Let’s dive straight in, shall we?
First up, I should give some airtime to the printer in the room. CVE-2021-34527 or PrintNightmare was initially confused with CVE-2021-1675, which was very closely related but didn’t have the same impact as the revised CVE. It picked up a lot of attention and was patched out-of-band in early July before the Patch Tuesday release. It is pretty bad, but as we covered it in one of our recent episodes of Cyber Humanity, I'm not going to go over it again here. Still, it’s worth noting that there were some potential methods to bypass the patch for local privilege escalation, so check your exposure again.
Moving on from PrintNightmare, there are three CVEs being flagged as exploited in the wild, so let’s take a look at these first.
CVE-2021-34448 – Scripting Engine Memory Corruption Vulnerability
For me, this is the standout vulnerability. The information released by Microsoft suggests that with this vulnerability, an attacker can gain Remote Code Execution on a target host by getting the target to visit a web domain that has been compromised by the attacker.
While this relies on social engineering, attackers have been observed compromising legitimate domains or employing malvertising techniques to exploit these vulnerabilities without relying on users navigating to unknown sites.
We have also seen that modern attackers are more than capable of generating domains that look legitimate with valid TLS certificates and spoofed or cloned content to add an air of authenticity. A single click to visit the domain is all that is required.
The scripting engine is not confined to processing content during web navigation; we often see attackers sending files like .js and .hta in targeted phishing emails. These file types may also trigger this vulnerability.
CVE-2021-33771 & CVE-2021-31979 – Windows Kernel Elevation of Privilege Vulnerability
This pair of privilege escalation vulnerabilities should also be top of the list for patching as they are being actively exploited in the wild. They are both listed as “Local Vector”, meaning the attacker must already have some level of access and this exploit will bump them from user to system or administrator levels.
This escalation pathway can be observed in almost every ransomware attack or compromise that has been reported. After gaining an initial foothold, attackers will almost always try to gain higher levels of access, often creating new accounts for themselves when they do so. As such, auditing account creations and activities will help spot these types of attacks.
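One way to perform the account-creation audit mentioned above, as an added example that is not part of the original post: it reads the Security event log for account creations and privileged-group additions in a given window. It assumes "User Account Management" and "Security Group Management" auditing is enabled and that the session can read the Security log.

```powershell
# Added example: list recent account creations and group-membership additions from
# the Windows Security log, the post-escalation behaviour described above.
# Assumptions: auditing subcategories are enabled; rights to read the Security log.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: query the local host
)

# 4720 = user account created, 4728 = member added to global group,
# 4732 = member added to local group, 4756 = member added to universal group
$ids = 4720, 4728, 4732, 4756
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the EventData block so fields are addressed by name, not position
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($_.Id -eq 4720) {
            $target = $data['TargetUserName']   # the newly created account
            $group  = ''
        } else {
            $target = $data['MemberName']       # the member added (DN or SID)
            $group  = $data['TargetUserName']   # the group it was added to
        }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Actor   = $data['SubjectUserName']  # who performed the action
            Target  = $target
            Group   = $group
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it on a domain controller or a host of interest and review any Actor that is a service or newly seen account, or any addition to Administrators or Domain Admins that does not match a change ticket.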
What else is going on this month?
Stepping away from the known exploits in the wild, there are a lot more patches in this month’s release in comparison to previous months.
There are too many to detail here but we can see three remote code execution vulnerabilities that will be appealing to attackers wanting to compromise an organization:
CVE-2021-34473 affecting Exchange Servers. Based on the details released by Microsoft as part of the advisory, this is a network-based attack that requires no authentication and gains code execution on the target server. As these are typically internet-facing and contain sensitive information for large organizations, any compromise here could have a devastating effect. If an attacker can gain access to your emails, they could act on your behalf, performing password resets for third-party services or, in the case of financially motivated attackers, making requests to finance on behalf of the CEO.
CVE-2021-33780 DNS Server – Based on the details released by Microsoft as part of the advisory, this is a network-based attack that requires no authentication and gains code execution on the target server. The DNS server is vital to security within large organizations running local Active Directory services. If an attacker were able to compromise a DNS server, they could affect the way users interact with internal and possibly external services. Often referred to as DNS hijacking, extreme examples could include modifying the DNS entries for Microsoft’s Office 365 cloud so that when users navigate to the domain they end up on a website controlled by the attacker.
CVE-2021-34467 SharePoint Server – This exploit requires a low level of permissions on the SharePoint server, either standard user “view” accounts or accounts with permissions to update or modify existing content. An attacker could leverage this low level of access to move laterally across the network. If the SharePoint server is being used as an intranet, it could be possible for an attacker to replace legitimate documents with malicious versions that would then end up being opened by users within the organization.
To wrap it all up...
As we have seen with recent zero-day activity, attackers are quick to abuse unpatched services in organizations. Where possible, you should patch quickly and prioritize anything that is actively being exploited.
That being said, patching is a personal affair that is unique to each organization. You know what services exist in your infrastructure, how pivotal they are to business operations, and the level of risk you are willing to accept (if any). Applying patches is not without risk, so if you are updating a critical appliance, ensure you understand the potential impact and whether restarts are required. Ideally, test patches on non-production servers before deploying more widely across the network infrastructure.
Kev Breen,
Director of Cyber Threat Research,
Immersive Labs
@kevthehermit