Actively Exploited Windows Zero-Day Gets a Patch

Microsoft has patched 51 security vulnerabilities in its scheduled August Patch Tuesday update, including seven critical bugs, two issues that were publicly disclosed but unpatched until now, and one that’s listed as a zero-day that has been exploited in the wild.

Of note, there are 17 elevation-of-privilege (EoP) vulnerabilities, 13 remote code-execution (RCE) issues, eight information-disclosure flaws and two denial-of-service (DoS) bugs.

The update also includes patches for three more Print Spooler bugs, familiar from the PrintNightmare saga.

“Fortunately, it was a lighter month than usual,” said Eric Feldman, senior product marketing manager at Automox, in a Patch Tuesday analysis from the vendor. “This represents a 56 percent reduction in overall vulnerabilities from July, and 33 percent fewer vulnerabilities on average for each month so far this year. We have also seen a similar reduction in critical vulnerabilities this month, with 30 percent less compared to the monthly average.”

Windows Critical Security Vulnerabilities

The seven critical bugs addressed in August are as follows:

• CVE-2021-26424 – Windows TCP/IP RCE Vulnerability
• CVE-2021-26432 – Windows Services for NFS ONCRPC XDR Driver RCE Vulnerability
• CVE-2021-34480 – Scripting Engine Memory Corruption Vulnerability
• CVE-2021-34530 – Windows Graphics Component RCE Vulnerability
• CVE-2021-34534 – Windows MSHTML Platform RCE Vulnerability
• CVE-2021-34535 – Remote Desktop Client RCE Vulnerability
• CVE-2021-36936 – Windows Print Spooler RCE Vulnerability

The bug tracked as CVE-2021-26424 exists in the TCP/IP protocol stack identified in Windows 7 and newer Microsoft operating systems, including servers.

“Despite its CVSS rating of 9.9, this may prove to be a trivial bug, but it’s still fascinating,” said Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) in his Tuesday analysis. “An attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. While not wormable, it’s still cool to see new bugs in new scenarios being found in protocols that have been around for years.”

The next bug, CVE-2021-26432 in Windows Services, is more likely to be exploited given its low complexity status, according to Microsoft’s advisory; it doesn’t require privileges or user interaction to exploit, but Microsoft offered no further details.

“This may fall into the ‘wormable’ category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface,” Childs said. “That certainly sounds like elevated code on a listening network service. Don’t ignore this patch.”

Aleks Haugom, product marketing manager at Automox, added, “Exploitation results in total loss of confidentiality across all devices managed by the same security authority. Furthermore, attackers can utilize it for denial-of-service attacks or to maliciously modify files. So far, no further details have been divulged by Microsoft or the security researcher (Liubenjin from Codesafe Team of Legendsec at Qi’anxin Group) that discovered this vulnerability. Given the broad potential impact, its label ‘Exploitation More Likely’ and apparent secrecy, patching should be completed ASAP.”

Meanwhile, the memory-corruption bug (CVE-2021-34480) arises from how the scripting engine handles objects in memory, and it also allows RCE. Using a web-based attack or a malicious file, such as a malicious landing page or phishing email, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights.

“CVE-2021-34480 should also be a priority,” Kevin Breen, director of cyber-threat research at Immersive Labs, told Threatpost. “It is a low score in terms of CVSS, coming in at 6.8, but has been marked by Microsoft as ‘Exploitation More Likely’ because it is the type of attack commonly used to increase the success rate of spear phishing attacks to gain network access. Simple, but effective.”

The Windows Graphic Component bug (CVE-2021-34530) allows attackers to remotely execute malicious code in the context of the current user, according to Microsoft – if they can social-engineer a target into opening a specially crafted file.

Another bug exists in the Windows MSHTML platform, also known as Trident (CVE-2021-34534). Trident is the rendering engine (mshtml.dll) used by Internet Explorer. The bug affects many Windows 10 versions (1607, 1809,1909, 2004, 20H2, 21H1) as well as Windows Server 2016 and 2019.

But while it potentially affects a large number of users, exploitation is not trivial.

“To exploit, a threat actor would need to pull off a highly complex attack with user interaction – still entirely possible with the sophisticated attackers of today,” said Peter Pflaster, technical product marketing manager at Automox.

The bug tracked as CVE-2021-34535 impacts the Microsoft Remote Desktop Client, Microsoft’s nearly ubiquitous utility for connecting to remote PCs.

“With today’s highly dispersed workforce, CVE-2021-34535, an RCE vulnerability in Remote Desktop Clients, should be a priority patch,” said Breen. “Attackers increasingly use RDP access as the tip of the spear to gain network access, often combining it with privilege escalation to move laterally. These can be powerful as, depending on the method, it may allow the attacker to authenticate in the network in the same way a user would, making detection difficult.”

It’s not as dangerous of a bug as BlueKeep, according to Childs, which also affected RDP.

“Before you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server,” he said. “However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.”

Windows Print Spooler Bugs – Again

The final critical bug is CVE-2021-36936, a Windows Print Spooler RCE bug that’s listed as publicly known.

Print Spooler made headlines last month, when Microsoft patched what it thought was a minor elevation-of-privilege vulnerability in the service (CVE-2021-1675). But the listing was updated later in the week, after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE – requiring a new patch.

It also disclosed a second bug, similar to PrintNightmare (CVE-2021-34527); and a third, an EoP issue (CVE-2021-34481).

“Another month, another remote code-execution bug in the Print Spooler,” said ZDI’s Childs. “This bug is listed as publicly known, but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print-spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this critical-rated bug.”

The critical vulnerability is just one of three Print Spooler issues in the August Patch Tuesday release.

“The specter of the PrintNightmare continues to haunt this patch Tuesday with three more print spooler vulnerabilities, CVE-2021-36947, CVE-2021-36936 and CVE-2021-34481,” said Breen. “All three are listed as RCE over the network, requiring a low level of access, similar to PrintNightmare. Microsoft has marked these as ‘Exploitation More Likely’ which, if the previous speed of POC code being published is anything to go by, is certainly true.”

RCE Zero-Day in Windows Update Medic Service

The actively exploited bug is tracked as CVE-2021-36948 and is rated as important; it could pave the way for RCE via the Windows Update Medic Service in Windows 10 and Server 2019 and newer operating systems.

“Update Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates,” Automox’ Jay Goodman explained. “The exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary’s toolbox.”

Immersive’s Breen added, “CVE-2021-36948 is a privilege-escalation vulnerability – the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts. In the case of ransomware attacks, they have also been used to ensure maximum damage.”

Though the bug is being reported as being exploited in the wild by Microsoft, activity appears to remain limited or targeted: “We have seen no evidence of it at Kenna Security at this time,” Jerry Gamblin, director of security research at Kenna Security (now part of Cisco) told Threatpost.

Publicly Known Windows LSA Spoofing Bug

The second publicly known bug (after the Print Spooler issue covered earlier) is tracked as CVE-2021-36942, and it’s an important-rated Windows LSA (Local Security Authority) spoofing vulnerability.

“It fixes a flaw that could be used to steal NTLM hashes from a domain controller or other vulnerable host,” Immersive’s Breen said. “These types of attacks are well known for lateral movement and privilege escalation, as has been demonstrated recently by a new exploit called PetitPotam. It is a post-intrusion exploit – further down the attack chain – but still a useful tool for attackers.”

Childs offered a bit of context around the bug.

“Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface,” he said. “This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue.”

Microsoft’s next Patch Tuesday will fall on September 14.

Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How toThink Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on**Aug. 17 at 11AM EST for this LIVE discussion**.