on the severity of the patch, their uninformed decision could have negative consequences.

Taking a look at the remaining Critical-rated bugs, there are two updates for Defender code execution bugs, although you likely won’t need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. There are also RCE bugs in Dynamics 365 Business Central, Windows Media Foundation, MSHTML, and Hyper-V.

Moving to the Important-rated RCE bugs, there are quite a few impacting the Windows DNS Server. Most of these would require an administrator to view a malicious record in the DNS Snap-in to be exploited. There are also a few that have no user interaction and require only low-level privileges. Two of the patches fix denial-of-service (DoS) bugs in the server. Shutting DNS down is nearly as severe as taking it over. In all cases, the DNS Server must be enabled for a system to be impacted by these bugs. The Important RCEs category is rounded out by fixes for Office components, SharePoint Server, and HEVC Video Extensions.

There are a total of 32 Elevation of Privilege (EoP) patches in this month’s release. In addition to the ones previously mentioned, six of these fix EoP bugs in the Windows Storage Spaces Controller. There are also fixes for EoP vulnerabilities in the kernel, Remote Access Connection Manager, Installer service, partition management, and projected file system.

We’ve already mentioned quite a few DoS bugs in this release, and there are a few more to look out for. The first is a bug in the Local Security Authority (LSA). Microsoft doesn’t detail the impact of the bug, but a DoS on LSA implies users can’t authenticate. There are three DoS vulnerabilities in the TCP/IP stack. Again, no details from Microsoft, but it appears an attacker could shut down all networking on a device. Finally, there are fixes for DoS bugs in bowser.sys and the Windows AF_UNIX Socket Provider.

There are 14 patches fixing information disclosure bugs this month, including the single Moderate-rated fix for a bug in SharePoint Server. This bug could disclose PII and, in some cases, requires multiple packages to be completely addressed. Most of the other bugs only lead to leaks consisting of unspecified memory contents. Two notable exceptions impact KDC and SMB. The KDC has a weak encryption algorithm that could be used to decrypted and expose information related to a user or service's active session. The SMB bug could allow an attacker unauthorized file system access, meaning they could read files on the affected system.

Eight security feature bypasses are fixed in this month’s release. The patch for ADFS fixes a bug in the Primary Refresh Tokens, which are normally stored in the TPM. The tokens aren’t encrypted properly. Attackers could extract and potentially decrypt the token for reuse until the token expires or is renewed. There’s a bug in LSA that could allow a read-only domain controller (RODC) to delegate rights by granting itself a ticket. This ticket isn’t validated by a domain controller, which could lead to a read-only DC getting Read/Write privileges. A patch for the Security Account Manager adds Advanced Encryption Standard (AES) encryption as the preferred method when using the MS-SAMR protocol. Microsoft will be releasing KB5004605 with additional configuration details in the future. At the time of release, it’s mentioned, but not live yet. Frustratingly, no details are available about the other bypasses, which includes the patches for two publicly known bugs and Windows Hello.

This month’s release is rounded out by seven patches to address spoofing bugs in SharePoint Server, Bing Search, Visual Studio, Office, Authenticode, Installer, and bug that could allow certificate spoofing. In late June, Microsoft reported they were investigating reports regarding a malicious actor trying to leverage the Windows Hardware Compatibility Program (WHCP) process. While they indicated there was no evidence of certificate exposure, it’s possible this patch resulted from that investigation. They do mark the bug as publicly known, but there’s no documentation confirming the link. No details are available about any of the other spoofing patches.

As usual, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on August 10, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The July 2021 Security Update Review

The June 2021 Security Update Review

8 June 2021 at 17:31

It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for June 2021

For June, Adobe released 10 patches addressing 39 CVEs in Adobe Connect, Acrobat and Reader, Photoshop. Photoshop Elements, Experience Manager, Creative Cloud, RoboHelp, Premiere Elements, Animate, and After Effects. A total of nine of these bugs came through the ZDI program. The two patches that stand out are the fixes for Reader and After Effects. In the case of Adobe Reader, the Critical-rated CVEs could allow code execution if an attacker can convince a user to open a specially crafted PDF file with an affected version of Reader. For the use-after-free (UAF) bugs reported through our program, the specific flaw exists within the handling of AcroForm fields. The issue results from the lack of validating the existence of an object prior to performing operations on the object. The update for After Effects fixes a large mix of Critical- to Moderate-rated bugs. The worst of these could allow code execution at the level of the logged-on user.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for June 2021

For June, Microsoft released patches for 50 CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop. A total of eight of these bugs came through the ZDI program. Of these 50 bugs, five are rated Critical and 45 are rated Important in severity. According to Microsoft, six of these bugs are currently under active attack while three are publicly known at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with some of the bugs listed as under active attack:

-       CVE-2021-33742 - Windows MSHTML Platform Remote Code Execution Vulnerability
This bug could allow an attacker to execute code on a target system if a user views specially crafted web content. Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted – not just Internet Explorer. It’s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list.

-       CVE-2021-31199/CVE-2021-31201 - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
These two bugs are linked to the Adobe Reader bug listed as under active attack last month (CVE-2021-28550). It’s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits. It is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.

-       CVE-2021-31956 - Windows NTFS Elevation of Privilege Vulnerability
This is another of the bugs listed as under active attack this month. This was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. It's possible these bugs were used in conjunction, as that is a common technique - use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.

-       CVE-2021-31962 - Kerberos AppContainer Security Feature Bypass Vulnerability
This bug allows an attacker to bypass Kerberos authentication and potentially authenticate to an arbitrary service principal name (SPN). This vulnerability earns the highest CVSS for June at 9.4. This could allow an attacker to potentially bypass authentication to access any service that is accessed via an SPN. Given that SPN authentication is crucial to security in Kerberos deployments, this patch should be given highest priority.

Here’s the full list of CVEs released by Microsoft for June 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 7.5 Yes Yes RCE
CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 8.4 Yes Yes EoP
CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability Important 5.2 No Yes EoP
CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability Important 5.2 No Yes EoP
CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability Important 5.5 No Yes Info
CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability Important 7.5 Yes No DoS
CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 7.1 No No RCE
CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability Critical 6.4 No No RCE
CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-31957 .NET Core and Visual Studio Denial of Service Vulnerability Important 5.9 No No DoS
CVE-2021-31944 3D Viewer Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-31942 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31943 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31972 Event Tracing for Windows Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31962 Kerberos AppContainer Security Feature Bypass Vulnerability Important 9.4 No No SFB
CVE-2021-31978 Microsoft Defender Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-33741 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2021-31939 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31980 Microsoft Intune Management Extension Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-31940 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31941 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31949 Microsoft Outlook Remote Code Execution Vulnerability Important 6.7 No No RCE
CVE-2021-31965 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-26420 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-31966 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-31948 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31950 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31964 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31938 Microsoft VsCode Kubernetes Tools Extension Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-31945 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31946 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31983 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31974 Server for NFS Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-31975 Server for NFS Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-31976 Server for NFS Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-31960 Windows Bind Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31969 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31954 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26414 Windows DCOM Server Security Feature Bypass Important 4.8 No No SFB
CVE-2021-31953 Windows Filter Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31973 Windows GPSVC Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31971 Windows HTML Platform Security Feature Bypass Vulnerability Important 6.8 No No SFB
CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability Important 8.6 No No DoS
CVE-2021-31951 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31952 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31958 Windows NTLM Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-1675 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31970 Windows TCP/IP Driver Security Feature Bypass Vulnerability Important 5.5 No No SFB

Looking at the remaining Critical-rated bugs, the update for Defender stands out even though you likely won’t need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. You should still verify the version and manually apply the update if needed. Similarly, the update for the VP9 codecs should be automatically updated through the Microsoft store. Again, if you’re in a disconnected environment, you’ll need to manually apply the patch. The remaining Critical-rated bugs include a browse-and-own bug in the scripting engine and a remote code execution vulnerability in SharePoint. The SharePoint bug requires no user interaction but does require some level of privilege. The attack complexity is listed as high, but considering the target, attackers are likely to do everything possible to turn this into a practical exploit.

Moving on to the Important-rated updates, there are a couple of SharePoint code execution bugs here as well. One of these came through the ZDI program, and we’ll post more details about it in the near future. We blogged about a similar bug last week, so you can check that out in the meantime. There are several patches impacting Office components with the most notable being the update for Outlook. Fortunately, the Preview Pane is not affected. An attacker would need to convince someone to open a specially crafted file with an affected version of Outlook. Those using Microsoft Intune for device management should ensure they apply the patch as soon as possible. While the attack scenario is not defined, it does not require authentication or user interaction. If you use Intune, I recommend treating this patch as Critical and deploy it quickly. The Important-rated code execution patches are rounded out by a couple of patches for the 3D Viewer and Paint 3D. One of the Paint bugs was reported by ZDI researcher Mat Powell and exists within the parsing of STL files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure.

There are 10 additional elevation of privilege (EoP) bugs receiving patches this month beyond those previously mentioned. The bug fixed by the Desktop Windows Manager (DWM) patch is also listed as publicly known and under active attack. Again, it’s not clear how widespread these attacks are, but they are likely more targeted at this point. The update for the Chromium-based Edge actually went live on Friday, June 4. It’s not clear how this bug is an EoP rather than code execution, but either way, user interaction is required. The other EoPs addressed this month require the attacker to run their code on an affected system to escalate privileges. Several Windows components are impacted by these bugs, including the Windows Kernel and Microsoft’s Kubernetes tools.

There are seven patches fixing information disclosure bugs this month, with the vulnerability for the Windows Kernel listed as under active attack. For the most part, all of these bugs only lead to leaks consisting of unspecified memory contents. The one exception is the info leak in SharePoint that could lead to exposing Personally Identifiable Information (PII).

There are five patches fixing denial-of-service (DoS) bugs in the release. The most notable affected components are Hyper-V and Windows Defender. Again, you should have already received the Defender update. Even if you have Defender disabled, a vulnerability scanner may detect systems as vulnerable due to the presence of the impacted files. However, Microsoft states systems with Defender disabled are not in a “vulnerable state.” The DoS bug fixed in the Windows Remote Desktop Protocol is listed as publicly known, but it’s not clear what public information is available.

Four security feature bypasses are fixed in this month’s release, including the previously mentioned Kerberos bypass. The update for Windows DCOM requires special attention. The patch doesn’t automatically fix the vulnerability. Instead, it provides enterprises the ability to enable hardening for protections from the bug. Microsoft plans another release in Q4 2021 that enables the protections by default while allowing the hardened to be disabled via the registry. In late 2021 or early 2022, the ability to disable the protections will be removed. It seems Microsoft anticipates some application compatibility problems may arise from this fix, so definitely test this update thoroughly.

This month’s release is rounded out by three patches to address spoofing bugs in SharePoint Server. As per usual, the servicing stack advisory (ADV990001) was revised for versions of Windows 10 and Server 2019. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on July 13, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The June 2021 Security Update Review

The May 2021 Security Update Review

11 May 2021 at 17:26

It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for May 2021

For May, Adobe released 12 patches addressing 44 CVEs in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate. A total of five of these bugs came through the ZDI program.

