Welcome to the February Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Patch Tuesday.
Microsoft has blessed us with a relatively light Patch Tuesday this month, with just 56 vulnerabilities addressed in the release.
Eagle-eyed Windows users may have seen a notice this week about a zero-day exploit with a fix promised on Patch Tuesday. This transpired to be CVE-2021-1732, an escalation of privilege vulnerability in the Win32k component that allows an attacker to execute arbitrary code with higher privileges. The existence of functional exploit code and known attacks in the wild makes this important to patch quickly despite requiring the attacker to have a presence on the device already.
Of the highest-rated CVEs, another remote code execution bug in Windows DNS is notable. It’s a complex bug to take advantage of, requiring an attacker to send a spoofed root DNS lookup response to the victim DNS server after having triggered the lookup request themselves. Such a coordinated attack requires effort; however, the increasing focus on DNS servers as a rich source of vulnerabilities makes it a high priority to patch.
Similarly, three distinct but related TCP/IP bugs are present in the Windows networking stack, all of which enable remote code execution in various ways. CVE-2021-24074 uses packet fragmentation and modified header information which, when the packets are reconstructed, cause an out-of-bounds memory condition that can expose memory for exploitation. The other two bugs, CVE-2021-24094 and CVE-2021-24086, are present in IPv6 and also use packet fragmentation to trigger system errors that open the door for exploits.
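Since the Microsoft fixes above matter only once the cumulative update is actually installed, a quick way for a defender to confirm that on a fleet is to compare installed hotfixes against the KB numbers of this month's release. The snippet below is an added example, not part of the original post or of any Microsoft tooling; the KB identifiers in `$RequiredKBs` are placeholders, since the post does not list them, and should be replaced with the KB numbers from the February security update catalog for the build in question.

```powershell
# Added example: report which of the required February updates are missing.
# Placeholder KB ids; substitute the real ones for your Windows build (assumption).
$RequiredKBs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')

function Get-MissingHotFix {
    param(
        [Parameter(Mandatory)] [string[]] $KBs,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix queries the Win32_QuickFixEngineering class; it returns
    # nothing rather than throwing when a KB is absent, so collect the ids.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID
    # Return only the KBs that are not present on the host.
    $KBs | Where-Object { $_ -notin $installed }
}

$missing = Get-MissingHotFix -KBs $RequiredKBs
if ($missing) {
    Write-Warning ("{0} is missing: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
} else {
    Write-Output ("{0}: all required February updates installed" -f $env:COMPUTERNAME)
}
```

Run it with a list of hostnames (for example by looping over the output of `Get-ADComputer`) to turn the post's "patch quickly" advice into a checkable inventory rather than an assumption; note that `Get-HotFix` only reports updates installed via Windows Update or WSUS, so hosts patched by other means may need an alternative check.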
With Microsoft taking it relatively easy, Adobe have seized on the opportunity to drop a large number of updates for a range of products. Of note for enterprises are the updates for Acrobat & Reader covering 17 critical vulnerabilities including CVE-2021-21017, a buffer overflow bug being exploited in the wild, albeit in limited numbers.
Aside from these, updates are also released for Illustrator, Photoshop, Animate and Magento.
Cisco released Critical update advisories for a range of Small Business routers and VPN devices. These affect the web-based management console and allow an attacker to run code as root on the devices. While it’s highly unlikely users of these devices will have the management interface exposed to the internet, an attacker with a presence inside the network may be able to use these vulnerabilities to gain control of the perimeter device and thereby further their attack.
Similarly, a number of command injection vulnerabilities were announced for Cisco’s SD-WAN product range. These include attacks on the web-based management console, but also encompass several bugs in the CLI interface that enable escalation of privilege to root, giving the attacker the ability to manipulate files and configuration on the system.