Today is Microsoft’s October 2021 Patch Tuesday, and it delivers fixes for four zero-day vulnerabilities, one of which is being exploited in a far-reaching espionage campaign that delivers the new MysterySnail RAT malware to Windows servers.
Microsoft reported a total of 74 vulnerabilities, three of which are rated critical.
MysterySnail Exploits Win32K Bug
Security researchers pointed to CVE-2021-40449, an elevation of privilege vulnerability in Win32k, as standing out from the crowd of patches, given that It’s been exploited in the wild as a zero-day.
This summer, Kaspersky researchers discovered that the exploit was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) campaign from the APT IronHusky.
The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data.
Bharat Jogi, Qualsys senior manager of vulnerability and threat research, told Threatpost on Tuesday that if left unpatched, “MysterySnail has the potential to collect and exfiltrate system information from compromised hosts, in addition to other malicious users having the ability to gain complete control of the affected system and launch further attacks.”
Jay Goodman, Automox director of product marketing, told Threatpost via email that these kinds of privilege elevation attacks “can be used to access beyond what the current user context of the device would allow, enabling attackers to perform unauthorized action, delete or move data, view private information, or install malicious software.”
This bug, rated Important, is found in all supported versions of Windows.
Greg Wiseman, Rapid7 senior security researcher, told Threatpost that this vulnerability is “likely being used alongside Remote Code Execution (RCE) and/or social engineering attacks to gain more complete control of targeted systems.”
Satnam Narang, staff research engineer at Tenable, noted that elevation of privilege flaws “are most valuable in post-compromise scenarios once an attacker has gained access to a target system through other means, in order to execute code with elevated privileges.”
Immersive Labs’ Kevin Breen, director of cyber threat research, said that this all points to prioritizing this patch, particularly given how common these vulnerabilities are in ransomware attack chains: “Gaining this level of access on a compromised host is the first step towards becoming a domain admin – and securing full access to a network,” he told Threastpost. “Almost every ransomware attack reported this year has included the use of one or more privilege escalation vulnerabilities as part of the attacker’s workflow, so this is serious stuff indeed.”
A PrintNightmare Fix to Fix the Other PrintNightmare Fix
Other fixes released in the October Patch Tuesday batch include those that address what was a summer’s full of Print Spooler-related patches. There’s been a steady stream of these patches for flaws in Windows Print Spooler following June’s disclosure of the PrintNightmare vulnerability – a bug that allowed threat actors to conduct remote code execution (RCE) and to gain local system privileges.
This month’s release includes a fix for CVE-2021-36970, a spoofing vulnerability in Microsoft’s Windows Print Spooler that has a CVSSv3 score of 8.8.
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that the spoofing vulnerability fix Microsoft put out today is meant to fix the problems that previous patches have introduced.
“While Microsoft provided a fix in their September 2021 update, the patch resulted in a number of management problems,” he told Threatpost. “Certain printers required users to repeatedly input their administrator credentials every time an application attempted to print or had a client connect to a print server.
“Other problems included event logs recording error messages and denying users the ability to perform basic prints” he continued. “As a result, many may have likely skipped the update due to its operational impact, ultimately leaving the risk posed by PrintNightmare in place.”
This vulnerability was discovered by researchers XueFeng Li and Zhiniang Peng of Sangfor, who were also credited with the discovery of CVE-2021-1675, one of two vulnerabilities known as PrintNightmare.
Satnam Narang, staff research engineer at Tenable noted that “While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook. We strongly encourage organizations to apply these patches as soon as possible.”
RCE Affects Microsoft Word, Office, SharePoint
Another vulnerability worth noting is CVE-2021-40486, a critical RCE affecting Microsoft Word, Microsoft Office and some versions of SharePoint Server that can be exploited via the Preview Pane.
