By security practitioners, for security practitioners

Microsoft April 2021 Patch Tuesday Fixes 114 Vulnerabilities

Microsoft has issued fixes for 114 vulnerabilities as part of April 2021 patch Tuesday, including:

  • 19 critical flaws
  • 4 critical Microsoft Exchange Server bugs found by the National Security Agency (NSA)
  • One zero-day bug in Desktop Window Manager
  • Bugs impacting Edge browser, Microsoft Office, Azure and Azure DevOps Server, SharePoint Server, Hyper-V, Visual Studio, and Team Foundation Server.

What’s critical?

While every vulnerability in the release carries some risk, the zero-day in Desktop Window Manager is the one already confirmed to have been exploited in the wild, so it deserves the first look.


Desktop Window Manager

The zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) is an elevation of privilege bug in the Desktop Window Manager process (dwm.exe); Kaspersky, which reported it, describes it as an out-of-bounds write in dwmcore.dll. It is the only CVE in this month's release known to be under active attack.

Impact

The Desktop Window Manager zero-day lets a local attacker escalate privileges by running a specially crafted program on the target system. It is not remotely exploitable on its own: the attacker must already have a foothold, either by logging on to the system or by tricking a legitimate user into running the code on their behalf. In practice, local privilege escalations of this kind are typically chained with a browser or document exploit to escape a sandbox and gain SYSTEM, which is why an "exploited in the wild" local bug still warrants prompt patching.


Exchange Server

Of the four new critical Microsoft Exchange Server vulnerabilities, none is known to have been exploited in the wild.

CVE-2021-28480 and CVE-2021-28481 carry a CVSS score of 9.8 (higher than the Exchange bugs exploited earlier this year) and require no authentication and no user interaction to exploit; Microsoft's advisories for the two are identical.

Microsoft has also given these bugs its highest Exploitability Index rating for a flaw not yet seen in the wild ("Exploitation More Likely"), and the fact that the NSA reported them suggests they are of interest to capable adversaries, so patching should be a priority.

Additionally, a "Network" attack vector alone does not make a bug wormable, but combined with no authentication and no user interaction these two fit the profile of vulnerabilities that can be used to self-propagate between exposed Exchange servers. At this time there is no evidence of exploitation in the wild, but Microsoft expects threat actors to weaponize the vulnerabilities as soon as they reverse-engineer the patches into a working exploit.

CVE-2021-28482 and CVE-2021-28483 are post-authentication vulnerabilities and are only exploitable once an attacker has authenticated to a vulnerable Exchange Server. They can also be chained with CVE-2021-28480 or CVE-2021-28481, which would supply the missing authentication step.

More information can be found in the Microsoft Tech Community article.


Impact

All four Exchange bugs affect only on-premises Exchange Server (2013, 2016 and 2019); Microsoft does not list Exchange Online (Office 365) as affected.
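Because the April 2021 Exchange security update (KB5001779) does not change the AdminDisplayVersion that Get-ExchangeServer reports (that value only tracks Cumulative Updates), the reliable way to confirm a server is patched is to read the ExSetup.exe file version, which does change with each SU. The following PowerShell is an added example written for this post, not code from Microsoft or from the original article; it assumes it is run from the Exchange Management Shell with PowerShell remoting to each server, and the patched build numbers are taken from Microsoft's Exchange build-number table and should be verified against the current table before use.

```powershell
# Added example (not from the original post): inventory on-premises Exchange servers
# and flag any that are not on the April 2021 Security Update (KB5001779) build.
# AdminDisplayVersion only tracks Cumulative Updates, so this reads the
# ExSetup.exe file version on each server instead, which does change with each SU.
# Assumption: run from the Exchange Management Shell with PowerShell remoting
# available to every server.

# Patched ExSetup.exe versions for the April 2021 SU, one per supported CU,
# taken from Microsoft's Exchange build-number table. Verify against the
# current table before relying on them.
$PatchedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.15'   # Exchange 2013 CU23
    '15.1.2176' = [version]'15.1.2176.14'   # Exchange 2016 CU19
    '15.1.2242' = [version]'15.1.2242.8'    # Exchange 2016 CU20
    '15.2.792'  = [version]'15.2.792.15'    # Exchange 2019 CU8
    '15.2.858'  = [version]'15.2.858.10'    # Exchange 2019 CU9
}

function Get-ExchangePatchStatus {
    param(
        [string[]]$Servers = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )

    foreach ($Server in $Servers) {
        # Read ExSetup.exe's file version from the server's Exchange install path.
        # ExchangeInstallPath is a machine environment variable on Exchange servers.
        $RawBuild = Invoke-Command -ComputerName $Server -ScriptBlock {
            $Path = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
            (Get-Item $Path).VersionInfo.FileVersion
        }

        # FileVersion comes back zero-padded (e.g. 15.02.0858.010); [version]
        # normalizes it so numeric comparison works.
        $Version = [version]$RawBuild
        $CuKey   = '{0}.{1}.{2}' -f $Version.Major, $Version.Minor, $Version.Build

        if (-not $PatchedBuilds.ContainsKey($CuKey)) {
            # A CU that has no April 2021 SU: the only fix is to move to a supported CU.
            $Status   = 'CU not in table - update to a supported CU, then apply the SU'
            $Expected = 'n/a'
        } elseif ($Version -ge $PatchedBuilds[$CuKey]) {
            $Status   = 'Patched'
            $Expected = $PatchedBuilds[$CuKey].ToString()
        } else {
            $Status   = 'VULNERABLE - install KB5001779'
            $Expected = $PatchedBuilds[$CuKey].ToString()
        }

        [pscustomobject]@{
            Server       = $Server
            ExSetupBuild = $Version.ToString()
            Expected     = $Expected
            Status       = $Status
        }
    }
}

# Usage: list every server with its build and patch status.
Get-ExchangePatchStatus | Format-Table -AutoSize
```

A server whose build is below the expected value for its CU needs KB5001779; a server on a CU that is not in the table cannot be patched directly and must first be brought to a supported CU, which is the more common reason organizations stay exposed to Exchange bugs.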

POC

As of 4/14/2021, there were no disclosed proof-of-concept exploit scripts for any of the four newly disclosed Exchange Server vulnerabilities.

Four more vulnerabilities were publicly disclosed before the patches shipped but are not known to have been exploited:

  • CVE-2021-27091 – RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
  • CVE-2021-28312 – Windows NTFS Denial of Service Vulnerability
  • CVE-2021-28437 – Windows Installer Information Disclosure Vulnerability – PolarBear
  • CVE-2021-28458 – Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability


Resources

Desktop Window Manager Zero-day
https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/

MS Tech Community: Exchange Server Security Updates
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617

AE
