August 2021 Patch Tuesday: Active Exploited Vulnerabilities, Window Print Spooler Updates and More

August’s Patch Tuesday covered less than half as many patched vulnerabilities as July. Two of the vulnerabilities patched this month (CVE-2021-34481 and CVE-2021-36934) were previously disclosed and have been exploited. Patches include those related to Windows Print Spooler Service; an in-the-wild exploit for a vulnerability relating to Windows Update Medic Service (WaaSMedicSVC); and a vulnerability associated with PetitPotam, a tool used to launch an NTLM relay attack. On top of that, other vulnerabilities have been flagged as “exploitation more likely” by Microsoft, meaning that either attackers have previously exploited similar vulnerabilities or there is a higher probability an exploit will be developed. We also discuss other critical vulnerabilities, common attack types and patching priorities your organization should consider for a strong security posture. Let’s get started.

 

New Patches for 44 Vulnerabilities

This month’s Patch Tuesday update includes fixes for 44 vulnerabilities. As 2021 continues to unfold, we’ve seen critical vulnerabilities that have received patches and several vulnerabilities that have failed to receive a patch within the typical Patch Tuesday cadence. While this month’s release provides a relatively low quantity of patches, it's important to recognize both in- and out-of-band patches offered by Microsoft, as numerous vulnerabilities have been successfully exploited, and actors have been able to bypass some patching solutions offered in the Patch Tuesday updates, rendering them insufficient. When it comes to risk analysis, we see again, as with previous months, remote code execution and elevation of privilege as common attack types. Last month, we introduced a new graph, “Patches by Product Family,” and this month, Windows products and browsers are the two areas requiring the most patches (last month, Windows products and ESU took the lead for most patches required). What does this mean? If your organization heavily uses one of these Microsoft product areas, you might want to consider your patching policies and prioritize those that pose more risk. As we have stated before, the quantity of vulnerabilities may not necessarily indicate increased risk — but for the best defense, a thorough review of these products could prove to be useful for robust security defense.
Figure 1. Breakdown of August’s Patch Tuesday attack impact
Figure 2: Patch updates by product family, July 2021
Figure 3: Patch updates by product family, August 2021

Critical Vulnerabilities

We see patches being rolled out for seven critical vulnerabilities (see table below) for this month. Here are a few that we recommend you patch at the earliest opportunity: CVE-2021-26424:

 

CVE-2021-26424 is a remotely triggerable vulnerability in Windows TCP/IP in which a compromise can be leveraged from a Hyper-V guest virtual machine to host by sending malicious IPv6 ping packets. Patches have rolled out for all versions of Windows going back as far as Windows 7. Microsoft labels this as exploitation more likely, which means this could be low-hanging fruit for attackers. CVE-2021-26432: A critical vulnerability in the Window Services for NFS ONCRPC XDR Driver, CVE-2021-26432 appears to be particularly risky for organizations. This vulnerability does not require any privilege or user interaction and can be triggered remotely from the network. Updates have rolled out for Windows releases going back from Windows 8.1 and Server 2012. CVE-2021-34535:

 

The CVE-2021-34535 remote code execution vulnerability targets the remote desktop client. An attacker-controlled machine can leverage code execution in the victim machines that it connects to via remote desktop protocol. This can also affect the Hyper-V host when a victim uses the interface to access the attacker-controlled guest machine. This vulnerability was patched for Windows versions as old as Windows 7. CVE-2021-36936:

 

CVE-2021-36936, another remote code execution vulnerability, affects Windows Print Spooler. It was disclosed before this Patch Tuesday update, but according to Microsoft, it has not seen any active exploitation. Patches have rolled out for this vulnerability for versions as old as Windows 7. CVE-2021-34534:

 

This remote code execution vulnerability affects the MSHTML component in the browser engine. CVE-2021-34534 has only affected recent Windows 10 versions. To successfully exploit this vulnerability, an attacker would need to trick the user into browsing to a webpage. Other Critical vulnerabilities include remote code execution in Windows Graphics and a memory corruption in Scripting Engine for Internet Explorer.
RankCVSS ScoreCVEDescription
Critical9.9CVE-2021-26424Windows TCP/IP Remote Code Execution Vulnerability
Critical9.8CVE-2021-26432Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability
Critical8.8CVE-2021-34535Remote Desktop Client Remote Code Execution Vulnerability
Critical8.8CVE-2021-36936Windows Print Spooler Remote Code Execution Vulnerability
Critical7.8CVE-2021-34530Windows Graphics Component Remote Code Execution Vulnerability
Critical6.8CVE-2021-34534Windows MSHTML Platform Remote Code Execution Vulnerability
Critical6.8CVE-2021-34480Scripting Engine Memory Corruption Vulnerability

