April 2021 Patch Tuesday: Four More Exchange Vulnerabilities Resolved

Although they are not under active exploit like March’s Exchange vulnerabilities, there are four new Exchange security vulnerabilities to address this month. The total number of security fixes is also up compared with previous months, so there is plenty of patching to be done.
There are 110 fixes in this Patch Tuesday. There are five zero days, one of which is under active exploit, and 19 critical vulnerabilities. These, along with the four Exchange vulnerabilities, should be top priority.
Another round of Exchange vulnerabilities
There are four new vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) for Exchange this month, with two being pre-authentication vulnerabilities. Since they are pre-authentication, attackers do not need valid credentials for an Exchange server for exploitation to occur. All four are marked as “exploitation more likely” and with APT and cybercrime groups having a new-found love for Exchange vulnerabilities, it may only be a matter of days before patches for the vulnerabilities are reverse engineered and we see active attacks.
Of note is that these vulnerabilities were reported by the NSA; Microsoft is urging patching these vulnerabilities as a top priority, and CISA has given federal civilian agencies until Friday, April 16, 2021 to apply the required patches per an updated Emergency Directive 21-02.
Windows OS
There are 14 critical and 50 important Windows vulnerabilities this month. Almost all of the critical ones are RPC remote code execution vulnerabilities.
- CVE-2021-28336—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28335—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28334—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28338—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28337—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28333—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28329—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28330—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28332—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28331—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28339—Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2021-28343—Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVE-2021-28315 and CVE-2021-27095 are for Windows Media Player Video Decoder.
Cumulative updates
For cumulative updates, we have KB5001330 for Windows 10 20H2 and KB5001337 for Windows 10 1909. These cumulative updates include the March out-of-band update that fixes the BSOD related to printing.
Also a small reminder that Windows 10 1909 reaches end of service as of May 11, 2021 for Home, Pro, Pro for Workstation and Server SAC editions.
Browsers
Microsoft Edge is dead. Long live Chromium Microsoft Edge.
This month’s cumulative updates also mean the end of Legacy Microsoft Edge. It will be permanently removed and replaced with Chromium-based Microsoft Edge. Microsoft has also said there will be no supported way to block the switch from legacy to Chromium Microsoft Edge.
While there were no CVEs related to Chromium Microsoft Edge addressed in Patch Tuesday, there were nine addressed earlier on April 1, 2021. These vulnerabilities are addressed as of Microsoft Edge version 89.0.774.68.
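A quick host check for the April cumulative update and the minimum Edge version named above, as an added example that is not from the original article. It assumes Edge is installed per-machine in its default path; the KB numbers and the Edge version are the ones given in the text, and the function names are made up for this example.

```powershell
# Added example (not from the article): audit the local Windows 10 host.
# KB numbers and the Edge version are the ones the article names.
$ExpectedKb = @{ '20H2' = 'KB5001330'; '1909' = 'KB5001337' }
$MinEdge    = [version]'89.0.774.68'
# Assumption: Edge is installed per-machine in its default location.
$EdgePath   = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"

function Get-Win10Release {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # 20H2 exposes DisplayVersion; 1909 only carries ReleaseId.
    if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
}

function Test-CumulativeUpdate {
    $release = Get-Win10Release
    $kb = $ExpectedKb[$release]
    if (-not $kb) {
        return "Release ${release}: no KB listed in the article"
    }
    # Get-HotFix writes a non-terminating error when the KB is absent.
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        "Release ${release}: $kb installed"
    } else {
        # A later cumulative update replaces this KB in the list, so report
        # the newest installed update before treating the host as unpatched.
        $latest = Get-HotFix | Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        "Release ${release}: $kb not found (newest installed: $($latest.HotFixID))"
    }
}

function Test-EdgeVersion {
    if (-not (Test-Path $EdgePath)) { return "Edge not found at $EdgePath" }
    $found = [version](Get-Item $EdgePath).VersionInfo.ProductVersion
    if ($found -ge $MinEdge) { "Edge ${found}: at or above $MinEdge" }
    else { "Edge ${found}: below $MinEdge, update required" }
}

Test-CumulativeUpdate
Test-EdgeVersion
```

A "not found" result on a host patched after April 2021 usually means a newer cumulative update has superseded the KB, which is why the script reports the newest installed update alongside it.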
Other applications
Azure Sphere 21.03 and higher have been updated to address CVE-2021-28460. This carries a CVSS of 8.1. Simply make sure you’re on the appropriate version.
We also have a collection of seven important updates for the Microsoft Office Suite that need to be applied.
Zero days
Microsoft fixed five zero-day vulnerabilities, with one being actively exploited.
- CVE-2021-27091—RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
- CVE-2021-28312—Windows NTFS Denial of Service Vulnerability
- CVE-2021-28437—Windows Installer Information Disclosure Vulnerability
- CVE-2021-28458—Azure Library Elevation of Privilege Vulnerability
Exploitation detected
CVE-2021-28310 is a zero day listed as being actively exploited. This is an escalation of privilege exploit used to escape sandboxes or get system privileges to facilitate lateral movement on an endpoint. This vulnerability exists in Desktop Window Manager, and patches exist for all Windows 10 versions back to 1803, Windows Server 2019 and Windows Server Core version 2004.
Summary
This is a larger than normal Patch Tuesday with lots of critical and “exploitation more likely” vulnerabilities. While you’ll always have to use your own knowledge and the risk exposure of your environments to decide what to prioritize when it comes to patching, here are the ones you should consider tackling first:
| CVE Number | CVE Title | CVSS V3.x | Exploitability |
| --- | --- | --- | --- |
| | Microsoft Exchange Server Remote Code Execution Vulnerability | 9.8 | Exploitation More Likely |
| | Microsoft Exchange Server Remote Code Execution Vulnerability | 9.8 | Exploitation More Likely |
| | Microsoft Exchange Server Remote Code Execution Vulnerability | 8.8 | Exploitation More Likely |
| | Microsoft Exchange Server Remote Code Execution Vulnerability | 9.0 | Exploitation More Likely |
| | Win32k Elevation of Privilege Vulnerability | 7.8 | Exploitation Detected |
| | Windows TCP/IP Information Disclosure Vulnerability | 6.5 | Exploitation More Likely |
| | Windows SMB Information Disclosure Vulnerability | 6.5 | Exploitation More Likely |
| | Windows SMB Information Disclosure Vulnerability | 7.5 | Exploitation More Likely |
| | Windows TCP/IP Driver Denial of Service Vulnerability | 7.5 | Exploitation More Likely |
| | Win32k Elevation of Privilege Vulnerability | 7.0 | Exploitation More Likely |
| | RPC Endpoint Mapper Service Elevation of Privilege Vulnerability | 7.8 | Exploitation Less Likely |
| | Windows NTFS Denial of Service Vulnerability | 3.3 | Exploitation Less Likely |
| | Windows Installer Information Disclosure Vulnerability | 5.5 | Exploitation Less Likely |
| | Azure Library Elevation of Privilege Vulnerability | 7.8 | Exploitation Less Likely |
| | Windows Media Video Decoder Remote Code Execution Vulnerability | 7.8 | Exploitation Less Likely |
| | Windows Media Video Decoder Remote Code Execution Vulnerability | 7.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
| | Remote Procedure Call Runtime Remote Code Execution Vulnerability | 8.8 | Exploitation Less Likely |
Lewis Pope is Head N‑sight RMM Nerd for N‑able. You can follow him on Twitter at @cybersec_nerd.