Microsoft’s August 2021 Patch Tuesday addressed a smaller set of bugs than usual, including more Print Spooler issues, a zero-day and seven critical vulnerabilities.
Microsoft has patched 51 security vulnerabilities in its scheduled August Patch Tuesday update, including seven critical bugs, two issues that were publicly disclosed but unpatched until now, and one that is listed as a zero-day that has been exploited in the wild.
Of note, there are 17 elevation-of-privilege (EoP) vulnerabilities, 13 remote code-execution (RCE) issues, eight information-disclosure flaws and two denial-of-service (DoS) bugs.
The update also includes patches for three more Print Spooler bugs, familiar from the PrintNightmare saga.
“Fortunately, it was a lighter month than usual,” said Eric Feldman, senior product marketing manager at Automox, in a Patch Tuesday analysis from the vendor. “This represents a 56 percent reduction in overall vulnerabilities from July, and 33 percent fewer vulnerabilities on average per month so far this year. We have also seen a similar reduction in critical vulnerabilities this month, with 30 percent fewer compared to the monthly average.”
Windows Critical Security Vulnerabilities
The seven critical bugs addressed in August are as follows:
- CVE-2021-26424 – Windows TCP/IP RCE Vulnerability
- CVE-2021-26432 – Windows Services for NFS ONCRPC XDR Driver RCE Vulnerability
- CVE-2021-34480 – Scripting Engine Memory Corruption Vulnerability
- CVE-2021-34530 – Windows Graphics Component RCE Vulnerability
- CVE-2021-34534 – Windows MSHTML Platform RCE Vulnerability
- CVE-2021-34535 – Remote Desktop Client RCE Vulnerability
- CVE-2021-36936 – Windows Print Spooler RCE Vulnerability
The bug tracked as CVE-2021-26424 exists in the TCP/IP protocol stack found in Windows 7 and newer Microsoft operating systems, including servers.
“Despite its CVSS rating of 9.9, this might prove to be a trivial bug, but it is still intriguing,” said Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) in his Tuesday analysis. “An attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable class. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. Though not wormable, it’s still neat to see new bugs in new scenarios being found in protocols that have been around for years.”
The next bug, CVE-2021-26432 in Windows Services for NFS, is more likely to be exploited given its low-complexity status, according to Microsoft’s advisory; it doesn’t require privileges or user interaction to exploit, but Microsoft offered no further details.
“This may fall into the ‘wormable’ category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) includes an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface,” Childs said. “That definitely sounds like elevated code on a listening network service. Don’t ignore this patch.”
Aleks Haugom, product marketing manager at Automox, added, “Exploitation results in total loss of confidentiality across all devices managed by the same security authority. Furthermore, attackers can leverage it for denial-of-service attacks or to maliciously modify files. So far, no further details have been divulged by Microsoft or the security researcher (Liubenjin from Codesafe Team of Legendsec at Qi’anxin Group) that discovered this vulnerability. Given the broad potential impact, its label ‘Exploitation More Likely’ and apparent secrecy, patching should be done ASAP.”
Meanwhile, the memory-corruption bug (CVE-2021-34480) arises from how the scripting engine handles objects in memory, and it also allows RCE. Using a web-based attack or a malicious file, such as a malicious landing page or phishing email, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights.
“CVE-2021-34480 should also be a priority,” Kevin Breen, director of cyber-threat research at Immersive Labs, told Threatpost. “It is a low score in terms of CVSS, coming in at 6.8, but has been marked by Microsoft as ‘Exploitation More Likely’ because it is the type of attack commonly used to increase the success rate of spear-phishing attacks to gain network access. Simple, but effective.”
The Windows Graphics Component bug (CVE-2021-34530) allows attackers to remotely execute malicious code in the context of the current user, according to Microsoft – if they can social-engineer a target into opening a specially crafted file.
Another bug exists in the Windows MSHTML platform, also known as Trident (CVE-2021-34534). Trident is the rendering engine (mshtml.dll) used by Internet Explorer. The bug affects several Windows 10 versions (1607, 1809, 1909, 2004, 20H2, 21H1) as well as Windows Server 2016 and 2019.