In-the-Wild Exploit for CVE-2021-36948

 

CVE-2021-36948 saw active exploitation prior to a patch update. This vulnerability is an elevation of privilege that takes advantage of Windows Update Medic Service (WaaSMedicSVC). Because of its exploitation status, it’s possible that CVE-2021-36948 is a variant of CVE-2020-17070, which was reported in November 2020. These two vulnerabilities could indicate a possible increased risk on this service, if more variants of this vulnerability come out in the future. CrowdStrike recommends that organizations implement patches for environments running Windows 10, Server 2019 and later.
RankCVSS ScoreCVEDescription
Important7.8CVE-2021-36948Windows Update Medic Service Elevation of Privilege Vulnerability

PetitPotam and CVE-2021-36942

Last month, a security researcher released a tool called PetitPotam to launch a classic attack type: NTLM relay. NTLM is an authentication protocol for Microsoft, and in this type of attack, the adversary intercepts authentication traffic between a client and server on a network. If successful, the adversary can exploit Windows Domain Controllers (DCs). Microsoft offered an advisory in July 2021 on attacks by the PetitPotam tool, acknowledging the issue and offering mitigation options. This month, a patch was released to further mitigate PetitPotam and CVE-2021-36942. When the patch is implemented, this Windows local security authority (LSA) spoofing vulnerability is blocked from the affected API call. Patches are available for Windows Server from 2008 and later.
RankCVSS ScoreCVEDescription
Important7.5CVE-2021-36942Windows LSA Spoofing Vulnerability

More on PrintNightmare and Print Spooler Vulnerabilities

As we have seen, vulnerabilities affecting Windows Print Spooler, especially those relating to the PrintNightmare situation, have created urgent and potentially dangerous openings for organizations relying on those services. In this month’s release, three updates have been offered for Windows Print Spooler: two for remote code execution and one for privilege elevation. For companies utilizing the Windows Print Spooler service, an in-depth review around these and other vulnerabilities relating to PrintNightmare would be prudent. For the latest on PrintNightmare, check out this piece by CrowdStrike’s threat intelligence team.
RankCVSS ScoreCVEDescription
Important8.8CVE-2021-36947Windows Print Spooler Remote Code Execution Vulnerability
Important8.8CVE-2021-34481Windows Print Spooler Remote Code Execution Vulnerability
Important7.8CVE-2021-34483Windows Print Spooler Elevation of Privilege Vulnerability
Other important vulnerabilities to consider:
RankCVSS ScoreCVEDescription
Important8.1CVE-2021-34524Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Important7.8CVE-2021-34478Microsoft Office Remote Code Execution Vulnerability
Important7.8CVE-2021-34486Windows Event Tracing Elevation of Privilege Vulnerability
Important7.8CVE-2021-34536Storage Spaces Controller Elevation of Privilege Vulnerability
Important7.8CVE-2021-34537Windows Bluetooth Driver Elevation of Privilege Vulnerability
Important7.8CVE-2021-26425Windows Event Tracing Elevation of Privilege Vulnerability
Important7.8CVE-2021-36937Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability
Important7.8CVE-2021-36941Microsoft Word Remote Code Execution Vulnerability
Important7.8CVE-2021-36948Windows Update Medic Service Elevation of Privilege Vulnerability
Important7.8CVE-2021-34471Microsoft Windows Defender Elevation of Privilege Vulnerability
Important7.8CVE-2021-34533Windows Graphics Component Font Parsing Remote Code Execution Vulnerability
Important7.8CVE-2021-34484Windows User Profile Service Elevation of Privilege Vulnerability
Important7.8CVE-2021-26431Windows Recovery Environment Agent Elevation of Privilege Vulnerability

Be Proactive to Improve Security Posture

A proactive security posture will help organizations to minimize the exposure to vulnerabilities. CrowdStrike Falcon® Spotlight is a scanless solution that provides immediate visibility to help teams remediate vulnerabilities that are critical to your organization. CrowdStrike helps organizations prevent potential exploitation such as what users have been experiencing with CVE-2021-34481 and CVE-2021-36934 — especially useful when there is knowledge that an attack vector is present but the vendor has not yet provided a patch to secure the systems.

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

 

Additional Resources

 

Breaches Stop Here