Microsoft Patch Tuesday Update - July 2021

Sean Tickle, Head of CyberGuard

The July 2021 Patch Tuesday has delivered 117 security patches for Microsoft products.

13 of the CVEs are rated critical, 6 were publicly known before the release, and 4 of the fixed CVEs were recorded as being actively exploited. Microsoft has also patched 9 zero-day vulnerabilities.

Products impacted by Microsoft's latest security update, issued on July 13 2021, include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows Kernel, and Windows SMB.


Some of the most interesting vulnerabilities resolved in this update are:

  • CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own.
  • CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability, which requires the victim to actively visit a malicious website or click a malicious link.
  • CVE-2021-34494: A Windows DNS Server RCE, albeit restricted to DNS servers only.
  • CVE-2021-34458: A Windows Kernel RCE which could potentially permit a single root input/output virtualization (SR-IOV) device assigned to a guest to tamper with its PCIe associates.

The latest round of patches comes just a week after Microsoft issued an emergency fix to rectify a security flaw nicknamed "PrintNightmare." Tracked under CVE-2021-1675 and CVE-2021-34527, the combination of RCE and a local privilege escalation flaw is already impacting some printers, and exploit code has been released.

In total, four of the vulnerabilities - CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771 - are listed as exploited in the wild.


Here’s a key summary of Patched Zero Day vulnerabilities:

Please be sure to review the ‘Security updates’ section, in the links included below.

Publicly Disclosed – Actively exploited Zero Days

CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability

  • Attack Vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction required: None
  • Exploit Code Maturity: functional
  • Evidence of previous exploit: Yes
  • Publicly disclosed: Yes

What type of information could be disclosed by this vulnerability?

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
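Because the flaw lives in the Print Spooler service, a defender's first question is whether a given host is still exposed and whether Microsoft's published workarounds (stop and disable the spooler, or disable inbound client connections via Group Policy) are in place. The following PowerShell audit script is an added example and not part of the original advisory or Microsoft's own tooling; the function name and the -DisableSpooler switch are this example's own, while the service name and the registry values it reads are those named in Microsoft's guidance for CVE-2021-34527. It is intended to be run from an elevated PowerShell session.

```powershell
<#
  Added example, not part of the original advisory: audit a Windows host's exposure to
  CVE-2021-34527 (PrintNightmare) and, optionally, apply Microsoft's published workaround
  of stopping and disabling the Print Spooler service. The function name and the
  -DisableSpooler switch are this example's own; the service name and registry values
  are those named in Microsoft's guidance for the CVE. Run from an elevated PowerShell.
#>
[CmdletBinding()]
param(
    [switch]$DisableSpooler   # assumed switch: apply the "disable Spooler" workaround
)

function Test-PrintNightmareExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is the Print Spooler service present and running? Hosts that never print
    #    (domain controllers, most servers) can simply disable it.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings.Add('Spooler service not present: not exposed')
        return $findings
    }
    $findings.Add("Spooler service: status=$($spooler.Status), startup=$($spooler.StartType)")

    # 2. Does Group Policy block remote client connections to the spooler?
    #    'Allow Print Spooler to accept client connections' = Disabled writes value 2 here,
    #    which removes the network attack vector while leaving local printing intact.
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    if ($rpc -eq 2) {
        $findings.Add('Remote client connections: disabled by policy')
    } else {
        $findings.Add('Remote client connections: allowed (policy not set or enabled)')
    }

    # 3. Point and Print settings that undermine the July 2021 fix when set to 1.
    $pnpKey = "$printersKey\PointAndPrint"
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = (Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) {
            $findings.Add("$name=1: weakens the fix, set to 0 or remove the value")
        } else {
            $findings.Add("$name not set or 0: OK")
        }
    }
    return $findings
}

# Report first, then optionally remediate. Disabling the spooler stops all printing
# from this host, so only pass -DisableSpooler where printing is not required.
Test-PrintNightmareExposure | ForEach-Object { Write-Output $_ }

if ($DisableSpooler) {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { Stop-Service -Name Spooler -Force }
    if ($svc) { Set-Service -Name Spooler -StartupType Disabled }
    Write-Output 'Spooler stopped and disabled (workaround applied)'
}
```

Run without arguments to get an audit-only report suitable for collection across a fleet; the findings list is returned from the function so it can be piped into a CSV or a ticketing system. The Point and Print checks matter because Microsoft's July 2021 fix is only effective when those two values are absent or 0; an environment that had relaxed them for user convenience stays exploitable even after patching.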

Actively Exploited Windows Vulnerabilities which were not publicly disclosed

CVE-2021-33771 - Windows Kernel Elevation of Privilege Vulnerability

  • Attack Vector: Local
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction required: None
  • Exploit Code Maturity: functional
  • Evidence of previous exploit: Yes
  • Publicly disclosed: No

What type of information could be disclosed by this vulnerability?

This CVE can be utilised by attackers to elevate their permissions in order to perform further exploits and gather information only accessible to privileged users.

CVE-2021-34448 - Scripting Engine Memory Corruption Vulnerability

  • Attack Vector: Network
  • Attack complexity: High
  • Privileges required: None
  • User interaction required: Required
  • Exploit Code Maturity: functional
  • Evidence of previous exploit: Yes
  • Publicly disclosed: No

What type of information could be disclosed by this vulnerability?

This vulnerability can be used either to cause a denial of service or, more commonly for this class of flaw, to carry out a buffer overflow attack.

CVE-2021-31979 - Windows Kernel Elevation of Privilege Vulnerability

  • Attack Vector: Local
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction required: None
  • Exploit Code Maturity: functional
  • Evidence of previous exploit: Yes
  • Publicly disclosed: No

What type of information could be disclosed by this vulnerability?

This CVE can be utilised by attackers to elevate their permissions to perform further exploits and gather information only accessible to privileged users.

Publicly disclosed - Non exploited Zero Day Vulnerabilities

CVE-2021-34492 - Windows Certificate Spoofing Vulnerability

  • Attack Vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction required: Required
  • Exploit Code Maturity: Unproven
  • Evidence of previous exploit: No
  • Publicly disclosed: Yes

What type of information could be disclosed by this vulnerability?

This could be used to evade antivirus software or to trick a user into installing a malicious file.

CVE-2021-34523 - Microsoft Exchange Server Elevation of Privilege Vulnerability

  • Attack Vector: Local
  • Attack complexity: Low
  • Privileges required: None
  • User interaction required: None
  • Exploit Code Maturity: Unproven
  • Evidence of previous exploit: No
  • Publicly disclosed: Yes

What type of information could be disclosed by this vulnerability?

This CVE can be utilised by attackers to elevate their permissions to perform further exploits and gather information only accessible to privileged users.

CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability

  • Attack Vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction required: None
  • Exploit Code Maturity: Unproven
  • Evidence of previous exploit: No
  • Publicly disclosed: Yes

What type of information could be disclosed by this vulnerability?

This CVE would be used to execute code on a Windows Exchange Server. This would allow attackers to expose information or could be used to gain direct access to the server.

CVE-2021-33779 - Windows ADFS Security Feature Bypass Vulnerability

  • Attack Vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction required: None
  • Exploit Code Maturity: Unproven
  • Evidence of previous exploit: No
  • Publicly disclosed: Yes

What type of information could be disclosed by this vulnerability?

This vulnerability relates to Primary Refresh Tokens, which are usually stored in the TPM and are used for single sign-on (SSO) to Azure AD accounts. The tokens are not encrypted strongly enough, and an administrator with access to a vulnerable system could extract and potentially decrypt a token for reuse until it expires or is renewed.

CVE-2021-33781 - Active Directory Security Feature Bypass Vulnerability

  • Attack Vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction required: None
  • Exploit Code Maturity: Unproven
  • Evidence of previous exploit: No
  • Publicly disclosed: Yes

What type of information could be disclosed by this vulnerability?

This update resolves a vulnerability that allows an Active Directory security feature to be bypassed.

Protecting our customers 

As always, CyberGuard remains proactive in creating rules for the above vulnerabilities to safeguard our customers. If you are an OGL patch management customer, these vulnerabilities will already be factored into your patch cycle.

Further information

For a full breakdown of all updates, mitigations, and workarounds, please visit Microsoft’s update guide: July 2021 Security Updates - Release Notes - Security Update Guide - Microsoft


Sources

https://msrc.microsoft.com

https://www.bleepingcomputer.com

https://www.zdnet.com/article/microsoft-july-2021-patch-tuesday-117-vulnerabilities-pwn2own-exchange-server-bug-fixed/

https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/microsoft-releases-july-2021-security-updates

https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html