The update for Acrobat and Reader should be given the highest priority. One of the 14 CVEs fixed by this patch is listed as being currently used in the wild. The bug (CVE-2021-28550) is one of three use after free (UAF) bugs addressed by this patch. These and other vulnerabilities could lead to code execution if someone were to open a specially crafted PDF with an affected version of Acrobat or Reader. The update for InDesign also stands out. These bugs result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process.

Beyond the one Reader bug, none of the other vulnerabilities patched by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for May 2021

For May, Microsoft released patches for 55 CVEs in Microsoft Windows, .NET Core and Visual Studio, Internet Explorer (IE), Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Microsoft Lync, and Exchange Server. A total of 13 of these bugs came through the ZDI program. Of these 55 bugs, four are rated as Critical, 50 are rated as Important, and one is listed as Moderate in severity. According to Microsoft, three of these bugs are publicly known but none are listed as under active exploit at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug sure to garner a lot of attention:

-       CVE-2021-31166 - HTTP Protocol Stack Remote Code Execution Vulnerability
This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code as kernel. An attacker would simply need to send a specially crafted packet to an affected server. That makes this bug wormable, with even Microsoft calling that out in their write-up. Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.

-       CVE-2021-28476 - Hyper-V Remote Code Execution Vulnerability
With a CVSS of 9.9, this bug scores the highest severity rating for this month’s release. However, Microsoft notes an attacker is more likely to abuse this vulnerability for a denial of service in the form of a bugcheck rather than code execution. Because of this, it could be argued that the attack complexity would be high, which changes the CVSS rating to 8.5. That still rates as high severity, but not critical. Still, the bugcheck alone is worth making sure your Hyper-V systems get this update.

-       CVE-2021-27068 - Visual Studio Remote Code Execution Vulnerability
This patch fixes an unusual bug in Visual Studio 2019 that could allow code execution. It’s unusual because it’s listed as not requiring any user interaction, so it’s unclear how an attacker would leverage this vulnerability. It does appear that the attacker would need to be authenticated at some level, but the attack complexity is listed as low. If you are a developer running Visual Studio, make sure you grab this update.

-       CVE-2020-24587 - Windows Wireless Networking Information Disclosure Vulnerability
We don’t normally highlight info disclosure bugs, but this one has the potential to be pretty damaging. This patch fixes a vulnerability that could allow an attacker to disclose the contents of encrypted wireless packets on an affected system. It’s not clear what the range on such an attack would be, but you should assume some proximity is needed. You’ll also note this CVE is from 2020, which could indicate Microsoft has been working on this fix for some time.

Here’s the full list of CVEs released by Microsoft for May 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-31204 .NET Core and Visual Studio Elevation of Privilege Vulnerability Important 7.3 Yes No EoP
CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability Important 7.2 Yes No RCE
CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability Moderate 6.6 Yes No SFB
CVE-2021-31166 HTTP Protocol Stack Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28476 Hyper-V Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-31194 OLE Automation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26419 Scripting Engine Memory Corruption Vulnerability Critical 6.4 No No RCE
CVE-2021-28461 Dynamics Finance and Operations Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2021-31936 Microsoft Accessibility Insights for Web Information Disclosure Vulnerability Important 7.4 No No Info
CVE-2021-31182 Microsoft Bluetooth Driver Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2021-31174 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31195 Microsoft Exchange Server Remote Code Execution Vulnerability Important 6.5 No No RCE
CVE-2021-31198 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31209 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-28455 Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-31180 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31178 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31175 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31176 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31177 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31179 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31171 Microsoft SharePoint Information Disclosure Vulnerability Important 4.1 No No Info
CVE-2021-31181 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-31173 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-28474 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-26418 Microsoft SharePoint Spoofing Vulnerability Important 4.6 No No Spoofing
CVE-2021-28478 Microsoft SharePoint Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31172 Microsoft SharePoint Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2021-31184 Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26422 Skype for Business and Lync Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-26421 Skype for Business and Lync Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-31214 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31211 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31213 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27068 Visual Studio Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28465 Web Media Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31190 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31165 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31167 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31168 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31169 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31208 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28479 Windows CSC Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31185 Windows Desktop Bridge Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-31170 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31188 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31192 Windows Media Foundation Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31191 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31186 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 7.4 No No Info
CVE-2021-31205 Windows SMB Client Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-31193 Windows SSDP Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31187 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2020-24587 Windows Wireless Networking Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2020-24588 Windows Wireless Networking Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2020-26144 Windows Wireless Networking Spoofing Vulnerability Important 6.5 No No Spoofing

There’s a flurry of Exchange patches in this month’s release, and some are related to bugs disclosed during the recent Pwn2Own contest. Two of the patches correct remote code execution bugs. While it appears these bugs result from Pwn2Own submissions, the exploits used during the contest did not require user interaction. The write-up from Microsoft does list user interaction in the CVSS score, however they may be scoring just this piece of the exploit chain. There’s also a spoofing bug and a security feature bypass that were used at the contest as part of a multi-bug chain. More Exchange patches are expected as not everything disclosed at the contest has been addressed. We’re working with Microsoft to get further clarification.

Moving on to the two remaining Critical-rated patches, both involve browsing to a website to get code execution. One bug impacts Internet Explorer while the other occurs when an attacker invokes OLE automation through a web browser. In both cases, the attacker would somehow have to lure the victim to their website.

Looking at the Important-rated patches, 18 involve remote code execution (RCE) of some form. One of the publicly known bugs falls into this category, although the disclosure occurred several months ago. The common utilities (common_utils.py) had an update checked in to GitHub back in December. If you use the Neural Network Intelligence open-source toolkit, make sure you have the latest version. There are several open-and-own style bugs in various Office components. There are three code execution bugs in Visual Studio Code, but these require a user to open a malicious file in a directory. If an attacker can convince such an act, they can execute their code at the level of the logged-on user.

Another RCE was reported by ZDI researcher Hossein Lotfi and impacts the Jet Red Database Engine and Access Connectivity Engine. To completely address this vulnerability, you’ll want to apply the update and restrict access to remote databases. Failing to restrict access can still expose your database to potential SQL adhoc/injection flaws. Microsoft published KB5002984 to provide guidance on restricting access.

There are 11 elevation of privilege (EoP) bugs receiving patches this month, and most are in the Windows Container Manager Service. Another EoP fix for .NET Core and Visual Studio is listed as publicly known, but Microsoft does not say where the disclosure occurred. One bug reported through the ZDI program affects the Wallet Service. By creating a directory junction, an attacker can abuse the service to create a file in an arbitrary location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Two other EoP bugs in the Windows Graphics component were reported by ZDI researcher Lucas Leong. The vulnerability result from the handling of Palette and Font Entry objects.

This month’s release includes 10 patches for information disclosure bugs, including the one previously mentioned. For the most part, these only lead to leaks consisting of unspecified memory contents. There are some notable exceptions. The info disclosure bugs in SharePoint could lead to unauthorized file system access or exposing Personally Identifiable Information (PII). Again, the info disclosure bug in Wireless is the most severe of this bunch.

There are eight spoofing bugs in May, and two were reported by the same researcher who reported the Wireless info disclosure bug. These also impact the Wireless component, but it’s not clear how the spoofing occurs. These also have CVEs from 2020, so again, it’s an indicator that these bugs have been in the works for a while. Other spoofing bugs being fixed this month affect SharePoint Server, Bluetooth, and Skype for Business and Lync.

In addition to the previously mentioned Exchange security feature bypass, there’s a fix for a bypass in the SMB client. In SMBv2, guest fallback is not disabled by default. The patch disables guest fallback access to enforce the OS and Group Policy settings. You can also disable guest access via the registry. The May release is rounded out with a cross-site scripting (XSS) bug in Dynamics Finance and Operations and a DoS bug in Windows Desktop Bridge.

Finally, the servicing stack advisory (ADV990001) was revised for all versions of Windows. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on June 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The May 2021 Security Update Review

The April 2021 Security Update Review

13 April 2021 at 17:29

It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for April 2021

For April, Adobe released four patches addressing 10 CVEs in Adobe Photoshop, Digital Editions, RoboHelp, and Bridge. The update for Bridge fixes six CVEs, all of which were reported through the ZDI program. Four of these bugs are rated Critical and could allow arbitrary code execution if exploited. The patch for Photoshop fixes two Critical-rated CVEs. Both of these buffer overflows could all arbitrary code execution. The update for Digital Editions fixes a Critical-rated privilege escalation bug that could lead to an arbitrary file system write. Finally, the patch for RoboHelp fixes a single privilege escalation bug. None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for April 2021

For April, Microsoft released patches for 114 CVEs in Microsoft Windows, Edge (Chromium-based), Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server, Visual Studio, and Exchange Server. This is the largest number of CVEs addressed in a month by Microsoft this year, and it is slightly higher than April of last year. A total of five of these bugs came through the ZDI program. None of the bugs being addressed this month were disclosed at the recent Pwn2Own contest. Of these 114 bugs, 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity. Six additional bugs impact Edge (Chromium-based) and were ingested from a recent Chromium update. According to Microsoft, one bug is currently being exploited while four others are publicly known at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

-       CVE-2021-28310 - Win32k Elevation of Privilege Vulnerability
This is the only vulnerability listed as being actively exploited being patched in April. The bug allows an attacker to escalate privileges by running a specially crafted program on a target system. This does mean that they will either need to log on to a system or trick a legitimate user into running the code on their behalf. Considering who is listed as discovering this bug, it is probably being used in malware. Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system.

-       CVE-2021-28480/28481 – Microsoft Exchange Server Remote Code Execution Vulnerability
Both of these CVEs are listed at a 9.8 CVSS and have identical write-ups, so they both get listed here. Both code execution bugs are unauthenticated and require no user interaction. Since the attack vector is listed as “Network,” it is likely these bugs are wormable – at least between Exchange servers. The CVSS score for these two bugs is actually higher than the Exchange bugs exploited earlier this year. These bugs were credited to the National Security Agency. Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible.

-       CVE-2021-28329 et al. – Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are 27 bugs in this month’s release with this title, and all have identical descriptions and CVSS scores. However, 12 are rated Critical while 15 are rated Important in severity. In RPC vulnerabilities seen in the past, an attacker would need to send a specially crafted RPC request to an affected system. Successful exploitation results in executing code in the context of another user. Perhaps the users involved in the Important-rated bugs have lower privileges than their Critical-rated counterparts, but that is not clear from the description. Either way, the researcher who reported these bugs certainly found quite the attack surface.

-       CVE-2021-28444 – Windows Hyper-V Security Feature Bypass Vulnerability
This security feature bypass allows an attacker to potentially bypass Router Guard configurations on Hyper-V. Router Guard is designed to prevent guest OSes from offering router services on the network. Many don’t realize Windows can be set up as a router, and on physical or virtual systems, be configured to re-route packets to a rouge location (e.g. Man-in-the-Middle) or simply black hole the traffic. If you’re running Hyper-V, even accidental misconfigurations could cause disruptions, so definitely don’t ignore this patch.

