Actively Exploited Windows Kernel EoP Bug Allows Takeover

Microsoft Patch Tuesday February 2021

Microsoft addressed 56 security vulnerabilities for February Patch Tuesday — including 11 critical and six publicly known. And, it continued to address the Zerologon bug.

Microsoft has addressed nine critical-severity cybersecurity bugs in February’s Patch Tuesday updates, plus an important-rated vulnerability that is being actively exploited in the wild.

Six of the security holes – including one of the critical bugs – were already publicly disclosed.

Overall, the computing giant has released patches for 56 CVEs covering Microsoft Windows components, the .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.

Actively Exploited Security Bug in Windows Kernel

The security bug tracked as CVE-2021-1732 is being actively exploited, according to Microsoft’s advisory. It carries a vulnerability-severity rating of 7.8 on the CVSS scale, making it important in severity – however, researchers said it deserves attention above some of the critical bugs in terms of patching priority.

It exists in the Windows Win32k operating system kernel and is an elevation-of-privilege (EoP) vulnerability. It would allow a logged-on user to execute code of their choosing with higher privileges, by running a specially crafted application. If successful, attackers could execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted on the compromised machine.

“The vulnerability affects Windows 10 and corresponding server editions of the Windows OS,” said Chris Goettl, senior director of product management and security at Ivanti. “This is a prime example of why risk-based prioritization is so important. If you base your prioritization off of vendor severity and focus on ‘critical’ you could have missed this vulnerability in your prioritization. This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.”

Critical Microsoft Bugs for February Patch Tuesday

None of the critical bugs rate more than an 8.8 (out of 10) on the CVSS scale, but all allow for remote code execution (RCE) and many should take top priority, according to security researchers.

  • Publicly Known .NET Core/Visual Studio Bug

For instance, the bug tracked as CVE-2021-26701 exists in .NET Core and Visual Studio – it’s the only critical-rated bug to be listed as publicly known.

“Without more information from Microsoft, that’s about all we know about it,” said Dustin Childs, of Trend Micro’s Zero Day Initiative, in an analysis released Tuesday. “Based on the CVSS severity scale, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.”

  • Windows Fax Bugs

Other critical bugs should be on researchers’ radars. The bugs tracked as CVE-2021-1722 and CVE-2021-24077 meanwhile are both Windows Fax Service RCE problems.

“Windows Fax Service specifies settings for faxes, including how they are sent, received, viewed and printed,” said Eric Feldman, senior product marketing manager at Automox. “The Windows Fax Service is used by the Windows Fax and Scan application included in all versions of Microsoft Windows 7, Windows 8 and Windows 10 and some earlier versions.”

An attacker who successfully exploited either vulnerability could take control of an affected system, and then be able to install programs; view, change or delete data; or create new accounts with full user rights.

“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Feldman said. “Even if you do not use Windows Fax and Scan, the Windows Fax Services is enabled by default.”

  • Critical TCP/IP Bugs

CVE-2021-24074 and CVE-2021-24094 are both Windows TCP/IP RCE vulnerabilities. The former is found in the way Windows handles iPv4 source routing; the latter is found in the way Windows handles iPv6 packet reassembly.

“IPv4 source routing…should be disabled by default,” said Childs. “You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.”

Researchers said that both these patches should be prioritized.

“Because these affect the network stack, require zero interaction from a user and can be exploited by sending malicious network traffic to a device, it’s only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyberattacks,” Chris Hass, director of information security and research at Automox, said.

Kevin Breen, director of cyber threat research at Immersive Labs, said that the IPv6 security hole is an obvious target for hackers.

“CVE-2021-24094 would be an obvious target because it affects a network stack, which typically operates with system level permissions and could therefore gain an attacker a system shell,” he said. “As an IPV6 Link local attack it would require the threat actor to already have a foothold in your network, but could ultimately lead to a high level of access on domain controllers, for example. This vulnerability would be most dangerous to those who operate a flat network. Segmentation will help with mitigation.”

Breen also pointed out that RCE isn’t the only possible outcome of an exploit for this bug.

“The release notes indicate that the exploit is ‘complex’ – which means attempted attacks may serve to cause systems to crash, giving it the potential to be used in a denial-of-service attack,” he said.

  • Flaw in Windows Codec Pack

Windows Camera Codec Pack is home to yet another critical RCE bug (CVE-2021-24091). If successfully exploited, an attacker could run arbitrary code in the context of the current user.

“If the current user is logged on with admin privileges, the attacker could gain control of the affected system,” said Justin Knapp, senior product marketing manager at Automox. “This could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires the user to open a specially crafted file with an affected version of the codec pack. While there’s no way to force a user to open the file, bad actors could manipulate a user through an email or web-based attack vector where the user is effectively convinced or enticed into opening the malicious file.”

