Yesterday was one of our favorite days of the month: Patch Tuesday. On this particular Patch Tuesday, which came a week after an out-of-band Exchange release, Microsoft fixed 82 CVEs, 10 of which were deemed 'critical' and four of which are actively being exploited in the wild.
This is what stood out to us:
CVE-2021-26411
Internet Explorer is being exploited in the wild, so this should be top of the list to patch. There is a social engineering element at play here, as an attacker would have to trick a user into visiting a site they control using, for example, a spear-phishing or malvertising campaign.
This affects both the older versions like IE11 (which should be put out to pasture) and the newer EdgeHTML-based versions.
This kind of exploit would give the attacker the same operating system permissions as the user visiting the website. So if you're browsing the internet as a standard user, the attacker will get user level access to your filesystem and limited access to the operating system. If you are browsing the internet as an admin, the attackers will get full unrestricted access to your filesystem and the operating system. This is why least privilege accounts and not browsing the internet as an admin is so vital to staying secure.
Local privilege escalation vulnerabilities
There are a lot of local privilege escalation (LPE) vulnerabilities patched as part of this release that affect a full range of MS products. These are just as important to patch as remote code execution (RCE) vulnerabilities. Attackers will almost always try to escalate permissions when they gain access to a compromised host. Gaining system-level access means they can run credential dumping tools like Mimikatz that will allow further exploitation and lateral movement across a network. An attacker can make use of LPE even if there is no initial vulnerability that was used to gain remote code execution. More traditional vectors like weaponized documents can be paired with an LPE to devastating effect by a well trained attacker.
Windows Graphics Components
Windows Graphics Components has several patches for privilege escalation and remote code execution. This is not the first time we have seen patches for this area of the operating system, but the interesting thing for me is how Microsoft determines ‘exploitability’ – this is where the MS notes get confusing:
Windows Graphics Component Remote Code Execution Vulnerability
- CVE-2021-26861 CVSS score of 6.8 ‘Exploitation less likely’
Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2021-26868 CVSS score of 6.8 ‘Exploitation more likely’
How do they assess the likelihood of the exploitation? The complexity ratings for both CVE-2021-26868 and CVE-2021-26861 are identical, as are the CVSS scores. What makes an attacker more likely to use a local exploit over a remote exploit? We can only assume that Microsoft has more detailed information that they won’t make public to make these decisions.
CVE-2021-27076 – Remote Code Execution SharePoint Server
This is listed as ‘exploitation more likely’ and suggests that an attacker can exploit the server to gain code execution over the network; however, the attacker would need to have ‘privileges’. The advisory states that a user would need the ability to create a site so this should reduce the number of accounts that could exploit this vulnerability. This again raises the importance of least privilege accounts. If a user doesn’t need permissions, don’t let them have them. This can be the difference between exploit attempt and exploit success while you wait to patch.
CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability
Another DNS vulnerability! It was only a few weeks ago that the proof of concept code for SIGRed – another RCE in DNS – was made public.
This is also listed as ‘exploitation more likely’, but as we saw with the SIGRed, there was a large time gap between the patches being made public and the exploit code entering the public domain. This means it can be hard to judge the exploitability based solely on Microsoft’s decision.
These attacks are not limited to external attackers – they also become a target for attackers who may already be inside your network. An attacker gaining access to manipulate a DNS server within your organization can have a significant impact on your overall security. Changing the hostnames and IPs for legitimate web portals like outlook web access or internal platforms like SAP could enable the attacker to steal legitimate credentials.
Zero-day exploits in Exchange Server
While not a part of the official Patch Tuesday release, it would be remiss of me to not mention the zero-day exploits in Exchange Server. Reported in December 2020, they were originally due to be released in this patch cycle, but were released a week early in an out-of-band update when Windows were made aware of public exploitation.
Final Thoughts
As always, do not delay patching your services. Understand your own networks and OS configurations so you can make an informed decision based on your knowledge of your networks tempered by the information made available by Microsoft.
If patching a system or set of systems is going to take longer than you would like, consider any mitigations that have been provided by Microsoft or that you can apply yourself like account and traffic restrictions.
We'll see you next Patch Tuesday!
Kev Breen
Director of Cyber Threat Research, Immersive Labs
@kevthehermit
Security bulletin: https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar
Full list:
https://msrc.microsoft.com/update-guide/