
Post-Patch Tuesday Roundup: May 2021



Alexander Lewis

Cyber Assessment Services Technical Practice Lead

Welcome to the May patch roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, and the other major vendors, with a returning guest author, Softcat’s Principal Security Consultant, Alex Lewis.


This month’s edition is reassuringly lighter in both severity and number of vulnerabilities, with Microsoft releasing only 55 patches, only four of which are critical. Let’s drill down into those four critical vulnerabilities specifically:

1. CVE-2021-31166, an HTTP Protocol Stack RCE (remote code execution) vulnerability, means that an unauthenticated attacker could send a specially crafted packet to a targeted server, which could result in RCE. It is worth bearing in mind, however, that the attacker would require network access to a web server running an unpatched asset. Whilst no exploits have yet been seen in the wild, they are likely to appear in the days that follow.

2. CVE-2021-28476 is another RCE, this time in Hyper-V. Interestingly, given a CVSSv3 score of 9.9, Microsoft’s exploitability assessment rates this as ‘exploitation less likely.’ This vulnerability could enable a remote, unauthenticated threat actor to compromise a host via a guest virtual machine. Exploitation could result in one of two conditions: a denial of service (DoS), by forcing the kernel to read from an arbitrary, potentially invalid address, or RCE, through further exploitation of the arbitrary address.

3. The fan favourite, Microsoft Exchange, is back with four vulnerabilities, ranging in severity from 6.5 to 7.8. The most interesting of these is likely CVE-2021-31207, as this was one of the vulnerabilities discovered as part of Pwn2Own 2021. For those Exchange admins out there, the four in question are below:

4. Finally, a pair of SharePoint RCE vulnerabilities are worth noting, both of which score 8.8 on the CVSSv3 scale. Whilst an attacker would need to be authenticated to exploit these flaws, Microsoft have graded these vulnerabilities as ‘exploitation more likely.’ Successful exploitation of these vulnerabilities would enable an attacker to achieve RCE through the creation of a SharePoint site.

Finally, Windows 10 1909 has now reached its end of life, so it is no longer supported and will not receive security updates. Both Education and Enterprise editions of 1909 will remain supported until 11th May 2022, but our recommendation to plan and roll out upgrades remains unchanged, to keep you ahead of the curve.


With 44 vulnerabilities released for 12 of its solutions, Adobe, on the other hand, have been relatively busy. I’d recommend prioritising the updates for Adobe Acrobat & Reader (for Windows and macOS) first, as these solutions are often targeted by attackers and there are a number of critical and important vulnerabilities this month. Chief among these is CVE-2021-28550, which has been actively exploited in the wild.

Additionally, the Experience Manager product has two vulnerabilities and should follow next, as CVE-2021-21084 could allow attackers to execute arbitrary JavaScript in the user’s browser. Following this, the remaining patches should be applied in due course.