Cybersecurity Vulnerabilities
October 13, 2021

Patch Newsday: 12 October 2021 – Spooky Spooler and Sinister Scores

Patch Newsday

It’s the spookiest time of the year – and a few of the vulnerabilities in this month’s Patch Tuesday are just that. With 71 vulns, one of which is being actively exploited in the wild, we’ve got plenty to discuss, so get yourself a coffee and settle in for October’s Patch Newsday.

CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability

While the CVSS score for this one isn’t the highest we’ve seen this month, with a rather pedestrian 7.8 out of 10, it is noted as ‘exploitation detected’, meaning attackers are already using it against organizations to gain admin rights. This makes it a priority to patch.

Gaining this level of access on a compromised host is the first step towards becoming a domain admin – and securing full access to a network. Almost every ransomware attack reported this year has included the use of one or more privilege escalation vulnerabilities as part of the attacker’s workflow, so this is serious stuff indeed.

CVE-2021-40487 – Microsoft SharePoint Server Remote Code Execution Vulnerability

With a respectable 8.1 out of 10 CVSS score, this one is marked as ‘exploitation more likely’ by Microsoft.

It requires an authenticated user on the domain, so it will be more difficult for an attacker to exploit; however, gaining remote code execution on a SharePoint server opens up a lot of avenues for further exploitation. Internal SharePoint servers are often used to host company-sensitive documents and provide an intranet for staff to interact with. If an attacker could manipulate the content of these articles or replace valid documents with malicious ones, they could steal credentials or trick targeted users into installing additional malware.

CVE-2021-26427 – Microsoft Exchange Server Remote Code Execution Vulnerability

On the theme of CVSS scores, this one is the proud bearer of the highest score this month, with a 9.0 out of 10. Even so, Microsoft has marked it as ‘exploitation less likely’, perhaps due to the network-adjacent attack vector. This means an attacker would already need access to your network in order to exploit this vulnerability.

Email servers will always be prime targets, simply due to the amount of data contained in emails and the range of possible ways attackers could use them for malicious purposes. While it’s not right at the top of my list of priorities to patch, it’s certainly one to be wary of.

CVE-2021-36970 – Windows Print Spooler Spoofing Vulnerability

The tale of the haunted printer returns just in time for Halloween! It seems the Windows Print Spooler is the scariest component of Windows at the moment, as Microsoft unearths and patches yet another vulnerability. This one gets a score of 8.8 and is listed as ‘exploitation more likely’. Reading between the lines, this ‘spoofing vulnerability’ is probably another privilege escalation.

A new vulnerability has been found and patched in Print Spooler every month since PrintNightmare was first disclosed in June 2021. We’ll be interested to see how this continues to progress.

Conclusion

As always, you know your own risk and what assets in your organization have the most exposure, so plan your updates accordingly. One thing worth considering, especially if you have critical services that rely on uptime, is your testing or roll-back process. We’ve seen several occasions where patches have unintended side effects, so take this into account in your planning process.

We always recommend patching anything that is being actively exploited first. Privilege escalation vulnerabilities always score lower than remote code execution, but they are more commonly used by attackers once they have that initial access, so do not let the raw CVSS score be your priority order.
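To make that prioritisation rule concrete, here is a small ranking helper (an added example, not part of the original post or of Immersive Labs’ tooling) that orders this month’s four CVEs by Microsoft’s exploitability label first and uses CVSS only as the tie-break. The ranking weights and the `Vuln` record are this example’s own assumptions; the scores and labels are the ones quoted above.

```python
from dataclasses import dataclass

# Microsoft's exploitability labels, ranked most to least urgent.
# The ranking itself is this example's assumption, following the post's
# advice to patch anything actively exploited before anything else.
EXPLOIT_RANK = {
    "exploitation detected": 0,
    "exploitation more likely": 1,
    "exploitation less likely": 2,
}


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    cvss: float
    exploitability: str
    vuln_class: str  # e.g. "EoP", "RCE", "Spoofing"


# The four vulnerabilities discussed in the post, with the scores and labels it quotes.
OCTOBER_2021 = [
    Vuln("CVE-2021-40449", "Win32k Elevation of Privilege", 7.8, "exploitation detected", "EoP"),
    Vuln("CVE-2021-40487", "SharePoint Server RCE", 8.1, "exploitation more likely", "RCE"),
    Vuln("CVE-2021-26427", "Exchange Server RCE", 9.0, "exploitation less likely", "RCE"),
    Vuln("CVE-2021-36970", "Print Spooler Spoofing", 8.8, "exploitation more likely", "Spoofing"),
]


def by_cvss_only(vulns):
    """The naive order: highest base score first."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]


def prioritize(vulns):
    """Exploitation status first; CVSS breaks ties within the same status.
    Unknown or missing labels sort last rather than raising."""
    def key(v):
        rank = EXPLOIT_RANK.get(v.exploitability.strip().lower(), len(EXPLOIT_RANK))
        return (rank, -v.cvss)
    return [v.cve for v in sorted(vulns, key=key)]


def rank_changes(vulns):
    """How many places each CVE moves (positive = more urgent) once exploitation
    status, not raw CVSS, drives the order."""
    naive, ranked = by_cvss_only(vulns), prioritize(vulns)
    return {cve: naive.index(cve) - ranked.index(cve) for cve in ranked}


if __name__ == "__main__":
    for cve, shift in rank_changes(OCTOBER_2021).items():
        print(f"{cve}: {shift:+d}")
```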

Kev Breen,
Director of Cyber Threat Research,
Immersive Labs

@kevthehermit