Daily Bulletin

July Patch Tuesday Commentary from Ivanti


July Patch Tuesday is shaping up to be a busy one. With the recent PrintNightmare out-of-band update, the upcoming Oracle quarterly CPU, a lineup of updates from Adobe including Acrobat and Reader, Mozilla Firefox and Firefox ESR, and the typical lineup of Microsoft monthly updates, there will be a lot to prioritize for your vulnerability remediation efforts this month.

 

Starting with PrintNightmare (CVE-2021-34527): it was identified after the June Patch Tuesday update as another vulnerability in the Print Spooler that needed to be resolved, and Microsoft quickly released out-of-band security updates for most operating systems. Updates are available for Windows 7 and Server 2008/2008 R2 if you have an Extended Security Update (ESU) subscription. Microsoft also provided a support article on how the updates work and some additional configuration options. If you have not already deployed the out-of-band update, you can just deploy the July OS updates to resolve the three new Zero Day vulnerabilities along with this CVE.

 

Microsoft resolved 117 unique CVEs, 10 of which are rated as Critical. There are three Zero Day vulnerabilities and five public disclosures. There is a small bit of good news: all three Zero Day vulnerabilities and three of the five publicly disclosed vulnerabilities are resolved by deploying the July OS updates. The updates this month affect the Windows OS, Office 365, SharePoint, Visual Studio, and a number of modules and components (details can be found in the release notes).

 

Risk-Based Prioritization:

 

As you look at the vulnerabilities resolved by vendors in this Patch Tuesday update, it is important to consider more than vendor severity and CVSS score in your assessment. If you do not have additional metrics to determine risk, you could well be missing some of the more impactful updates. This month's Zero Day lineup is a good example of how the vendor algorithms used to define severity can give a false sense of security. Two of the CVEs are only rated by Microsoft as Important, yet they were actively being exploited before the update was released. The CVSSv3 score for the Critical CVE is actually lower than that of the two Important CVEs. According to analysts like Gartner, adopting a risk-based approach to vulnerability management can reduce the number of data breach incidents each year by up to 80% (Gartner Forecast Analysis: Risk-Based Vulnerability Management 2019).

 

Zero Day Vulnerabilities:

 

CVE-2021-31979 is an Elevation of Privilege vulnerability in the Windows Kernel. This vulnerability has been detected in attacks in the wild. Microsoft severity for this CVE is rated as Important and CVSSv3 score is 7.8. The vulnerability affects Windows 7, Server 2008 and later Windows OS versions.

 

CVE-2021-33771 is an Elevation of Privilege vulnerability in the Windows Kernel. This vulnerability has been detected in attacks in the wild. Microsoft severity for this CVE is rated as Important and CVSSv3 score is 7.8. The vulnerability affects Windows 8.1, Server 2012 R2 and later Windows OS versions.

 

CVE-2021-34448 is a Memory Corruption vulnerability in Windows Scripting Engine that could allow an attacker to target a user to remotely execute code on the affected system.

 

In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

 

Microsoft severity for this CVE is rated as Critical and CVSSv3 score is 6.8. The vulnerability affects Windows 7, Server 2008 and later Windows OS versions.

Publicly Disclosed:

  • CVE-2021-33781 is a Security Feature Bypass in the Active Directory Service. This vulnerability has been publicly disclosed. Microsoft severity for this CVE is rated as Important and CVSSv3 score is 8.1. The vulnerability affects Windows 10, Server 2019 and later Windows OS versions.
  • CVE-2021-33779 is a Security Feature Bypass in the Windows ADFS Security. This vulnerability has been publicly disclosed. Microsoft severity for this CVE is rated as Important and CVSSv3 score is 8.1. The vulnerability affects Server 2016, 2019, 2004, 20H2 and Core Windows Server versions.
  • CVE-2021-34492 is a Certificate Spoofing vulnerability in the Windows OS. This vulnerability has been publicly disclosed. Microsoft severity for this CVE is rated as Important and CVSSv3 score is 8.1. The vulnerability affects Windows 7, Server 2008 and later Windows OS versions.
  • CVE-2021-34473 is a Remote Code Execution vulnerability in Microsoft Exchange Server. This vulnerability has been publicly disclosed. Microsoft severity for this CVE is rated as Critical and CVSSv3 score is 9.0. The vulnerability affects Exchange Server 2013u23, 2016u19, 2016u20, 2019u8, 2019u9.
  • CVE-2021-34523 is an Elevation of Privilege vulnerability in Microsoft Exchange Server. This vulnerability has been publicly disclosed. Microsoft severity for this CVE is rated as Important and CVSSv3 score is 9.1. The vulnerability affects Exchange Server 2013u23, 2016u19, 2016u20, 2019u8, 2019u9.
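
The risk-based prioritization point above can be checked against this month's own numbers. The following is an added example, not code from Ivanti or Microsoft: the CVE data is transcribed from this article, while the function names and the two threshold policies ("CVSS >= 8.0" and "Critical only") are hypothetical illustrations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    severity: str    # Microsoft severity as quoted in the article
    cvss: float      # CVSSv3 score as quoted in the article
    exploited: bool  # article reports exploitation in the wild
    disclosed: bool  # article reports public disclosure

# Values transcribed from the Zero Day and Publicly Disclosed sections above.
VULNS = [
    Vuln("CVE-2021-31979", "Important", 7.8, True, False),
    Vuln("CVE-2021-33771", "Important", 7.8, True, False),
    Vuln("CVE-2021-34448", "Critical", 6.8, True, False),
    Vuln("CVE-2021-33781", "Important", 8.1, False, True),
    Vuln("CVE-2021-33779", "Important", 8.1, False, True),
    Vuln("CVE-2021-34492", "Important", 8.1, False, True),
    Vuln("CVE-2021-34473", "Critical", 9.0, False, True),
    Vuln("CVE-2021-34523", "Important", 9.1, False, True),
]

def rank_by_cvss(vulns):
    """Score-only ordering: highest CVSSv3 first."""
    return sorted(vulns, key=lambda v: -v.cvss)

def rank_by_risk(vulns):
    """Exploited first, then publicly disclosed, with CVSSv3 as tie-breaker."""
    return sorted(vulns, key=lambda v: (not v.exploited, not v.disclosed, -v.cvss))

def exploited_positions(ranking):
    """1-based positions of the exploited CVEs within a ranking."""
    return [i for i, v in enumerate(ranking, 1) if v.exploited]

def missed_by_policy(vulns, min_cvss=None, severities=None):
    """Exploited CVEs that a score or severity threshold policy would defer."""
    missed = []
    for v in vulns:
        selected = ((min_cvss is not None and v.cvss >= min_cvss)
                    or (severities is not None and v.severity in severities))
        if v.exploited and not selected:
            missed.append(v.cve)
    return missed

if __name__ == "__main__":
    print("Zero days, CVSS-only ranking:", exploited_positions(rank_by_cvss(VULNS)))
    print("Zero days, risk-based ranking:", exploited_positions(rank_by_risk(VULNS)))
    print("Deferred by 'CVSS >= 8.0':", missed_by_policy(VULNS, min_cvss=8.0))
    print("Deferred by 'Critical only':", missed_by_policy(VULNS, severities={"Critical"}))
```

On this month's data a CVSS-only ordering places all three actively exploited CVEs last among the eight, and a "Critical only" policy defers the two kernel Elevation of Privilege Zero Days.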

 

Third Party Updates:

 

Oracle will be releasing its quarterly Critical Patch Update (CPU) on July 20th. This will include updates for Oracle Java SE, MySQL, Fusion Middleware, and many other Oracle products. Each will include security fixes along with CVSSv3.1 details, such as attack complexity and whether the vulnerability is remotely exploitable, that can help you prioritize how urgently to apply these updates.

 

Adobe released updates for five products as part of their July Patch Tuesday update. The updates for Adobe Bridge, Dimension, Illustrator, and FrameMaker are rated by Adobe as Priority 3. Each resolves at least one Critical CVE. Adobe's priority takes into account the severity of the vulnerabilities as well as the likelihood of an attacker targeting the product they apply to. Adobe Priority 1 indicates at least one CVE included in the release is actively being exploited. Priority 3 covers products that are less likely to be targeted and have little history of previously exploited vulnerabilities. While not urgent, these four product updates should be resolved in a reasonable timeframe. The urgent one this month is the Adobe Acrobat and Reader update (APSB21-51), which resolves 19 CVEs, 14 of which are rated as Critical. The Priority set by Adobe on this update is Priority 2. Three of the Critical CVEs are rated as 8.8 CVSSv3 and if exploited could allow remote code execution. While none of the CVEs are known to be exploited, Acrobat and Reader are more widely available on systems for a threat actor to target.

 

Mozilla released updates for Firefox and Firefox ESR including fixes for 9 CVEs. Mozilla rates five of the CVEs as High impact. More details can be found in MFSA2021-28.

 

Recommended Priorities:

  • The top priority this month is the Windows OS update. Three additional Zero Day vulnerabilities are being resolved, and for those who have not yet deployed the out-of-band PrintNightmare fix, that would make four Zero Days along with three publicly disclosed vulnerabilities.
  • Microsoft Exchange has two publicly disclosed vulnerabilities and CVE-2021-31206, which was first made known as part of the Pwn2Own contest a few months back. So while Exchange has had a short reprieve after some hard back-to-back months of updates, this one should be investigated and resolved as soon as practical.
  • Third Party Updates for Adobe Acrobat and Reader, and Mozilla Firefox should be a priority. PDF and browser applications are easy targets for attackers, who exploit users through phishing and other user-targeted methods.

 
