July 2021 Patch Tuesday: Greatest Number of Updates for Ongoing Zero-Day Vulnerabilities Year-to-Date

The month of July 2021 has been particularly challenging for organizations relying on Microsoft products. Along with the ongoing PrintNightmare out-of-band patch bypass situation affecting Windows Print Spooler, attackers are targeting other Microsoft products, with Scripting Engine and Windows Kernel both seeing active exploitation. And, as mentioned in previous Patch Tuesday reports, companies continue to be plagued by numerous vulnerabilities affecting Microsoft’s DNS — a cornerstone product for most organizations. In this month’s Patch Tuesday release, Microsoft attempts to stem the vulnerabilities in these products, offering the greatest number of patches to date this year. We review these patches and offer recommendations on those that are most important to prioritize. Let’s get started.

New Patches for 117 Vulnerabilities

This month’s Patch Tuesday updates include fixes for 117 vulnerabilities. As we’ve seen the story unfold in the days before July’s release, Microsoft has rushed to address CVE-2021-34527 (referenced as PrintNightmare) with public exploits that affect almost all Windows versions. June’s Patch Tuesday update covered this CVE; however, it was considered incomplete. As a result, additional patches have been released, and the data surrounding these patches has been included in this month’s update. (Please note that PrintNightmare is still a developing situation.) We also see fixes for numerous products, with remote code execution (RCE) vulnerabilities continuing to lead for patching coverage, as was the case in June’s update. These fixes cover products for Microsoft Exchange Server, DNS and SharePoint.

 

SecOps teams will have to patch workstations and servers to address these vulnerabilities, paying particular attention to Microsoft Exchange Servers and those that run DNS Services.

Critical Vulnerabilities

The CVE with the highest score in this month’s release is a remote code execution (RCE) vulnerability in the Windows kernel. CVE-2021-34458 has been given a CVSS score of 9.9, followed by multiple RCE vulnerabilities affecting Microsoft Exchange (CVE-2021-34473), Windows DNS Server (CVE-2021-34494) among others (see chart below). CVE-2021-34458 An attacker can utilize CVE-2021-34458A — a vulnerability that only affects Windows Server installations 2016 and newer —

 

with a guest virtual machine by leveraging a compromise in the host kernel or other guests’ kernel.
CVE-2021-34522 and CVE-2021-34464 Two RCE vulnerabilities, CVE-2021-34522 and CVE-2021-34464, have similar ratings and affect Microsoft Defender. No updates have been released for these vulnerabilities. However, if updates are appropriately configured, patches will be downloaded and installed automatically. CVE-2021-34448 According to Microsoft, this remote code execution vulnerability has seen in-the-wild exploitation. CVE-2021-34448 is a memory corruption vulnerability that affects Microsoft’s scripting engine.
RankCVSS ScoreCVEDescription
Critical9.9CVE-2021-34458Windows Kernel Remote Code Execution Vulnerability
Critical9.1CVE-2021-34473Microsoft Exchange Server Remote Code Execution Vulnerability
Critical8.8CVE-2021-34527Windows Print Spooler Remote Code Execution Vulnerability
Critical8.8CVE-2021-34494Windows DNS Server Remote Code Execution Vulnerability
Critical8.5CVE-2021-34450Windows Hyper-V Remote Code Execution Vulnerability
Critical8CVE-2021-34474Dynamics Business Central Remote Code Execution Vulnerability
Critical7.8CVE-2021-34522Microsoft Defender Remote Code Execution Vulnerability
Critical7.8CVE-2021-34464Microsoft Defender Remote Code Execution Vulnerability
Critical7.8CVE-2021-34503Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Critical7.8CVE-2021-34439Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Critical7.8CVE-2021-33740Windows Media Remote Code Execution Vulnerability
Critical6.8CVE-2021-34448Scripting Engine Memory Corruption Vulnerability
Critical6.8CVE-2021-34497Windows MSHTML Platform Remote Code Execution Vulnerability

Important Vulnerabilities, Including an In-the-Wild Windows Kernel Exploit

Microsoft reports having seen active exploitation of two Important vulnerabilities in the Windows kernel. As shown in the chart below, both have the same rating on the CVSS scale. While CVE-2021-31979 affects all Windows platforms dating as far back as Windows 7 and Server 2008 versions, CVE-2021-33771 only has updates for Windows 8.1 and newer. Although the updates for these vulnerabilities are ranked as “Important” instead of “Critical,” IT staff should prioritize them because of active exploitation.
RankCVSS ScoreCVEDescription
Important7.8CVE-2021-33771Windows Kernel Elevation of Privilege Vulnerability
Important7.8CVE-2021-31979Windows Kernel Elevation of Privilege Vulnerability

