First of all, I would be remiss not to mention 21 Nails, the set of critical vulnerabilities in Exim SMTP Server. It's not in the standard cycle for patch management, but we are seeing active exploit development so wide scale exploitation could be close behind. If you have Exim installed and have not already done so, patch it quickly.
CVE-2021-26419 – Scripting Engine Memory Corruption Vulnerability
Internet Explorer needs to die – and I’m not the only one that thinks so. Aside from the pain of a number of exploit kits capitalizing on IE11 exploits, many web developers across the globe shudder at the thought of building web applications to support this old and decrepit technology stack.
CVE-2021-26419 is a vulnerability in the Scripting Engine for IE11. To trigger the vulnerability, a user would have to visit a site that is controlled by the attacker, although Microsoft also recognises that it could be triggered by embedding ActiveX controls in Office Documents.
If you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.
CVE-2021-31166 – HTTP Protocol Stack Remote Code Execution Vulnerability
The fact that this one is just 0.2 points away from a perfect 10 CVSS score should be enough to identify just how important it is to patch. CVE-2021-31166 is an unauthenticated Remote Code Execution vulnerability, meaning an attacker only has to be able to send packets to the server to trigger it. Worryingly, Microsoft have indicated that this vulnerability has the potential to be wormable; it could be used to self-replicate across the internal network and affect internal services that may not have been exposed.
For ransomware operators, this kind of vulnerability is a prime target for exploitation. Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it’s even more appealing for attackers, so any organization using HTTP.sys protocol stack should prioritize this patch.
CVE-2021-31188, CVE-2021-31170 and CVE-2021-28474: Priv Esc
Responsibly disclosed by the ZeroDayInitiative, CVE-2021-31188 and CVE-2021-31170 are a pair of Local Privilege Escalation vulnerabilities in the Windows Graphics Component. They are listed by Microsoft as more likely to be exploited. This could be due to the nature of the disclosure by ZDI, who typically follow their disclosures with technical and detailed blog posts on the discovery and exploitation of these vulnerabilities, which makes it easier for attackers to leverage once the full details emerge. This kind of vulnerability is often used by attackers after they have already gained a foothold through an initial infection vector, like phishing or via another exploit like the RCE in HTTP.sys (CVE-2021-31166). The attackers are looking to increase their privileges so they can move laterally across a network or gain access to other accounts that may have access to more sensitive information.
CVE-2021-28474 allows an authenticated attacker to run code on remote SharePoint Servers. As this is post-authentication, this is likely to be used as part of the post-exploitation and lateral movement phases of an attack, rather than the initial infection vector. Attackers could gain access to sensitive documents or even replace real documents with weaponized versions, enabling the compromise of more user devices across the organization’s network.
An Accidental Zero Day?
When we talk about patching vulnerabilities, we are typically referring to those made public by responsible disclosure or through active exploitation. With Microsoft running more open source projects, accidental zero days can and do happen. Interestingly, CVE-2021-31200 is one such vulnerability found in Microsoft’s NNI Toolkit, which is used for machine learning and neural networks. A public commit to this repository in December reveals a YAML Deserialization Vulnerability.
There are a handful of exploits this month that affect Office. Even though Microsoft have listed them as ‘less likely to be exploited’, Office is still a significant vector for delivering ransomware, so this should be patched quickly.
As always, organizations should know what their architecture looks like and how much risk is carried by devices, applications and their availability. No patch is without risk and there have been occasions where patches have had unintended consequences. This is not a reason to unnecessarily delay the deployment of updates – it’s just another good reason to make sure you know your architecture. This is especially true when we see that motivated threat groups have been known to take advantage of exploits with mature POCs within hours of the code being made public.
If you are not able to patch, then ensure that your security teams have the technical capability and support to add enhanced logging and alerting around critical devices while patches are tested and made ready for deployment.
12 May 2021
Director of Cyber Threat Research,
Latest Blog posts