Welcome to the July Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware and the other major vendors. This month’s blog has been written by guest contributor and Softcat Security Consultant Violet Birtwistle.
Microsoft has had a busy week with around 117 vulnerabilities, 13 of which were marked as critical, meaning that deploying the updates to your estate promptly is as important as ever. Keeping this as concise as possible, let's dive right into them:
Most prominently, CVE-2021-34527 is a Windows Print Spooler RCE vulnerability. The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and for the additional RCE flaw in the Windows Print Spooler service known as “PrintNightmare”, tracked as CVE-2021-34527. As of July 7th, the security updates for Windows Server 2012, Windows Server 2016 and Windows 10, version 1607 have also been released. It is recommended that you install these updates immediately and carry out the additional checks outlined in the executive summary of CVE-2021-34527.
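As an added example (not from the blog or from Microsoft), the following read-only PowerShell check reports the Print Spooler service state and the two Point and Print registry values that Microsoft's CVE-2021-34527 guidance asks administrators to verify after patching. The registry path and value names come from that guidance; the KB number is a placeholder because the blog does not list per-OS KB numbers, and running elevated on each host is assumed.

```powershell
# Added example: post-patch verification for CVE-2021-34527 (PrintNightmare).
# Assumes Windows PowerShell 5.1 or later, run elevated on the host being checked.
# Per Microsoft's guidance, both Point and Print values should be 0 or absent
# once the July 2021 updates are installed; any other value weakens the fix.
$pointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valuesToCheck = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

$spooler = Get-Service -Name Spooler
$result  = [ordered]@{
    ComputerName     = $env:COMPUTERNAME
    SpoolerStatus    = $spooler.Status
    SpoolerStartType = $spooler.StartType
}

foreach ($name in $valuesToCheck) {
    # Get-ItemProperty throws when the key or value is missing; "missing" is the safe default.
    try {
        $value = (Get-ItemProperty -Path $pointAndPrint -Name $name -ErrorAction Stop).$name
    } catch {
        $value = $null
    }
    $result[$name] = if ($null -eq $value) { 'not set (OK)' }
                     elseif ($value -eq 0)  { '0 (OK)' }
                     else                   { "$value (REVIEW: weakens the fix)" }
}

# Hotfix check: replace KB-PLACEHOLDER with the KB for this OS from the CVE-2021-34527 advisory.
$kb = 'KB-PLACEHOLDER'
$result['JulyUpdateInstalled'] = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                                         Where-Object HotFixID -eq $kb)

# Microsoft's listed workaround for hosts that never print is to stop and disable the service;
# a running spooler on such a host is worth flagging to the owner.
[pscustomobject]$result | Format-List
```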
CVE-2021-31979 and CVE-2021-33771 are Windows Kernel elevation of privilege vulnerabilities, both of which have been exploited in the wild as zero-days, according to Microsoft. If left unpatched, a local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions.
CVE-2021-34448 is a scripting engine memory corruption vulnerability, which again has been exploited in the wild as a zero-day according to Microsoft. This vulnerability requires an attacker to lure a user into visiting a malicious domain, which could be done through phishing emails or similar messaging services. Because of the required user interaction, it was given a lower CVSSv3 score of 6.8.
CVE-2021-34458 is a Windows kernel remote code execution vulnerability. It allows a Single Root I/O Virtualization (SR-IOV) device that is assigned to a guest to potentially interfere with its Peripheral Component Interconnect Express (PCIe) siblings that are attached to other guests or to the root. You are affected if both of the following apply:
· Your Windows instance is hosting virtual machines
· Your Server includes the required hardware with SR-IOV devices
CVE-2021-31196, CVE-2021-31206 and CVE-2021-34473 are all Microsoft Exchange Server remote code execution (RCE) vulnerabilities, while CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are Exchange elevation of privilege vulnerabilities. CVE-2021-34473 is the highest rated, receiving a CVSSv3 score of 9.1, and is more likely to be exploited according to Microsoft’s Exploitability Index. Several of these updates were released back in April; however, they were “inadvertently omitted” from the security update guide, according to Microsoft.
CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are all Windows DNS Server RCE vulnerabilities scored at 8.0 or higher. Exploitation of these flaws would require a low-privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server. Similarly, CVE-2021-33749, CVE-2021-33750, CVE-2021-33756 and CVE-2021-33752 are all Windows DNS Snap-in RCE vulnerabilities. For an attacker to exploit these, an administrator would need to view a malicious record in the DNS Snap-in.
CVE-2021-34450 presents a Windows Hyper-V RCE vulnerability where an attacker who is authenticated to a guest virtual machine (VM) would be able to send crafted requests to execute arbitrary code on the host machine. While Microsoft rates this as “Exploitation Less Likely,” it is important to consider that malware variants commonly look to escape VMs and infect the host machine.
CVE-2021-34464 and CVE-2021-34522 are Microsoft Defender RCE vulnerabilities. While Microsoft rates exploitation of these as less likely, Tenable has rightly highlighted them because of previous in-the-wild exploitation of a similar flaw, CVE-2021-1647, back in January. Although Defender updates itself automatically, it is still advised to verify that these have been properly patched.
CVE-2021-34467 and CVE-2021-34468 are SharePoint Server RCE vulnerabilities, and Microsoft has released patches for both. These CVEs have a high likelihood of exploitability and are assigned a CVSSv3 base score of 7.1 by the vendor. Along with these patches, it has been noted that CVE-2021-34520 should be prioritised for patching.
For the full list of vulnerabilities, the SANS ISC InfoSec Forum has published a helpful blog with a clear visual breakdown of all the patches by severity. This can be found here.
Adobe addressed just under 30 CVEs this Patch Tuesday, with 22 of them rated as critical severity and impacting multiple Adobe products. Acrobat and Reader have updates fixing 19 different bugs; several of these were noted to lead to code execution but require the attacker to lure a user into opening a malicious PDF attachment. Illustrator has patches to fix three vulnerabilities, two of which allow code execution during the processing of PDF and JPEG2000 files. These issues result from the lack of proper validation of user-supplied data, which can lead to a buffer overflow.
In addition, Bridge, Framemaker and Dimension also receive patches, though it should be noted that none of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.