March Patch Tuesday Commentary

There was an interesting start to March, with four Exchange Server exploits and an out of band update.      There is an additional Zero Day vulnerability being exploited in Internet Explorer and three publicly disclosed vulnerabilities to discuss this month. A total of 83 unique CVEs (Common Vulnerabilities and Exposures) have been resolved in Microsoft’s March Patch Tuesday update. Microsoft products affected this month include Windows OS, Office, Internet Explorer, Edge, Exchange Server, and Sharepoint, as well as many development tools and updates for Azure, Azure DevOps, and Azure Sphere

 

Exchange Zero Day Update:

Microsoft has provided a set of links to many relevant articles on the Exchange vulnerabilities, steps to identify if your environment has been compromised, mitigation options meant to protect environments short-term at the sacrifice of some functionality, and steps to take if you believe you have found indications of compromise. They also expanded the release with additional version\CU coverage.     

It is rare for Microsoft to update out of support versions of a product. This is an indication of the severity and reach of the attacks targeting the Exchange Server on-prem products. Revision note:

Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates that are out of support, including Exchange Server 2019 CU 6, CU 5, and CU 4 and Exchange Server 2016 CU 16, CU 15, and CU14.

Please see the following for more information on the Microsoft Exchange Server Vulnerabilities:

• MSRC Blog
• Hafnium Targeting Exchange
• Microsoft on the Issues
• Exchange Team Blog
• March 8 Exchange Team Blog
• Microsoft Exchange Server Vulnerabilities Mitigations

Exploited and Publicly Disclosed Vulnerabilities:

Internet Explorer and Edge (HTML-based) browsers are being targeted by attacks in the wild. This vulnerability has also been publicly disclosed, which would allow other threats. CVE-2021-26411 is a memory corruption vulnerability that could allow an attacker to target users with specially crafted content. An attacker could utilise specially crafted websites or websites that accept user-provided content or advertisements to host content designed to exploit this vulnerability.

 

A publicly disclosed vulnerability (CVE-2021-27077) exists in Windows Win32k that could allow an attacker to elevate privileges on the affected system. The vulnerability is rated as Important and carries a base score of 7.8, but the exposure of being publicly disclosed raises the potential risk.

 

A .Net Core update from February has been re-released to provide links to release notes. The vulnerability from February had been publicly disclosed and, if exploited, could allow Remote Code Execution (CVE-2021-26701). The vulnerability has been rated as Critical and affects Microsoft .Net 5.0, .Net Core 3.1 and 2.1 as well as Visual Studio 2019 and 2017 versions.

 

March Update Priorities:

• Exchange Server on-prem is the top priority
• Windows OS, Internet Explorer, Edge: The browser Zero Day and other critical and publicly disclosed vulnerabilities require priority attention.
• SharePoint Server: While not disclosed or exploited, CVE-2021-27076 is a Critical CVE and Microsoft has flagged it as Exploitation More Likely on their Exploitability Assessment.