April Patch Tuesday Commentary
Microsoft has released updates for the Windows OS, Office and O365, Exchange Server, Edge (Chromium), Visual Studio, Azure DevOps, Azure AD Web Sign-in, Azure Sphere, and many other components. A total of 110 unique vulnerabilities have been resolved this month including one Zero Day (CVE-2021-28310), and four publicly disclosed vulnerabilities (CVE-2021-28458, CVE-2021-28437, CVE-2021-28312, CVE-2021-27091). 19 of the CVEs are rated as Critical, but that does not include the Win32k Zero Day.
Microsoft Release
Zero Day: Microsoft has resolved an Important vulnerability in Win32k which could allow an Elevation of Privilege on Windows 10 systems (CVE-2021-28310). While only rated as Important, this vulnerability has been detected in attacks in the wild. Details from the open source exploit intelligence site attackerkb.com show the CVE as reserved and last updated on March 12, 2021, so it may have been exploited by threat actors for a month or more at this point. This is a good example of the importance of using a risk-based prioritisation approach. If you are basing your prioritisation on vendor severity and looking only at the Critical CVEs, you may have missed this one. Fortunately for those organisations, this fix is part of the Windows 10 cumulative update this month — which also includes Critical CVEs — but broadening your prioritisation metrics to include risk metadata such as exploited, publicly disclosed, and other indicators will help to ensure you prioritise the best possible set of updates to remediate in a timely fashion.
Publicly Disclosed: A vulnerability exists in Windows Installer that could allow Information Disclosure (CVE-2021-28437). The vulnerability has been publicly disclosed, meaning enough information has been made publicly available to give threat actors a head start on developing a functional exploit. The CVE affects all Windows operating systems back to Windows 7 and Server 2008. Information Disclosure exploits in Windows Installer often allow an attacker to gain access to additional information that assists in further compromise of the system. The CVE is rated as Important. Exploit code was marked as unproven at the time of release.
Publicly Disclosed: A vulnerability exists in RPC Endpoint Mapper Service which could allow an attacker to Elevate Privileges (CVE-2021-27091). The vulnerability has been publicly disclosed, meaning enough information has been made publicly available to give threat actors a head start on developing a functional exploit. The CVE affects older Windows 7, Server 2008 R2 and Server 2012 systems. The CVE is rated as Important, but Proof-of-Concept code is available which could allow an attacker to more quickly develop a working exploit.
Publicly Disclosed: An Elevation of Privilege vulnerability has been identified in Azure ms-rest-nodeauth Library (CVE-2021-28458). The vulnerability has been publicly disclosed, meaning enough information has been made publicly available to give threat actors a head start on developing a functional exploit. The vulnerability has been rated as Important. No other release notes or articles are linked to this CVE at this time.
Publicly Disclosed: A vulnerability exists in Windows NTFS which could allow a Denial of Service attack (CVE-2021-28312). The vulnerability has been publicly disclosed, meaning enough information has been made publicly available to give threat actors a head start on developing a functional exploit. The CVE affects Windows 10 1809, Server 2019, and later versions. The CVE is only rated as Moderate, but functional exploit code is available. This CVE should be treated as a higher risk than the severity implies.
Exchange Server: Microsoft Exchange Server is getting another update this month, and based on the Pwn2Own results, there will likely be more on the way. The four CVEs resolved this month were all discovered by the NSA. All four CVEs are rated as Critical. None have a proven exploit at this time, but on the heels of the recent serious exploit activity against Microsoft Exchange, you can expect that if NSA security analysts are finding more vulnerabilities and security researchers are proving out exploits in the Pwn2Own competition, threat actors are also swarming around Microsoft Exchange to see what more they can find.
Low Key Month for Third Party Updates
This month, Adobe had four updates, for Photoshop, Digital Editions, Bridge, and RoboHelp, all rated as Priority 3. A total of 10 CVEs were resolved across the four updates, and all but the RoboHelp update include Critical CVEs.
Adobe's reasoning for the Priority 3 rating is that each update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.
This is one of the challenges of vendor severity ratings – since these applications are less likely to be targeted by threat actors, Adobe set the priority of the update lower, regardless of how many vulnerabilities are resolved or what severity those vulnerabilities may have. While historical evidence supports Adobe's assessment, it does not remove all risk. Photoshop has had as many as nine exploited CVEs over the years, the most recent in 2015. Of these four updates, Photoshop is the riskiest, but all are low risk and can be resolved in the course of regular maintenance.
Priorities this Month:
There are a lot of vulnerabilities being resolved this month. The good news is that most of them are in the OS, including the Zero Day and three of the four Publicly Disclosed vulnerabilities. Knocking the OS out quickly will reduce a significant amount of risk this month. Top priorities this month should include the Windows OS, Edge (Chromium), and Exchange Server.
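The risk-based prioritisation argued for above can be made concrete as a sort key that weighs in-the-wild exploitation, exploit-code maturity and public disclosure ahead of the vendor's severity label. This is an added example, not code from the original post: the five named CVEs carry the attributes stated in the commentary, while the two "CVE-EXAMPLE" entries are constructed placeholders standing in for this month's Critical, non-exploited CVEs.

```python
from dataclasses import dataclass

# Ordinal ranks for the labels used in the commentary.
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}
MATURITY_RANK = {"functional": 3, "proof-of-concept": 2, "unproven": 1, "none": 0}


@dataclass
class Cve:
    cve_id: str
    product: str
    severity: str            # vendor severity rating
    exploited: bool = False  # detected in attacks in the wild
    disclosed: bool = False  # publicly disclosed before the fix shipped
    maturity: str = "none"   # exploit-code maturity


def risk_key(c: Cve) -> tuple:
    """Higher tuple = higher priority. Exploitation in the wild dominates,
    then exploit-code maturity, then public disclosure, then vendor severity."""
    return (c.exploited, MATURITY_RANK[c.maturity], c.disclosed, SEVERITY_RANK[c.severity])


def prioritise(cves):
    """Risk-based order: the Important zero day and the Moderate NTFS bug with
    functional exploit code land above untouched Critical CVEs."""
    return sorted(cves, key=risk_key, reverse=True)


def vendor_order(cves):
    """Severity-only order, for comparison; it buries the exploited Win32k CVE."""
    return sorted(cves, key=lambda c: SEVERITY_RANK[c.severity], reverse=True)


# Sample data (attributes as given in the post; the two Critical rows are constructed placeholders).
APRIL_2021 = [
    Cve("CVE-2021-28310", "Win32k", "Important", exploited=True),
    Cve("CVE-2021-28437", "Windows Installer", "Important", disclosed=True, maturity="unproven"),
    Cve("CVE-2021-27091", "RPC Endpoint Mapper", "Important", disclosed=True, maturity="proof-of-concept"),
    Cve("CVE-2021-28458", "ms-rest-nodeauth", "Important", disclosed=True),
    Cve("CVE-2021-28312", "Windows NTFS", "Moderate", disclosed=True, maturity="functional"),
    Cve("CVE-EXAMPLE-0001", "Exchange Server (placeholder)", "Critical"),
    Cve("CVE-EXAMPLE-0002", "Windows OS (placeholder)", "Critical"),
]

if __name__ == "__main__":
    for c in prioritise(APRIL_2021):
        print(f"{c.cve_id:18} {c.severity:9} exploited={c.exploited!s:5} "
              f"disclosed={c.disclosed!s:5} exploit_code={c.maturity}")
```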
Keep on the Lookout
The Zero Day Initiative's yearly Pwn2Own challenge concluded last week. The fallout from this event will begin to occur over the 90 days following the event, as vendors have this window to address the vulnerabilities exploited during the event before they are made public. As these fixes are released over the next few months, you should watch for and resolve them as quickly as possible. Products affected are:
- Zoom, which was reportedly the nastiest of the exploits executed in the competition. The exploit only requires that the user be attending a meeting; no other interaction by the user is necessary. Zoom has reportedly already made a server-side change to mitigate the vulnerability but is expected to make additional changes to better secure against this attack.
- Microsoft Exchange experienced a complete takeover using a combination of an authentication bypass and a local privilege escalation. Expect an Exchange Server fix, and possibly an OS fix, over the next few months in response to this one. With the recent zero-day exploits of Exchange Server, there will likely be a prompt response from Microsoft and a likely corresponding response from attackers looking to take advantage.
- Microsoft Teams was exploited using a pair of vulnerabilities that allowed the researcher to achieve code execution in Microsoft Teams.
- As always, browsers are hot targets. Expect security updates for Chrome and Microsoft Edge (Chromium), which share the V8 JavaScript engine, and for Safari, where an integer overflow allowed an out-of-bounds write leading to kernel-level code execution.
- Parallels Desktop was heavily targeted in the virtualisation category and saw two successful exploits involving multiple flaws.
- For operating systems, Windows 10 and Ubuntu were both successfully exploited to escalate privileges: from user to SYSTEM in the case of Windows 10, and from a standard user to root in the case of Ubuntu.