April 2021 Patch Tuesday: Four More Exchange Vulnerabilities Resolved

Unlike March's Exchange vulnerabilities, the four new Exchange vulnerabilities we are addressing this month are not known to be under active exploitation. The total number of security fixes is also up versus previous months, so there is plenty of patching to be done.

There are 110 fixes in this Patch Tuesday. Five are zero days, one of them under active exploitation, and 19 are rated critical. These, along with the four Exchange vulnerabilities, should be the top priority.

Another round of Exchange vulnerabilities

There are four new vulnerabilities for Exchange this month (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483), two of which are pre-authentication. Because they are pre-authentication, an attacker does not need valid credentials for the Exchange server to exploit them. All four are marked "Exploitation More Likely", and with APT and cybercrime groups having a new-found love for Exchange vulnerabilities, it may be only a matter of days before the patches are reverse engineered and active attacks follow.

Of note is that these vulnerabilities were reported by the NSA. Microsoft is urging that patching them be treated as a top priority, and CISA has given federal civilian agencies until Friday, April 16, 2021 to apply the required patches under supplemental direction to Emergency Directive 21-02.
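A quick way to confirm the Exchange fix actually landed, as an added example that is not part of the original post: the AdminDisplayVersion shown by Get-ExchangeServer does not change when a Security Update is installed, so the check below reads the file version of ExSetup.exe instead (the method Microsoft tells admins to use) and compares it with the build each supported CU reaches after the April 2021 SU. The build table is assembled here from Microsoft's published build numbers for that SU and the function name Test-ExchangeAprilSU is this example's own; confirm the builds against Microsoft's Exchange Server build-numbers page before relying on the result.

```powershell
# Added example (not from the original post): confirm the April 2021 Exchange SU,
# which fixes CVE-2021-28480 through CVE-2021-28483, is installed on this server.
# Run in an elevated PowerShell or Exchange Management Shell on each Exchange server.

# Lowest ExSetup.exe build that carries the April 2021 SU, keyed by the CU's
# major.minor.build prefix. Values are Microsoft's published builds for that SU;
# verify them against the official build-number table before trusting them.
$patchedBuilds = @{
    '15.2.858'  = [version]'15.2.858.10'   # Exchange 2019 CU9
    '15.2.792'  = [version]'15.2.792.15'   # Exchange 2019 CU8
    '15.1.2242' = [version]'15.1.2242.8'   # Exchange 2016 CU20
    '15.1.2176' = [version]'15.1.2176.12'  # Exchange 2016 CU19
    '15.0.1497' = [version]'15.0.1497.15'  # Exchange 2013 CU23
}

function Test-ExchangeAprilSU {
    [CmdletBinding()]
    param(
        # ExchangeInstallPath is set by Exchange setup on every server; if it is
        # missing the path below is bogus and the Test-Path check reports that.
        [string]$ExSetupPath = "$env:ExchangeInstallPath\bin\ExSetup.exe"
    )
    if (-not (Test-Path -LiteralPath $ExSetupPath)) {
        throw "ExSetup.exe not found at '$ExSetupPath'; is this an Exchange server?"
    }

    # SUs update ExSetup.exe's file version but not AdminDisplayVersion.
    $installed = [version](Get-Item -LiteralPath $ExSetupPath).VersionInfo.FileVersion
    $cuKey     = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build
    $required  = $patchedBuilds[$cuKey]

    $status = if (-not $required) {
        # Either an unsupported CU (no SU exists for it; move to a supported CU first)
        # or a CU newer than this table.
        'CU not in table: check manually'
    } elseif ($installed -ge $required) {
        'April 2021 SU present'
    } else {
        'MISSING April 2021 SU: patch immediately'
    }

    $requiredText = if ($required) { $required.ToString() } else { $null }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        InstalledBuild = $installed.ToString()
        RequiredBuild  = $requiredText
        Status         = $status
    }
}

Test-ExchangeAprilSU
```

Two caveats when you act on a "MISSING" result: the SU only installs on the CUs listed, so a server on an older CU needs the CU upgrade first, and Microsoft's SU articles warn that launching the .msp by double-clicking runs it without elevation and can leave files unpatched, so install it from an elevated command prompt. Internet-facing servers go first, since the two pre-authentication bugs need no credentials.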

Windows OS

There are 14 critical and 50 important Windows vulnerabilities this month. Almost all of the critical ones are Remote Procedure Call Runtime remote code execution vulnerabilities:

  • CVE-2021-28336—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28335—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28334—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28338—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28337—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28333—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28329—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28330—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28332—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28331—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28339—Remote Procedure Call Runtime Remote Code Execution Vulnerability
  • CVE-2021-28343—Remote Procedure Call Runtime Remote Code Execution Vulnerability

CVE-2021-28315 and CVE-2021-27095 are remote code execution vulnerabilities in the Windows Media Video Decoder.

Cumulative updates

For cumulative updates, we have KB5001330 for Windows 10 20H2 and KB5001337 for Windows 10 1909. These cumulative updates include the March out-of-band update that fixes the BSOD related to printing.

Also a small reminder that Windows 10 1909 reaches end of service on May 11, 2021 for the Home, Pro, Pro for Workstation and Server SAC editions.
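To turn the KB numbers and the 1909 end-of-service date into something you can run across a fleet, here is an added example that is not part of the original post. It reads the release and update build revision (UBR) from each host's registry, decides whether the April 2021 cumulative update is present, and reports how many days remain before that release leaves support. The post gives KB5001330 for 20H2 and KB5001337 for 1909; the entry for 2004 (which shares the 20H2 package), the minimum UBR values (928 for 19041/19042, 1500 for 18363) and the end-of-service dates are this example's own additions taken from Microsoft's release notes and lifecycle pages, so verify them before relying on the output. The function name Get-AprilLcuStatus is this example's own, and remote hosts are reached with Invoke-Command, so WinRM must already be enabled for them.

```powershell
# Added example (not from the original post): report whether each Windows 10 host has
# the April 2021 cumulative update and how long its release remains in service.

# Release -> April 2021 LCU, the UBR that LCU installs, and the Home/Pro/Pro for
# Workstation end-of-service date. The two KB numbers are from the post; the 2004
# entry, the UBR values and the dates are this example's additions from Microsoft's
# release notes and lifecycle pages. Verify before use. 1903 is deliberately absent:
# it left support on 2020-12-08 and receives no April 2021 update.
$aprilLcu = @{
    '20H2' = @{ KB = 'KB5001330'; MinUBR = 928;  EndOfService = [datetime]'2022-05-10' }
    '2004' = @{ KB = 'KB5001330'; MinUBR = 928;  EndOfService = [datetime]'2021-12-14' }
    '1909' = @{ KB = 'KB5001337'; MinUBR = 1500; EndOfService = [datetime]'2021-05-11' }
}

function Get-AprilLcuStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$AsOf = (Get-Date)   # pass a fixed date to reproduce a report
    )

    # Runs on each target: release id, OS build, UBR and installed hotfix IDs.
    $collect = {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        # DisplayVersion ("20H2") only exists from 20H2 on; older releases expose
        # ReleaseId ("1909"), and 20H2's ReleaseId is "2009", so prefer DisplayVersion.
        $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
        [pscustomobject]@{
            Release = $release
            Build   = [int]$cv.CurrentBuild
            UBR     = [int]$cv.UBR
            HotFix  = @(Get-HotFix | ForEach-Object HotFixID)
        }
    }

    foreach ($computer in $ComputerName) {
        $info = if ($computer -ieq $env:COMPUTERNAME) { & $collect }
                else { Invoke-Command -ComputerName $computer -ScriptBlock $collect }

        $entry = $aprilLcu[$info.Release]
        # The UBR comparison is authoritative; Get-HotFix is kept as a second signal
        # because the QFE list occasionally lags or omits an update.
        $status = if (-not $entry) {
            'Release not in table: check manually'
        } elseif ($info.UBR -ge $entry.MinUBR -or $info.HotFix -contains $entry.KB) {
            "$($entry.KB) installed"
        } else {
            "MISSING $($entry.KB)"
        }

        $eos  = if ($entry) { $entry.EndOfService.ToString('yyyy-MM-dd') } else { $null }
        $days = if ($entry) { [int][math]::Floor(($entry.EndOfService - $AsOf).TotalDays) } else { $null }

        [pscustomobject]@{
            ComputerName  = $computer
            Release       = $info.Release
            OSBuild       = '{0}.{1}' -f $info.Build, $info.UBR
            AprilLCU      = $status
            EndOfService  = $eos
            DaysRemaining = $days   # negative means the release is already unsupported
        }
    }
}

Get-AprilLcuStatus | Format-Table -AutoSize
```

A host that reports "MISSING KB5001337" with only a few DaysRemaining is the one to act on first: it needs this month's update and a feature update to 20H2 before May 11, or it stops receiving security fixes altogether.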

Browsers

Microsoft Edge is dead. Long live Chromium Microsoft Edge.

This month's cumulative updates also mean the end of Legacy Microsoft Edge. It is permanently removed and replaced with the Chromium-based Microsoft Edge, and Microsoft has said there is no supported way to block that switch.

While no CVEs for Chromium-based Microsoft Edge were addressed on Patch Tuesday itself, nine were addressed earlier, on April 1, 2021. These are fixed as of Microsoft Edge version 89.0.774.68.

Other applications

Azure Sphere OS 21.03 and later address CVE-2021-28460, which carries a CVSS score of 8.1. Simply make sure your devices are on the appropriate version.

We also have a collection of seven important updates for the Microsoft Office Suite that need to be applied.

Zero days

Microsoft fixed five zero-day vulnerabilities, one of which is being actively exploited. The other four were publicly disclosed before a patch was available but are not known to be exploited:

  • CVE-2021-27091—RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
  • CVE-2021-28312—Windows NTFS Denial of Service Vulnerability
  • CVE-2021-28437—Windows Installer Information Disclosure Vulnerability
  • CVE-2021-28458—Azure Library (ms-rest-nodeauth) Elevation of Privilege Vulnerability

Exploitation detected

CVE-2021-28310 is the zero day listed as being actively exploited. It is an elevation of privilege vulnerability (Microsoft titles it "Win32k Elevation of Privilege Vulnerability"), of the kind used to escape a sandbox or gain SYSTEM privileges on an endpoint after initial access, and the vulnerable code lives in the Desktop Window Manager. Patches exist for all Windows 10 versions back to 1803, Windows Server 2019 and Windows Server (Server Core installation) version 2004.

Summary

This is a larger-than-normal Patch Tuesday with many critical and "Exploitation More Likely" vulnerabilities. You will always have to weigh your own knowledge and the risk exposure of your environments when deciding what to patch first, but these are the ones to consider tackling first:

CVE Number      CVE Title                                                          CVSS v3.x  Exploitability
--------------  -----------------------------------------------------------------  ---------  ------------------------
CVE-2021-28480  Microsoft Exchange Server Remote Code Execution Vulnerability      9.8        Exploitation More Likely
CVE-2021-28481  Microsoft Exchange Server Remote Code Execution Vulnerability      9.8        Exploitation More Likely
CVE-2021-28482  Microsoft Exchange Server Remote Code Execution Vulnerability      8.8        Exploitation More Likely
CVE-2021-28483  Microsoft Exchange Server Remote Code Execution Vulnerability      9.0        Exploitation More Likely
CVE-2021-28310  Win32k Elevation of Privilege Vulnerability                        7.8        Exploitation Detected
CVE-2021-28442  Windows TCP/IP Information Disclosure Vulnerability                6.5        Exploitation More Likely
CVE-2021-28325  Windows SMB Information Disclosure Vulnerability                   6.5        Exploitation More Likely
CVE-2021-28324  Windows SMB Information Disclosure Vulnerability                   7.5        Exploitation More Likely
CVE-2021-28319  Windows TCP/IP Driver Denial of Service Vulnerability              7.5        Exploitation More Likely
CVE-2021-27072  Win32k Elevation of Privilege Vulnerability                        7.0        Exploitation More Likely
CVE-2021-27091  RPC Endpoint Mapper Service Elevation of Privilege Vulnerability   7.8        Exploitation Less Likely
CVE-2021-28312  Windows NTFS Denial of Service Vulnerability                       3.3        Exploitation Less Likely
CVE-2021-28437  Windows Installer Information Disclosure Vulnerability             5.5        Exploitation Less Likely
CVE-2021-28458  Azure Library Elevation of Privilege Vulnerability                 7.8        Exploitation Less Likely
CVE-2021-28315  Windows Media Video Decoder Remote Code Execution Vulnerability    7.8        Exploitation Less Likely
CVE-2021-27095  Windows Media Video Decoder Remote Code Execution Vulnerability    7.8        Exploitation Less Likely
CVE-2021-28336  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28335  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28334  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28338  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28337  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28333  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28329  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28330  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28332  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28331  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28339  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely
CVE-2021-28343  Remote Procedure Call Runtime Remote Code Execution Vulnerability  8.8        Exploitation Less Likely

Lewis Pope is Head RMM Nerd for SolarWinds MSP. You can follow him on Twitter at @cybersec_nerd.