But although it potentially affects a large number of users, exploitation is not trivial.
“To exploit, a threat actor would need to pull off a highly complex attack with user interaction – still entirely feasible with the sophisticated attackers of today,” said Peter Pflaster, technical product marketing manager at Automox.
The bug tracked as CVE-2021-34535 affects the Microsoft Remote Desktop Client, Microsoft’s nearly ubiquitous utility for connecting to remote PCs.
“With today’s highly distributed workforce, CVE-2021-34535, an RCE vulnerability in Remote Desktop Clients, should be a priority patch,” said Breen. “Attackers increasingly use RDP access as the tip of the spear to gain network access, often combining it with privilege escalation to move laterally. These can be highly effective as, depending on the method, it may allow the attacker to authenticate in the network in the same way a user would, making detection difficult.”
It is not as dangerous a bug as BlueKeep, which also affected RDP, according to Childs.
“Before you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server,” he said. “However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.”
Windows Print Spooler Bugs – Again
The final critical bug is CVE-2021-36936, a Windows Print Spooler RCE bug that’s listed as publicly known.
Print Spooler made headlines last month, when Microsoft patched what it thought was a minor elevation-of-privilege vulnerability in the service (CVE-2021-1675). But the listing was updated later in the week, after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE – requiring a new patch.
It also disclosed a second bug, related to PrintNightmare (CVE-2021-34527), and a third, an EoP issue (CVE-2021-34481).
“Another month, another remote code-execution bug in the Print Spooler,” said ZDI’s Childs. “This bug is listed as publicly known, but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print-spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this critical-rated bug.”
The critical vulnerability is just one of three Print Spooler issues in the August Patch Tuesday release.
“The specter of the PrintNightmare continues to haunt this Patch Tuesday with three more print spooler vulnerabilities, CVE-2021-36947, CVE-2021-36936 and CVE-2021-34481,” said Breen. “All three are listed as RCE over the network, requiring a low level of access, similar to PrintNightmare. Microsoft has marked these as ‘Exploitation More Likely’ which, if the previous pace of POC code being published is anything to go by, is certainly accurate.”
RCE Zero-Working day in Windows Update Medic Provider
The actively exploited bug is tracked as CVE-2021-36948 and is rated as crucial it could pave the way for RCE by way of the Windows Update Medic Support in Windows 10 and Server 2019 and newer working systems.
“Update Medic is a new services that makes it possible for customers to repair service Windows Update factors from a ruined state such that the unit can continue to obtain updates,” Automox’ Jay Goodman explained. “The exploit is the two minimal complexity and can be exploited without having consumer interaction, generating this an quick vulnerability to include in an adversary’s toolbox.”
Immersive’s Breen additional, “CVE-2021-36948 is a privilege-escalation vulnerability – the cornerstone of modern day intrusions as they make it possible for attackers the level of accessibility to do things like hide their tracks and develop user accounts. In the situation of ransomware attacks, they have also been made use of to make sure greatest problems.”
Although the bug is currently being noted as getting exploited in the wild by Microsoft, exercise appears to stay confined or focused: “We have witnessed no proof of it at Kenna Security at this time,” Jerry Gamblin, director of security investigation at Kenna Security (now part of Cisco) explained to Threatpost.
Publicly Known Windows LSA Spoofing Bug
The second publicly known bug (following the Print Spooler issue covered earlier) is tracked as CVE-2021-36942, and it’s an important-rated Windows LSA (Local Security Authority) spoofing vulnerability.
“It fixes a flaw that could be used to steal NTLM hashes from a domain controller or other vulnerable host,” Immersive’s Breen said. “These types of attacks are well known for lateral movement and privilege escalation, as has been demonstrated recently by a new exploit called PetitPotam. It is a post-intrusion exploit – further down the attack chain – but still a useful tool for attackers.”
Childs offered a bit of context around the bug.
“Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface,” he said. “This will affect some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue.”
Microsoft’s next Patch Tuesday will fall on September 14.