Note: This post has been updated to include information on CVE-2021-36958 - Windows Print Spooler Remote Code Execution Vulnerability and is up-to-date as of Thursday, August 12, 2021.
Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
August 2021 Overview
Eric Feldman - General Overview
Fortunately, it was a lighter month than usual with only 51 vulnerabilities addressed from Microsoft, 7 of which are rated as critical, and only 1 being actively exploited in the wild. This represents a 56% reduction in overall vulnerabilities from July, and 33% fewer vulnerabilities on average for each month so far this year. We have also seen a similar reduction in critical vulnerabilities this month, with 30% less compared to the monthly average.
We reported on 7/23/2021 about the Windows HiveNightmare (SeriousSAM) Vulnerability that is easily exploitable and impacts Windows 10 build 1809 and up and has no current patch. Until a fix is released, Microsoft has advised administrators to employ two workarounds for risk mitigation that is outlined in our blog.
This month's vulnerabilities seem to follow a trend, impacting components in Microsoft Windows that perform network communications, internet connections, printing, file repair, and remote connections. Several of these components have had a number of vulnerabilities reported so far this year. As the summer begins to wind down, returning to physical offices appears to be less likely for many segments of the workforce. The trend is that remote work is here to stay, making the prioritization of patching these components all the more vital.
Peter Pflaster - Adobe Overview
Adobe issued just two security bulletins this month for Magento Commerce and Open, as well as Connect. Mercifully, a lighter month compared to July for Adobe products. We’ll highlight the vulnerabilities affecting Magento Commerce and Open, due to the severity of the vulnerabilities. The most serious vulnerabilities include arbitrary code execution and security feature bypass outlined in APSB21-64 affecting Magento Commerce and Open Source versions 2.4.3, 2.4.2-p2 and 2.3.7-p1 on all platforms. A handful of the vulnerabilities sport CVSS scores over 9, so we recommend patching within 72 hours.
Critical Vulnerability Breakdown
Jay Goodman - CVE-2021-26424 - Windows TCP/IP Remote Code Execution Vulnerability - Critical
CVE-2021-26424 is a critical remote code execution vulnerability in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including server flavors. TCP/IP protocol is commonly targeted, making this a highly likely vulnerability to be exploited. The vulnerability can be remotely triggered by a malicious guest sending an ipv6 ping to the host. The adversary could send a specially crafted packet using the TCP/IP Protocol Stack to process the malicious packet. The attack comes from the Hyper-V guest to host, limiting the scope of this attack vector, but making it a viable avenue to move laterally across an environment. Remote code execution vulnerabilities are particularly problematic since they enable attackers to run malicious code on the exploited systems. When combined with other vulnerabilities allowing escalation of privileges, attackers can quickly and easily take full control of the target system and use it to either exfiltrate data or move laterally within the organization’s infrastructure.
Aleks Haugom - CVE-2021-26432 - Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability - Critical
CVE-2021-26432 is a critical, remote code execution vulnerability with way too many acronyms. To break it down; Network File System (NFS), Open Network Computing Remote Procedure Call (ONCRPC), External Data Representation (XCR). Acronyms aside, this vulnerability is more likely to be exploited given its low complexity status and that it does not require privileges or user interaction. Exploitation results in total loss of confidentiality across all devices managed by the same security authority. Furthermore, attackers can utilize it for denial of service attacks or to maliciously modify files. So far, no further details have been divulged by Microsoft or the security researcher (Liubenjin from Codesafe Team of Legendsec at Qi'anxin Group) that discovered this vulnerability. Given the broad potential impact, its label “exploitation more likely” and apparent secrecy, patching should be completed asap.
Chris Hass - CVE-2021-34480 - Scripting Engine Memory Corruption Vulnerability - Critical
CVE-2021-34480 is a scripting engine memory corruption remote code execution vulnerability. The vulnerability is in how Microsoft’s scripting engine handles objects in memory and can lead to remote code execution.This vulnerability is bound to the network stack, and requires user interaction to take advantage of a vulnerable system, which include versions of Windows all the way back to Windows 7. Using a web-based attack or a malicious file, such as a malicious landing page or phishing email, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights.