Here’s the full list of CVEs released by Microsoft for April 2021, minus the Edge bugs ingested from Chromium.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-28310 Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-28458 Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-27091 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-28437 Windows Installer Information Disclosure Vulnerability Important 5.5 Yes No Info
CVE-2021-28312 Windows NTFS Denial of Service Vulnerability Moderate 3.3 Yes No DoS
CVE-2021-28460 Azure Sphere Unsigned Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-28480 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28481 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28482 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28483 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2021-28329 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28330 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28331 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28332 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28333 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28334 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28335 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28336 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28337 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28338 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28339 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28343 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-27095 Windows Media Video Decoder Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-28315 Windows Media Video Decoder Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-27092 Azure AD Web Sign-in Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-27067 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28459 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-28313 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28321 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28322 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28456 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28451 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28454 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27089 Microsoft Internet Messaging API Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28449 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28452 Microsoft Outlook Memory Corruption Vulnerability Important 7.1 No No RCE
CVE-2021-28450 Microsoft SharePoint Denial of Service Update Important 5 No No DoS
CVE-2021-28317 Microsoft Windows Codecs Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28453 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27096 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28466 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28468 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28471 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28327 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28340 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28341 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28342 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28344 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28345 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28346 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28352 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28353 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28354 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28355 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28356 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28357 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28358 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28434 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28470 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28448 Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28472 Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28457 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28469 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28473 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28475 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28477 Visual Studio Code Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2021-27064 Visual Studio Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28464 VP9 Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27072 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-28311 Windows Application Compatibility Cache Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-28326 Windows AppX Deployment Server Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28438 Windows Console Driver Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28443 Windows Console Driver Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28323 Windows DNS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28328 Windows DNS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-27094 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2021-28447 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2021-27088 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28435 Windows Event Tracing Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28318 Windows GDI+ Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28348 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28349 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28350 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26416 Windows Hyper-V Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-28314 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28441 Windows Hyper-V Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28444 Windows Hyper-V Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-26415 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28440 Windows Installer Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26413 Windows Installer Spoofing Vulnerability Important 6.2 No No Spoofing
CVE-2021-27093 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28309 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-27079 Windows Media Photo Codec Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-28445 Windows Network File System Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-26417 Windows Overlay Filter Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28446 Windows Portmapping Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2021-28320 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27090 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27086 Windows Services and Controller App Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28324 Windows SMB Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-28325 Windows SMB Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28347 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28351 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28436 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28319 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-28439 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-28442 Windows TCP/IP Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28316 Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability Important 4.2 No No SFB

Moving on to the remaining Critical-rated patches, there are two additional patches for Exchange that are nearly as severe as those already documented. None of the Exchange bugs this month indicate Office 365 versions are affected. Like those before them, these bugs only impact on-prem installations. Microsoft also provided additional information about the security updates. If you’re running Exchange, this should be considered required reading.

There’s a bug impacting Azure Sphere, but you likely won’t need to take any action to be protected. Devices running Azure Sphere connected to the Internet should receive automatic updates. If your devices are isolated, you will need to ensure these updates are applied. The final two Critical-rated patches correct bugs in the Windows Media Video Decoder component. For these, an attacker would need to convince a user to open specially crafted media on an affected system to gain arbitrary code execution at the logged-on user level.

Looking at other bugs in this release, we see more than half of the patches this month are related to remote code execution vulnerabilities. Beyond those already mentioned, the bugs mostly impact Office and Windows components. In most cases, they represent open-and-own scenarios. Of those that stand out, there’s a bug impacting Outlook that requires user interaction but could lead to code execution. There are several patches for Visual Studio as well. These also will require some form of user interaction. There’s one patch for the Visual Studio Code GitHub Pull Requests and Issues Extension, but it’s unclear how an attacker would leverage this vulnerability. The same goes for the bug in Visual Studio Code Kubernetes Tools. The final RCE bugs to watch out for impact the GDI+ component. These are somewhat cryptic. Even though they are listed as RCE, their attack vector is listed as local and user interaction is none. This would indicate the bugs could be triggered by something other than viewing or opening an image, but without further details, we can only speculate. 

There are 19 bugs labelled as privilege escalations, and this includes two of the publicly known vulnerabilities. The first occurs in the Azure ms-rest-nodeauth library, and the other is in the RPC Endpoint Mapper Service. There’s also a privilege escalation in Hyper-V, but it’s not clear where an attacker would escalate from or to. For the majority of these bugs, an attacker would need to log on to an affected system and run their own code. As mentioned above, these are typically combined with a separate code execution bug to take over a system.

This month’s release also includes patches for nine Denial of Service (DoS) bugs, including the publicly known Moderate-rate DoS in NTFS. The other DoS bug that stands impacts the TCP/IP driver. It appears an attacker could cause a DoS by sending specially crafted packets to an affected system, although it’s not clear if this would result in a blue screen of if the system would just stop responding. Other DoS bugs impact SharePoint, the AppX Deployment server, Hyper-V, and other Windows components.

The final publicly known bug this month in an info disclosure bug in the Windows Installer. If exploited, the bug could allow attackers unauthorized file system access. There are 17 total info disclosure bugs receiving patches this month, and most only lead to leaks consisting of unspecified memory contents. An exception to this is a bug that impacts the Azure DevOps Server. If exploited, this vulnerability could leak pipeline configuration variables and secrets. There’s a patch for an info disclosure bug in Excel as well. A user would need to open a specially crafted file with Excel to be impacted, but it’s not clear what would leak beyond “sensitive information.”

Shifting to the security feature bypasses, there are two patches for the Windows Early Launch Antimalware driver – better known as ELAM. Microsoft does not list what security feature could be bypassed by either vulnerability. Other bypasses impact the Azure AD Web Sign-in and the Windows WLAN AutoConfig Service. These bugs also provide no guidance on what may be bypassed by an attacker.

This month’s release is rounded out by patches to address two spoofing bugs. The first bug impacts Azure DevOps Server and Team Foundation Services, while the other affects the Windows Installer. Neither of these bugs receives much in the way of documentation, but a CVSS score north of 6 means they shouldn’t be ignored.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on May 11, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The April 2021 Security Update Review

Pwn2Own 2021 - Schedule and Live Results

6 April 2021 at 13:47

Welcome to Pwn2Own 2021! This year, we’re distributed amongst various locations to run the contest, but we’ll be bringing you all of the results live from Austin with love. This year’s event is shaping up to be one of the largest in Pwn2Own history, with 23 separate entries targeting 10 different products in the categories of Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and - our newest category - Enterprise Communications.

If you’ve ever wanted to watch Pwn2Own but couldn’t get to Vancouver, you’re in luck! We’ll be streaming the entirety of the event on YouTube, Twitch, and the conference site. In between the attempts, we’ll also have interviews with researchers and vendors, highlights from previous events, and other videos highlighting some of the work done by Trend Micro research. On Wednesday, we’ll have a special “Hacker Hall of Fame” video series that is not to be missed. Be sure to stop by often to see the latest.

As always, we started the contest with a random drawing to determine the order of attempts. We have a total of 23 attempts scheduled over the next three very full days. The complete schedule for the contest is below (all times Eastern [UTC -4:00]). We will update this schedule with results as they become available.

Note: All times subject to change

Tuesday, April 6

Miss any of the attempts? You can watch the full replay of Day One here.

1000 - Jack Dates from RET2 Systems targeting Apple Safari in the Web Browser category

SUCCESS - Jack used an integer overflow in Safari and an OOB Write to get kernel-level code execution. In doing so, he wins $100,000 and 10 Master of Pwn points.

1130 - DEVCORE targeting Microsoft Exchange in the Server category

SUCCESS - The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.

1300 - The researcher who goes by OV targeting Microsoft Teams in the Enterprise Communications category

SUCCESS - OV combined a pair of bugs to demonstrate code execution on Microsoft Teams. In doing so, we earns himself $200,000 and 20 points towards Master of Pwn

1430 - Team Viettel targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - The team used an integer overflow in Windows 10 to escalate from a regular user to SYSTEM privileges. This earns them $40,000 and 4 points towards Master of Pwn.

1530 - The STAR Labs team of Billy, Calvin and Ramdhan targeting Parallels Desktop in the Virtualization category

FAILURE - The STAR Labs team could not get their exploit to work within the time allotted.

1630 - Ryota Shiga of Flatt Security Inc targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS - Ryota used an OOB access bug to go from a standard user to root on Ubuntu Desktop. He earns $30,000 and 3 Master of Pwn points in his Pwn2Own debut.

1730 - The STAR Labs team of Billy, Calvin and Ramdhan Oracle VirtualBox in the Virtualization category

FAILURE - The STAR Labs team could not get their exploit to work within the time allotted.

Wednesday, April 7

Miss any of the attempts? You can watch the full replay of Day Two here.

0900 - Jack Dates from RET2 Systems targeting Parallels Desktop in the Virtualization category

SUCCESS - Jack combined three bugs - an uninitialized memory leak, a stack overflow, and an integer overflow to escape Parallels Desktop and execute code on the underlying OS. He earns $40K and 4 more Master of Pwn points. His two day total is now $140,000 and 14 points.

1000 - Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) targeting Google Chrome and Microsoft Edge (Chromium) in the Web Browser category

SUCCESS - The team used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points.

1130 - Team Viettel targeting Microsoft Exchange in the Server category

PARTIAL - Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.

1300 - Daan Keuper and Thijs Alkemade from Computest targeting Zoom Messenger in the Enterprise Communications category

SUCCESS - Daan Keuper and Thijs Alkemade from Computest used a three bug chain to exploit Zoom messenger and get code execution on the target system - all without the target clicking anything. They earn themselves $200,000 and 20 Master of Pwn points.

Zero clicks needed to pop calc

Zero clicks needed to pop calc

1430 - Tao Yan (@Ga1ois) of Palo Alto Networks targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - Tao Yan used a Race Condition bug to escalate to SYSTEM on the fully patched Windows 10 machine. He earns himself $40,000 and 4 points towards Master of Pwn.

1530 - Sunjoo Park (aka grigoritchy) targeting Parallels Desktop in the Virtualization category

SUCCESS - Sunjoo Park (aka grigoritchy) used a logic bug to execute code on the underlying operating system through Parallels Desktop. He wins $40,000 and 4 points towards Master of Pwn.

1630 - Manfred Paul targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS - Manfred used an OOB Access bug to escalate to a root user on Ubuntu Desktop. The Pwn2Own veteran earns himself $30,000 and 3 points towards Master of Pwn.

1730 - The researcher known as z3r09 targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - z3r09 used an integer overflow to escalate his permissions up to NT Authority\SYSTEM. His impressive display nets him $40,000 and 4 points towards Master of Pwn.

Thursday, April 8

0900 - Benjamin McBride from L3Harris Trenchant targeting Parallels Desktop in the Virtualization category

SUCCESS - Ben used a memory corruption bug to successfully execute code on the host OS from within Parallels Desktop. He earns $40,000 and 4 Master of Pwn points.

1000 - Steven Seeley of Source Incite targeting Microsoft Exchange in the Server category

PARTIAL - Although Steven did use two unique bugs in his demonstration, this attempt was a partial win due to the Man-in-the-Middle aspect of the exploit. It's still great research though, and he earns 7.5 Master of Pwn points.

