Yesterday Microsoft patched 56 vulnerabilities as part of Patch Tuesday, 11 of which are critical, with one being exploited in the wild.
Keen to understand what this means for security people and engineers, our Labs team took a quick look at some of the most interesting ones to understand what they mean for organizations:
CVE-2021-24094 would be an obvious target because it affects a network stack, which typically operates with system level permissions and could therefore be used by an attacker to gain a system shell. As an IPV6 Link local attack, it would require the threat actor to already have a foothold in your network, but could, for example, ultimately lead to a high level of access on domain controllers. This vulnerability would be most dangerous to those who operate a flat network. Segmentation will help with mitigation.
CVE-2021-24078 targets Windows hosts running DNS. If exploited, an attacker could steal a lot of data by essentially altering the destination for organizational traffic; for example, by pointing internal appliances or Outlook Web Access at a malicious server.
The one listed by Microsoft as being exploited in the wild is CVE-2021-1732, a Local Privilege Escalation affecting Windows 10. It is not clear where it is being exploited; however, an attacker must already have user access on the host.
CVE-2021-24077 is arguably the outlier because it targets Windows Fax Service. I am very curious to know if any attackers have used Fax as an attack vector. To exploit this would require the service to be up and running, which is not likely to be very common nowadays.
There is a trio of Windows TCP/IP Remote Code Execution vulnerabilities in CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086 that affect any user and server devices exposed to the internet. These should be patched immediately. However, the release notes indicate that the exploit is ‘complex’, which means attempted attacks may cause systems to crash, giving it the potential to be used in a DOS attack.
Finally, something which could be of concern to consumer Internet users is CVE-2021-24093, an RCE in Windows Graphics Component. This is the kind of vulnerability built into exploit kits and triggered by low level phishing campaigns targeting users en masse.
As always, people should patch as soon as possible. If they are unable to update immediately, they should use the workarounds provided to mitigate exposure.
10 February 2021
Director of Cyber Threat Research,
Latest Blog posts
Patch Newsday: 14 September 2021 – Lousy Browsers and Arsey RCEs
15 September 2021
Analyzing the CVE-2021-40444 exploit
13 September 2021
Take the power back: Tool-up against a notorious global threat group with our new FIN7 series
13 September 2021
Episode 44: Rotten Apple or Privacy Nuts?
2 September 2021
Patch Newsday 10 August: Ironic exploitation and the spectre of PrintNightmare
10 August 2021
Kaseya supply chain attack: Prepare to respond with the Cyber Crisis Simulator
27 July 2021