Justin Knapp - CVE-2021-34530 - Windows Graphics Component Remote Code Execution Vulnerability - Critical
CVE-2021-34530 is a Critical Remote Code Execution (RCE) vulnerability within the Windows Graphic Component that introduces a potential avenue for attackers to remotely execute malicious code in the context of the current user. The Windows Graphics Component has already seen multiple security fixes this year that address a range of Elevation of Privilege and RCE vulnerabilities. Even though successful exploitation of this newest vulnerability requires a low level of attack complexity, an attacker would need to find a way to bait the user into opening a specially crafted file. While exploitation is less likely, Automox recommends immediately patching all critical vulnerabilities within a 72 hour window and ensuring that previous vulnerabilities affecting the same component have been sufficiently addressed.
Peter Pflaster - CVE-2021-34534 - Windows MSHTML Platform Remote Code Execution Vulnerability - Critical
CVE-2021-34534 is a critical remote code execution vulnerability affecting the Windows MSHTML platform, also known as Trident. Trident is the rendering engine (mshtml.dll) used by Internet Explorer and succeeded by EdgeHTML (EdgeHTML.dll), the engine for the new(ish) Microsoft Edge browser. Many businesses still use Internet Explorer for compatibility reasons, so the vulnerability is important to patch and likely affects a large set of users. Sporting a CVSS:3.0 of 6.8/5.9, the vulnerability is critical and affects many Windows 10 versions (1607, 1809,1909, 2004, 20H2, 21H1) as well as Windows Server 2016 and 2019. To exploit, a threat actor would need to pull off a highly complex attack with user interaction - still entirely possible with the sophisticated attackers of today - so what we’re saying is, you should patch this.
Eric Feldman - CVE-2021-34535 - Remote Desktop Client Remote Code Execution Vulnerability - Critical
CVE-2021-34535 is a critical remote code execution vulnerability that impacts the Microsoft Remote Desktop Client. Microsoft Remote Desktop clients let you use and control a remote PC just as you would a physical PC, including using applications and accessing files and network resources. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client, install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. Due to the prevalence of Remote Desktop Clients in Microsoft Windows, Automox recommends prioritization in applying this patch.
Chad McNaughton - CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability - Critical
Is your Windows print spooler running? If so, you’d better go catch it...and immediately patch it! CVE-2021-36936 is a low-privilege/low-complexity, network-level remote code execution (RCE) vulnerability that requires no user interaction. Exploiting this vulnerability would allow an attacker to execute remote code on the targeted Windows device. Another point of note: by this time in the vulnerability’s lifecycle, the exploit-level of the remote-code maturity is fully-functional. Microsoft has released official remediation, as this has been a widely-disclosed vulnerability, which in some cases makes exploitation less likely. Between the publicity and the official Microsoft solution, CVE-2021-36936 may still be a critical vulnerability, however, there are remediation steps to take. If you haven’t already done so, your Windows Print Spooler should be patched within the next 72hrs.
Jay Goodman - CVE-2021-36958 - Windows Print Spooler Remote Code Execution Vulnerability
Microsoft announced a late addition to the Patch Tuesday workload on Wednesday with CVE-2021-36958, an important vulnerability discovered in the Windows Printer Spooler that could allow remote code execution. The vulnerability exists when the Windows Print Spooler service improperly performs file operations. An adversary could run arbitrary code with system level privileges in a successful attack. This would allow the attacker to install programs, manipulate data, or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service. Due to the number of Printer Spooler related issues recently, it is no surprise that Microsoft released this guidance without an associated patch to fully remediate to fully address the vulnerability.
Jay Goodman - CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability - High and Exploited
CVE-2021-36948 is an important privilege escalation vulnerability in the Windows Update Medic Service. The vulnerability is in Windows 10 and Server 2019 and newer operating systems with the Update Medic Service. Update Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates. The exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversaries toolbox. This particular vulnerability has been seen exploited in the wild and it is crucial that organizations move quickly to patch and remediate this vulnerability.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.