MICROSOFT WINDOWS – OCTOBER 2021 ZERO-DAY VULNERABILITIES

Priority: High

Executive Summary:

Microsoft has issued security updates to fix a total of 74 vulnerabilities including four zero-days in its October Patch Tuesday release including a Win32k Elevation of Privilege vulnerability that has been actively exploited in the wild. Out of these 74 vulnerabilities, three are classified as Critical, 70 as Important, and one as Low. Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser.

CVE-2021-40449 (CVSS 7.8) – This vulnerability affects the Win32K kernel driver and is currently being exploited in the wild. The exploit uses a previously unknown vulnerability in the Win32k driver and relies heavily on a technique to leak the base addresses of kernel modules. Threat actors exploit the zero-day Windows vulnerability to install a Remote Access Trojan (RAT) gaining higher privileges as part of the attack. This cluster of malicious activity is named MysterySnail by Kaspersky researchers who initially identified and reported this flaw to Microsoft. This vulnerability appears to impact all systems from Windows 7 to the newly released Windows 11. MysterySnail provides the potential avenue to allow an adversary to collect and exfiltrate system information from compromised hosts. In addition, other malicious users have the ability to gain complete control of the affected system and launch further attacks.

Microsoft also patched three other publicly disclosed vulnerabilities that haven’t been exploited in previous attacks. 

CVE-2021-41335 (CVSS 7.8) – Windows Kernel Elevation of Privilege Vulnerability. A publicly disclosed vulnerability in Windows Kernel could lead to privilege escalation. Unlike CVE-2021-40449, this vulnerability does not include Windows 11 and Windows Server 2022. Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-40469 (CVSS 7.2) – Windows DNS Server Remote Code Execution Vulnerability. This remote code execution vulnerability in the Microsoft DNS server impacts all operating systems from Server 2008 to Server 2022. Only servers with the DNS Server role configured are impacted by the vulnerability. Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-41338 (CVSS 5.5) – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability. This vulnerability was originally closed by Microsoft Security as a “Won’t Fix” issue. They have since reconsidered and issued an update. The vulnerability was discovered by Google Project Zero’s James Forshaw and is detailed here with the specific Project Zero issue tracked here. Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-40486 (CVSS 7.8), CVE-2021-38672 (CVSS 8.0), and CVE-2021-40461 (CVSS 8.0) are three serious vulnerabilities to be aware of. CVE-2021-40486 affects Microsoft Word, while Hyper-V is affected by the other two vulnerabilities. All three have the potential to lead to remote code execution if exploited.

Detect:

ITC’s managed Vulnerability Intelligence customer’s network is being scanned with QID 91824, 91826, 110392, 110393, and 91827 to detect vulnerable assets. The ITC SOC will be reaching out to customers who have a Managed Vulnerability Intelligence service to offer ad hoc scans to identify affected assets.

Affected Products:

Multiple Microsoft Windows products including Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser.

Prevent:

To safeguard your corporate network against the exploits mentioned in this Threat Horizon, ITC recommends installing the latest operating system patches released by Microsoft on 12th October 2021. Windows Security Updates:

https://msrc.microsoft.com/update-guide/releaseNote/2021-Oct

Organisations should act quickly to apply these fixes which are outlined in the following section and available via the URLs cited in Sources section below.

React:

If your organisation is unable to apply these official security patches from Microsoft immediately, then a vulnerability scan will identify vulnerable devices and the current exposure.

Customers of ITC’s Vulnerability Intelligence managed service will have already had these identified using Qualys. 

ITC’s Sentinel SIEM managed service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks and our analysts carry out proactive threat hunting to search for related indicators of compromise. Our Managed Detection and Response customers will have received proactive tailored remediation advice already.

Sources:

[1] https://msrc.microsoft.com/update-guide/releaseNote/2021-Oct   

[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40469

[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41335 

[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41338 

[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40486 

[6] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38672 

[7] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40461 

[9] https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/  

[9] https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2021-patch-tuesday-fixes-4-zero-days-71-flaws/   

[10] https://www.zdnet.com/article/microsoft-october-2021-patch-tuesday-71-vulnerabilities-four-zero-days-squashed/