Seven 'Critical' Vulnerabilities Addressed in Microsoft's August Patch Rollout
The August edition of Microsoft's monthly security patch rollout is here, addressing 44 common vulnerabilities and exposures (CVEs), seven of them rated "Critical" under Microsoft's severity scale.
Microsoft summarizes the affected products and "known issues" with the patches in its August "Release Notes" document. Patches are voluminously cataloged, with boilerplate descriptions, in Microsoft's August "Security Update Guide."
This month's patch count is a relatively small one. Dustin Childs of Trend Micro's Zero Day Initiative attributed the smaller bundle to the time Microsoft spent in July patching the "PrintNightmare and PetitPotam" vulnerabilities, according to a Zero Day Initiative post.
Two vulnerabilities (CVE-2021-36936 and CVE-2021-36942) were publicly known before Microsoft's August patch release. One vulnerability (CVE-2021-36948) was exploited in the wild before the release. Publicly known and exploited vulnerabilities deserve priority because attackers already have a head start on them.
The Exploited ('Zero Day')
The one exploited vulnerability (CVE-2021-36948) is rated only "Important" by Microsoft, with a Common Vulnerability Scoring System (CVSS) score of 7.8 out of 10. It is an elevation-of-privilege flaw in the Windows Update Medic Service, a service found in Windows 10 clients and Windows Server 2019.
The Windows Update Medic Service is used to repair damaged Windows Update components. However, it's easily exploited, according to Jay Goodman, director of product marketing at security solutions company Automox, in published Automox "Patch Tuesday" commentary:
The exploit [of CVE-2021-36948] is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary's toolbox. Compounding the situation, remote code execution vulnerabilities are particularly problematic since they enable attackers to run malicious code on the exploited systems.
It was Microsoft that discovered this zero-day vulnerability in the Windows Update Medic Service, according to Satnam Narang, staff research engineer at security solutions company Tenable, via e-mail.
"It [CVE-2021-36948] was reported internally by Microsoft's security research teams and is the only vulnerability patched this month that was exploited in the wild as a zero-day," Narang indicated.
Of the two publicly known vulnerabilities, one is a Windows LSA spoofing flaw (CVE-2021-36942) that Microsoft deems only Important, yet it carries a CVSS score of 9.8. Childs described this patch as "further protection against NTLM relay attacks" associated with the PetitPotam attack.
The PetitPotam NTLM relay attack scenario popped up in a late-July Microsoft security advisory ADV210003. Microsoft described the messy mitigation steps to take in Knowledge Base article KB5005413. Potentially affected organizations are those with "servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks," the Knowledge Base article explained.
Childs recommended applying the August CVE-2021-36942 patch and following Microsoft's advice in its July advisory and Knowledge Base article:
You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn't the last we'll hear of this persistent issue.
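Beyond installing the CVE-2021-36942 patch, KB5005413's mitigations are configuration changes on the AD CS web enrollment endpoints that an administrator should verify rather than assume. The following is an added example, not code from the article, Microsoft or the Knowledge Base article: a read-only PowerShell check, run on the CA server, for the three IIS-side settings KB5005413 describes (Extended Protection for Authentication set to Required, SSL required, and NTLM removed from the Windows Authentication providers). It assumes Certificate Authority Web Enrollment is installed under "Default Web Site" at /CertSrv and that the WebAdministration module is available; both are assumptions to adjust for your environment.

```powershell
# Added example (not from the article, Microsoft or KB5005413): check the IIS
# mitigations KB5005413 describes for the AD CS Web Enrollment application.
# Assumptions: the app lives at "Default Web Site/CertSrv" and the
# WebAdministration module is present on the CA server.
Import-Module WebAdministration

function Test-AdcsNtlmRelayMitigations {
    param([string]$AppPath = 'IIS:\Sites\Default Web Site\CertSrv')

    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

    # Extended Protection binds the authentication token to the TLS channel,
    # so a relayed NTLM exchange fails even if NTLM is still negotiated.
    $epa = Get-WebConfigurationProperty -PSPath $AppPath -Filter $winAuth -Name 'extendedProtection'
    $tokenChecking = [string]$epa.tokenChecking

    # Providers offered to clients. KB5005413 suggests removing NTLM and keeping
    # Negotiate:Kerberos so the enrollment pages only accept Kerberos.
    $providers = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "$winAuth/providers" -Name 'Collection') |
        ForEach-Object { [string]$_.value }

    # EPA only helps over TLS, so the application must also require SSL.
    $sslRaw = Get-WebConfigurationProperty -PSPath $AppPath -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $sslFlags = if ($sslRaw -is [string]) { $sslRaw } else { [string]$sslRaw.Value }
    $flagList = $sslFlags -split ',' | ForEach-Object { $_.Trim() }

    $findings = @()
    if ($tokenChecking -ne 'Require') {
        $findings += "extendedProtection.tokenChecking is '$tokenChecking', expected 'Require'"
    }
    if ($flagList -notcontains 'Ssl') {
        $findings += "sslFlags is '$sslFlags', expected to include 'Ssl' (Require SSL)"
    }
    if ($providers -contains 'NTLM') {
        $findings += "NTLM is still offered as a provider ($($providers -join ', '))"
    }

    [pscustomobject]@{
        AppPath       = $AppPath
        TokenChecking = $tokenChecking
        SslFlags      = $sslFlags
        Providers     = $providers
        Mitigated     = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Usage on the CA server; Mitigated is $true only when all three checks pass.
Test-AdcsNtlmRelayMitigations | Format-List
```

The same three checks apply to the Certificate Enrollment Web Service application if it is installed; pass its IIS path as `-AppPath`. The function reads configuration only, so it is safe to run from a change ticket before and after applying the KB5005413 steps.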
The other publicly known vulnerability, CVE-2021-36936, concerns the Windows print spooler, potentially enabling remote code execution (RCE) attacks. It's rated Critical (CVSS 8.8) and is yet another patch for the Windows print spooler, which got patches back in July for so-called "PrintNightmare" vulnerabilities.
Narang noted that there's more than one Windows print spooler patch in Microsoft's August security patch bundle:
Two of the three Print Spooler vulnerabilities patched this month, CVE-2021-36947 and CVE-2021-36936, are rated as "Exploitation More Likely," according to Microsoft's Exploitability Index. CVE-2021-36936 is also identified as being Publicly Disclosed, which implies this is one of the additional vulnerabilities researchers have uncovered since PrintNightmare was first disclosed. Because of the ubiquitous nature of the Windows Print Spooler within networks, organizations should prioritize patching these flaws as soon as possible.
Point and Print Behavioral Change
Point and Print is a long-standing Windows feature that lets users connect to a shared printer and have the driver and configuration files pulled automatically from the print server, instead of obtaining and installing them by hand. That convenience is the problem: its default behavior did not require the security protections needed to stop driver-install abuse, Microsoft acknowledged in a Tuesday Microsoft Security Response Center announcement.
To address PrintNightmare, Microsoft has changed how Point and Print works by default. With the August patches in place, installing printer drivers through Point and Print requires administrator privileges; standard users can no longer add a printer whose driver is not already present.
The change ships in the August 10 cumulative security updates themselves rather than as a separately named update, the announcement explained:
The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service. This change will take effect with the installation of the security updates released on August 10, 2021 for all supported versions of Windows, and is documented as CVE-2021-34481.
CVE-2021-34481 was first published by Microsoft in July, Childs noted; the August update is where the default behavior change that closes it actually lands.
If organizations want to undo this change to Point and Print's default behavior (which Microsoft does not recommend), Knowledge Base article KB5005652 describes the Registry value to set. It should be treated as a deliberate acceptance of the PrintNightmare risk, not a routine compatibility fix.
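Because the opt-out is a single Registry value, a fleet can drift back to the weak setting without anyone noticing. The following is an added example, not code from the article, Microsoft or KB5005652: a PowerShell audit of the Point and Print policy values, with the weak setting KB5005652 describes shown next to the hardened one. It assumes the key path and value names documented in KB5005652 (RestrictDriverInstallationToAdministrators) and in the July PrintNightmare guidance (NoWarningNoElevationOnInstall and UpdatePromptSettings), and that an absent RestrictDriverInstallationToAdministrators value means the post-August default of 1 applies once the update is installed.

```powershell
# Added example (not from the article or KB5005652): audit Point and Print
# policy values and pin the hardened defaults. Assumptions: key path and value
# names as documented in KB5005652 and the July PrintNightmare guidance; an
# absent RestrictDriverInstallationToAdministrators value means the new default (1).
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    param([string]$KeyPath = $PointAndPrintKey)

    $names = 'RestrictDriverInstallationToAdministrators',
             'NoWarningNoElevationOnInstall',
             'UpdatePromptSettings'
    $values = @{}
    if (Test-Path $KeyPath) {
        $props = Get-ItemProperty -Path $KeyPath
        foreach ($n in $names) {
            if ($null -ne $props.$n) { $values[$n] = [int]$props.$n }
        }
    }

    $findings = @()
    # 0 is the documented way to restore pre-August behaviour: the weak setting.
    # An absent value is left alone because the August default already restricts installs.
    if ($values['RestrictDriverInstallationToAdministrators'] -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0: non-admins can install print drivers'
    }
    # Non-zero values suppress the warning and elevation prompt on driver install,
    # which the July PrintNightmare guidance told administrators to keep at 0.
    if ($values['NoWarningNoElevationOnInstall'] -gt 0) {
        $findings += "NoWarningNoElevationOnInstall=$($values['NoWarningNoElevationOnInstall']): install warning and elevation suppressed"
    }
    if ($values['UpdatePromptSettings'] -gt 0) {
        $findings += "UpdatePromptSettings=$($values['UpdatePromptSettings']): driver update prompt suppressed"
    }

    [pscustomobject]@{
        KeyPath  = $KeyPath
        Values   = $values
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Set-PointAndPrintHardened {
    param([string]$KeyPath = $PointAndPrintKey)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    # Weak setting (what KB5005652 lets you opt back into; Microsoft does not recommend it):
    #   Set-ItemProperty -Path $KeyPath -Name RestrictDriverInstallationToAdministrators -Value 0 -Type DWord

    # Hardened: explicitly pin the post-August defaults so later policy edits are visible as drift.
    Set-ItemProperty -Path $KeyPath -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    Set-ItemProperty -Path $KeyPath -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $KeyPath -Name UpdatePromptSettings -Value 0 -Type DWord
}

# Usage: report the current posture; Hardened is $false when any weak value is present.
Get-PointAndPrintPosture | Format-List
```

Run the audit through your endpoint management tooling after the August update; hosts where Hardened is false are the ones someone has opted out on, and each should have a documented reason before it is left that way.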
Noteworthy Critical Patches
Security researchers this month are pointing to a Critical remote desktop client RCE vulnerability (CVE-2021-34535), which has a CVSS score of 9.9.
Childs noted that the CVE-2021-34535 vulnerability occurs in the client, not in the server. For exploitation to occur, victims would need to be lured to a server controlled by an attacker or be exposed to a malicious program in a guest virtual machine, he explained:
An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer.
Other Critical vulnerabilities got patches this month as well. One of them, CVE-2021-26432, carries a name stuffed with abbreviations, which Aleks Haugom, product marketing manager at Automox, unpacked:
CVE-2021-26432 is a critical, remote code execution vulnerability with way too many acronyms. To break it down: Network File System (NFS), Open Network Computing Remote Procedure Call (ONCRPC), External Data Representation (XDR). Acronyms aside, this vulnerability is more likely to be exploited given its low complexity status and that it does not require privileges or user interaction.
CVE-2021-26432 can be exploited for denial-of-service attacks and altering files. Details describing the vulnerability are lacking, but Haugom recommended patching it "ASAP."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.