Gina Geisel, Automox product and partner marketing professional, noted that this vulnerability isn’t new to Microsoft, with several other similar CVEs documented this year. In this case, the RCE vulnerability exists in some Microsoft apps when they fail to properly handle objects in memory.
With a low attack complexity, this vulnerability requires a user opening a specially crafted file either by email or via a website, either hosted by the attacker or through a compromised website that accepts or hosts user-provided content.
“An attacker who successfully exploits this vulnerability can use this file to perform actions in the context of the current user,” Geisel explained. “For example, the file could take actions on behalf of the logged-on user with the same permissions as the current user.”
Microsoft SharePoint Server RCE
Immersive Labs’ Breen told Threatpost that this RCE vulnerability – tracked as CVE-2021-40487 rated as 8.1 out of 10 CVSS score and marked as “exploitation more likely” – will be more difficult for an attacker to exploit, given that it requires an authenticated user on the domain.
But gaining RCE on a SharePoint server “opens up a lot of avenues for further exploitation,” he noted via email.
“Internal SharePoint servers are often used to host company-sensitive documents and provide an intranet for staff to interact with,” Breen explained. “If an attacker could manipulate the content of these articles or replace valid documents with malicious ones, they could steal credentials or trick targeted users into installing additional malware.”
Highest CVSS Award Goes to Microsoft Exchange Server RCE
CVE-2021-26427, the latest in Exchange Server RCEs, takes the severity cake this month, with a CVSS score of 9.0 out of 10. In spite of this hgh severity rating, Microsoft has marked it as being “exploitation less likely,” perhaps due to the what Breen called the “network adjacent vector.”
In other words, he explained, “an attacker would already need access to your network in order to exploit this vulnerability. Email servers will always be prime targets, simply due to the amount of data contained in emails and the range of possible ways attackers could use them for malicious purposes.”
While it’s not “right at the top” of Breen’s list of priorities to patch, “it’s certainly one to be wary of.”
Rapid7’s Wiseman concurs: This is a notable vulnerability, though it’s mitigated “by the fact that attacks are limited to a ‘logically adjacent topology,'” meaning, in other words, that it can’t be exploited directly over the public Internet.
Wiseman called on virtualization administrators to take heed of two RCEs affecting Windows Hyper-V: CVE-2021-40461 and CVE-2021-38672, both of which affect relatively new versions of Windows and which are considered critical.
Windows Hyper-V is a native hypervisor that can create and run virtual machines (VMs) on x86-64 systems running Windows. These two flaws both allow a VM to escape from guest to host by triggering a memory allocation error, allowing it to read kernel memory in the host.
Christopher Hass, Autmox director of information security and research, said that exploitation of these bugs “could allow a malicious guest VM to read kernel memory in the host.”
Neither vulnerability has been exploited publicly, and exploitation is less likely, however organizations using Hyper-V should patch these vulnerabilities as soon as possible, Hass recommended.
One Step Away From Domain Admin
There’s one bug that swings above its weight range: the DNS server remote code execution (RCE) vulnerability that’s tracked as CVE-2021-40469.
Jake Williams, Co-Founder and CTO at BreachQuest, calls this one “interesting,” as in, that curse about living in interesting times.
Its base score severity rating is 7.2, but its attack complexity is low, and an attack can be launched remotely. Exploitation does, however, require what VulDB calls “an enhanced level of successful authentication.”
Even if that makes it tough to weaponize, this bug is still potentially uber nasty, given that, for one thing, it’s been publicly disclosed in a proof of concept, and also that DNS servers sit in such a crucial spot.
“While it will likely be difficult to weaponize, DNS servers are typically run on domain controllers, making this extremely serious,” Williams noted. “A threat actor that gains remote code execution on a domain controller is likely to gain immediate domain administrator permissions. In the best case scenario, they are a mere step away from taking domain administrator.”
This isn’t the first time that Microsoft has had to stomp on an RCE vulnerability in DNS server this year, including in March’s Patch Tuesday updates. This time around, the vulnerability affects various versions of Windows 7, 8.1 and 10, as well as Windows Server.
