September 2020 Patch Tuesday—A Higher Count of Critical Vulnerabilities

This patch Tuesday release is like the last few—less than 100 vulnerabilities fixed, with a few high severity vulnerabilities, and a mix of operating system and other application vulnerabilities. What’s really eye-catching this month is a group of four vulnerabilities Microsoft released the week before that seem to be part of a chained attack against Exchange servers. If you haven’t already, make sure to patch your Exchange servers as it’s an immediate priority.

All in all, Microsoft fixed 82 vulnerabilities (plus the four from March 2). Ten of them are marked as Critical, with the rest listed as Important. Let’s review some details of the Exchange attack, then we’ll review the critical patches and a few others that warrant your attention this month.

Exchange zero day

On March 2, Microsoft disclosed and issued fixes for four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. These vulnerabilities were observed in a chained attack executed by Hafnium, a China-attributed APT group, to install web shells and execute code on an Exchange server that had port 443 open and available. A day later, CISA issued an emergency directive for all organizations to deploy the patches and to look for any indicators of compromise. At this time,  Microsoft has published guidance and scripts to use to check to see if you have been compromised. Our own Lewis Pope, senior technical product marketing manager, has created some automation manager objects you can use to look for initial evidence that the first vulnerability (CVE-2021-26855) was exploited. You can find the object for N‑central^®here and for RMM here. If you discover you have been impacted (after applying the patches, of course), the FBI has asked you to contact them to assist with the investigations. This type of cooperation can help improve cybersecurity efforts and protections in the future.

Operating systems

Moving back to patch Tuesday, here are the operating system patches listed as Critical.

CVE-2021-26897 is a Windows DNS Server Remote Code Execution Vulnerability that Microsoft lists as Exploitation More Likely. This is a low complexity attack that requires no user interaction. This vulnerability affects Server 2008 up to the current versions of Windows Server that have the DNS server role enabled. This vulnerability has a CVSS score of 9.8. According to Microsoft, enabling Secure Zone updates may mitigate the risk, but only applying the patch can fully prevent exploitation.

CVE-2021-26867 is titled Windows Hyper-V Remote Code Execution Vulnerability. An attacker could exploit this vulnerability on the Hyper-V client and execute code on the Hyper-V server with no user interaction. While this has a high CVSS score of 9.9, Microsoft has listed this one as Exploitation Less Likely. You should note Microsoft states that Hyper-V is only vulnerable if it’s using the Plan 9 file system.

The next critical patches are a trio of fixes for a HEVC Video Extensions Remote Code Execution Vulnerability. CVE-2021-27061, CVE-2021-24089, and CVE-2021-26902 have the same description and details. They’re found in the HEVC video extensions used by apps from the Windows Store. Microsoft lists these as Exploitation Less Likely, and it should be noted that Windows Store apps are self-updating.

The last critical operating system vulnerability is CVE-2021-26876, an OpenType Font Parsing Remote Code Execution Vulnerability. This CVSS 8.8 vulnerability requires user interaction, such as visiting a malicious website or opening a malicious document and would grant the attacker full control over the target system. This vulnerability affects all supported versions of Windows 10, including Server.

Browsers

The lone critical fix in the browser category is an Internet Explorer Memory Corruption Vulnerability, CVE-2021-26411. Microsoft lists this as Exploitation Detected and it has a CVSS score of 8.8. It affects Internet Explorer 9, Internet Explorer 11, and the Edge-HTML version of Microsoft Edge.

On March 4, Microsoft published a list of 33 CVE numbers that are fixed in the most recent version of their Chromium-based Microsoft Edge. They were fixed in the master Chromium branch, and will be updated automatically—simply ensure you’re running at least version 89.0.774.45 of Edge.

Other applications

CVE-2021-21300 is a remote code execution vulnerability in Git for Visual Studio. It’s a low complexity attack with a CVSS of 8.8 and affects the developer tools on all supported versions of Windows 10 and Server.

Microsoft also released fixes for two vulnerabilities in Azure Sphere for IoT devices. Any device running Azure Sphere services will be automatically updated, so no action is required.

Important but needs attention

There are two other vulnerabilities this month with attributes that warrant attention, even if they aren’t listed as critical. First we have CVE-2021-26863, which is a Windows Win32k Elevation of Privilege Vulnerability. While no user interaction is required, you should know that executing this vulnerability requires access to the system, meaning a bad actor would have to use another method to gain a foothold (such as a chained attack). This vulnerability affects all supported versions of Windows 10 up to current, including Server and Core. Microsoft lists this as Exploitation More Likely.

Finally, we have a Microsoft SharePoint Server Remote Code Execution Vulnerability, CVE-2021-27076. This vulnerability would allow an attacker to create a site on SharePoint and execute arbitrary code. While this is also listed as Exploitation More Likely, it does require the attacker to have access to credentials that would allow them to create a site on the server.

Summary

I cannot stress this enough—if you’re running on-premises Exchange, patching those systems should be your absolute priority today. Once that’s done, run the detection scripts to see if your or your customers’ servers were affected. If they were not, continue with the rest of the priorities. If you detect any indicators of compromise, contact the FBI and consider bringing in security specialists to examine your environments for other indicators that bad actors are present.

For the rest of the patches, I recommend you start by focusing on your DNS servers and any Hyper-V servers. Then turn your attention to workstations to address the elevation of privilege vulnerabilities and the browser vulnerabilities.

As always, stay safe out there!

 

Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd