Threat Response: High risk Windows vulnerabilities

11-02-2021

On Tuesday the 9th of February, Microsoft published security updates for multiple critical vulnerabilities. These vulnerabilities affect the Windows TCP/IP implementation and the Windows DNS server.

Description

The vulnerabilities in the Windows TCP/IP implementation comprise two Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 [1], CVE-2021-24094 [2]) and a Denial of Service (DoS) vulnerability (CVE-2021-24086 [3]). Microsoft indicates on the MSRC blog [4] that the RCE vulnerabilities are complex and aren’t likely to result in a functioning exploit in the short term. Nevertheless, Microsoft expects that attackers will be able to create a DoS exploit for these vulnerabilities in the short term.
Furthermore, there is an RCE vulnerability in the Windows DNS server (CVE-2021-24078 [5]).

Impact

The RCE vulnerabilities enable an attacker to run arbitrary commands on the victim system and thus access any data or functionality on it.

The Denial of Service exploits would enable the attacker to stop the specific service. This may result in a system crash.

The vulnerabilities in the TCP/IP implementation affect all versions of Windows.

Due to the potential for remote code execution, we consider the impact of these vulnerabilities to be high.

Risk

No public exploit code is currently available. Since no credentials are required and the attack could be executed remotely, Northwave considers the risk of these vulnerabilities to be high. Microsoft’s expectation of short-term exploitation is also taken into account.

Mitigation

There are updates available for these vulnerabilities. It is recommended to apply these as soon as possible.

If applying these updates is not possible, Microsoft has published a workaround for the vulnerabilities in the Windows TCP/IP implementation [1][2][3]. This workaround may have a negative effect on the network stack; some packets might be dropped.
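
The following read-only PowerShell audit is an added example, not part of the original advisory or Microsoft's own tooling. It reports whether the TCP/IP workaround settings described in Microsoft's advisories [1][2][3] are in place on a host; the setting names, target values and the function name `Get-TcpIpWorkaroundStatus` are not taken from this page.

```powershell
# Added example: read-only audit of the TCP/IP workaround state on one host.
# Target values follow Microsoft's advisories [1][2][3], not this page:
#   netsh int ipv4 set global sourceroutingbehavior=drop   (CVE-2021-24074)
#   netsh int ipv6 set global reassemblylimit=0            (CVE-2021-24094, CVE-2021-24086)
# Get-TcpIpWorkaroundStatus is a hypothetical helper name.
function Get-TcpIpWorkaroundStatus {
    [CmdletBinding()]
    param()

    # Global protocol settings exposed by the built-in NetTCPIP module.
    $v4 = Get-NetIPv4Protocol
    $v6 = Get-NetIPv6Protocol

    # IPv4: source-routed packets should be dropped rather than handled.
    [pscustomobject]@{
        Cve      = 'CVE-2021-24074'
        Setting  = 'IPv4 SourceRoutingBehavior'
        Current  = [string]$v4.SourceRoutingBehavior
        Expected = 'Drop'
        Applied  = ([string]$v4.SourceRoutingBehavior -eq 'Drop')
    }

    # IPv6: a reassembly limit of 0 disables fragment reassembly, so
    # fragmented IPv6 packets are dropped (the side effect the advisory
    # warns about).
    foreach ($cve in 'CVE-2021-24094', 'CVE-2021-24086') {
        [pscustomobject]@{
            Cve      = $cve
            Setting  = 'IPv6 ReassemblyLimit'
            Current  = [string]$v6.ReassemblyLimit
            Expected = '0'
            Applied  = ($v6.ReassemblyLimit -eq 0)
        }
    }
}

$status = Get-TcpIpWorkaroundStatus
$status | Format-Table -AutoSize

# Flag hosts where at least one workaround setting is missing.
if ($status.Applied -contains $false) {
    Write-Warning 'One or more TCP/IP workaround settings are not applied on this host.'
}
```

The script only reads configuration, so it can run on hosts that are already patched; there the workaround values are expected to have been reverted to their defaults.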

What does Northwave do?

Northwave will monitor any developments regarding these vulnerabilities. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086
[4] https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24078

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.