Ena Jovanovich
Security Analyst
Microsoft
The big news for August is that Microsoft addressed an RCE vulnerability in the Windows implementation of TCP/IP (CVE-2021-26424) with a CVSS score of 9.9, and a remote desktop client vulnerability (CVE-2021-34535) rated at a CVSS score of 8.8. The TCP/IP vulnerability enables attackers to send specially crafted TCP/IP packets from a Hyper-V guest machine to a vulnerable Hyper-V host using TCP/IP protocol stack to process the maliciously crafted packets. Interestingly, Microsoft issued patches for many older, deprecated products that may still be run as Guests on vulnerable Hyper-V hosts. Though no public attacks have been identified, the remote desktop client vulnerability was described as “more likely to be exploited” in two scenarios, either a victim making a remote desktop connection to an attacker-controlled server or a guest virtual machine on a Hyper-V host connecting as a guest to host.
Another update from Microsoft addresses the Windows Print Spooler Vulnerability (CVE-2021-36936 and CVE-2021-36947) identified by researchers over the past few months. However, it is not clear whether this Print Spooler vulnerability is a variant of the June (CVE-2021-1675) and July (CVE-2021-34481) PrintNightmare vulnerability or a unique one. Either way, attackers can use this to execute code on affected systems only requiring low privileges. Therefore, the current recommendation is to prioritize testing and deployment of patches as soon as possible.
Aside from these, Microsoft patched a total of 44 vulnerabilities this month, including one being actively targeted by malicious hackers. Exploit code for CVE-2021-36948 has been detected in the wild and rated a CVSS score of 7.8. This privilege escalation vulnerability affects the Windows Update Medic Service in Windows 10 and Windows Server 2019, and it can be leveraged in combination with another vulnerability to let attackers run code of their choice as administrator on a vulnerable system. EoP vulnerabilities are the cornerstone of modern intrusions as they allow the attackers to elevate privileges on the compromised system and ensure maximum damage in the case of ransomware attacks.
Cisco
Earlier this month Cisco Security Advisory published that multiple vulnerabilities (cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy) are found in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers.
These vulnerabilities affect releases earlier than 1.0.03.22 and could, according to Cisco, allow an attacker to execute arbitrary code and commands, or cause a denial of service. The main advice is to patch and ensure that the web management console isn’t internet-facing. Anyone running these devices should ensure their web management console access is secured and access restricted to their systems. Cisco has released free software updates that address the vulnerabilities.