Vulristics Microsoft Patch Tuesday July 2021: Zero-days EoP in Kernel and RCE in Scripting Engine, RCEs in Kernel, DNS Server, Exchange and Hyper-V

Hello everyone! For the past 9 months, I've been doing Microsoft Patch Tuesday reviews quarterly. Now I think it would be better to review the July Patch Tuesday while the topic is still fresh. And that will save us some time in the next Last Week’s Security news episode. So, July Patch Tuesday, 116 vulnerabilities.

The 2 most critical are the Windows Kernel Elevation of Privilege Vulnerabilities (CVE-2021-31979, CVE-2021-33771). These vulnerabilities are critical because they are used in real attacks according to Microsoft’s Threat Intelligence Center and Security Response Center. Tenable: "A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities were patched in April 2020, which were observed under active exploitation by Google Project Zero."

Another vulnerability with a sign of exploitation in the wild is Scripting Engine Memory Corruption Vulnerability (CVE-2021-34448). ZDI: "The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn’t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (>8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows."

A rare Windows Kernel Remote Code Execution Vulnerability (CVE-2021-34458). ZDI "This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly."

Next most critical 3 Remote Code Executions in Windows DNS Server (CVE-2021-33780, CVE-2021-34494, CVE-2021-34525). User interaction is not required for the exploitation. Tenable: "Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server."

RCE in Microsoft Exchange Server (CVE-2021-31206). It was disclosed during the last Pwn2Own contest. Nothing else is known about it. It is not yet clear whether this will be the second ProxyLogon. And there's a funny thing about Exchange as well. ZDI: "The real surprise in this month’s Exchange patches are the three bugs patched in April but not documented until today." So, you understand, right? You are trying to figure out, based on the analysis of the CVE list, whether it is worth installing a particular patch. But it turns out that the information about what exactly fixes this patch is incomplete. Therefore, if possible, just install all patches regularly, rather than trying to choose what to install and what not.

And finally “Exploitation Less Likely” RCE vulnerability in Windows Hyper-V (CVE-2021-34450). Tenable: "It would allow an attacker who is authenticated to a guest virtual machine (VM) to send crafted requests to execute arbitrary code on the host machine (…) it is important to consider that malware variants commonly look to escape VMs and infect the host machine".

Full Vulristics report ms_patch_tuesday_july2021_report_avleonov_comments