  • Windows DNS Problems

And Windows Domain Name System (DNS) servers, when they fail to properly handle requests, are also open to a critical RCE bug (CVE-2021-24078) that could allow an attacker to run arbitrary code in the context of the Local System Account.

“Only Windows servers that are configured as DNS servers are at risk of having this vulnerability exploited,” Knapp said. “To exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. Given the low level of attack complexity and ‘exploitation more likely’ label assigned, this is a vulnerability that should be addressed immediately.”

  • Windows Print Spooler

Also of note, CVE-2021-24088 affects the Windows Local Spooler, which is an important component within the Windows operating system that stores print jobs in memory until the printer is ready to accept them.

It’s a bug that “could be a big concern,” according to Allan Liska, senior security architect at Recorded Future.

“This vulnerability impacts Windows 7 to 10 and Windows Server 2008 to 2019,” he said. “Windows Print Spooler vulnerabilities have been widely exploited in the wild going back to the days of Stuxnet. Just last year CVE-2020-0986 was seen by Kaspersky being widely exploited in the wild.

  • Other Critical February 2021 Microsoft Bugs

And finally, .NET Core for Linux is also at risk for RCE (CVE-2021-24112); and CVE-2021-24093 is a critical RCE vulnerability in the Windows graphic component. Details are scant for both, but of the latter, Breen said, “This is the kind of vulnerability built into exploit kits and triggered by low level phishing campaigns targeting users en masse.”

And, a critical bug that would allow RCE exists in the Microsoft Windows Codecs Library (CVE-2021-24081). Details are sparse, but Microsoft said that the difficulty required for exploitation is considered to be low. However, end-user interaction is required for successful exploitation.

Publicly Disclosed Bugs of Note

Outside of the critical issues, CVE-2021-1733 is a high-severity EoP vulnerability discovered to be impacting Sysinternals PsExec utility that deserves a look. It’s listed as being publicly disclosed.

“PsExec which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due the utility’s weaponization by criminals in malware,” Nicholas Colyer, senior product marketing manager at Automox, said via email. “Proof-of-concept code has not been independently verified but it is notable that in January 2021, Microsoft released a patch to resolve a remote code-execution vulnerability for the same utility, indicating that it is getting attention. Robust endpoint management is necessary for any organization’s continued success and it is advisable to consider alternatives in the modern era of software-as-a-service.”

The other publicly reported vulnerabilities this month are CVE-2021-1727, an EoP vulnerability in Windows Installer; CVE-2021-24098, a DoS vulnerability in the Windows Console Driver; CVE-2021-24106, an information-disclosure vulnerability in Windows DirectX; and CVE-2021-1721, a .NET Core and Visual Studio DoS problem.

Zerologon Redux

Microsoft also again released the patch for the Netlogon vulnerability (CVE-2020-1472), which originally was resolved in August. The vulnerability has consistently been exploited by threat actors, so the re-release serves to highlight its importance. Microsoft also starting Tuesday began blocking by default any vulnerable connections on devices that could be used to exploit the flaw. It does this by enabling domain controller “enforcement mode.”

“When you consider that Zerologon led the U.S. government to issue an Emergency Directive to all federal agencies to promptly apply the patches for this vulnerability, you start to understand the gravity of the situation,” Satnam Narang, staff research engineer at Tenable, told Threatpost. “Zerologon provides attackers a reliable way to move laterally once inside a network, giving them the ability to impersonate systems, alter passwords, and gain control over the proverbial keys to the kingdom via the domain controller itself.”

He added, “For these reasons, Zerologon has been rolled into attacker playbooks, becoming a feather in the cap for post-compromise activity. We’ve also seen reports of Zerologon being favored by ransomware groups like Ryuk during their campaigns.”

What Should IT Patch First?

“Windows OS updates and Adobe Acrobat and Reader need immediate attention with the list of exploited and publicly disclosed vulnerabilities,” said Goettl.

After that, development tools and IT tools “need some attention,” he added.

“.Net Core and PsExec disclosures are a concern that should not go unaddressed. Because this development and IT tools do not follow the same update process as OS and application updates, it is important to review your DevOps processes and determine if you are able to detect and respond to updates for common dev components,” he said. “For tools like PsExec it is important to understand your software inventory and where these tools are installed and ensure you can distribute updated versions as needed.”

Is your business an easy mark? Save your spot for “15 Cybersecurity Gaffes SMBs Make,” FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register here for the Wed., Feb. 24 LIVE webinar. 

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.