Microsoft has recently released the patched vulnerabilities roll which includes 56 system and operating system vulnerabilities and security updates for Windows 10. The complete patching list includes over 1000 items, 300 of them having been flagged as “critical”. Note that the items in question have been addressed separately by Microsoft, as part of the January-February security update series and cumulative updates.
The latest vulnerability patching roll addresses issues found in Azure’s IoT, .NET Frameworks, Edge on Chromium, Bluetooth Driver, Office Excel, MS Office SharePoint, DNS Server, Windows Codecs Library, Windows Kernel, Windows TCPIP, DirectX, Windows MDM, Windows PFX Encryption. In addition, Microsoft has also identified and fixed a zero-day vulnerability that has been abused since May 2020 by APT Bitter to attack targets in China and Pakistan.
Highlighting in this patch Tuesday article some of the most important and impactful patches released by Microsoft.
CVE-2021-1722 – Windows Fax Service Remote Code Execution Vulnerability
Microsoft identified a vulnerability in the Windows Fax Service that could potentially allow threat actors to trigger remote code execution on the victim’s machine without admin-type privileges. The vulnerability, which was earmarked CVE-2021-1722, has a base score of 8.1 and a temporal score of 7.1. Microsoft’s proposed workaround is to verify the status of the Windows Fax service. To see if the Fax service is running on your machine, follow these steps:
- Click the “Start” button or press the Windows key.
- Type in “Run” and press enter.
- In the Run window, type in “services. msc” and press the enter key.
- Navigate the list until you find the Fax service.
If the Fax service does not appear in this list, it means that your machine is not vulnerable to this exploit, since the service was not deployed on your machine. On the other hand, if the Fax services appear on the list but flagged as inactive, you should remove the Fax service, otherwise, it might be used as an attack vector via a remote service start.
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability
The vulnerability mainly affects machines running one or all SCOM components – Management Server, Microsoft Monitoring Agent, and Gateway. CVE-2021-1728 can be fixed by installing Update Rollup 2 For SCOM 2019. According to Microsoft, the fix should be applied only if the features “Enable Service Log on” or “Interactive Log on” are enabled in your SCOM. This vulnerability, which received an 8.8/ 7.7 score, could have been used to obtain elevated privileges on the target machine for the purpose of remote code execution andor recon.
CVE-2021-1732 Windows 32K Elevation of Privilege (Zero-Day) Vulnerability
Disclosed back May 2020 by DBAPPSecurity, the vulnerability, which would later be earmarked CVE-2021-1732, was loosely associated with the modus operandi of Bitter, the threat group believed to be responsible for several attacks launched against Chinese and Pakistani targets. The complete report, readily available on the cybersecurity’s company official website, classified the aggressions as “sophisticated”, bearing the distinctive marks of a zero-day threat.
The report states that the threat group exploited a Win32k bug in order to gain system-level privileges. CVE-2021-1732 affected machines running the 1909 Windows 10 build (64-bit version) and the 20H2 64-bit Windows build. The issues were addressed and fixed by Microsoft’s latest cumulative updates.
CVE-2021-24074 & CVE-2021-24094 TCPIP Remote Code Execution Vulnerabilities
Both remote code execution vulnerabilities exploit the IP protocol – CVE-2021-24074 exploits ipv4, while CVE-2021-24094 exploits ipv6. The vulnerabilities allowed threat actors to remotely take over Windows machines operating under ipv4 and ipv6. Microsoft has also issued workarounds for both vulnerabilities.
To fix CVE-2021-24074, please follow these steps:
- Open a Command Prompt window with administrator rights.
- Type in the following command line:
Netsh int ipv4 set global sourceroutingbehavior=drop
3. Press Enter to confirm
Clarification: the above fix will tell the system that ipv4 source routing is unsafe and instruct the system to drop all requests.
To fix CVE-2021-24094, please follow the steps below:
- Run Command Prompt with admin privileges.
- Type in the following command line:
Netsh int ipv6 set global reassemblylimit=0
Clarification: the above fix will force the system to disable the packet reassembly process, meaning that any packed labeled as out-of-order will be discarded. This workaround comes with its own warning label: dropping all out-of-order packets may result in packet loss. Testing is recommended before scaling.
As always, Heimdal™ Security recommends that all critical security updates & patches should be deployed with the utmost urgency. Your system administrators should prioritize machines running legacy software and servers containing backups andor sensitive databases.
Automating your patching and updating flow will eliminate downtimes, improve overall patchupdate deployment security, and ensure that all the vital updates and patches have been deployed on all machines.
Heimdal™ Security’s Patch & Asset Management solution is the safest and quickest way to download and deploy critical Microsoft or 3rd Party updates and patches. On top of that, our solution also covers the patching and updating process for proprietary software. Other advantages include P2P network distribution, encrypted HTTPS transfers, advanced updatepatch scheduler, silent deployment, and many more. Contact us to schedule a free 30-day trial of Heimdal™ Patch & Asset Management.
Additional Patch Management Resources