Lucene search

K
rapid7blogAdam BunnRAPID7BLOG:05A653A5E863B78EDD56FD74F059E02E
HistoryMay 11, 2021 - 11:44 p.m.

Patch Tuesday - May 2021

2021-05-1123:44:00
Adam Bunn
blog.rapid7.com
158
microsoft
patch tuesday
may 2021
cve-2021-31166
http protocol stack
remote code execution
vulnerability
hyper-v
microsoft
patch
microsoft accessibility insights for web
scripting engine memory corruption
visual studio
security feature bypass
exchange server

EPSS

0.971

Percentile

99.8%

Patch Tuesday - May 2021

Here we are again with another installment of Patch Tuesday. When compared to the past few months this one feels a bit light both in severity and number of vulnerabilities addressed. Microsoft has only released patches for 55 CVEs this month, less than half of the usual volume, with only 4 of them being scored as critical. Let’s dive into the details.

HTTP Protocol Stack Remote Code Execution Vulnerability - [[CVE-2021-31166](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166&gt;)](<https://blog.rapid7.com/p/a0284057-0a58-48f2-89f5-a9b1d04661c3/CVE-2021-31166&gt;)

The hottest vulnerability this month is in the HTTP.sys library. If an attacker has network access to a webserver running on an unpatched asset they may be able to send a specially crafted packet which could result in RCE. This was found internally by Microsoft and has not yet been observed in the wild. However, it is only a matter of time before someone figures out how to craft that special packet and we start to see widespread use against Windows 10 and Windows Server machines. Rated at 9.8, this potentially wormable vulnerability should be a high priority for remediation.

Hyper-V Remote Code Execution - CVE-2021-28476

There is some debate whether this vulnerability deserves its assigned 9.9 severity score. The limited details indicate that the most likely use of this bug is to cause a DoS on the Hyper-V host. This can cause a good amount of trouble for anyone running virtual machines but is not as damaging as the theoretical RCE this vulnerability could provide. In either case this is a good patch to put at the top of the todo-list.

Exchange Server Security Feature Bypass - CVE-2021-31207

Not to be outdone, Exchange Server is back again with yet another patch. This one is not nearly as high profile as the recent vulnerability which saw widespread use, but still an important patch to apply given that Exchange Servers are almost always exposed to the internet. There are a few other less severe vulnerabilities this month for Exchange which were disclosed at Pwn2Own in April. We expect to see a continued focus on Exchange Server in the months to come.

Summary Tables

Azure Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-31936 Microsoft Accessibility Insights for Web Information Disclosure Vulnerability No No 7.4 Yes

Browser ESU Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-26419 Scripting Engine Memory Corruption Vulnerability No No 7.5 Yes

Developer Tools Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-27068 Visual Studio Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-31213 Visual Studio Code Remote Containers Extension Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31211 Visual Studio Code Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31214 Visual Studio Code Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability No Yes 7.3 No

Exchange Server Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-31209 Microsoft Exchange Server Spoofing Vulnerability No No 6.5 Yes
CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability No Yes 6.6 Yes
CVE-2021-31198 Microsoft Exchange Server Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-31195 Microsoft Exchange Server Remote Code Execution Vulnerability No No 6.5 No

Microsoft Dynamics Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-28461 Dynamics Finance and Operations Cross-site Scripting Vulnerability No No 6.1 No

Microsoft Office Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-26421 Skype for Business and Lync Spoofing Vulnerability No No 6.5 No
CVE-2021-26422 Skype for Business and Lync Remote Code Execution Vulnerability No No 7.2 No
CVE-2021-28478 Microsoft SharePoint Spoofing Vulnerability No No 7.6 No
CVE-2021-31172 Microsoft SharePoint Spoofing Vulnerability No No 7.1 No
CVE-2021-26418 Microsoft SharePoint Spoofing Vulnerability No No 4.6 No
CVE-2021-28474 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-31173 Microsoft SharePoint Server Information Disclosure Vulnerability No No 5.3 Yes
CVE-2021-31181 Microsoft SharePoint Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-31171 Microsoft SharePoint Information Disclosure Vulnerability No No 4.1 Yes
CVE-2021-31175 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31176 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31177 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31179 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31178 Microsoft Office Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-31180 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31174 Microsoft Excel Information Disclosure Vulnerability No No 5.5 Yes

Open Source Software Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability No Yes 7.2 Yes

Windows Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-31187 Windows WalletService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31205 Windows SMB Client Security Feature Bypass Vulnerability No No 4.3 Yes
CVE-2021-31191 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-31192 Windows Media Foundation Core Remote Code Execution Vulnerability No No 7.3 No
CVE-2021-31170 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31185 Windows Desktop Bridge Denial of Service Vulnerability No No 5.5 No
CVE-2021-31165 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31167 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31168 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31169 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31208 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31190 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-28479 Windows CSC Service Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-28465 Web Media Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-31166 HTTP Protocol Stack Remote Code Execution Vulnerability No No 9.8 Yes

Windows ESU Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2020-24588 Windows Wireless Networking Spoofing Vulnerability No No 6.5 No
CVE-2020-26144 Windows Wireless Networking Spoofing Vulnerability No No 6.5 No
CVE-2020-24587 Windows Wireless Networking Information Disclosure Vulnerability No No 6.5 Yes
CVE-2021-31193 Windows SSDP Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31186 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability No No 7.4 Yes
CVE-2021-31188 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-31194 OLE Automation Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-31184 Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-31182 Microsoft Bluetooth Driver Spoofing Vulnerability No No 7.1 No
CVE-2021-28476 Hyper-V Remote Code Execution Vulnerability No No 9.9 Yes

Windows Microsoft Office ESU Vulnerabilities

CVE Title Exploited Disclosed CVSS3 FAQ
CVE-2021-28455 Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability No No 8.8 Yes

Summary Graphs

Patch Tuesday - May 2021Patch Tuesday - May 2021Patch Tuesday - May 2021Patch Tuesday - May 2021