February 2021 Patch Tuesday Commentary

Second Patch Tuesday of 2021 is here and while the CVE counts are low there are a number of publicly disclosed and zero day vulnerabilities to be concerned about. Microsoft has fixed 56 new and re-released 2 vulnerabilities (CVEs) across the Windows Operating System, Office, .Net Framework, a host of OS components and system tools and development tools. Adobe has also released a priority 1 update for Adobe Acrobat and Reader resolving 23 CVEs, one of which is actively exploited (Zero Day). Here is a quick view of the more important items to prioritise in your maintenance this month:

 

Zero Days:

Microsoft has resolved an important vulnerability (CVE-2021-1732) in the Windows Kernel, which could allow an attacker to elevate their privileges on a system. The vulnerability affects Windows 10 and corresponding server editions of the Windows OS. The vulnerability has been detected in active exploits in the wild. This is a prime example of why Risk-based prioritisation is so important. If you base your prioritisation off of vendor severity and focus on Critical you could have missed this vulnerability in your prioritisation. This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.

 

While this is a re-release from 2020, it warrants discussion. The Netlogon vulnerability (CVE-2020-1472) originally was resolved in August 2020. The update was planned to be a two-phase resolution. Initial update in August implemented the fix, but left it disabled. It also implemented auditing capabilities and guidance was provided for organisations to update and monitor the specific events to resolve any events that were legitimate then enable the enforcement when they were ready. February 2021 was defined as the date Microsoft would turn on enforcement. In September the vulnerability was exploited by threat actors and many organisations reacted quickly to enable enforcement. This re-release will turn on that enforcement for those who have not yet done so.

 

Adobe has resolved a Critical vulnerability in Adobe Acrobat and Reader (CVE-2021-21017) which has been exploited in limited attacks targeting Adobe Reader users on Windows systems. The vulnerability is a Heap-based Buffer Overflow that would allow the attacker to execute arbitrary code on the affected system. This vulnerability along with the 16 other Critical CVEs resolved in APSB21-09 should put Adobe Acrobat Reader into your priority bucket for remediation this month.

 

Publicly Disclosed:

*Public disclosure indicates information regarding a vulnerability has been exposed to the public. This could include proof-of-concept code or other information which give threat actors an advantage to develop an exploit. Public disclosure is a good metric to prioritise what vulnerabilities may warrant earlier attention.

Microsoft has resolved a vulnerability (CVE-2021-1733) in Sysinternals PsExec which could allow an attacker to elevate their privileges. PsExec is a commonly used tool by IT organisations but is also equally commonly used by threat actors utilising existing tools (Living off the land tactics).

Microsoft has resolved a pair of vulnerabilities in .Net Core (Remote Code Execution CVE-2021-26701) and .Net Core and Visual Studio (Denial of Service CVE-2021-1721) which have both been publicly disclosed. Development tools and the development supply chain are a rising concern and have been even before the recent Solarwinds breach. Development tools are updated regularly, and evaluation and update of these components should be part of every organisation's DevSecOps process.

Microsoft has resolved an Information Disclosure vulnerability in DirectX (CVE-2021-24106) which affects Windows 10 and Server 2016 and newer systems. An attacker could gain access to uninitialised memory and what information may be stored there.

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Installer (CVE-2021-1727). The vulnerability affects Windows 7 and Server 2008 and newer operating systems.

Microsoft has resolved a Denial of Service vulnerability in Windows Console Driver. (CVE-2021-24098) In the vulnerability FAQ Microsoft provides some additional detail. The vulnerability would require user interaction to exploit. This could include user-provided content through a website or a specially crafted website designed to exploit the vulnerability.

 

February Priorities:

Urgent: Windows OS updates and Adobe Acrobat and Reader need immediate attention with the list of exploited and publicly disclosed vulnerabilities.

High Priority: Development tools and IT Tools need some attention. .Net Core and PsExec disclosures are a concern that should not go unaddressed. Because these development and IT tools do not follow the same update process as OS and Application updates it is important to review your DevOps processes and determine if you are able to detect and respond to updates for common dev components. For tools like PsExec it is important to understand your software inventory and where these tools are installed and ensure you can distribute updated versions as needed.