MS PatchTuesday February 2021

M$ Patch Tuesday February 2021 fixes 56 bugs, which include a ZeroDay and a high priority DNS (Domain Name System) vulnerability patch.

ZeroDay CVE-2021-1732 is an elevation of privilege bug that comes in with a slightly lower CVSS of 7.8, because the attacker already needs some sort of access on the targeted host. Once exploited, the attacker elevates from standard user to SYSTEM level access. This ZeroDay was supposedly used by a threat actor known as Bitter as far back as May 2020.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732

DNS heavy hitter CVE-2021-24078 is a critical vulnerability in Windows DNS Server 2008 through 2019; all versions are affected. This bug could be used to remotely install malicious software simply by an end user visiting an infected website, so it came in at a high CVSS of 9.8.
Krebs on Security stated: "Recorded Future says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). Kevin Breen of Immersive Labs notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization’s web traffic — such as pointing internal appliances or Outlook email access at a malicious server."
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24078

TCP/IP stack bugs CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086 are patch-now vulnerabilities: the first two are RCEs coming in at a CVSS of 9.8, and the last is a Denial of Service CVE with a CVSS of 7.5.
From Microsoft on the TCP/IP CVEs: "The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely [to be exploited] in the short term." "We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release." "Thus, we recommend customers move quickly to apply Windows security updates this month."
In Microsoft’s quote they state the RCEs are complex to exploit; however, in the official update guide linked below the Attack Complexity is listed as low. Either way, don’t wait to find out on these. It’s the TCP/IP stack, so patch as soon as possible.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086

Other CVEs to note
CVE-2021-1733 – Sysinternals PsExec Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1733
CVE-2021-26701 – .NET Core Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701
CVE-2021-1727 – Windows Installer Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1727

ZeroLogon Reminder - CVE-2020-1472 Second Patch Round
As a friendly reminder, this month is when MS is releasing its Domain Controller patch to enforce secure Netlogon communications. The previous patches released in August 2020 fixed the flaw on Windows Server systems; however, they did not stop devices from attempting to use insecure Netlogon. That initial patch also added Windows Event IDs 5827-5831, which help to identify any of those legacy systems reaching out with insecure Netlogon requests.
For a more in-depth look at ZeroLogon and the Event IDs, refer to: https://weistercreekinfosec.com/2021/01/23/zerologon-last-minute-need-to-know/
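As an added example (not code from the original post), the PowerShell below summarises the Netlogon Event IDs 5827-5831 mentioned above so you can see which machine accounts are still reaching a domain controller over insecure Netlogon before enforcement kicks in. It assumes it is run on the DC itself (or that $dc is changed to a DC you can query remotely), and the regex that pulls the account name out of the event text is an assumption about the message layout.

```powershell
# Added example, not from the original post: summarise Netlogon events 5827-5831 on a
# domain controller to find devices still attempting insecure Netlogon connections.
# Assumption: run on the DC itself, or change $dc to a DC hostname you can query remotely.
$dc       = $env:COMPUTERNAME
$lookback = (Get-Date).AddDays(-30)

# Meanings as documented by Microsoft for the August 2020 Netlogon update (KB4557222).
$meaning = @{
    5827 = 'Denied: vulnerable machine account connection'
    5828 = 'Denied: vulnerable trust account connection'
    5829 = 'Allowed (enforcement off): vulnerable machine account connection'
    5830 = 'Allowed by policy: vulnerable machine account connection'
    5831 = 'Allowed by policy: vulnerable trust account connection'
}

$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = $lookback
}

if (-not $events) {
    Write-Host "No Netlogon 5827-5831 events on $dc since $lookback (or log not readable)."
    return
}

# Pull the machine account name out of the event text. These events carry a
# 'Machine SamAccountName:' field; the regex is an assumption about the message layout.
$rows = foreach ($e in $events) {
    $acct = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
    [pscustomobject]@{
        Account = $acct
        EventId = $e.Id
        Meaning = $meaning[$e.Id]
        Time    = $e.TimeCreated
    }
}

# One line per account and event type: who still talks insecure Netlogon, how often, last seen.
$rows | Group-Object Account, EventId | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Group[0].Account
        EventId  = $_.Group[0].EventId
        Meaning  = $_.Group[0].Meaning
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Anything showing up as 5829 will be denied once the February enforcement patch is applied, so those accounts are the ones to update or explicitly allow by policy first.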

Patch em if you got them!!

Weister Creek Information Security – February 10 2021
