July 2021's security patch bonanza: Windows kernel under active attack, RCEs in Exchange, DNS, Hyper-V

Bugs include an RCE in the Windows kernel that impacts VMs, with a CVSS of 9.9

Four Microsoft software vulnerabilities are under active attack, including the notorious Windows Print Spooler bug, a Windows kernel bug, and a scripting engine memory corruption vulnerability, Redmond said in its July 2021 security patches update -- releasing fixes for 117 CVEs, 44 of which were remote code execution (RCE) bugs and 13 of which were rated critical. Adobe, meanwhile, patched 29 CVEs, with SAP, Citrix, Siemens and others all releasing fixes.

Among the latter was the fix for an unusual RCE bug in the Windows kernel that impacts virtual machines. Allocated CVE-2021-34458 and rated as an extremely high CVSS 9.9, it's one to take a close look at. (Found internally by Microsoft, it's not yet under attack, but it is likely to draw heightened interest from black hats reverse engineering the patch.) The bug affects systems with single root input/output virtualization (SR-IOV) devices.

As Chad McNaughton, Technical Community Manager at Automox, noted, it is a network-level, low-complexity vulnerability "requiring low privileges and no user interaction... [it] allows an SR-IOV device which is assigned to a guest to potentially interfere with its PCIe siblings which are attached to other guests or to the root. In short, SR-IOV devices allow your virtual machines to share resources on a single, physical interface on your server. Those that host virtual machines from a Windows instance or manage a server that includes the required hardware with SR-IOV devices could be affected by this vulnerability and should deploy the security update within 72 hours."
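
The following PowerShell is an added example, not code from the article or from Automox, showing how a Hyper-V administrator might check whether a host is in the exposed population for CVE-2021-34458 (SR-IOV capable NICs with virtual functions actually handed to guests) and whether the July 2021 update is already present. It assumes it runs elevated on a Windows Server Hyper-V host with the NetAdapter and Hyper-V modules available; the KB identifier is a placeholder to be filled from the MSRC advisory for the host's OS build.

```powershell
# Added example (not from the article): inventory SR-IOV exposure on a Hyper-V host
# so the CVE-2021-34458 patch can be prioritised. Assumes an elevated session on a
# Windows Server Hyper-V host with the NetAdapter and Hyper-V PowerShell modules.
# Get-NetAdapterSriov, Get-VMNetworkAdapter and Get-HotFix are standard cmdlets;
# the KB value below is a placeholder, not a real identifier from the page.

$ExpectedKb = 'KB<placeholder-July-2021-cumulative-update>'   # assumption: fill in per OS build

# 1. Physical NICs that support SR-IOV, and whether SR-IOV is switched on for them.
$sriovNics = Get-NetAdapterSriov -ErrorAction SilentlyContinue |
    Select-Object Name, SriovSupport, Enabled, NumVFs

# 2. Guest vNICs with a non-zero IovWeight are the ones that actually receive a
#    virtual function, i.e. the "SR-IOV device assigned to a guest" case the bug concerns.
$iovGuests = Get-VMNetworkAdapter -All -ErrorAction SilentlyContinue |
    Where-Object { $_.IovWeight -gt 0 } |
    Select-Object VMName, Name, IovWeight

# 3. Is the expected update already installed on this host?
$patched = [bool](Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue)

# One summary object per host; feed into your inventory / ticketing as needed.
[PSCustomObject]@{
    Host               = $env:COMPUTERNAME
    SriovEnabledNics   = @($sriovNics | Where-Object { $_.Enabled }).Count
    GuestsUsingVFs     = @($iovGuests).Count
    PatchInstalled     = $patched
    ExposedToKernelRce = (@($iovGuests).Count -gt 0) -and (-not $patched)
}
```

A host with SR-IOV hardware but no guest vNICs carrying an IovWeight still needs the update, but the hosts where VFs are already assigned to guests are the ones to put at the front of the 72-hour window the quote describes.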

Sysadmins and other folks will be pleased to know that the latest fix for CVE-2021-34527 (PrintNightmare) appears to fix a bug in an earlier hotfix that stopped several types of printer from working, including those from vendor Zebra, among others.

As ever, the Zero Day Initiative (ZDI) remains an excellent port of call for IT professionals seeking a crisp round-up of the CVEs and some guidance on what to prioritise for patching, and at The Stack we recommend its write-ups highly.

Some of the worst bugs are listed below.

| CVE | Title | Severity | CVSS | Exploited | Type |
|---|---|---|---|---|---|
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability | Critical | 8.8 | Exploited | RCE |
| CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability | Critical | 6.8 | Exploited | RCE |
| CVE-2021-31979 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Exploited | EoP |
| CVE-2021-33771 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Exploited | EoP |
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9.1 | No | RCE |
| CVE-2021-33781 | Active Directory Security Feature Bypass Vulnerability | Important | 8.1 | No | SFB |
| CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 9 | No | EoP |
| CVE-2021-33779 | Windows ADFS Security Feature Bypass Vulnerability | Important | 8.1 | No | SFB |
| CVE-2021-34492 | Windows Certificate Spoofing Vulnerability | Important | 8.1 | No | Spoofing |
| CVE-2021-34474 | Dynamics Business Central Remote Code Execution Vulnerability | Critical | 8 | No | RCE |
| CVE-2021-34464 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | RCE |
| CVE-2021-34522 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | RCE |
| CVE-2021-34439 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical | 7.8 | No | RCE |
| CVE-2021-34503 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical | 7.8 | No | RCE |
| CVE-2021-34494 | Windows DNS Server Remote Code Execution Vulnerability | Critical | 8.8 | No | RCE |
| CVE-2021-34450 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.5 | No | RCE |
| CVE-2021-34458 | Windows Kernel Remote Code Execution Vulnerability | Critical | 9.9 | No | RCE |
| CVE-2021-33740 | Windows Media Remote Code Execution Vulnerability | Critical | 7.8 | No | RCE |
| CVE-2021-34497 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical | 6.8 | No | RCE |