February 2021 Patch Tuesday: Many “Exploitation More Likely” and an update to a Netlogon fix from last year

February continues the trend of fewer than 100 vulnerabilities, and there are a few that Microsoft has disclosed are likely to be targeted. All in all, this month there are 80 fixed vulnerabilities, with 11 of them listed as “Critical,” and 43 rated as “Important.” All those listed “Critical” this month are in the operating system and developer tools, with none in browsers or other Microsoft applications.

There are a few listed as “Exploitation More Likely,” even though they are not labeled “Critical” by Microsoft. Let’s start with the operating systems, then we will take a look at developer tools and some of the others that warrant extra attention this month.

Operating systems

Let’s focus on the items that are listed with the highest CVSS scores. Four in total have a score of 9.8. Three of them are related to TCP/IP communications, and Microsoft has released a blog about them in case you want to read more.

The first one is a Windows TCP/IP Remote Code Execution Vulnerability, CVE-2021-24094. It is a packet assembly vulnerability in IPv6 for link-local addresses only. According to Microsoft, an attacker would have to be in the victim’s network to exploit this vulnerability, since link-local addresses are not routable on the internet. The described workaround entails disabling packet reassembly on IPv6. This vulnerability is listed as “Exploitation More Likely” and affects Windows 7 up to Windows 10 current version, including Server editions.

CVE-2021-24074 is also titled Windows TCP/IP Remote Code Execution Vulnerability. It affects IPv4 source routing on Windows 7 up to Windows 10 current version, including Server. It is a remote code execution vulnerability with no user interaction required. According to Microsoft, if you cannot update your system, there is a workaround to configure Windows to drop source routing requests instead of responding to them. The details can be found in the CVE link above.
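For systems that cannot be patched right away, the two workarounds described above can be audited and applied with a short script. This is an added example, not code from Microsoft or from the original post; the function name is hypothetical, and it assumes Windows 8 / Server 2012 or later, where the `Get-NetIPv4Protocol` and `Get-NetIPv6Protocol` cmdlets are available.

```powershell
# Added example: audit, and optionally apply, the workarounds for
# CVE-2021-24074 (IPv4 source routing) and CVE-2021-24094 (IPv6 reassembly).
# Assumption: Windows 8 / Server 2012 or later (Get-Net*Protocol cmdlets).
function Test-TcpIpWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)

    $v4 = Get-NetIPv4Protocol
    $v6 = Get-NetIPv6Protocol

    $checks = @(
        [pscustomobject]@{
            Cve       = 'CVE-2021-24074'
            Setting   = 'IPv4 SourceRoutingBehavior'
            Current   = [string]$v4.SourceRoutingBehavior
            Mitigated = ([string]$v4.SourceRoutingBehavior -eq 'Drop')
            NetshArgs = 'int', 'ipv4', 'set', 'global', 'sourceroutingbehavior=drop'
        }
        [pscustomobject]@{
            Cve       = 'CVE-2021-24094'
            Setting   = 'IPv6 ReassemblyLimit'
            Current   = [string]$v6.ReassemblyLimit
            Mitigated = ($v6.ReassemblyLimit -eq 0)
            NetshArgs = 'int', 'ipv6', 'set', 'global', 'reassemblylimit=0'
        }
    )

    foreach ($c in $checks) {
        if ($Apply -and -not $c.Mitigated -and
            $PSCmdlet.ShouldProcess($c.Setting, "netsh $($c.NetshArgs -join ' ')")) {
            $netshArgs = $c.NetshArgs
            & netsh.exe $netshArgs | Out-Null   # array elements become separate arguments
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "netsh failed for $($c.Cve) (exit code $LASTEXITCODE)"
            } else {
                $c.Mitigated = $true
            }
        }
    }
    # Current holds the pre-change value so it can be restored after patching.
    $checks | Select-Object Cve, Setting, Current, Mitigated
}

Test-TcpIpWorkaround   # report only; run elevated with -Apply to change settings
```

Setting the IPv6 reassembly limit to 0 causes fragmented IPv6 packets to be dropped, so record the `Current` value and restore it once the update is installed.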

DNS servers need special attention this month because of CVE-2021-24078. This Windows DNS Server Remote Code Execution Vulnerability is also listed as “Exploitation More Likely.” An attacker could remotely execute code on a Windows DNS server with no user interaction required. These types of vulnerabilities are more enticing to bad actors because the nature of DNS servers is that they are available and connected to all systems on the network. This affects Windows Server 2008 up to the current versions of Windows Server that are configured with the DNS server role.

The final vulnerability with a 9.8 score is a Windows Fax Service Remote Code Execution Vulnerability, CVE-2021-24077. However, Microsoft lists this one as “Exploitation Less Likely.” A bad actor could execute code on a system through the fax service with no user interaction. If you are not using the fax service, the fax and scan feature could be disabled on systems as a workaround. This vulnerability affects Windows 7 up to the current versions of Windows 10, including Server.

The next two “Critical” vulnerabilities are listed with a CVSS score of 8.8. CVE-2021-24093 is a Windows Graphics Component Remote Code Execution Vulnerability that would allow an attacker to execute code on a system if a user were to access a malicious website containing a specially crafted image. It affects all versions of Windows 10 and the corresponding Server versions.

The Windows Local Spooler Remote Code Execution Vulnerability, CVE-2021-24088, is a remote vulnerability that could be exploited by a bad actor with no user interaction. This vulnerability affects Windows 7 up to Windows 10, including Server.

CVE-2021-1722 is a Windows Fax Service Remote Code Execution Vulnerability that Microsoft has listed as “Exploitation Less Likely.” Much like the other fax service vulnerability, the workaround is to disable the fax and scan feature on systems that do not use it.

CVE-2021-24081 is titled Microsoft Windows Codecs Library Remote Code Execution Vulnerability. It is listed as “Exploitation Less Likely” and requires access to the system to execute. It affects all Windows 10 versions including Server editions.

The final “Critical” operating system vulnerability is a Windows Camera Codec Pack Remote Code Execution Vulnerability. CVE-2021-24091 is also a local vulnerability that requires no user interaction and affects Windows 10 systems, including Server.

There are also two .NET Core vulnerabilities this month affecting .NET 5.0 and .NET Core 2.1 and 3.1. If you are developing using .NET, be sure to update as well.

Not “Critical,” but exploitation detected

CVE-2021-1732 is listed as “Important,” but according to Microsoft is actively being exploited. It is a Windows Win32k Elevation of Privilege Vulnerability that would require an attacker to have direct access to a vulnerable system. These types of vulnerabilities are usually used in “chained attacks” once an attacker gains access to a system through another method.

“Important,” but “Exploitation More Likely”

Let’s highlight a few vulnerabilities that are not “Critical,” but warrant attention since they are likely to be exploited, according to Microsoft.

CVE-2021-1727 is a Windows Installer Elevation of Privilege Vulnerability that requires no user interaction. It does, however, require the attacker to have access to the affected system to successfully elevate privilege.

As in several previous months, there is a Microsoft SharePoint Remote Code Execution Vulnerability, CVE-2021-24066, that would allow an attacker who had rights to upload an application to execute code on the SharePoint server. This vulnerability affects Microsoft SharePoint Foundation 2010 and 2013, as well as SharePoint Server 2019 and SharePoint Enterprise Server 2016.

A final item of note in this month’s batch of fixes is an update to CVE-2020-1472. In August of last year, Microsoft released an update for a Netlogon Elevation of Privilege Vulnerability on Domain Controllers. This vulnerability had a 10.0 CVSS score and affected systems that allowed insecure Netlogon channels. At that time, the update introduced new logging and settings to give you visibility into which devices were using insecure channels to connect. Now, as promised, Microsoft is rolling out enforcement, under which only secure channels are allowed. For more information about how this may affect you, refer to their KB article.
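The logging introduced with the August update can be reviewed on each domain controller to see which devices enforcement will affect. The following is an added example, not code from Microsoft or from the original post; the function name is hypothetical, the event IDs 5827 to 5831 come from Microsoft's CVE-2020-1472 guidance rather than from this article, and the regex that extracts the client name is an assumption about the event message wording.

```powershell
# Added example: list clients whose Netlogon connections were flagged as
# vulnerable on a domain controller. Event IDs are from Microsoft's
# CVE-2020-1472 guidance; the message regex is an assumption about wording.
function Get-InsecureNetlogonClient {
    [CmdletBinding()]
    param(
        [string[]]$DomainController = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $meaning = @{
        5827 = 'Denied (machine account)'
        5828 = 'Denied (trust account)'
        5829 = 'Allowed, but vulnerable'
        5830 = 'Allowed by policy (machine account)'
        5831 = 'Allowed by policy (trust account)'
    }
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827..5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $pattern = '(?m)^\s*(?:Machine SamAccountName|Trust Name):\s*(\S+)'
    foreach ($dc in $DomainController) {
        # Get-WinEvent raises an error when nothing matches; treat that as "no hits".
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $client = if ($_.Message -match $pattern) { $Matches[1] } else { '(unparsed)' }
                [pscustomobject]@{ DC = $dc; Id = $_.Id; Client = $client; Time = $_.TimeCreated }
            } |
            Group-Object DC, Id, Client |
            ForEach-Object {
                [pscustomobject]@{
                    DC       = $_.Group[0].DC
                    EventId  = $_.Group[0].Id
                    Meaning  = $meaning[[int]$_.Group[0].Id]
                    Client   = $_.Group[0].Client
                    Count    = $_.Count
                    LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
                }
            }
    }
}

Get-InsecureNetlogonClient | Sort-Object Count -Descending | Format-Table -AutoSize
```

Any client that appears under event 5829 was still connecting over a vulnerable channel and should be updated or explicitly handled before enforcement reaches that domain controller.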

So from a priority standpoint, I recommend focusing on your DNS servers as a priority, and then moving on to workstations and servers on a normal schedule. Then turn to updating SharePoint and then installing the other updates released this month for Microsoft Edge, Excel, Office, and Teams.

As always, stay safe out there!


Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd