VERT Threat Alert: July 2021 Patch Tuesday Analysis


Today’s VERT Alert addresses Microsoft’s July 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-954 on Wednesday, July 14th.

In-The-Wild & Disclosed CVEs

CVE-2021-34527

The vulnerability dubbed PrintNightmare was patched out-of-band before Tuesday's patch drop, but it is still worth including here because it generated a good deal of confusion, much of it about which CVE it belongs to. CVE-2021-1675 was patched in June, and the PrintNightmare proof of concept still worked on systems with that update installed. Articles indicated that the June patch was broken or had been bypassed, but Microsoft clarified in the FAQ for CVE-2021-34527 that this is a distinct vulnerability that existed before the June patch, which is why we now have two CVEs and a lot of confusion in discussions around PrintNightmare.

The vulnerability itself allows an authenticated user to execute code as SYSTEM, so there are concerns that it could be incorporated into malware for lateral movement. It is important to note that installing the update is not enough on its own: Point and Print registry settings that allow non-administrators to install printer drivers return a patched system to a vulnerable state, and Microsoft's FAQ for the CVE lists the specific values to check. Additionally, this vulnerability has been publicly disclosed and has been actively exploited.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
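The registry caveat above is easy to miss in a fleet, so here is a check for it. The following PowerShell audit is an added example, not part of the VERT alert and not Microsoft tooling; it assumes an elevated session on the host being checked, and it takes the registry path and the two value names (NoWarningNoElevationOnInstall and UpdatePromptSettings) from Microsoft's FAQ for CVE-2021-34527. It reports the Point and Print override state alongside the Print Spooler service state, since the remote code execution path only exists while the spooler is running.

```powershell
# Added example, not part of the VERT alert: audit whether a host that has the
# July 2021 update still sits in the configuration Microsoft's CVE-2021-34527
# FAQ describes as vulnerable. Run in an elevated PowerShell session on the host.

$pnpPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# The two Point and Print values named in Microsoft's FAQ. Either one set to 1
# lets non-administrators install printer drivers, which puts the host back in
# a vulnerable state even with the update installed. Absent is the secure default.
$riskyValues = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Get-PointAndPrintExposure {
    foreach ($name in $riskyValues) {
        $value = $null
        if (Test-Path -Path $pnpPath) {
            $item  = Get-ItemProperty -Path $pnpPath -Name $name -ErrorAction SilentlyContinue
            $value = $item.$name
        }
        $display = '(not set)'
        if ($null -ne $value) { $display = $value }
        [pscustomobject]@{
            Setting    = $name
            Value      = $display
            Vulnerable = ($value -eq 1)
        }
    }
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Present = $false; Status = 'NotInstalled'; StartType = 'n/a' }
    }
    [pscustomobject]@{ Present = $true; Status = $svc.Status; StartType = $svc.StartType }
}

$exposure = @(Get-PointAndPrintExposure)
$spooler  = Get-SpoolerState

$exposure | Format-Table -AutoSize
$spooler  | Format-Table -AutoSize

$overrides = @($exposure | Where-Object { $_.Vulnerable })
if ($spooler.Status -eq 'Running' -and $overrides.Count -gt 0) {
    Write-Warning ('Spooler is running and {0} is set to 1: host remains exposed to PrintNightmare despite the update.' -f ($overrides.Setting -join ', '))
    # Remediation per the same Microsoft guidance: set both values to 0 (or remove
    # them), and on hosts that do not need to print, stop and disable the service:
    #   Set-ItemProperty -Path $pnpPath -Name NoWarningNoElevationOnInstall -Value 0
    #   Set-ItemProperty -Path $pnpPath -Name UpdatePromptSettings -Value 0
    #   Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled
}
elseif ($spooler.Status -ne 'Running') {
    Write-Host 'Print Spooler is not running; the remote code execution path is closed on this host.'
}
else {
    Write-Host 'No Point and Print override detected; keep the July update applied.'
}
```

The script only reads the registry and service state; the remediation commands are left as comments so it can be run as a read-only audit across a fleet first. Note that Group Policy can re-create these values on the next refresh, so a host that is clean today should be re-checked after policy changes.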

CVE-2021-33771

This CVE describes an actively exploited elevation of privilege vulnerability in the Windows kernel.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-34448

To exploit this memory corruption vulnerability in a scripting engine, an attacker would have to convince a user to visit a malicious page or open a specially crafted file. This vulnerability has seen active exploitation.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-31979

This CVE describes an actively exploited elevation of privilege vulnerability in the Windows kernel.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-34473

This remote code execution vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019 and has been publicly disclosed but is not currently seeing active exploitation. It is important to note that the fix actually shipped in the April patch drop, but the CVE was inadvertently omitted from the April 2021 Security Updates, so organizations that applied the April Exchange security update already have the fix in place.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2021-34492

This publicly disclosed certificate spoofing vulnerability impacts all modern Microsoft platforms.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-34523

This elevation of privilege vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019 and has been publicly disclosed but is not currently seeing active exploitation. As with CVE-2021-34473, the fix actually shipped in the April patch drop, but the CVE was inadvertently omitted from the April 2021 Security Updates, so organizations that applied the April Exchange security update already have the fix in place.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-33779

A publicly disclosed security feature bypass in Windows AD FS is resolved by this update. The vulnerability relates to Primary Refresh Tokens (PRTs) stored in the TPM. These tokens are used for SSO with Azure AD, and prior to this update they were stored with weak encryption, which could allow a malicious administrator to extract and decrypt them.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-33781

A publicly disclosed vulnerability that allows the bypass of an Active Directory security feature is resolved with this update.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While the historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.

Tag (CVE count): CVEs
Windows Installer (3): CVE-2021-31961, CVE-2021-33765, CVE-2021-34511
Windows Partition Management Driver (1): CVE-2021-34493
Windows Remote Assistance (1): CVE-2021-34507
Windows Storage Spaces Controller (6): CVE-2021-33751, CVE-2021-34509, CVE-2021-34460, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513
Microsoft Windows Media Foundation (3): CVE-2021-34441, CVE-2021-34439, CVE-2021-34503
Microsoft Scripting Engine (1): CVE-2021-34448
Microsoft Office SharePoint (5): CVE-2021-34467, CVE-2021-34468, CVE-2021-34519, CVE-2021-34520, CVE-2021-34517
Windows Authenticode (1): CVE-2021-33782
Microsoft Windows Codecs Library (8): CVE-2021-31947, CVE-2021-33740, CVE-2021-33760, CVE-2021-34521, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778
Visual Studio Code (3): CVE-2021-34528, CVE-2021-34479, CVE-2021-34529
Windows Cloud Files Mini Filter Driver (1): CVE-2021-33784
Common Internet File System (1): CVE-2021-34476
Microsoft Office Excel (2): CVE-2021-34501, CVE-2021-34518
Windows Key Distribution Center (1): CVE-2021-33764
Dynamics Business Central Control (1): CVE-2021-34474
Microsoft Graphics Component (5): CVE-2021-34496, CVE-2021-34498, CVE-2021-34438, CVE-2021-34489, CVE-2021-34440
Windows Event Tracing (1): CVE-2021-33774
Windows File History Service (1): CVE-2021-34455
Windows Security Account Manager (1): CVE-2021-33757
Windows Kernel (7): CVE-2021-33771, CVE-2021-34500, CVE-2021-31979, CVE-2021-34458, CVE-2021-34508, CVE-2021-34461, CVE-2021-34514
Role: Hyper-V (3): CVE-2021-33755, CVE-2021-33758, CVE-2021-34450
Windows Remote Access Connection Manager (6): CVE-2021-33761, CVE-2021-33763, CVE-2021-33773, CVE-2021-34445, CVE-2021-34456, CVE-2021-34457
Windows Shell (1): CVE-2021-34454
Microsoft Office (3): CVE-2021-34452, CVE-2021-34469, CVE-2021-34451
Windows Address Book (1): CVE-2021-34504
Active Directory Federation Services (1): CVE-2021-33779
Windows AppContainer (1): CVE-2021-34459
Windows Defender (2): CVE-2021-34464, CVE-2021-34522
Windows Projected File System (1): CVE-2021-33743
Windows Desktop Bridge (1): CVE-2021-33759
Windows AppX Deployment Extensions (1): CVE-2021-34462
Windows Active Directory (1): CVE-2021-33781
Windows Local Security Authority Subsystem Service (2): CVE-2021-33786, CVE-2021-33788
Windows MSHTML Platform (2): CVE-2021-34447, CVE-2021-34497
Microsoft Exchange Server (7): CVE-2021-31196, CVE-2021-31206, CVE-2021-34523, CVE-2021-34473, CVE-2021-33766, CVE-2021-33768, CVE-2021-34470
Power BI (1): CVE-2021-31984
Windows Secure Kernel Mode (1): CVE-2021-33744
Role: DNS Server (10): CVE-2021-33780, CVE-2021-34442, CVE-2021-34444, CVE-2021-34494, CVE-2021-33745, CVE-2021-33749, CVE-2021-33750, CVE-2021-33752, CVE-2021-33756, CVE-2021-34525
Windows Win32K (3): CVE-2021-34491, CVE-2021-34449, CVE-2021-34516
Windows TCP/IP (3): CVE-2021-31183, CVE-2021-33772, CVE-2021-34490
OpenEnclave (1): CVE-2021-33767
Microsoft Bing (1): CVE-2021-33753
Windows Print Spooler Components (1): CVE-2021-34527
Microsoft Windows DNS (3): CVE-2021-34499, CVE-2021-33746, CVE-2021-33754
Windows HTML Platform (1): CVE-2021-34446
Windows Hello (1): CVE-2021-34466
Windows PFX Encryption (1): CVE-2021-34492
Windows AF_UNIX Socket Provider (1): CVE-2021-33785
Visual Studio Code – .NET Runtime (1): CVE-2021-34477
Windows Console Driver (1): CVE-2021-34488
Windows SMB (1): CVE-2021-33783

Other Information

There were updates to two existing advisories in the July security guidance.

Microsoft Guidance for Addressing Security Feature Bypass in GRUB [ADV200011]

Microsoft has updated ADV200011 with details around vulnerabilities that were patched in March related to the "There's a Hole in the Boot" vulnerability, which allowed Secure Boot to be bypassed using GRUB.

Kerberos KDC Security Feature Bypass Vulnerability [CVE-2020-17049]

Microsoft has released version 6 of this advisory because the default setting has now changed to Enforcement mode. All domain controllers are now required to have the December 2020 update installed. The PerformTicketSignature registry setting is now ignored, so Enforcement mode can no longer be overridden. You can find more details in KB4598347.
