The August 2021 Security Update Review
August 10, 2021 | Dustin Childs

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.
Adobe Patches for August 2021
For August, Adobe released two patches addressing 29 CVEs in Adobe Connect and Magento. The update for Connect is rated Important and fixes a single security feature bypass and two cross-site scripting bugs. The Critical-rated patch for Magento fixes a wide range of bugs, the worst of which could allow remote code execution.
None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.
Microsoft Patches for August 2021
For August, Microsoft released patches today for 44 CVEs in Microsoft Windows and Windows components, Office, .NET Core and Visual Studio, Windows Defender, Windows Update and Update Assistant, Azure, and Microsoft Dynamics. This is in addition to seven CVEs patched in Microsoft Edge (Chromium-based) earlier this month. A total of eight of these bugs were submitted through the ZDI program. Of the 44 CVEs patched today, seven are rated Critical and 37 are rated Important in severity. This is the smallest release for Microsoft in 2021 and could be due to resource constraints since Microsoft spent so much time in July responding to events like PrintNightmare and PetitPotam. In fact, this is the smallest release since December 2019. It will be interesting to see if the September patch volume rebounds to triple digits or remains on the smaller side.
According to Microsoft, two of these bugs are publicly known and one is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s listed as under active attack:
- CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability
This bug could allow a local privilege escalation through the Windows Update Medic Service, a feature introduced in Windows 10 that repairs damaged Windows Update components so the computer can continue to receive updates. An attacker would need to log on to an affected system and run a specially crafted program to escalate privileges. Microsoft does not say how widespread the attacks are, but they are most likely targeted at this point.
- CVE-2021-36942 - Windows LSA Spoofing Vulnerability
Speaking of PetitPotam, this patch further protects against NTLM relay attacks by blocking the affected EFS API calls (OpenEncryptedFileRaw) made over the LSARPC interface. This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. Apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. NTLM relay has been an ongoing issue since 2009, and this likely isn’t the last we’ll hear of it.
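The KB5005413 guidance referenced above boils down to two settings on AD CS hosts: Extended Protection for Authentication (EPA) set to Required plus SSL on the web enrollment endpoint, and incoming NTLM denied on the CA. The following read-only audit is an added example, not code from the original post or from Microsoft; it assumes the default `Default Web Site/CertSrv` application path, and the function names are this example’s own.

```powershell
# Added example (not from the original post): read-only audit of the two
# KB5005413 hardening steps for AD CS hosts. Assumes the default
# 'Default Web Site/CertSrv' web enrollment application.

Import-Module WebAdministration -ErrorAction Stop

function Get-IisPropertyText {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute for some
    # properties and a plain string for others; normalise to a string.
    param($Value)
    if ($null -eq $Value) { return '' }
    if ($Value.PSObject.Properties['Value']) { return [string]$Value.Value }
    return [string]$Value
}

function Get-CertSrvEpaState {
    param(
        [string]$Site        = 'Default Web Site',
        [string]$Application = 'CertSrv'
    )
    $psPath = "IIS:\Sites\$Site\$Application"
    $auth   = 'system.webServer/security/authentication/windowsAuthentication'

    # EPA lives under windowsAuthentication/extendedProtection; values are None, Allow, Require.
    $tokenChecking = Get-IisPropertyText (Get-WebConfigurationProperty -PSPath $psPath `
        -Filter "$auth/extendedProtection" -Name 'tokenChecking')
    # EPA only binds the channel if the channel is TLS, so SSL must be required as well.
    $sslFlags = Get-IisPropertyText (Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/access' -Name 'sslFlags')

    [pscustomobject]@{
        Path          = "$Site/$Application"
        TokenChecking = $tokenChecking     # KB5005413 wants 'Require'
        SslFlags      = $sslFlags          # must include 'Ssl'
        EpaHardened   = ($tokenChecking -eq 'Require') -and ($sslFlags -match '\bSsl\b')
    }
}

function Get-IncomingNtlmState {
    # Backing value of the policy "Network security: Restrict NTLM: Incoming NTLM traffic".
    # 0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name  = 'RestrictReceivingNTLMTraffic'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        RestrictReceivingNTLMTraffic = $value      # $null means not configured (NTLM accepted)
        NtlmDisabled                 = ($value -eq 2)
    }
}

$epa  = Get-CertSrvEpaState
$ntlm = Get-IncomingNtlmState
$epa  | Format-List
$ntlm | Format-List
if (-not $epa.EpaHardened) {
    Write-Warning "Web enrollment on $($epa.Path) is not hardened per KB5005413: set EPA to Required and require SSL."
}
if (-not $ntlm.NtlmDisabled) {
    Write-Warning 'Incoming NTLM is not denied on this host; KB5005413 recommends denying it on AD CS servers.'
}
```

Run it in an elevated shell on each CA and web enrollment server. If your deployment also exposes the Certificate Enrollment Web Service (CES), call `Get-CertSrvEpaState` again with that site and application name, since the same EPA and SSL requirements apply there.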
- CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability
Another month, another remote code execution bug in the print spooler. This bug is listed as publicly known, but it’s not clear whether it is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state that low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug.
UPDATE: Microsoft has released KB5005652 to provide guidance on managing the new Point and Print default driver installation behavior. This is an update for CVE-2021-34481, which was originally released in July 2021. Sysadmins should review this KB along with applying the Print Spooler related updates in this release.
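KB5005652 centres on a single registry value, `RestrictDriverInstallationToAdministrators` under the `PointAndPrint` policy key: absent or 1 means only administrators can install print drivers through Point and Print (the post-update default), while 0 restores the pre-update behaviour that the KB warns re-exposes the system. The script below is an added example, not code from the original post or from Microsoft; the registry path and value names are the ones the KB documents, and the function names are this example’s own.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the Point and Print driver-installation behaviour described in KB5005652.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    $props    = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    $restrict = $props.RestrictDriverInstallationToAdministrators

    [pscustomobject]@{
        # Absent or 1: only administrators may install print drivers via Point and Print.
        # 0: the weak, pre-update behaviour that KB5005652 says re-exposes the system.
        RestrictDriverInstallationToAdministrators = $restrict
        # Point and Print Restrictions policy values that the setting above overrides
        # when it is 1; reported so the whole key can be reviewed at once.
        NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $props.UpdatePromptSettings
        AdminOnlyDriverInstall        = ($null -eq $restrict) -or ($restrict -eq 1)
    }
}

function Set-PointAndPrintAdminOnly {
    # Pin the hardened value explicitly so that a later GPO or script flipping it
    # to 0 shows up in a diff of the key. Requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PointAndPrintKey, 'Set RestrictDriverInstallationToAdministrators = 1')) {
        if (-not (Test-Path -Path $PointAndPrintKey)) {
            New-Item -Path $PointAndPrintKey -Force | Out-Null
        }
        Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' `
            -Value 1 -Type DWord
    }
}

$state = Get-PointAndPrintState
$state | Format-List
if (-not $state.AdminOnlyDriverInstall) {
    Write-Warning 'RestrictDriverInstallationToAdministrators is 0: non-administrators can install print drivers. Run Set-PointAndPrintAdminOnly to restore the default.'
}
```

`Set-PointAndPrintAdminOnly -WhatIf` shows what would change without touching the registry. If you must keep the value at 0 for a legacy print server, KB5005652 expects you to compensate by restricting the servers users may install from through the Point and Print Restrictions policy, so treat any host reporting `AdminOnlyDriverInstall = False` as an exception to document rather than a default.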
- CVE-2021-34535 - Remote Desktop Client Remote Code Execution Vulnerability
Before you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server. However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.
Here’s the full list of CVEs released by Microsoft for August 2021:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
--- | --- | --- | --- | --- | --- | --- |
CVE-2021-36948 | Windows Update Medic Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2021-36936 | Windows Print Spooler Remote Code Execution Vulnerability | Critical | 8.8 | Yes | No | RCE |
CVE-2021-36942 | Windows LSA Spoofing Vulnerability | Important | 9.8 | Yes | No | Spoofing |
CVE-2021-34535 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 9.9 | No | No | RCE |
CVE-2021-34480 | Scripting Engine Memory Corruption Vulnerability | Critical | 6.8 | No | No | RCE |
CVE-2021-34530 | Windows Graphics Component Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2021-34534 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical | 6.8 | No | No | RCE |
CVE-2021-26432 | Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2021-26424 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 9.9 | No | No | RCE |
CVE-2021-26423 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2021-34485 | .NET Core and Visual Studio Information Disclosure Vulnerability | Important | 5 | No | No | Info |
CVE-2021-34532 | ASP.NET Core and Visual Studio Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2021-33762 | Azure CycleCloud Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2021-36943 | Azure CycleCloud Elevation of Privilege Vulnerability | Important | 4 | No | No | EoP |
CVE-2021-26430 | Azure Sphere Denial of Service Vulnerability | Important | 6 | No | No | DoS |
CVE-2021-26429 | Azure Sphere Elevation of Privilege Vulnerability | Important | 7.7 | No | No | EoP |
CVE-2021-26428 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
CVE-2021-36949 | Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability | Important | 7.1 | No | No | SFB |
CVE-2021-36950 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
CVE-2021-34524 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
CVE-2021-36946 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
CVE-2021-34478 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2021-36940 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
CVE-2021-34471 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-36941 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2021-34536 | Storage Spaces Controller Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-36945 | Windows 10 Update Assistant Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2021-34537 | Windows Bluetooth Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-36938 | Windows Cryptographic Primitives Library Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2021-36927 | Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-26425 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-34486 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-34487 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2021-34533 | Windows Graphics Component Font Parsing Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2021-36937 | Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2021-34483 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-36947 | Windows Print Spooler Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2021-26431 | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-26433 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2021-36926 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2021-36932 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2021-36933 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2021-26426 | Windows User Account Profile Picture Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2021-34484 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2021-30590 | Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks | High | N/A | No | No | RCE |
CVE-2021-30591 | Chromium: CVE-2021-30591 Use after free in File System API | High | N/A | No | No | RCE |
CVE-2021-30592 | Chromium: CVE-2021-30592 Out of bounds write in Tab Groups | High | N/A | No | No | RCE |
CVE-2021-30593 | Chromium: CVE-2021-30593 Out of bounds read in Tab Strip | High | N/A | No | No | Info |
CVE-2021-30594 | Chromium: CVE-2021-30594 Use after free in Page Info UI | High | N/A | No | No | RCE |
CVE-2021-30596 | Chromium: CVE-2021-30596 Incorrect security UI in Navigation | Medium | N/A | No | No | SFB |
CVE-2021-30597 | Chromium: CVE-2021-30597 Use after free in Browser UI | Medium | N/A | No | No | RCE |
You’ll notice this month’s table includes the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign a CVSS score, so none is listed in the table.
Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system. One exception is CVE-2021-26432, a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note that it requires neither privileges nor user interaction. This may fall into the “wormable” category, at least between servers with NFS installed, especially since the Open Network Computing Remote Procedure Call (ONC RPC) implementation consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface. That certainly sounds like elevated code on a listening network service. Don’t ignore this patch.
Another interesting Critical-rated bug affects the TCP/IP stack. Despite its CVSS rating of 9.9, this may prove to be a trivial bug, but it’s still fascinating. An attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. While not wormable, it’s still cool to see new bugs in new scenarios being found in protocols that have been around for years.
The remaining patches for RCE bugs primarily address open-and-own types of bugs in Microsoft Dynamics (on-prem), Office, Word, and Windows media components. For example, the vulnerability in Word would require someone to open a specially crafted Word document with an affected version, resulting in code execution at the level of the logged-on user. There’s also an Important-rated RCE bug in the print spooler; however, it’s not clear why this one is rated Important while the other is rated Critical. Both have the exact same CVSS rating, and while one is publicly known, that shouldn’t affect severity. Best to treat both print spooler bugs as Critical, just to be on the safe side.
There are a total of 16 Elevation of Privilege (EoP) patches in this month’s release. Most of these exist in Windows components and require an attacker to log on to an affected system and execute their specially crafted program. Six of these bugs were reported through the ZDI program by Abdelhamid Naceri (halov) and deal with improper link resolution before file access (Link Following) vulnerabilities. For example, by creating a directory junction, an attacker can abuse the Windows Update Assistant to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the Administrator. Altogether, there are EoP fixes for Windows Defender, Azure Sphere and CycleCloud, Storage Spaces, the Update Assistant, the Bluetooth service, Windows Event Tracing, and the aforementioned Print Spooler.
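The Link Following bugs described above share one shape: privileged code resolves a path in a location a standard user can write to, and a junction or symlink planted there redirects the operation onto a file the attacker could not otherwise touch. The script below shows the defensive side as an added example, not code from the original post or from Microsoft: a cleanup routine that walks every component of the path it was handed and refuses to act if any of them is a reparse point. The directory layout, file names and function names are constructed for this illustration.

```powershell
# Added example (not from the original post): a privileged delete that fails
# closed when any component of the target path is a reparse point (junction or
# symlink), the condition abused in the Link Following (CWE-59) bugs above.

function Test-PathHasReparsePoint {
    param([Parameter(Mandatory)][string]$Path)
    # GetFullPath collapses '.' and '..' but does not follow junctions, so the
    # walk below inspects the path exactly as the caller supplied it.
    $current = [System.IO.Path]::GetFullPath($Path)
    while (-not [string]::IsNullOrEmpty($current)) {
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) {
            return $true
        }
        $current = [System.IO.Path]::GetDirectoryName($current)   # $null once the root is reached
    }
    return $false
}

function Remove-ScratchFile {
    # What a service running as SYSTEM should do before deleting inside a
    # user-writable tree: refuse if any path component is a reparse point.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-PathHasReparsePoint -Path $Path) {
        Write-Warning "Refusing to delete '$Path': a path component is a reparse point."
        return $false
    }
    Remove-Item -LiteralPath $Path -Force
    Write-Host "Deleted '$Path'."
    return $true
}

# Demo (constructed): a scratch directory the 'service' is allowed to clean, a
# second directory it must never touch, and a junction that points at the latter.
$root     = Join-Path $env:TEMP ('linkdemo-' + [guid]::NewGuid().ToString('N'))
$victim   = Join-Path $root 'protected'
$scratch  = Join-Path $root 'scratch'
New-Item -ItemType Directory -Path $victim, $scratch | Out-Null
Set-Content -LiteralPath (Join-Path $scratch 'ok.log')        -Value 'safe to delete'
Set-Content -LiteralPath (Join-Path $victim  'important.log') -Value 'must survive'
$junction = Join-Path $root 'redirect'
New-Item -ItemType Junction -Path $junction -Target $victim | Out-Null

Remove-ScratchFile -Path (Join-Path $scratch  'ok.log')          # plain directory: allowed
Remove-ScratchFile -Path (Join-Path $junction 'important.log')   # through the junction: refused
if (Test-Path -LiteralPath (Join-Path $victim 'important.log')) {
    Write-Host 'The file behind the junction was left alone.'
}

# Clean up: remove the junction itself (not its target) before the tree.
[System.IO.Directory]::Delete($junction)
Remove-Item -LiteralPath $root -Recurse -Force
```

Two caveats a practitioner will want. First, the check and the delete are separate steps, so an attacker who can swap a directory for a junction between them still wins the race; the durable fix is for privileged code not to operate in user-writable trees at all, or to open the target with reparse points disallowed and act on the handle it verified. Second, `Get-Item -Force` is required because a junction can be hidden, and `-LiteralPath` prevents wildcard characters in an attacker-chosen name from expanding to something else.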
Looking at the eight information disclosure bugs in this month’s release, most simply result in leaks consisting of unspecified memory contents. A notable exception is the patch for .NET Core and Visual Studio that could disclose data inside the targeted website such as IDs, tokens, nonces, and other sensitive information. Microsoft does not specify what information is disclosed by the bug in the Windows Cryptographic Primitives Library, but judging by the title alone, it’s possible (though unlikely) that an attacker could recover plaintext data from encrypted content. Let’s hope we receive more information on this bug in the future.
Only two patches this month result in Denial-of-Service (DoS) conditions, but you likely only need to act on one. The update for Azure Sphere should have been automatically delivered to your device provided it is connected to the Internet. The other patch fixes a DoS bug in .NET Core and Visual Studio and needs to be installed as per usual.
There are also two security feature bypasses getting fixes this month: the Chromium navigation UI bug in the table above and one in Azure Active Directory Connect. For the latter, you’ll need to do more than just patch to prevent a Man-in-the-Middle (MiTM) attack between your Azure AD Connect server and a domain controller: you will also need to disable NTLM as laid out in this document. The other spoofing bug, apart from the LSA one covered above, occurs in SharePoint Server and likely manifests as a cross-site scripting (XSS) issue. Speaking of XSS bugs, this month’s release is rounded out by two patches for XSS vulnerabilities in Microsoft Dynamics.
As expected, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released.
Looking Ahead
The next Patch Tuesday falls on September 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!