Three Microsoft Exchange Server Remote Code Execution Vulnerabilities Patched

 

This month, Microsoft patched a total of seven vulnerabilities within Microsoft Exchange Server. Three of those are remote code execution (RCE) vulnerabilities. CVE-2021-34473 has the highest CVSS ranking, coming in at 9.1. Back in March 2021, CrowdStrike reported on a mass exploitation event surrounding Microsoft Exchange Server — a highly sophisticated adversary used multiple zero-day vulnerabilities to create a massive campaign. Given the recent attention to Exchange Server from threat actors, along with the severity of the vulnerabilities, we strongly recommend accelerating the patching of these Exchange Server hosts. Also, Microsoft has now provided a patch for CVE-2021-31206, another RCE vulnerability uncovered during the Pwn2Own hacking contest.
RankCVSS ScoreCVEDescription
Critical9.1CVE-2021-34473Microsoft Exchange Server Remote Code Execution Vulnerability
Important9CVE-2021-34523Microsoft Exchange Server Elevation of Privilege Vulnerability
Important8CVE-2021-34470Microsoft Exchange Server Elevation of Privilege Vulnerability
Important8CVE-2021-33768Microsoft Exchange Server Elevation of Privilege Vulnerability
Important7.3CVE-2021-31206Microsoft Exchange Server Remote Code Execution Vulnerability
Important7.2CVE-2021-31196Microsoft Exchange Server Remote Code Execution Vulnerability
Important6.5CVE-2021-33766Microsoft Exchange Information Disclosure Vulnerability

Analyzing DNS Server Vulnerabilities

 

Windows DNS Server has seen the largest amount of update activity in July, with 13 vulnerabilities being patched for this module this month alone. While none of these vulnerabilities have seen in-the-wild exploitation, organizations should review these vulnerabilities and consider their prioritization in their current patching strategy.
RankCVSS ScoreCVEDescription
Important8.8CVE-2021-34525Windows DNS Server Remote Code Execution Vulnerability
Important8.8CVE-2021-33756Windows DNS Snap-in Remote Code Execution Vulnerability
Important8.8CVE-2021-33752Windows DNS Snap-in Remote Code Execution Vulnerability
Important8.8CVE-2021-33750Windows DNS Snap-in Remote Code Execution Vulnerability
Important8.8CVE-2021-33749Windows DNS Snap-in Remote Code Execution Vulnerability
Critical8.8CVE-2021-34494Windows DNS Server Remote Code Execution Vulnerability
Important8.8CVE-2021-33780Windows DNS Server Remote Code Execution Vulnerability
Important8CVE-2021-33754Windows DNS Server Remote Code Execution Vulnerability
Important8CVE-2021-33746Windows DNS Server Remote Code Execution Vulnerability
Important7.5CVE-2021-34442Windows DNS Server Denial of Service Vulnerability
Important6.5CVE-2021-33745Windows DNS Server Denial of Service Vulnerability
Important6.5CVE-2021-34499Windows DNS Server Denial of Service Vulnerability
Important6.5CVE-2021-34444Windows DNS Server Denial of Service Vulnerability

Noting Active Directory Vulnerabilities

Two security feature bypass vulnerabilities occur in Active Directory. Although Microsoft has shared information that the likelihood of exploitation of these vulnerabilities (CVE-2021-33781 and CVE-2021-33779) is low, we recommend considering prioritizing this set. If exploitation were to occur, organizations using Active Directory could see a potential high negative impact.
RankCVSS ScoreCVEDescription
Important8.1CVE-2021-33781Active Directory Security Feature Bypass Vulnerability
Important8.1CVE-2021-33779Active Directory Security Feature Bypass Vulnerability

Patch Tuesday Is Important — But Consider All Microsoft Vulnerability Activity

With all of the OOB patches and ongoing updates occurring around Microsoft products, IT staff should take full advantage of their vulnerability management and patching solutions. Active exploits, patching failures and a steady stream of vulnerabilities affecting key Microsoft products could result in access for those attempting to breach an organization. While Patch Tuesday research blogs, such as this one, may help IT staff quickly consider which patches to prioritize immediately, using a solution such as CrowdStrike Falcon® Spotlight will provide ongoing visibility for an organization’s security posture. Falcon Spotlight is an intuitive, scanless solution providing immediate visibility to help your team organize, prioritize and remediate vulnerabilities that are critical to your organization.

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

 

Additional Resources

 

Breaches Stop Here