Windows Kernel Elevation of Privilege Flaw
CVE-2021-41335, an elevation of privilege vulnerability that exists when the Windows kernel fails to properly handle objects in memory, is rated high severity, and it’s been publicly disclosed in a proof-of-concept (POC) showing how successful exploitation could allow an attacker to run arbitrary code in kernel mode.
Exploitation would enable an attacker to install programs; view, change, or delete data; or create accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the system.
Justin Knapp, Automox senior product marketing manager, explained that “Elevation of privilege vulnerabilities like this are often an important step in the cyber kill chain and should be immediately prioritized and patched.”
Windows AppContainer Firewall Rules Security Feature Bypass
Tracked as CVE-2021-41338, this vulnerability is, again, high severity – it allows an attacker to bypass the security rules of Windows AppContainer Firewall – as well as publicly disclosed.
AppContainers are designed to protect against infiltration from third-party apps. They essentially isolate the runtime environment of applications with the goal of blocking malicious code.
This vulnerability results in loss of confidentiality and can be exploited without any user interaction.
Maarten Buis, Automox product marketing manager, noted that a successful attacker that exploits this vulnerability could run arbitrary code on the endpoint, but they need to have administrative privileges before they can meaningfully exploit it.
“However, there is still a significant risk because no user interaction is required, and no special endpoint conditions are required for an attack to succeed,” Buis explained to Threatpost via email .
There are no reports of the vulnerability having been actively exploited – yet. Still, Automox recommends a rapid patch rollout – as in, within 72 hours of the patch being made available – given that it’s been publicly disclosed in a proof of concept by James Forshaw of Google’s Project Zero.
Aleks Haugom, Automox product marketing manager, noted that, given the sheer number of apps users download, “making sure that AppContianers cannot be compromised is important to every company’s security hygiene.”
How to Prioritize?
Williams said that he doesn’t want to sound like a broken record, but he’s still going to say what security experts say every Patch Tuesday. To wit, “Patch now.”
That’s particularly true for the MysterySnail campaign, he said: “Seriously, this is not a patch Tuesday to delay on,” he advised. “Threat actors are actively exploiting the vulnerability for CVE-2021-40449 to elevate from user to administrator permissions on compromised systems. While CVE-2021-40449 doesn’t allow for remote exploitation, that doesn’t mean it can be taken lightly. Threat actors regularly gain access to target machines using phishing attacks and vulnerabilities such as CVE-2021-40449 allow them to evade more effectively bypass endpoint controls and evade detection.”
Besides which, MysterySnail’s success in weaponizing this flaw means that other APTs will soon follow, Williams said: “Because the code for this has already been weaponized by one threat actor, we should expect to see it weaponized by others more quickly because there is already sample exploit code in the wild to work with.”
Danny Kim, Principle Architect at Virsec, who spent time at Microsoft during his graduate work on the OS security development team, voted for prioritizing the three critical remote code execution vulnerabilities: CVE-2021-40469, CVE-2021-26427 and CVE-2021-40487, which affect a wide range of Windows versions.
“These vulnerabilities not only have a high to critical CVSS rating, but two of the three attacks (CVE-2021-40487, CVE-2021-40469) can be executed remotely,” he stressed. “Remote Code Execution (RCE) attacks are especially devastating because once the exploit is executed, [the attackers] can launch any kind of cyberattack, including ransomware.
He noted that RCE vulnerabilities were also the root cause of the Hafnium and Kaseya attacks. “Trying to mitigate the attacker’s actions after they have gained access is significantly harder than stopping the actions that led to the successful exploit,” Kim pointed out. “This is why runtime monitoring of enterprises’ server workloads is becoming a key part of today’s cybersecurity. Stopping the exploitation of these vulnerabilities has to start with equipping the servers themselves with constant, deterministic runtime protection, not just detection.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.