Threat Response – Multiple critical zero day vulnerabilities in Microsoft Windows

14-07-2021


On Tuesday July 13th (“Patch Tuesday”) Microsoft released patches for multiple vulnerabilities, including nine zero-day vulnerabilities. Four of these are being actively exploited [1]. We advise installing these patches as soon as possible.

Description

On Tuesday July 13th Microsoft released patches for a large number of vulnerabilities, nine of which are zero-day vulnerabilities. The zero-day vulnerabilities are tracked under the following CVE numbers:

  • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (also known as PrintNightmare; covered in the threat responses of 30 June and 7 July)
  • CVE-2021-33771 – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2021-34448 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2021-31979 – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2021-34492 – Windows Certificate Spoofing Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-33779 – Windows ADFS Security Feature Bypass Vulnerability
  • CVE-2021-33781 – Active Directory Security Feature Bypass Vulnerability

In [2] you can find an overview of all patched vulnerabilities including their CVSS scores. Microsoft’s official release notes can be found at [3]. In addition, Microsoft recommends restricting the installation of printer drivers to administrators and verifying the Point and Print registry values after installing the patch for CVE-2021-34527 [4]. If those registry values are set incorrectly, the system remains exploitable via CVE-2021-34527 even after the patch is installed. This CVE is also known as PrintNightmare and was covered in the threat responses of 30 June and 7 July.
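The following PowerShell script is an added example, not part of the original advisory or of Microsoft’s guidance, that performs the post-patch check described above. It reads the Point and Print registry values that Microsoft names for CVE-2021-34527 (NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 or absent; per [4], RestrictDriverInstallationToAdministrators should be 1) and also reports the state of the Print Spooler service. The status labels (OK, VULNERABLE, REVIEW) and the Spooler check are this example’s own additions; the registry path and value names are those Microsoft documents. Run it elevated on a patched host; it is read-only and changes nothing.

```powershell
# Added example (not from the original advisory): post-patch check for the
# Point and Print registry values Microsoft lists for CVE-2021-34527.
# Registry path and value names are Microsoft's; status labels and the
# Spooler service check are this example's own additions.

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $pnpKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PrintNightmareMitigation {
    $findings = @()

    # These two values must be 0 or not set. A non-zero value re-enables
    # the behaviour that lets the July patch be bypassed.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v  = Get-PointAndPrintValue -Name $name
        $ok = ($null -eq $v) -or ($v -eq 0)
        $findings += [pscustomobject]@{
            Check  = "$name is 0 or not set"
            Value  = if ($null -eq $v) { '(not set)' } else { $v }
            Status = if ($ok) { 'OK' } else { 'VULNERABLE' }
        }
    }

    # KB5005010 [4]: RestrictDriverInstallationToAdministrators = 1 limits
    # printer driver installation to administrators.
    $r = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
    $findings += [pscustomobject]@{
        Check  = 'RestrictDriverInstallationToAdministrators is 1'
        Value  = if ($null -eq $r) { '(not set)' } else { $r }
        Status = if ($r -eq 1) { 'OK' } else { 'REVIEW' }
    }

    # If the host does not need to print or serve printers, stopping and
    # disabling the Spooler service removes the attack surface entirely.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'Print Spooler service'
        Value  = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { '(not found)' }
        Status = if ($spooler -and $spooler.Status -eq 'Running') { 'REVIEW' } else { 'OK' }
    }

    return $findings
}

$results = Test-PrintNightmareMitigation
$results | Format-Table -AutoSize

if ($results.Status -contains 'VULNERABLE') {
    Write-Warning 'Point and Print values override the patch: set them to 0 (or delete them) and re-check.'
    exit 1
}
exit 0
```

The script exits with code 1 when either of the two overriding values is non-zero, so it can be dropped into a configuration-management or compliance job that runs across the fleet after patch deployment. A REVIEW result is informational: a running Spooler on a print server is expected, but on a domain controller or a workstation that never prints it is worth disabling.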

Impact

Several of the patched vulnerabilities are rated critical, and at least four are being actively exploited.
We therefore assess the impact as high.

Risk

Because some of these vulnerabilities are under active exploitation, we estimate the risk as high.

What should you do?

Install the updates that were released yesterday as soon as possible.

What will Northwave do?

Northwave is investigating ways to monitor for exploitation attempts. Where possible, we will add these detection capabilities to the Northwave Detection Platform.

Northwave will monitor any developments regarding these vulnerabilities. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2021-patch-tuesday-fixes-9-zero-days-117-flaws/
[2]: https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/July-2021.html
[3]: https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul
[4]: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.