1130 - The STAR Labs team of Billy targeting Ubuntu Desktop in the Local Escalation of Privilege category

PARTIAL - Although Billy was able to successfuolly escalate privileges to root, the bug he used was known to the vendor and will be patched soon. The demonstration does earn him 2 additional Master of Pwn points.

1230 - Fabien Perigaud of Synacktiv targeting Windows 10 in the Local Escalation of Privilege category

PARTIAL - Despite the excellent use of ASCII art during his demonstration, it turns out Microsoft was aware of the bug he used. He still earns 2 Master of Pwn points for the partial win.

1330 - Alisa Esage targeting Parallels Desktop in the Virtualization category

PARTIAL - Despite the great demonstration (replete with ASCII art), the bug used by Alisa had been reported to the ZDI prior to the contest, making this a partial win. It's still great work, and we're thrilled she broke ground as the 1st woman to participate as an independent researcher in Pwn2Own history. Her efforts do result in two points towards Maser of Pwn.

1430 - Vincent Dehors of Synacktiv targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS - Despite admitting this was the first exploit he had written for Linux, Vincent had no issues escalating to root through a double free bug. He earns himself $30,000 and 3 Master of Pwn points.

1530 - Da Lao targeting Parallels Desktop in the Virtualization category

SUCCESS - The researcher known as Da Lao used an OOB Write to successfully complete his guest-to-host escape in Parallels. He earns $40,000 and 4 points towards Master of Pwn.

1630 - Marcin Wiazowski targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - Marcin used a Use After Free (UAF) bug to escalate to SYSTEM on Windows 10. He wins himself $40,000 and 4 Master of Pwn points.

Thanks again to our partners Tesla, Zoom, and Adobe as well as our sponsor VMware. Thanks also to the researchers who participate and to the vendors for providing fixes for what’s discovered during the contest. As a reminder, vendors have 90 days to produce a fix for all vulnerabilities reported.

Pwn2Own 2021 - Schedule and Live Results

The March 2021 Security Update Review

9 March 2021 at 18:31

It’s the third second Tuesday of the year, which means we get the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for March 2021

For March, Adobe released three patches covering eight CVEs in Adobe Connect, Creative Cloud Desktop, and Framemaker. Two of these CVEs came through the ZDI program. The update for Framemaker fixes a single Out-of-Bounds (OOB) read vulnerability that could lead to remote code execution. The update for Creative Cloud addresses three different Critical-rated CVEs. Two of these bugs could lead to code execution while the third could allow a privilege escalation. The final Adobe patch for March covers one Critical and three Important-rated vulnerabilities in Adobe Connect. The Critical-rated bug could lead to arbitrary code execution while the other bugs addressed are all reflective cross-site scripting (XSS) bugs). None of the issues addressed by Adobe are listed as publicly known or under active attack at the time of release.

Updated March 10:

After the initial release, Adobe also shipped patches for PhotoShop and Animate to address nine additional CVEs. The Animate patch fixes two Critical and five Important-rated bugs. The Critical bugs are buffer overflows that could allow code execution while the Important-rated bugs could allow information disclosure. The patch for PhotoShop addresses two Critical rated bugs that could allow code execution. None of the issues are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2021

Microsoft started the March patch cycle early by shipping an emergency patch for Exchange last week covering seven unique CVEs. Four of these bugs are listed as under active attack, which is why the patch was released outside the normal, patch Tuesday cycle. There has already been a mountain of information published about these vulnerabilities, so I won’t cover the bugs in more detail here. However, if you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible. Microsoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.

For all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. These 89 CVEs include the seven Exchange CVEs released last week. A total of 15 of these bugs came through the ZDI program. Of these 89 bugs, 14 are listed as Critical and 75 are listed as Important in severity. According to Microsoft, two of these bugs are listed as publicly known while five are listed as under active attack at the time of release.

Please note these CVE counts do not include the CVEs patched in the recent update to the Chromium version of the Edge browser. Last week, Version 89 of this browser was released.

 Let’s take a closer look at some of the more interesting updates for this month, starting with the other bug listed as being under active attack:

 -       CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
This patch corrects a bug in Internet Explorer (IE) and Edge (EdgeHTML-based) that could allow an attacker to run their code on affected systems if they view a specially crafted HTML file. Microsoft lists this as both publicly known and under active attack at the time of release. While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.

 -        CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability
This is the second straight month with a DNS server RCE vulnerability, and this month’s bug has company. A total of 5 bugs are listed as DNS Server Remote Code Execution Vulnerabilities, but this CVE is the only one listed as Critical. All note that Secure Zone Updates lessen the likelihood of successful exploitation but are not a full mitigation. This implies dynamic updates may be involved in the exploitation of these bugs. All five of these bugs are listed as a CVSS 9.8, and there is the outside chance this could be wormable between DNS servers. Definitely prioritize the testing and deployment of these updates.

 -       CVE-2021-26867 – Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow an authenticated attacker to execute code on the underlying Hyper-V server. While listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system. Microsoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.

 -       CVE-2021-27076 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a code execution bug originally submitted through the ZDI program. For an attack to succeed, the attacker must be able to create or modify Sites with the SharePoint server. However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions. This is similar to some other SharePoint bugs we have blogged about in the past, and we’ll have additional details about this vulnerability on our blog in the near future.

Here’s the full list of CVEs released by Microsoft for March 2021.

CVE Title Severity CVSS Public Exploited DOS
CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 No Yes RCE
CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 7.8 No Yes RCE
CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 7.8 No Yes RCE
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.8 No Yes RCE
CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-27074 Azure Sphere Unsigned Code Execution Vulnerability Critical 6.2 No No RCE
CVE-2021-27080 Azure Sphere Unsigned Code Execution Vulnerability Critical 9.3 No No RCE
CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24089 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26902 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-27061 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 No No RCE
CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-26890 Application Virtualization Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27075 Azure Virtual Machine Information Disclosure Vulnerability Important 6.8 No No Info
CVE-2021-24095 DirectX Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-24110 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27047 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27048 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27049 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27050 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27051 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27062 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27085 Internet Explorer Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-27053 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27054 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9.1 No No RCE
CVE-2021-27058 Microsoft Office ClickToRun Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24108 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27057 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27059 Microsoft Office Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-26859 Microsoft Power BI Information Disclosure Vulnerability Important 7.7 No No Info
CVE-2021-27056 Microsoft PowerPoint Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27052 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-27076 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-24104 Microsoft SharePoint Spoofing Vulnerability Important 4.6 No No Spoof
CVE-2021-27055 Microsoft Visio Security Feature Bypass Vulnerability Important 7 No No SFB
CVE-2021-26887 Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26881 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2021-27082 Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26882 Remote Access API Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27083 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26880 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26886 User Profile Service Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-27081 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27084 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability Important Unlisted No No RCE
CVE-2021-27060 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27070 Windows 10 Update Assistant Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-26869 Windows ActiveX Installer Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-27066 Windows Admin Center Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-26860 Windows App-V Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26865 Windows Container Execution Agent Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-26891 Windows Container Execution Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-24090 Windows Error Reporting Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26872 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26898 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26901 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24107 Windows Event Tracing Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26892 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability Important 6.2 No No SFB
CVE-2021-26868 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26861 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26862 Windows Installer Elevation of Privilege Vulnerability Important 6.3 No No EoP
CVE-2021-26884 Windows Media Photo Codec Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26879 Windows NAT Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-26874 Windows Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1640 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26878 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26870 Windows Projected File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26866 Windows Update Service Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-26889 Windows Update Stack Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-1729 Windows Update Stack Setup Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-26899 Windows UPnP Device Host Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26873 Windows User Profile Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26864 Windows Virtual Registry Provider Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2021-26871 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26885 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26863 Windows Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26875 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26900 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP

Moving on to the remaining Critical-rated patches, two affect Azure Sphere, but you likely won’t need to take any action. Devices running Azure Sphere are connected to the Internet receive automatic updates. If your devices are isolated, you should make sure these updates are applied. There are four patches to correct bugs in the HEVC Video Extensions, and these updates are available from the Windows Store. There’s a patch for a bug in OpenType Fonts that could be exploited by viewing a specially crafted font. Finally, there’s an intriguing update for Git for Visual Studio that fixes a bug that requires no privileges but some level of user interaction. The attack complexity is also listed as low, so we may hear more about this vulnerability in the future.

Shifting to the Important-rated patches, there are still a bunch of code execution bugs to look at. In fact, 45 of the 90 bugs patched this month are listed as some form of remote code execution. Many of the affected components have matching Important updates to go with their Critical counterparts. These include Exchange, DNS Server, HVEC Video Extensions, and IE. This month’s release included five RCE bugs impacting Visual Studio. Most are straightforward, however, the update for the Quantum Development Kit for Visual Studio must be manually downloaded. This can be done through the extensions page within Visual Studio. There are also the expected updates for Office and Office components. Similar to last month, users of Microsoft Office 2019 for Mac will need to wait for their update to be made available.

Looking at the 30 Elevation of Privilege (EoP) bugs addressed in this month’s release, most require an attacker to log on to an affected system and run specially crafted code to escalate privileges. Almost all of these patches impact the Windows kernel and various Windows components. One bug to note had previously been disclosed by ZDI as Microsoft stated it did not meet their bar for servicing. At some point after we published our advisory, Microsoft changed course and produced a patch to address this issue. We’re glad they changed their mind.

This month’s release includes patches for six information disclosure bugs. Usually, these types of cases only lead to leaks consisting of unspecified memory contents. That’s true for three of these bugs, but the others leak some significant info. The vulnerability in Azure Virtual Machine could allow a low-privileged user to gain virtual machine credentials as well as credentials to extensions associated with the virtual machine. Speaking of credentials, the bug in Microsoft Power BI could expose NTLM hashes, which could then be brute-forced to reveal plaintext passwords. Finally, according to the Microsoft write-up, the info leak in SharePoint Server could allow an attacker access to an “organizational's email, sites, filename, url of file...” There’s nothing more than this generic description listed, but assume valuable information could be exposed by an attacker.

Three components receive patches to fix security feature bypasses (SFB) this month. The bypasses for Windows Extensible Firmware Interface and the Windows Admin Center receive patches but no documentation. The SFB for Visio does get some additional information, but the attack scenario seems far from common. Systems would be affected only with a specific Group Policy Object. An attacker would still need to modify a macro-enabled template that ships with Excel. If those two conditions occur and the user runs a malicious file on a system affected by that Group Policy, some form of bypass can occur. Based on the write-up, it doesn’t read like imminent danger, but still probably best to roll out the patch.

