THE THREAT
On May 11th, 2021, Microsoft released scheduled security patches for fifty-five separate vulnerabilities impacting a variety of Microsoft products [1]. Four vulnerabilities (CVE-2021-31166, CVE-2021-26419, CVE-2021-28476, CVE-2021-31194) are tracked as critical and should be immediate priority for patching. Additionally, Microsoft announced a high impact vulnerability (CVE-2021-31207) affecting on premises Microsoft Exchange servers that may allow threat actors to bypass Microsoft security features.
At this time, there is no indication that any of the vulnerabilities from this month’s release have been exploited in attacks in the wild. Organizations are strongly recommended to review Microsoft’s Patch Tuesday release and apply the available security patches.
What we’re doing about it
- MVS will automatically add the relevant plugins for these vulnerabilities once details are made available
- eSentire security teams continue to track these vulnerabilities for additional information and detection measures
What you should do about it
- After performing a business impact review, apply the relevant security patches provided by Microsoft
Additional information
CVE-2021-31166 (CVSS: 9.8): HTTP Protocol Stack Remote Code Execution Vulnerability
- This vulnerability impacts Windows Server versions 20H2 and 2004, as well as multiple versions of Windows 10. An unauthenticated attacker may exploit this vulnerability via a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack, resulting in code execution on the vulnerable device. CVE-2021-31166 is especially concerning as it is considered to be wormable, meaning an attacker could create malicious software that automatically propagates between vulnerable systems.
CVE-2021-26419 (CVSS: 7.5): Scripting Engine Memory Corruption Vulnerability
- CVE-2021-26419 impacts Internet Explorer versions 9 and 11. In an attack scenario, a remote and unauthenticated attacker could host a malicious website and trick end users into visiting the malicious page. If visited via a vulnerable Internet Explorer browser, the attacker can execute malicious code on the victim device. Microsoft has stated that Proof-of-Concept (PoC) exploit code exists but is not publicly available at this time.
CVE-2021-28476 (CVSS: 9.9): Hyper-V Remote Code Execution Vulnerability
- This vulnerability impacts multiple versions of Windows 10 and Windows servers and may be exploited to cause either Denial of Service (DoS) or Remote Code Execution (RCE). Exploitation requires prior authentication.
CVE-2021-31194 (CVSS: 8.8): OLE Automation Remote Code Execution Vulnerability
- CVE-2021-31194 impacts multiple versions of Windows 10 and Windows servers. Exploitation may result in remote code execution. Exploitation requires prior authentication.
CVE-2021-31207 (CVSS: 6.6): Microsoft Exchange Server Security Feature Bypass Vulnerability
- This vulnerability was discovered in and reported by a contestant in the 2021 Pwn2Own contest. Microsoft Exchange Server 2019, 2016, and 2013 are impacted. Successful exploitation may allow adversaries to bypass Microsoft security features. Exploitation requires prior authentication.
For additional details and information on the rest of the vulnerabilities covered in the May Patch Tuesday release, please see the full release from Microsoft.
References:
[1] https://msrc.microsoft.com/update-guide/vulnerability
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166
[3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26419
[4] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28476
[5] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31194
[6] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
