Patch Newsday: April 13, 2021

It's our favorite time of the month: Patch Tuesday! Kev Breen, our Director of Cyber Threat Research, shares his thoughts and priorities from yesterday’s release.

With a total of 119 CVEs, 57 of which are Remote Code Execution, organizations will be doing more than their fair share of prioritization and patching.

CVE-2021-28480 through to CVE-2021-28483 are a collection of vulnerabilities for Exchange Server found by the NSA.

It’s interesting to see the agency come out strongly on Patch Tuesday and warn of the risks. This underlines the criticality of cybersecurity to entire nations, as well as the continued blurring of the lines between nation states, intelligence services and enterprise security. With a number of high-profile attacks affecting well-used enterprise software recently, the NSA are obviously keen to step up and play a proactive role.

There are 30 Remote Procedure Call Runtime RCEs in this release, covering everything from Win7 servers from 2008, all the way up to Win10 servers in 2019. Disclosed by a third party, the huge range of targets this covers could make it very appealing to attackers. However, with no associated POC code it will require work to weaponize.

CVE-2021-28310 is an actively exploited escalation of privilege vulnerability in Win32k which would be a useful part of the attacker toolkit for moving laterally while removing any signs of existence. With the ability to create admin level access, it would allow a threat actor to wipe log files and other forensic markers to increase dwell time and reduce chances of detection.

A set of 10 Remote Code Execution vulnerabilities affect Microsoft’s free source code editor, Visual Studio Code, and its plugins. With developer environments increasingly in vogue with attackers, given their potential to amplify attacks into multiple users, I would not be surprised to see APT groups focusing on weaponizing these.

While patching is not as simple as it seems, software updates occasionally have unforeseen consequences that require due diligence prior to deployment. This should not stop you applying them. To mitigate any such consequences, security teams should identify their risk exposure and test patches in a development area before pushing them live.

It is also important to invest some time and effort in enabling your SOC / NOC to quickly review patch notes so you can triage effectively based on your environment. Active exploits in the wild should be a higher priority, as should those that pose the highest risk and exposure.

As always, thanks for tuning in – we'll see you next Patch Tuesday for more!

Kev Breen,
Director of Cyber Threat Research
@kevthehermit