This month’s release is rounded out by four denial-of-service (DoS) bugs and a spoofing vulnerability. The spoofing bug occurs in the SharePoint server, but no further information is provided. Two of the DoS bugs impact the DNS Server service, and they have the same caveats as the previously mentioned code execution bugs. There’s also a DoS in the NAT Server service. For these bugs, it’s not clear if the service can just be restarted or if a full system reboot is required. The final DoS was reported through the ZDI program, but it doesn’t impact a service. Instead, it notes a bug in the User Profile Service. By creating a junction, an attacker can abuse the service to overwrite the contents of a chosen file, thus creating a DoS condition.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on April 13, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The March 2021 Security Update Review

The February 2021 Security Update Review

9 February 2021 at 18:26

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2021

For February, Adobe released six patches addressing 50 CVEs in Adobe Dreamweaver, Illustrator, Animate, Photoshop, Magento, and Reader. A total of 14 of these bugs came through the ZDI program. The update for Adobe Reader fixes a total of 23 CVEs, 17 of which are rated Critical, and eight of which were reported through the ZDI program. CVE-2021-21017, a heap-based buffer overflow, is listed as being under “limited” active attacks on Reader for Windows. Definitely prioritize the testing and deployment of this update.

The update for Magento is also significant as it patches 18 bugs, seven of which are rated Critical. In the worst-case scenario, successful exploitation could lead to arbitrary code execution at the level of the current process. The update for Dreamweaver fixes a single, Important-rated info disclosure bug. The patch for Illustrator fixes two Out-Of-Bounds (OOB) write bugs that could lead to code execution. There’s also an OOB write being fixed in the patch for Animate. The patch for Photoshop fixes five Critical-rated bugs that could allow code execution.

Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2021

For February, Microsoft released patches for 56 CVEs covering Microsoft Windows components, .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender. Seven of these CVEs were submitted through the ZDI program. Of these 56 CVEs, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity. According to Microsoft, one bug is known to be actively exploited and six other bugs are listed as being publicly known at the time of release. This is roughly half the volume as what they patched in February 2020, but this release does contain an unusually high number of publicly known CVEs. Microsoft provides no information on where these CVEs were publicly exposed.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

-       CVE-2021-1732 - CVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability
This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution a the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.

-       CVE-2021-24078 - Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

-       CVE-2021-24074 - Windows TCP/IP Remote Code Execution Vulnerability
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

-       CVE-2021-26701 - .NET Core and Visual Studio Remote Code Execution Vulnerability
This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could all remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for February 2021.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-26701 .NET Core and Visual Studio Remote Code Execution Vulnerability Critical 8.1 Yes No RCE
CVE-2021-1721 .NET Core and Visual Studio Denial of Service Vulnerability Important 6.5 Yes No DoS
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24098 Windows Console Driver Denial of Service Vulnerability Important 5.5 Yes No DoS
CVE-2021-24106 Windows DirectX Information Disclosure Vulnerability Important 5.5 Yes No Info
CVE-2021-1727 Windows Installer Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24112 .NET Core for Linux Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24111 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-24087 Azure IoT CLI extension Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-24101 Microsoft Dataverse Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-24092 Microsoft Defender Elevation of Privilege Vulnerability Important 7.8 No No Info
CVE-2021-1724 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2021-24100 Microsoft Edge for Android Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-24067 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24068 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24069 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24070 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability Important 5.4 No No Spoof
CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-24071 Microsoft SharePoint Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-24066 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-24072 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-1726 Microsoft SharePoint Spoofing Vulnerability Important 8 No No Spoof
CVE-2021-24114 Microsoft Teams iOS Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-24076 Microsoft Windows VMSwitch Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1731 PFX Encryption Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2021-24099 Skype for Business and Lync Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-24073 Skype for Business and Lync Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-26700 Visual Studio Code npm-script Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1639 Visual Studio Code Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2021-24083 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24079 Windows Backup Engine Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24102 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24103 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24096 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24084 Windows Mobile Device Management Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24075 Windows Network File System Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-25195 Windows PKU2U Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1734 Windows Remote Procedure Call Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-24086 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-1698 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24109 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability Moderate 6.8 No No EoP
CVE-2021-24080 Windows Trust Verification API Denial of Service Vulnerability Moderate 6.5 No No DoS

You’ll notice we have added the CVSS scores to the table. This is to provide further detail on the severity of the patches since Microsoft is now relying on CVSS scores so heavily. We recommend balancing the Microsoft severity (i.e., Critical, Important, Moderate, etc…) with the CVSS score to help determine prioritization for your enterprise.

Moving on to the remaining Critical-rated patches, two involve codec libraries and were reported by ZDI vulnerability researcher Hossein Lotfi. Both of these bugs are OOB Writes that result from the lack of proper validation of user-supplied data. This can lead to a write past the end of an allocated buffer and allow an attacker to execute code in the context of the current user. There are two Critical-rated bugs impacting the Fax Service, but the Windows Fax and Scan feature needs to be enabled for a system to be affected by this vulnerability. There’s a patch for the Windows graphics component to correct a bug that allows code execution when viewing a specially crafted image. The Windows Spooler service also receives a Critical-rated patch to prevent remote code execution, although the exploit path is not as clear here. The final Critical-rated bug addresses a vulnerability in the .NET Core for Linux. In this case, a .NET application utilizing libgdiplus on a non-Windows system could allow code execution if an attacker sends a specially crafted request.

Shifting our focus to Important-rated updates, there are nine bugs that could result in remote code execution. The most interesting of these are two that impact the SharePoint Server. One of these came from an anonymous contributor to our program and could allow code execution if an authenticated user can trigger through deserialization of untrusted data by tampering with client-side data. There are four patches for Excel – two that came through our program – that would allow code execution when opening a specially crafted file in Excel. Note that the updates for Microsoft Office 2019 for Mac are not currently available. Hopefully, Microsoft gets those out soon.

There are a couple of updates to Visual Studio addressing code execution bugs. In one case, a user would need to clone a malicious repository from inside Visual Studio Code. Once completed, attacker code would execute once the targeted user viewed contents of the repository. That’s not the most likely scenario. The Windows Address Book gets a patch for a bug found by ZDI vulnerability researcher Mat Powell. The bug results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Finally, there’s a significant bug in the Windows package manager that can only be addressed by reconfiguring installation tools and workflows. Microsoft provides several resources with additional information on this vulnerability and how to mitigate it. It is highly recommended to read and heed all information here. Considering the complexity in resolving this issue, this is a bug that could stick with us for a while.

There are only 11 Elevation of Privilege (EoP) bugs addressed in this month’s release, and we’ve already covered the one under active attack. Two are publicly known, and the more interesting of those impacts Sysinternals PsExec. If you’re not familiar with this tool, it’s a lightweight utility that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. It’s also often used by red teams when penetrating a network. We’ll likely see this bug end up in different toolkits should an exploit become available. The other publicly known bug impacts Windows Installer, but there’s no additional information about this vulnerability. Other EoP fixes of note include one for PKU2U, which is a peer-to-peer authentication protocol. Although systems not running PKU2U are not affected, Microsoft still recommends installing this update to all potentially impacted OSes.

Two different security feature bypasses receive fixes this month. The first covers a bypass in PowerShell, although no further information on what is bypassed is provided. The second covers a bypass in PFX encryption. When exporting a SID-protected PFX file, keys encrypted using AES are not properly protected. You’ll need to do more than just patch here as well. Any SID-protected PFX files using AES for key encryption should be regenerated and exported after this update is installed and all copies of the original PFX files must be securely destroyed.

There are 10 different patches for information disclosure bugs in this month’s release. The info leak impacting DirectX is another of the publicly known bugs. While most of these cases only lead to leaks consisting of unspecified memory contents, some do yield some interesting data. The bug fixed in the patch for Edge for Android could disclose personally identifiable information (PII) and payment information of a user. The vulnerability in Microsoft Dataverse could expose underlying datasets in Dataverse, which could include PII. This vulnerability in Microsoft Teams iOS exposes the Skype token value in the preview URL for images in the Teams iOS app. The SharePoint bug leaks SQL table columns that would normally be restricted. Finally, the bug in Mobile Device Management could allow an attacker to read from the file system.

There are a handful of notable Denial-of-Service (DoS) bugs patched this month, and the fix for TCP/IP leads the way. Similar to CVE-2021-24094, this bug also involves IPv6 fragmentation, although there’s no patch to code execution here. Disallowing IPv6 UDP fragmentation at the perimeter could have some side effects but implementing the workaround to drop out-of-order packets seems more reasonable. Still, this should be tested before updating production systems. The DoS bugs impacting .NET Core and the Windows Console Driver are listed as publicly known, but Microsoft provides no further details. There’s a patch for a DoS vulnerability in Skype for Business and Lync. If you’re still using either of those messaging tools, definitely look to patch soon.

Speaking of Skype for Business and Lync, these also receive a patch to fix a spoofing bug. Microsoft doesn’t indicate what is spoofed, but they do note user interaction is required. There’s also a spoofing bug in Exchange that dates back to September of 2020. Since the bug was in the Exchange Server installer, it could only be addressed in a complete release as opposed to a cumulative update. Microsoft allowed time for customers to move to the September release before disclosing the vulnerability. The other Exchange spoofing bug comes from Pwn2Own winner Steven Seeley and allows an authenticated attacker to leak a CERT file, which would allow an attacker to forge CSRF tokens. The final spoofing bug for this month fixes a SharePoint bug that could allow an authenticated attacker to manipulate the SharePoint blog sharing functionality to produce a bogus message or link.

The only cross-site scripting (XSS) bug in this month’s release impacts Microsoft Dynamics Business Central. Rounding out this month’s release are Moderate-rated bugs in Azure Kubernetes and the Windows Trust Verification API. Those using the Azure Kubernetes Service should be automatically updated to an unaffected version, but you should still verify your version number to be sure.  

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on March 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The February 2021 Security Update Review

The January 2021 Security Update Review

12 January 2021 at 18:27

Welcome to the new year, and welcome to the first Patch Tuesday of 2021. Take a break from your regularly scheduled activities and join us as we review the details for the latest security offerings from Microsoft and Adobe. 

Adobe Patches for January 2021

This month, Adobe released seven updates addressing eight CVEs in Adobe Campaign Classic, Photoshop, Illustrator, Animate, InCopy, Captivate, and Bridge. Two of these bugs came through the ZDI program. The patch for Campaign Classic fixes a single Server-side request forgery (SSRF) vulnerability. The Photoshop patch fixes a single heap-based buffer overflow. The update for Illustrator corrects a Critical-rated uncontrolled search path element vulnerability. That’s the same story for the Animate and InCopy patches. The update for Captivate also fixes an uncontrolled search path element bug, but this one is only rated Important. The final Adobe patch for January fixes two Out-Of-Bounds (OOB) write bugs in Bridge. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2021

For January, Microsoft released patches for 83 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Seven of these CVEs were submitted through the ZDI program. Of these 83 CVEs, 10 are listed as Critical and 73 are listed as Important in severity. According to Microsoft, one bug is publicly known, and one other bug is known to be actively exploited at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

 -       CVE-2021-1647 - Microsoft Defender Remote Code Execution Vulnerability
This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the Internet, you’ll need to manually apply the patch. Microsoft does not state how wide-spread the active attacks are.

 -       CVE-2021-1648 - Microsoft splwow64 Elevation of Privilege Vulnerability
This bug was publicly disclosed by ZDI after it exceeded our disclosure timeline. It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref. The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.

