This month we saw a rise in the number of vulnerabilities addressed by Microsoft, and a significant out-of-band update to address the PrintNightmare vulnerabilities. With four vulnerabilities under Active Exploitation and six marked as Exploitation More Likely, we have a manageable list of priority patches. All vulnerabilities this month are rated as important or higher, so you shouldn’t skip over anything. Additional guidance from Microsoft concerning best practices might add some project work for some environments; I’ll cover that below in the section about PrintNightmare.
Microsoft addressed 120 vulnerabilities in Patch Tuesday and out-of-band updates this month. With 2,790 different potential patches available when you consider different OS builds it’s worth taking a moment to appreciate what Windows® Server Update Services (WSUS) and other patch management solutions do to help streamline patching. For MSPs, this is another part of the drive to automation and efficiency. Don’t hesitate to use this point as part of your sales conversation when a client asks why you need to manage their patching.
As I mentioned above, Microsoft delivered security updates to deal with vulnerabilities, including six marked as Exploitation More Likely and four as Exploitation Detected. There are also five non-exploited zero-day vulnerabilities that should receive attention. That gives us 15 priority vulnerabilities for this month, including the out-of-band update to contend with PrintNightmare. If you must prioritize any one of the following vulnerabilities over the others it will likely be any remote code execution (RCE) vulnerabilities.
- CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability – Exploitation Detected
- CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability – Exploitation Detected
- CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability – Exploitation Detected
- CVE-2021-34527 Windows Print Spooler RCE Vulnerability – Exploitation Detected
- CVE-2021-34520 Microsoft SharePoint Server RCE Vulnerability – Exploitation More Likely
- CVE-2021-34473 Microsoft Exchange Server RCE Vulnerability – Exploitation More Likely
- CVE-2021-34468 Microsoft SharePoint Server RCE Vulnerability – Exploitation More Likely
- CVE-2021-34467 Microsoft SharePoint Server RCE Vulnerability – Exploitation More Likely
- CVE-2021-34449 Win32k Elevation of Privilege Vulnerability – Exploitation More Likely
- CVE-2021-33780 Windows DNS Server RCE Vulnerability – Exploitation More Likely
- CVE-2021-34492 Windows Certificate Spoofing Vulnerability – Exploitation Less Likely
- CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-33779 Windows ADFS Security Feature Bypass Vulnerability
- CVE-2021-33781 Active Directory Security Feature Bypass Vulnerability
CVE-2021-34527, otherwise known as PrintNightmare, is a severe threat and has the potential to upset the long-established habits of IT administrators. Microsoft issued updated guidance throughout early July on how to mitigate the threat of PrintNightmare. Microsoft gave additional guidance after the release of KB5005010 that recommends applying registry changes to further reduce the chance of future exploitation. We have automation scripts available for those changes in the Automation Cookbook for use with the N-able™ N-central® and N-able RMM products.
The guidance from Microsoft also specifies that “domain controllers and Active Directory admin systems need to have the Print spooler service disabled” due to unconstrained delegation from any authenticated user account on the domain. For single server environments where that server hosts multiple roles, this guidance requires you to perform a risk assessment to determine if the addition of a dedicated print server is warranted.
We have cumulative updates for all supported Windows 10 builds as usual. The KB5004237 cumulative update for Windows 10 21H1 and 20H2 includes fixes for printer issues that may have arisen from KB5005010. Aside from normal roll-up behavior there is nothing of note about cumulative updates as of this writing.
Third-party vulnerabilities: Adobe
Five Adobe products received security updates this month. There are no standouts at this time, but you can read more at the Security Bulletins and Advisories from Adobe.
PrintNightmare gave us a scare and even after Microsoft released security updates and guidance, it’s worth re-evaluating what systems need Print Spooler service enabled in the first place. The goal of patching a system is to harden it against exploitation; shutting off Print Spooler where it’s not needed is just another hardening measure you can undertake to improve the resiliency of your managed environments.
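As an added example (not part of the original post, and not the N-able Automation Cookbook script), the PowerShell below audits the Print Spooler service and the Point and Print registry values from Microsoft's KB5005010 guidance across a set of servers, and with the -Disable switch stops and disables the spooler where it is running. It assumes PowerShell remoting to the targets and the ActiveDirectory RSAT module for the default server list (all domain controllers); pass -ComputerName to audit any other hosts.

```powershell
# Added example: audit Print Spooler state and Point and Print hardening
# on domain controllers (default) or a supplied list of servers.
# Assumes PowerShell remoting and the ActiveDirectory RSAT module.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                               Select-Object -ExpandProperty HostName),
    [switch]$Disable   # stop and disable the spooler where it is running
)

# Point and Print policy key named in Microsoft's CVE-2021-34527 / KB5005010
# guidance (assumption: verify the expected values against the current KB).
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

$audit = {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pnp = Get-ItemProperty -Path $using:PnpKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        SpoolerStatus = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        SpoolerStart  = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        # Hardened state: the first two are 0 or absent, the third is 1.
        NoWarningNoElevationOnInstall              = $pnp.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $pnp.UpdatePromptSettings
        RestrictDriverInstallationToAdministrators = $pnp.RestrictDriverInstallationToAdministrators
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit
$results | Format-Table -AutoSize

# Hosts with the spooler running, or with Point and Print left weakened.
$needsAttention = $results | Where-Object {
    $_.SpoolerStatus -eq 'Running' -or
    $_.NoWarningNoElevationOnInstall -eq 1 -or
    $_.UpdatePromptSettings -eq 1 -or
    $_.RestrictDriverInstallationToAdministrators -ne 1
}
Write-Host "Hosts needing attention: $($needsAttention.Computer -join ', ')"

if ($Disable) {
    foreach ($r in ($results | Where-Object SpoolerStatus -eq 'Running')) {
        # -WhatIf on the script shows what would change without touching anything.
        if ($PSCmdlet.ShouldProcess($r.Computer, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $r.Computer -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}
```

Run it first without -Disable (or with -WhatIf) to see which hosts still have the spooler running, then decide per host whether that role actually needs it.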
Prioritize the zero-day, Exploitation Detected, and Exploitation More Likely vulnerabilities, but since all vulnerabilities are marked as important or higher, strive to get all requisite patches applied sooner rather than later.
Lewis Pope is the head security nerd at N-able. You can follow him on