VERT Threat Alert: June 2021 Patch Tuesday Analysis | The State of Security
Today’s VERT Alert addresses Microsoft’s June 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-947 on Wednesday, June 9th.
In-The-Wild & Disclosed CVEs
CVE-2021-31955
This is one of two vulnerabilities fixed in today’s patch drop which were reported by Kaspersky Lab after detecting exploitation by threat actor PuzzleMaker. This Windows Kernel Information Disclosure could allow an attacker to read kernel memory via a user mode process via a vulnerable function call related to SuperFetch. The vulnerability in ntoskrnl.exe has been exploited in the wild.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-31956
This is the second of two vulnerabilities fixed in today’s patch drop which were reported by Kaspersky Lab after detecting exploitation by threat actor PuzzleMaker. This vulnerability requires that an authenticated user execute code locally in order to exploit a heap-based buffer overflow in NTFS (ntfs.sys) that will allow for privilege escalation.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-33739
This CVE describes a publicly disclosed and exploited vulnerability in Desktop Window Manager (DWM) Core that could lead to privilege escalation via the execution of a malicious script or executable by an authenticated user.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-33742
Google’s Threat Analysis Group (TAG) reported this vulnerability in MSHTML that has been exploited in the wild to Microsoft. Microsoft has included an important to read FAQ entry on this vulnerability. They note that while Internet Explorer 11 is being retired on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying technology – MSHTML, EdgeHTML, and scripting platforms – are still supported. You can read more on the retirement in this Microsoft FAQ published last month. According to a tweet from Shane Huntley, this appears to be “a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting”
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-31201
This is the first of two vulnerabilities related to Adobe’s APSB21-29 security bulletin. A privilege escalation exists within the Microsoft Enhanced Cryptographic Provider that has been publicly exploited. Microsoft has indicate that you must install the June patch bundle in order to be protected against all three CVEs.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-31199
This is the second of two vulnerabilities related to Adobe’s APSB21-29 security bulletin. A privilege escalation exists within the Microsoft Enhanced Cryptographic Provider that has been publicly exploited. Microsoft has indicate that you must install the June patch bundle in order to be protected against all three CVEs.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-31968
This vulnerability has been disclosed but not publicly exploited and could allow a remote, unauthenticated attacker to perform a denial of service against Windows Remote Desktop Services.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
| Tag | CVE Count | CVEs |
| Windows DCOM Server | 1 | CVE-2021-26414 |
| .NET Core & Visual Studio | 1 | CVE-2021-31957 |
| Visual Studio Code – Kubernetes Tools | 1 | CVE-2021-31938 |
| Windows Bind Filter Driver | 1 | CVE-2021-31960 |
| Windows Cryptographic Services | 2 | CVE-2021-31199, CVE-2021-31201 |
| Windows Installer | 1 | CVE-2021-31973 |
| Windows Common Log File System Driver | 1 | CVE-2021-31954 |
| Windows Network File System | 3 | CVE-2021-31974, CVE-2021-31975, CVE-2021-31976 |
| Microsoft Scripting Engine | 1 | CVE-2021-31959 |
| Microsoft Office SharePoint | 7 | CVE-2021-26420, CVE-2021-31963, CVE-2021-31964, CVE-2021-31965, CVE-2021-31966, CVE-2021-31948, CVE-2021-31950 |
| Microsoft Windows Codecs Library | 1 | CVE-2021-31967 |
| Microsoft Office Excel | 1 | CVE-2021-31939 |
| 3D Viewer | 3 | CVE-2021-31942, CVE-2021-31943, CVE-2021-31944 |
| Windows Kernel | 2 | CVE-2021-31951, CVE-2021-31955 |
| Role: Hyper-V | 1 | CVE-2021-31977 |
| Paint 3D | 3 | CVE-2021-31945, CVE-2021-31946, CVE-2021-31983 |
| Microsoft DWM Core Library | 1 | CVE-2021-33739 |
| Microsoft Office | 2 | CVE-2021-31940, CVE-2021-31941 |
| Windows Defender | 2 | CVE-2021-31978, CVE-2021-31985 |
| Windows Remote Desktop | 1 | CVE-2021-31968 |
| Windows NTLM | 1 | CVE-2021-31958 |
| Windows MSHTML Platform | 1 | CVE-2021-33742 |
| Windows Event Logging Service | 1 | CVE-2021-31972 |
| Windows Filter Manager | 1 | CVE-2021-31953 |
| Windows Drivers | 1 | CVE-2021-31969 |
| Microsoft Office Outlook | 1 | CVE-2021-31949 |
| Windows TCP/IP | 1 | CVE-2021-31970 |
| Windows Kerberos | 1 | CVE-2021-31962 |
| Windows Kernel-Mode Drivers | 1 | CVE-2021-31952 |
| Windows Print Spooler Components | 1 | CVE-2021-1675 |
| Windows HTML Platform | 1 | CVE-2021-31971 |
| Microsoft Edge (Chromium-based) | 1 | CVE-2021-33741 |
| Microsoft Intune | 1 | CVE-2021-31980 |
| Windows NTFS | 1 | CVE-2021-31956 |
Other Information
There were no advisories included in the June Security Guidance.