 -       CVE-2021-1677 - Azure Active Directory Pod Identity Spoofing Vulnerability
This vulnerability exists in the way that the Azure Active Directory (AAD) pod identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access to the Azure Instance Metadata Service (IMDS) endpoint and get a token of that identity. This could allow an attacker to laterally steal the identities that are associated with different pods. This is also requires more than just a patch to fix. Anyone with an existing installation will need to re-deploy their cluster and use Azure CNI instead of the default Kubernetes.

 -       CVE-2021-1674 – Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
This patch is a bit of a mystery. It carries a relatively high CVSS score (8.8), but without an executive summary, we can only guess what security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this is different than CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability. What we do know is that RDP has been a popular target in recent memory, and these bugs should be taken seriously. Without any solid information to act on, defenders should assume the worst-case scenario and restrict access to RDP wherever possible.  

Here’s the full list of CVEs released by Microsoft for January 2021. 

CVE Title Severity Public Exploited Type
CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability Critical No Yes RCE
CVE-2021-1648 Microsoft splwow64 Elevation of Privilege Vulnerability Important Yes No EoP
CVE-2021-1665 GDI+ Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1643 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1668 Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1705 Microsoft Edge (HTML-based) Memory Corruption Vulnerability Critical No No RCE
CVE-2021-1658 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1660 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1666 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1667 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1673 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1723 .NET Core and Visual Studio Denial of Service Vulnerability Important No No DoS
CVE-2021-1649 Active Template Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1677 Azure Active Directory Pod Identity Spoofing Vulnerability Important No No Spoofing
CVE-2021-1725 Bot Framework SDK Information Disclosure Vulnerability Important No No Info
CVE-2021-1651 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1680 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1644 HEVC Video Extensions Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1691 Hyper-V Denial of Service Vulnerability Important No No DoS
CVE-2021-1692 Hyper-V Denial of Service Vulnerability Important No No DoS
CVE-2021-1713 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1714 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1711 Microsoft Office Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1712 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1719 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1707 Microsoft SharePoint Server Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1718 Microsoft SharePoint Server Tampering Vulnerability Important No No Tampering
CVE-2021-1641 Microsoft SharePoint Spoofing Vulnerability Important No No Spoofing
CVE-2021-1717 Microsoft SharePoint Spoofing Vulnerability Important No No Spoofing
CVE-2021-1636 Microsoft SQL Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1710 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1715 Microsoft Word Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1716 Microsoft Word Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1678 NTLM Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1664 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1671 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1700 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1701 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1656 TPM Device Driver Information Disclosure Vulnerability Important No No Info
CVE-2020-26870 Visual Studio Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1699 Windows (modem.sys) Information Disclosure Vulnerability Important No No Info
CVE-2021-1642 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1685 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1638 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1683 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1684 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1679 Windows CryptoAPI Denial of Service Vulnerability Important No No DoS
CVE-2021-1652 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1653 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1654 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1655 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1659 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1688 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1693 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1637 Windows DNS Query Information Disclosure Vulnerability Important No No Info
CVE-2021-1645 Windows Docker Information Disclosure Vulnerability Important No No Info
CVE-2021-1703 Windows Event Logging Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1662 Windows Event Tracing Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1657 Windows Fax Compose Form Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1708 Windows GDI+ Information Disclosure Vulnerability Important No No Info
CVE-2021-1696 Windows Graphics Component Information Disclosure Vulnerability Important No No Info
CVE-2021-1704 Windows Hyper-V Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1661 Windows Installer Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1697 Windows InstallService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1682 Windows Kernel Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1706 Windows LUAFV Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1689 Windows Multipoint Management Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1676 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1695 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1663 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1670 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1672 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1674 Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1669 Windows Remote Desktop Services ActiveX Client Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1702 Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1650 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1694 Windows Update Stack Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1681 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1686 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1687 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1690 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1709 Windows Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1646 Windows WLAN Service Elevation of Privilege Vulnerability Important No No EoP

Of the remaining Critical-rated patches, five involve remote code execution (RCE) bugs in the Remote Procedure Call (RPC) runtime. What’s really curious is that there are four Important-rated patches for RPC as well. However, the CVSS and other descriptors are all identical. There’s no indication why some are listed as Critical and others are listed as Important. Similarly, there’s a Critical-rated patch for HEVC Video Extensions that is documented the same as the Important-rated patch for HEVC Video Extensions. Either way, you’ll get the update for both through the Microsoft Store. Those who use either the Microsoft Store for Business or the Microsoft Store for Education will be able to get this update through their organizations. Rounding out the Critical-rated patches is an update for Edge and patch for GDI+. 

Moving on to the other patches, the update for the Active Template Library (ATL) stand out. Back in 2009, multiple bulletins and advisories were required to correct a typo. It’s not clear if the situation is that dire with this update, but if you created anything using ATL, you will likely need to apply the patch then recompile your program. That’s also like true for the patch to fix an EoP in the Windows Runtime C++ Template Library.

In looking at the Important-rated bugs that could allow RCE, the SharePoint bug should not be ignored. It does require authentication, but it could allow an authenticated user to take complete control of the system. The patch for Visual Studio also stands out. This update fixes a bug in Cure53 DOMPurify, which is an open-source library used by Visual Studio. The fix for this has been available since September, so you should treat this as though it was publicly disclosed. The remaining code execution bugs cover “Open-and-Own” bugs in Office components. An attacker would need to send a specially crafted file and convince a user to open it with an affected component. That would allow the attacker to execute code of their choice at the level of the logged-on user.

Similar to last month, there are multiple security feature bypasses being fixed this month. In addition to the two already mentioned, there are three impacting the Bluetooth component and one impacting NTLM. CVE-2021-1638 is definitely intriguing as it requires no authentication and no user interaction. The other Bluetooth bugs do require some level of user interaction. The bypass for NTLM requires some level of user interaction but no authentication. Again, without executive summaries, we can only speculate the true severity of these bypasses.

There are a total of 34 EoP bugs getting patches this month. For almost all of these, an attacker would need to log on to a system then execute specially crafted code to elevate their permissions. Most of these are in various Windows, but the ones in Hyper-V and SharePoint stand out. Speaking of SharePoint, this month’s release also includes patches to fix a tampering bug and two spoofing bugs in SharePoint.   

This month includes four patches to correct Denial-of-Service (DoS) bugs. Two of these bugs are in Hyper-V, and one is in .NET Core and Visual Studio. The last of these bugs resides in the Windows CryptoAPI and can be reached remotely. According to the CVSS rating, there is some level of user interaction involved, but no authentication is needed. 

Rounding out this release are 11 patches fixing information disclosure bugs. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, the info leak in Windows Docker is a bit more severe. This vulnerability could allow an attacker to decrypt data that was encrypted by the data protection API (DPAPI). It’s not clear if you need to re-encrypt data after applying this patch, but this has been required for similar bugs in the past. Without specifics on the bug, it’s tough to offer specific guidance. The other info disclosure bug that piques curiosity is the bug impacting the Bot Framework SDK. For this component, we’re just told the information leaked is “sensitive information.” Still, if you use the SDK, make sure you get an unaffected version.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The January 2021 Security Update Review

The December 2020 Security Update Review

8 December 2020 at 18:24

December is upon us and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for December 2020

Adobe kicked off their December patch release with four CVEs fixed with updates for Adobe Prelude, Experience Manager, and Lightroom. The patch for Prelude fixes a Critical-rated uncontrolled search path vulnerability that could lead to remote code execution. The Experience Manager patch addresses a cross-site scripting (XSS) bug and an information disclosure bug caused by a blind server-side request forgery. The update for Lightroom addresses a Critical-rated uncontrolled search path element vulnerability that could lead to arbitrary code execution. None of these bugs are listed as publicly known or under active attack at the time of release.

Interestingly, Adobe also noted they will be releasing an update for Acrobat and Reader at some point this week. This blog will be updated once they do.

Update: The update for Acrobat and Reader was released on December 9, 2020. I fixes a single CVE that could lead to information disclosure.

Microsoft Patches for December 2020

For December, Microsoft released patches to correct 58 CVEs and one new advisory in Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere. December is historically a light month of patches from Microsoft and this remains true for 2020. It also brings their CVE total to 1,250 for the year. It will be interesting to see if these trends continue in 2021.

Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release. Let’s begin take a closer look at some of the more severe bugs in this release, starting with the bug found by multiple researchers:

-       CVE-2020-17132 - Microsoft Exchange Remote Code Execution Vulnerability
This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.

-       CVE-2020-17121 - Microsoft SharePoint Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack. Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.

-       CVE-2020-17095 - Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release. However, if Microsoft is wrong about the attack complexity, this could rate as high as 9.9. 

-       CVE-2020-16996 - Kerberos Security Feature Bypass Vulnerability
This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed. We do know this impacts Kerberos Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of RBCD/Protected User changes in a new KB article. This likely helps to protect against RBCD attacks such as the one detailed here. This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controller servers. This will be enforced in a future update in February. 

Here’s the full list of CVEs released by Microsoft for December 2020. 

CVE Title Severity Public Exploited Type
CVE-2020-17131 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17095 Hyper-V Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17152 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17158 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17117 Microsoft Exchange Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17132 Microsoft Exchange Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17142 Microsoft Exchange Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17118 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17121 Microsoft SharePoint Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17145 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important No No Spoof
CVE-2020-17135 Azure DevOps Server Spoofing Vulnerability Important No No Spoof
CVE-2020-17002 Azure SDK for C Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17160 Azure Sphere Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17137 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17147 Dynamics CRM Webclient Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-16996 Kerberos Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17133 Microsoft Dynamics Business Central/NAV Information Disclosure Important No No Info
CVE-2020-17126 Microsoft Excel Information Disclosure Vulnerability Important No No Info
CVE-2020-17122 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17123 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17125 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17127 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17128 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17129 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17130 Microsoft Excel Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17143 Microsoft Exchange Information Disclosure Vulnerability Important No No Info
CVE-2020-17141 Microsoft Exchange Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17144 Microsoft Exchange Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17119 Microsoft Outlook Information Disclosure Vulnerability Important No No Info
CVE-2020-17124 Microsoft PowerPoint Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17089 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17120 Microsoft SharePoint Information Disclosure Vulnerability Important No No Info
CVE-2020-17159 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17150 Visual Studio Code Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17148 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17156 Visual Studio Remote Code Execution Vulnerability Important No No RCE
CVE-2020-16958 Windows Backup Engine Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16959 Windows Backup Engine Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16960 Windows Backup Engine Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16961 Windows Backup Engine Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16962 Windows Backup Engine Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16963 Windows Backup Engine Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16964 Windows Backup Engine Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17103 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17134 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17136 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17097 Windows Digital Media Receiver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17094 Windows Error Reporting Information Disclosure Vulnerability Important No No Info
CVE-2020-17138 Windows Error Reporting Information Disclosure Vulnerability Important No No Info
CVE-2020-17098 Windows GDI+ Information Disclosure Vulnerability Important No No Info
CVE-2020-17099 Windows Lock Screen Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17092 Windows Network Connections Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17096 Windows NTFS Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17139 Windows Overlay Filter Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17140 Windows SMB Information Disclosure Vulnerability Important No No Info
CVE-2020-16971 Azure SDK for Java Security Feature Bypass Vulnerability Moderate No No SFB
CVE-2020-17153 Microsoft Edge for Android Spoofing Vulnerability Moderate No No Spoof
CVE-2020-17115 Microsoft SharePoint Spoofing Vulnerability Moderate No No Spoof

Looking at the remaining Critical-rated updates, only one (surprisingly) impacts the browser. That patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season. There are two patches for Dynamics 365 for Finance and Operations (on-premises), but both are listed as post-authentication. There’s another SharePoint patch, and multiple additional Exchange patches. Interestingly, there are two Important-rated Exchanges patches that are documented as being identical to the Critical rated ones. They have the same CVSS score, same FAQs, and affected products. Be on the safe side and count those as Critical-rated bugs, too.

