Microsoft has issued fixes for 114 vulnerabilities as part of April 2021 patch Tuesday, including:
- 19 critical flaws
- 4 critical Microsoft Exchange Server bugs found by the National Security Agency (NSA)
- One zero-day bug in Desktop Window Manager
- Bugs impacting Edge browser, Microsoft Office, Azure and Azure DevOps Server, SharePoint Server, Hyper-V, Visual Studio, and Team Foundation Server.
While all the vulnerabilities pose risk, the zero-day in Desktop Window Manager was discovered to have been exploited in the wild.
Desktop Window Manager
The zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) is a Win32k elevation of privilege, and is the only CVE under active attack this month.
The zero-day in Desktop Window Manager is a bug that allows an attacker to escalate privileges by running a specially crafted program on a target system, which means that they will either need to log on to a system or trick a legitimate user into running the code on their behalf.
Of the 4 new Microsoft Exchange Server critical vulnerabilities, none are known to have been actively exploited.
CVE-2021-28480 and CVE-2021-28481 have a CVSS score of 9.8 (higher than the Exchange bugs exploited earlier this year) and require no authorization or user interaction to exploit; both have identical write-ups.
Considering the reporting source (NSA), these bugs have received Microsoft’s highest Exploit Index rating, so patching should be a priority.
Additionally, given that Microsoft lists the attack vector as “Network,” it’s likely they are wormable. At this time there is no evidence of being exploited in the wild, but Microsoft speculates that threat actors are likely to leverage the vulnerabilities as soon as they create an exploit.
CVE-2021-28482 and CVE-2021-28483 are both post-authentication vulnerabilities and are only exploitable once an attacker has authenticated to a vulnerable Exchange Server. They can also be chained with CVE-2021-28480 and CVE-2021-28481
More information can be found in the Microsoft Tech Community article.
None of the 4 Exchange bugs this month indicate Office 365 versions are affected and only impact on-prem installations.
As of 4/14/2021, there were no disclosed proof-of-concept exploit scripts for any of the four newly disclosed Exchange Server vulnerabilities.
Four more vulnerabilities Microsoft states were publicly exposed but not exploited:
- CVE-2021-27091 – RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
- CVE-2021-28312 – Windows NTFS Denial of Service Vulnerability
- CVE-2021-28437 – Windows Installer Information Disclosure Vulnerability – PolarBear
- CVE-2021-28458 – Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
Desktop Windows Manager Zero-day
MS Tech Community: Exchange Server Security Updates