Patch Tuesday, May 2021: Microsoft Delivers 55 Fixes, Patches Four Critical Bugs and Three Zero-Day Vulnerabilities
Patch Tuesday, May 2021: Highlights
With May’s patching round just about over, Microsoft has resolved 55 common vulnerabilities and exposures (CVEs), four of them rated critical. May’s Patch Tuesday rollout also included three zero-day vulnerabilities. Microsoft stated that the closed zero-days have yet to be exploited, but the investigation has yet to reach a (positive) conclusion in that regard. The discovered and fixed vulnerabilities are CVE-2021-31204 (.NET & Visual Studio privilege elevation), CVE-2021-31207 (Microsoft Exchange Server bypass vulnerability), CVE-2021-31200 (RCE in Common Utilities), and CVE-2021-31166 (RCE in HTTP Protocol Stack).
Microsoft’s May Patch Tuesday fixed 55 common and uncommon vulnerabilities. The fixes cover Hyper-V, Internet Explorer, HTTP.sys, Microsoft Graphics Component, the Office suite (i.e., Access, Excel, SharePoint, Word), Microsoft Projected File System FS Filter, RDP Client, SMB, Accessibility Insights for Web, and more. The full list of fixes can be found on Microsoft’s Security Update Guide website. All fixes rolled out as part of the May security rollout impact Windows 10 (i.e., version 1909, Windows Server v.1909, version 1809, Windows Server 2019, Win 10 v.2004, Win Server v.2004, Win10 20H2, Win Server v.20H2, Win10 v.1607, Win Server 2016), Windows Server 2012, Win 8.1, Win Server 2012 R2, Win Server 2008 SP2, Win 7 SP1, Win Server 2008 R2, and Exchange Server, versions 2013 through 2019.
As indicated in the introduction, Microsoft has identified and patched zero-day vulnerabilities. No word yet on exploitation status, but research indicates that no threat actor has made use of these vectors. Below, you will find the summarized CVEs and Microsoft-prescribed mitigations.
CVE-2021-31204 – .NET & Visual Studio Privilege Elevation
The identified bug leverages a vulnerability in .NET’s and Visual Studio’s privilege elevation mechanisms, possibly granting the attacker administrator or SYSTEM-type privileges. The attack vector is local- or remote-based only, with no network component involved. In theory, privilege elevation can also be achieved via user interaction, whereby a malicious actor illicitly obtains a user’s credentials by tricking him/her into opening a malicious attachment. No alternative mitigations are available; the only fix is to apply the vendor’s solution.
CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
The third-party-identified Microsoft Exchange Server bug leverages a pre-existing Microsoft Exchange Server vulnerability for the purpose of bypassing security features and access control. The vulnerability was proven, yet the exploitation code has not been released. The network is used as the main attack vector. Given the attack’s complexity, the threat actor would require higher privileges in order to abuse the vulnerability. No alternative mitigations are available. The issue is covered by Microsoft’s latest cumulative security updates.
CVE-2021-31200 – Common Utilities Remote Code Execution
A vulnerability discovered in Common Utilities could have facilitated remote code execution for persistence, lateral movement, and data exfiltration purposes. Since it’s an RCE-based attack, the network is the likely entry point. Higher privileges are required to trigger actions on targets associated with CVE-2021-31200, privileges obtainable through phishing or other means. No alternative mitigations are available at this time. Microsoft’s latest updates thoroughly cover this vulnerability.
CVE-2021-31166 – HTTP Protocol Stack Remote Code Execution Vulnerability
On the more exotic side, we have CVE-2021-31166, a bug in the HTTP Protocol Stack. According to Microsoft, threat actors can leverage this vulnerability in order to execute malicious remote code with kernel-type privileges by sending crafted network packets to the target server. What makes this exploit even more dangerous is that the attacker does not need to be authenticated to trigger the anomalous server response. No alternative mitigations are available, but CVE-2021-31166 is covered by Microsoft’s latest updates.
Other (patched) vulnerabilities of note:
- CVE-2020-24589 – Windows Wireless Networking Information Disclosure Vulnerability – allows an attacker to ‘see’ the contents of encrypted wireless network packets.
- CVE-2021-27068 – Visual Studio Remote Code Execution Vulnerability – allows an attacker to trigger remote malicious code execution by eliciting an anomalous response in Visual Studio 2019.
- CVE-2021-28476 – Hyper-V Remote Code Execution vulnerability. The attacker might be able to trigger malicious code execution remotely by enforcing a Hyper-V-level debugging session.
Additional cybersecurity tips & references
Here are some additional cybersecurity tips that will help you increase overall security.
- Timely patch/update deployment. Official patches, hotfixes, and cumulative security updates should be delivered and applied as soon as possible. If your organization’s running WSUS, SCCM, or similar tools, you may want to configure deployment & delivery for all time zones.
- Automatic patch management. The patch-deployment process can be fast-tracked using automatic tools such as Heimdal™ Patch & Asset Management. Such a set-and-forget solution comes with multiple user- and admin-oriented features such as advanced update scheduling, silent background installation, the ability to deploy multiple types of updates & patches (e.g., Microsoft, 3rd party, or in-house), forced rebooting, and more.
- Last Patch Tuesday article.
- Asset Management FAQ article.
- Basics of asset management.
- Asset management tools.
Patch Tuesday, May 2021 fixed 55 Microsoft vulnerabilities, including three zero-days, one vulnerability labeled as ‘critical’, and delivered various other fixes and improvements.