Moving on to the Important-rated updates, we find 10 Office bugs impacting Outlook, PowerPoint, and Excel. Most are Excel open-and-own types of bugs, although there is also an Excel SFB that requires a group policy to be set. While these types of bugs aren’t typically all that exciting, there are currently no updates for Office 2019 for Mac. If you’re using that edition, be extra vigilant about clicking links until the update arrives.

There are a surprising number of security feature bypass (SFB) bugs getting patched this month. In addition to those previously mentioned, the Azure SDK for both C and Java receive patches. Azure Sphere also gets an SFB fixed, although this should have been automatically applied to IoT devices running Sphere. You only need to take action on that one if your devices are isolated from the update service. There’s an SFB-related patch for the Windows Overlay Filter. There’s no information about it from Microsoft but given the researcher who found it, we’ll likely see some details soon. Perhaps the most interesting SFB this month is in the Windows lock screen. An attacker with physical access could bypass the lock screen of someone who had logged in and locked their session. I’m sure this bug will be a favorite for on-site red teams for years to come.

There are a handful of information disclosure bugs getting patched this month. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, there is a bug in the Windows Error Reporting service that could allow an attacker to read from the file system. The info disclosure bug in SharePoint could allow an attacker to view SQL table columns that are normally hidden. There’s a mysterious info disclosure bug being patched in Exchange. Microsoft simply states the information disclosed is “sensitive information.” With no further information to work with, assume a successful attacker could expose any email on the server.

The December release also contains a fair number of Elevation of Privilege (EoP) fixes. The majority of these are found in the Windows Backup Engine and the Cloud Files Mini Filter Driver. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a handful of spoofing bugs receiving fixes this month, but without a description, it’s difficult to guess what these might be. The release is rounded out by a Cross-Site Scripting (XSS) bug in Dynamics CRM Webclient.

Looking at the new advisory for December, ADV200013 provides guidance on a spoofing vulnerability in the DNS Resolver. While they provide no information on whether this is being exploited in the wild, they recommend limiting the UDP buffer size to 1221. Implementing this will cause larger DNS queries to switch to TCP, so it seems a relatively safe change to make. The other advisory for this month is the monthly revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The first Patch Tuesday for 2021 falls on January 12, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!

The December 2020 Security Update Review

The November 2020 Security Update Review

10 November 2020 at 18:25

November is here and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for November 2020

Adobe kicked off their November patch cycle a bit early by releasing an update for Acrobat and Reader last Tuesday. The patch fixes 14 CVEs, four of which were reported through the ZDI program. Four of these CVEs are rated as Critical and could lead to code execution if a user opened a specially crafted PDF.

Today, Adobe released patches for Reader for Android and Connect fixing three total CVEs. The update for Reader for Android fixes an info disclosure bug. The two CVEs addressed by the Connect patch cover reflective cross-site scripting (XSS) bugs. None of the CVEs fixed by Adobe this or last week were listed as publicly known or under active attack at the time of release.

Microsoft Patches for November 2020

For November, Microsoft released patches to correct 112 CVEs in Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer (IE), Edge (EdgeHTML-based and Chromium-based), ChakraCore, Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio. After a brief dip in October, we’re back into the 110+ CVEs per month volume of patches again. That makes eight months this year with this level of patches, so we really need to think of this as the new normal.

Of these 112 patches, 17 are rated as Critical, 93 are rated as Important, and two are rated Low in severity. A total of six of these bugs came through the ZDI program. Only one bug is listed as publicly known and under active attack. You’ll notice some big changes in the documentation for this month’s release (see below for details). Microsoft has decided to withhold the amount of information it publishes about the bugs being patched. Consequently, you’ll see less detail in this blog as well. We’ll still do what we can to parse the release with what data Microsoft does publish and our deep knowledge of bug reports. We do see quite a few of them. Let’s begin take a closer look at some of the more severe bugs in this release, starting with the bug currently being exploited:

-       CVE-2020-17087 - Windows Kernel Local Elevation of Privilege Vulnerability
This privilege escalation bug was publicly disclosed by Google in late October. They noted it was combined with a Chrome bug to escape the browser sandbox and execute code on the target system. While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly.

-       CVE-2020-17084 - Microsoft Exchange Server Remote Code Execution Vulnerability
This patch corrects a code execution bug in Exchange that was reported by Pwn2Own Miami winner Steven Seeley. With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned. It is very likely he will his publish the details of these bugs soon. Microsoft rates this as Important, but I would treat it as Critical, especially since people seem to find it hard to patch Exchange at all.

-       CVE-2020-17051 - Windows Network File System Remote Code Execution Vulnerability
With no description to work from, we need to rely on the CVSS to provide clues about the real risk from this bug. At a 9.8, it’s about as critical as a bug can get. Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.

-       CVE-2020-17040 - Windows Hyper-V Security Feature Bypass Vulnerability
Here’s another bug that could be helped by a description. It’s not clear which security feature in Hyper-V is being bypassed or how an attacker can abuse it. Again, the attack complexity is low, authentication is not required, and there is no user interaction. Additional details are needed to accurately judge the risk from this bug, but the title and CVSS values alone put this bug on everyone’s radar.

Here’s the full list of CVEs released by Microsoft for November 2020. 

CVE Title Severity Public Exploited Type
CVE-2020-17087 Windows Kernel Local Elevation of Privilege Vulnerability Important Yes Yes EoP
CVE-2020-17105 AV1 Video Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-16988 Azure Sphere Elevation of Privilege Vulnerability Critical No No EoP
CVE-2020-17048 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17101 HEIF Image Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17106 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17107 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17108 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17109 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17110 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17053 Internet Explorer Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17058 Microsoft Browser Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17078 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17079 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17082 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17052 Scripting Engine Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17051 Windows Network File System Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17042 Windows Print Spooler Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-1325 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important No No Spoof
CVE-2020-16986 Azure Sphere Denial of Service Vulnerability Important No No DoS
CVE-2020-16981 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16989 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16992 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16993 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16985 Azure Sphere Information Disclosure Vulnerability Important No No Info
CVE-2020-16990 Azure Sphere Information Disclosure Vulnerability Important No No Info
CVE-2020-16983 Azure Sphere Tampering Vulnerability Important No No Tampering
CVE-2020-16970 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16982 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16984 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16987 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16991 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16994 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-17054 Chakra Scripting Engine Memory Corruption Vulnerability Important No No RCE
CVE-2020-16998 DirectX Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17049 Kerberos Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17090 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17005 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17006 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17018 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17021 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17019 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17064 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17065 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17066 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17067 Microsoft Excel Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17085 Microsoft Exchange Server Denial of Service Vulnerability Important No No DoS
CVE-2020-17083 Microsoft Exchange Server Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17084 Microsoft Exchange Server Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17062 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17063 Microsoft Office Online Spoofing Vulnerability Important No No Spoof
CVE-2020-17081 Microsoft Raw Image Extension Information Disclosure Vulnerability Important No No Info
CVE-2020-17086 Microsoft Raw Image Extension Information Disclosure Vulnerability Important No No Info
CVE-2020-16979 Microsoft SharePoint Information Disclosure Vulnerability Important No No Info
CVE-2020-17017 Microsoft SharePoint Information Disclosure Vulnerability Important No No Info
CVE-2020-17061 Microsoft SharePoint Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17016 Microsoft SharePoint Spoofing Vulnerability Important No No Spoof
CVE-2020-17060 Microsoft SharePoint Spoofing Vulnerability Important No No Spoof
CVE-2020-17091 Microsoft Teams Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17020 Microsoft Word Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17000 Remote Desktop Protocol Client Information Disclosure Vulnerability Important No No Info
CVE-2020-16997 Remote Desktop Protocol Server Information Disclosure Vulnerability Important No No Info
CVE-2020-17104 Visual Studio Code JSHint Extension Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17100 Visual Studio Tampering Vulnerability Important No No Tampering
CVE-2020-17102 WebP Image Extensions Information Disclosure Vulnerability Important No No Info
CVE-2020-17010 Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17038 Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17013 Win32k Information Disclosure Vulnerability Important No No Info
CVE-2020-17012 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17113 Windows Camera Codec Information Disclosure Vulnerability Important No No Info
CVE-2020-17029 Windows Canonical Display Driver Information Disclosure Vulnerability Important No No Info
CVE-2020-17024 Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17088 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17071 Windows Delivery Optimization Information Disclosure Vulnerability Important No No Info
CVE-2020-17007 Windows Error Reporting Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17036 Windows Function Discovery SSDP Provider Information Disclosure Vulnerability Important No No Info
CVE-2020-17068 Windows GDI+ Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17004 Windows Graphics Component Information Disclosure Vulnerability Important No No Info
CVE-2020-17040 Windows Hyper-V Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17035 Windows Kernel Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17045 Windows KernelStream Information Disclosure Vulnerability Important No No Info
CVE-2020-17030 Windows MSCTF Server Information Disclosure Vulnerability Important No No Info
CVE-2020-17069 Windows NDIS Information Disclosure Vulnerability Important No No Info
CVE-2020-17047 Windows Network File System Denial of Service Vulnerability Important No No DoS
CVE-2020-17056 Windows Network File System Information Disclosure Vulnerability Important No No Info
CVE-2020-17011 Windows Port Class Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17041 Windows Print Configuration Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17001 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17014 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17025 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17026 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17027 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17028 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17031 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17032 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17033 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17034 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17043 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17044 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17055 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-1599 Windows Spoofing Vulnerability Important No No Spoof
CVE-2020-17070 Windows Update Medic Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17073 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17074 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17076 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17077 Windows Update Stack Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17075 Windows USO Core Worker Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17037 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16999 Windows WalletService Information Disclosure Vulnerability Important No No Info
CVE-2020-17057 Windows Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17015 Microsoft SharePoint Spoofing Vulnerability Low No No Spoof
CVE-2020-17046 Windows Error Reporting Denial of Service Vulnerability Low No No DoS

You’ll notice this month’s patch table does not contain the Exploitability Index (XI) rating. Originally, XI was intended to help sysadmins prioritize which patches to test and deploy first. The thought was that some would prioritize Important-rated bugs likely to be exploited over Critical-rated bugs that were unlikely to be exploit. Since that time, security patches from Microsoft have become cumulative. Today, it is rare that you apply one patch for one component – you apply the monthly rollup that fixes many CVEs. Therefore, you have to treat all bugs in that update as though it has the highest XI rating, provided at least one bug fixed has the highest rating. Therefore, it doesn’t make sense to call out the few XI=1 when the whole update should be treat as XI=1. The exploitability index was a good initiative when it was introduced [PDF] back in 2008. These days, it’s an outdated rating that has run its course.

