Cybersecurity Vulnerabilities
August 10, 2021

Patch Newsday 10 August: Ironic exploitation and the spectre of PrintNightmare


Patch Tuesday once again rolled around too quickly this month. This particular update saw Microsoft fix a total of 51 vulnerabilities, with one being exploited in the wild:

  • 17 Elevation of Privilege Vulnerabilities
  • 0 Security Feature Bypass Vulnerabilities
  • 13 Remote Code Execution Vulnerabilities
  • 8 Information Disclosure Vulnerabilities
  • 2 Denial of Service Vulnerabilities
  • 4 Spoofing Vulnerabilities
  • 7 Edge - Chromium Vulnerabilities

Those that stood out to us are below:

CVE-2021-36948: Ironically, the one bug under active exploitation this month sits in a component that exists to keep Windows 10 updated: the Windows Update Medic Service. CVE-2021-36948 is a privilege escalation vulnerability. Bugs of this class are the cornerstone of modern intrusions, because they give an attacker who already has a foothold the level of access needed to hide their tracks and create user accounts. In ransomware attacks they are also used to ensure maximum damage, since encrypting an entire host or domain needs high privileges.

CVE-2021-36947, CVE-2021-36936 and CVE-2021-34481: The spectre of PrintNightmare continues to haunt this Patch Tuesday with three more Print Spooler vulnerabilities. CVE-2021-36947 and CVE-2021-36936 are listed as Remote Code Execution over the network, requiring only a low level of access, similar to PrintNightmare. CVE-2021-34481 is an elevation of privilege bug in the same service, and alongside its fix Microsoft has changed the default Point and Print behaviour so that installing or updating printer drivers now requires administrator rights. Microsoft has marked these as ‘Exploitation More Likely’ which, given how quickly proof-of-concept code appeared for the earlier spooler bugs, seems a safe bet.
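As an added example (not part of the original post), the PowerShell below audits a Windows host for the Print Spooler exposure discussed above: whether the Spooler service is running, and how the Point and Print policy values that Microsoft's August 2021 update hardened are set. The registry key and value names are the documented Point and Print policy values; which settings the script flags as weak is this example's own judgement, based on Microsoft's guidance that driver installation should require administrator rights and show the elevation prompt.

```powershell
# Added example, not from the original post. Audits a host for Print Spooler exposure.
# Registry key and value names are Microsoft's documented Point and Print policy values;
# the "weak" thresholds below are this example's assumption based on Microsoft's guidance.
function Get-PrintSpoolerExposure {
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # Spooler service state: the original PrintNightmare mitigation was to stop and
    # disable it on hosts that do not need to print (domain controllers in particular).
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $findings = [ordered]@{
        SpoolerStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    }

    # Point and Print policy values. A missing value means "not configured"; after the
    # August 2021 update the OS default for driver installation is admin-only, so an
    # absent RestrictDriverInstallationToAdministrators is acceptable, an explicit 0 is not.
    $pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    $findings.RestrictDriverInstallationToAdministrators = $pp.RestrictDriverInstallationToAdministrators
    $findings.NoWarningNoElevationOnInstall               = $pp.NoWarningNoElevationOnInstall
    $findings.UpdatePromptSettings                        = $pp.UpdatePromptSettings

    $issues = @()
    if ($findings.SpoolerStatus -eq 'Running') {
        $issues += 'Spooler is running: disable it on hosts that do not need to print.'
    }
    if ($findings.RestrictDriverInstallationToAdministrators -eq 0) {
        $issues += 'RestrictDriverInstallationToAdministrators is 0: non-admins can install print drivers via Point and Print.'
    }
    if ($findings.NoWarningNoElevationOnInstall -eq 1) {
        $issues += 'NoWarningNoElevationOnInstall is 1: new driver installs skip the warning and elevation prompt.'
    }
    if ($findings.UpdatePromptSettings -eq 1 -or $findings.UpdatePromptSettings -eq 2) {
        $issues += 'UpdatePromptSettings is 1 or 2: driver updates skip the elevation prompt.'
    }

    [pscustomobject]@{
        Findings = [pscustomobject]$findings
        Issues   = $issues
    }
}

# Usage: run in an elevated PowerShell session on the host being checked.
$report = Get-PrintSpoolerExposure
$report.Findings | Format-List
if ($report.Issues.Count -gt 0) {
    $report.Issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No Point and Print weaknesses found on this host.'
}
```

The script reads policy state rather than changing it, so it is safe to run across a fleet; the warnings it emits map one-to-one onto the settings an administrator would correct via Group Policy or by stopping the Spooler service.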

CVE-2021-34535: With today’s highly dispersed workforce, CVE-2021-34535, an RCE vulnerability in the Remote Desktop Client, should be a priority patch. Note the direction of this one: it is the client that is vulnerable, so a user who is lured into connecting to a malicious or compromised RDP server can have code run on their own machine, and Microsoft notes the same bug is reachable from a Hyper-V guest against the host’s viewer. Attackers increasingly use RDP as the tip of the spear to gain network access, often combining it with privilege escalation to move laterally. RDP-based access is powerful because, depending on the method, it can let the attacker authenticate to the network in the same way a legitimate user would, making detection difficult.

CVE-2021-36942: A Windows LSA Spoofing Vulnerability is interesting. It fixes a flaw that could be used to coerce a domain controller or other vulnerable host into authenticating to an attacker-controlled machine over NTLM, where the authentication can be captured or relayed onward. These types of attacks are well known for lateral movement and privilege escalation, as has been demonstrated recently by the PetitPotam technique, which chains this coercion with an NTLM relay to Active Directory Certificate Services to obtain a certificate for the domain controller’s machine account. It is a post-intrusion technique, further down the attack chain, but still a useful tool for attackers. In addition to the patch, Microsoft has released general advice on mitigating NTLM relay attacks against AD CS (KB5005413), including enabling Extended Protection for Authentication on the certificate web enrollment endpoints.

CVE-2021-34480: A Scripting Engine Memory Corruption Vulnerability should also be a priority. Its CVSS score is a modest 6.8, but Microsoft has marked it ‘Exploitation More Likely’, and bugs of this type, triggered when a victim opens a crafted web page or document, are commonly used to increase the success rate of spear phishing attacks aimed at gaining network access. Simple, but effective.

Kev Breen,
Director of Cyber Threat Research,
Immersive Labs

@kevthehermit