The other big change this month relates to Microsoft’s removal of the description section of the CVE overview. In Microsoft’s examples on their blog explaining the change, they pick some simple cases to review. In those cases, an accurate CVSS is really all you need. After all, there’s only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless. For example, “Privileges Required” and “User Interaction” are relatively straightforward to answer. Other fields, such as “Attack Complexity” does have gray areas where people can disagree on the rating. From Microsoft’s perspective, I’m sure they think they know best about how to rate a bug. There have been times when the researcher who found the bug disagreed.

As someone who has written many bulletins myself, I understand the repetitive nature of these descriptions. I have literally forgotten how many kernel EoP bugs I have written up - and they were all almost identical. However, there are those outlier cases where a description does matter. Two examples are above. Another example is CVE-2020-17049. What security feature in Kerberos is being bypassed? What is the likelihood? As a network defender, I have defenses to mitigate risks beyond just applying security patches. Should I employ those other technologies while the patches roll out? Until I have some idea of the answers to those questions, I can’t accurately assess the risk to my network from this or any of the other bugs with outstanding questions. Hopefully, Microsoft will decide to re-add the executive summaries in future releases.

Back to the actual patches…

Looking at the Critical-rated updates, most involve either one of the browsers or a video codec. We’re seeing more and more research into the multitude of codecs available for Windows, so expect this trend to continue. There’s also a code execution bug in the print spooler that could be worrying. There are quite a few bugs related to Azure Sphere, including a Critical rated one. However, you most likely won’t need to take any action on these bugs. IoT devices running Azure Sphere connected to the Internet check for updates every day and have likely already applied the patches. You only need to take action if your devices are not connected to the Internet or if you are a device manufacturer.

There are a relatively high number of remote code execution bugs getting fixes this month. Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults. It does require user interaction, so remind your kids not to click on links from strangers. There’s also another Exchange Server code execution bug, but this one has a lower CVSS than the one previously mentioned. Steven has been a busy guy.

There are a total of 37 elevation of privilege (EoP) bugs getting fixes this month. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a couple of exceptions, such as CVE-2020-17012. IN this case, the specific flaw exists within the bindflt.sys driver. A crafted request with an IOCTL of 0x220000 can perform remapping of directories. This was reported through the ZDI program, so we do have a good understanding of this bug.

There are a significant number of information disclosure bugs being addressed this month as well. For the most part, the information leaked consists of unspecified memory contents. There are a couple of exceptions. The first impacts Azure Sphere and could allow attackers to find device information like resource IDs, SAS tokens, user properties, and other sensitive information. There’s also a bug in SharePoint that could allow attackers to read from the file system.

Six patches address spoofing bugs, but without a description, it’s difficult to guess what these might be. The spoofing bugs in SharePoint typically indicate XSS, but CVE-2020-1599 title “Windows Spoofing Vulnerability” could be just about anything. The same could be said for the tampering fixes for Azure Sphere and Visual Studio. The November release is rounded out by four patches to address XSS in Microsoft Dynamics 365.

The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The final Patch Tuesday for 2020 falls on December 8, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!

The November 2020 Security Update Review

Pwn2Own Tokyo (Live from Toronto) – Day Three Results and Master of Pwn

8 November 2020 at 16:24

Pwn2Own Tokyo (Live from Toronto) has completed, but not without its fair share of drama and excitement. The third and final day of the competition saw us award $37,500 for 6 bugs across 4 devices. Here’s a quick video recapping the day’s events:

Our day began with the DEVCORE team successfully demonstrating their code execution bug chain on the Western Digital My Cloud Pro Series PR4100 NAS. They used a six-bug chain to get their root shell, but two of these bugs has been previously reported. They still earn $17,500 and 1.5 points towards Master of Pwn.

Figure 1 - Demonstrating the root shell on the Western Digital NAS

Figure 1 - Demonstrating the root shell on the Western Digital NAS

Next up, Team Bugscale targeted the LAN interface of the NETGEAR Nighthawk R7800 router. Unfortunately, they could not get their exploit to work within the time allotted.

Figure 2 - Team Bugscale could not get their exploit to work in the time allotted

Figure 2 - Team Bugscale could not get their exploit to work in the time allotted

Following that, Pwn2Own newcomer Gaurav Baruah targeted the Western Digital My Cloud Pro Series PR4100. He was able to demonstrate getting a root shell on the device. However, the bug he used had been previously reported during the contest. He still earns 1 point towards Master of Pwn.

Figure 3 - Gaurav Baruah watches his demonstration gain a root shell

Figure 3 - Gaurav Baruah watches his demonstration gain a root shell

The Viettel Cyber Security team returned for their second attempt of the contest. This time, the Sony X800 smart TV was their focus. They were able to read sensitive files from a fully patched device. However, the bug they used was publicly known. This partial win does result is 1 point towards Master of Pwn.

Figure 4 - Disclosing sensitive files from a Sony smart TV

Figure 4 - Disclosing sensitive files from a Sony smart TV

In the final entry of the contest, the STARLabs team returned to target the Synology DiskStation DS418Play NAS. They combined a race condition and an Out-Of-Bounds (OOB) Read to get a root shell on the device. This successful demonstration earned them $20,000 and 2 Master of Pwn points.

Figure 5 - The STARLabs team observes the ZDI Bug Extraction Crew demonstrate their root shell on the Synology NAS

Figure 5 - The STARLabs team observes the ZDI Bug Extraction Crew demonstrate their root shell on the Synology NAS

And thus ends another exciting Pwn2Own event. After counting all the points, Team Flashback, also known as Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro), came out on top and were crowned the Master of Pwn for the event. Congratulations to the duo of researchers. Here’s how the final standings look:

MoP Standings-Day 3.jpg

For the entire competition, we award $136,500 for 23 unique bugs across six different devices. As always, vendors have received the details of these bugs, and they now have 120 days to produce security patches to address the issues we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting research we saw this week. 

Special Thanks

We wanted to be sure to thank everyone who participated in this year’s competition. There were definitely unique challenges to overcome, but everyone came together to not just make it happen – they made it fabulous. We want to thank the participants for trusting us with their research and allowing us to run each attempt. We want to thank vendors for their support and for dialing in throughout the disclosure process. Their continued involvement in coordinated disclosure and security response processes helps the entire community. Special thanks also go out to our partners Facebook for their continued support before and during the contest.

Our next competition will be in Vancouver, where enterprise applications and tools will be put to the test. We hope to see you there. Until then, you can follow the team for the latest in exploit techniques and security patches.

Pwn2Own Tokyo (Live from Toronto) – Day Three Results and Master of Pwn

Pwn2Own Tokyo (Live from Toronto) - Day Two Results

7 November 2020 at 14:26

We’ve wrapped up the second day of the 2020 edition of Pwn2Own Tokyo (Live from Toronto). Again, this year, our talented crew in the Toronto office is running the exploit attempts, while the contestants connect via a Zoom call to observe and troubleshoot as needed. For today, we awarded $59,000 for 10 bugs across five devices. Here’s a quick video with a recap of the day’s events: 

The second day began the same way the first day ended, with Team Flashback compromising the WAN interface on a wireless router. This time, they used three bugs to get arbitrary code execution on the TP-Link AC1750 Smart WiFi router. Their effort earned them another $20,000, which brings their two-day winnings to $40,000. It also puts them in the lead for Master of Pwn with 4 total points.

Figure 1 - Showing the shell gained on the TP-Link router

Figure 1 - Showing the shell gained on the TP-Link router

Next up, Team Bugscale targeted the Western Digital My Cloud Pro Series PR4100 NAS server. While they were able to successfully exploit the NAS, the bugs they used had been previously reported during the contest. This does count as a partial win, but no Master of Pwn points were awarded.

Figure 2 - Team Bugscale watches their exploit succeed

Figure 2 - Team Bugscale watches their exploit succeed

The next contestant was 84c0, who returned to target the LAN interface of the NETGEAR Nighthawk R7800 router. He used three different bugs to get a root shell on the device. However, one of the three bugs had previously been submitted. This is another partial win, with 84c0 earning $4,000 and .5 Master of Pwn points.

Figure 3 - 84c0 observes his exploit get a shell on the NETGEAR Nighthawk WiFi router

Figure 3 - 84c0 observes his exploit get a shell on the NETGEAR Nighthawk WiFi router

Pwn2Own veterans F-Secure Labs targeted the Samsung Q60T television and wasted no time in getting a reverse shell on the fully patched smart TV. However, the bug they used was publicly known, which means this is another partial win. They do earn 1 point towards Master of Pwn for their efforts.

Figure 4 - Showing the reverse shell from the Samsung Q60T smart TV

Figure 4 - Showing the reverse shell from the Samsung Q60T smart TV

Sam Thomas of Pentest Ltd followed with an exploit chain targeting the Western Digital My Cloud Pro Series PR4100 NAS. He was able to gain arbitrary code execution through a combination of two bugs. However, one of the bugs had been previously submitted earlier in the contest. This results in another partial win, as Sam earns $10,000 and 1 Master of Pwn point.

Figure 5 - Sam Thomas of Pentest Ltd watches exploit on the Western Digital NAS succeed

Figure 5 - Sam Thomas of Pentest Ltd watches exploit on the Western Digital NAS succeed

In the penultimate attempt of Day Two, the team from Synacktiv used a trio of unique bugs to get a root shell via the LAN interface of the TP-Link AC1750 Smart WiFi router. They also gained some styled points by having the router’s light flash on and off in a showy display. The successful entry earned them $5,000 and 1 point towards Master of Pwn.

Figure 6 - The successful demonstration from the Synacktiv team included a light show on the router

Figure 6 - The successful demonstration from the Synacktiv team included a light show on the router

The final entry of day two was filled with drama as the DEVCORE team targeted the Synology DiskStation DS418Play NAS. Their first attempt failed, and their second try needed more than three and a half minutes before their elegant heap overflow provided them with root access to the server. Their effort earns them $20,000 and 2 Master of Pwn points.

Figure 7 - The DEVCORE team notches a win with just 1:24 left in the second attempt

Figure 7 - The DEVCORE team notches a win with just 1:24 left in the second attempt

Here are the current Master of Pwn standings:

MoP Standings-Day 2.jpg

Day Three starts with the DEVCORE team targeting the Western Digital NAS. A fully successful exploit would put them in a tie with Team Flashback for Master of Pwn. A failure or partial win would mean Team Flashback can’t be caught and will win. It should be an exciting demonstration. The attempt will happen at 10:00 Eastern (UTC-4). 

Until then, stay tuned to our Twitter feed and this blog for tomorrow's results as we wrap up the 2020 edition of Pwn2Own Tokyo (Live from Toronto).

Pwn2Own Tokyo (Live from Toronto) - Day Two Results

❌