March 2021 Patch Tuesday: More Microsoft Zero-Day Vulnerabilities and More CVEs

In this Microsoft Patch Tuesday update, we discuss several critical vulnerabilities, including a newly released zero-day targeting Internet Explorer that has already seen active exploitation in the wild, and five others that target the backbone of most organizations: DNS.

 

Organizations should take particular notice of the new Microsoft Exchange vulnerabilities revealed last week, which were so severe that Microsoft likely felt compelled to once again preempt its regular Patch Tuesday cycle to make them public. Mass exploitation in the wild, involving four remote code execution vulnerabilities used by an alleged state-sponsored adversary, should make patching these flaws a high priority for any affected organization. The risk may be higher for those that rely heavily on Microsoft Defender, which has recently been subject to numerous related critical vulnerabilities. In addition, Microsoft cites numerous AV exclusions that could further impact Exchange Server risk. Although the security fixes for older and out-of-support versions of Microsoft Exchange Server were released by Microsoft prior to the Patch Tuesday update, we’ll cover some important additional details in this roundup. Let's get started.

New Patches for 89 Vulnerabilities

This month’s Patch Tuesday updates include fixes for 82 vulnerabilities. Combined with the seven vulnerabilities patched for Microsoft Exchange Server released earlier this month, we have a total of 89 new CVEs with patch updates offered by Microsoft.
pie chart Figure 1. Breakdown of March’s Patch Tuesday attack impact

Zero-Day Vulnerability: Internet Explorer Memory Corruption Vulnerability Exploited in the Wild

CVE-2021-26411, a critical zero-day memory corruption vulnerability within Internet Explorer, has seen active exploitation in the wild. This vulnerability has a CVSS v3.0 base score of 8.8 out of 10, indicating high severity (for an explanation of CVSS scores, see the end of this blog post). The successful exploitation of this vulnerability would require user interaction after enticing the victim to visit a specially crafted website. Alternatively, the attacker could inject malicious code into a legitimate website. Once exploited, the attacker could gain the same operating system permissions as the user visiting the website. This attack method could be especially dangerous if you’re an admin browsing a website with malicious code — it would provide the attacker with admin-level privileges to files and operating systems.
RankCVSS ScoreCVEDescription
Critical8.8CVE-2021-26411Internet Explorer Memory Corruption Vulnerability

Windows DNS Server Remote Code Execution Vulnerability Updates

Remotely exploitable DNS vulnerabilities are an effective avenue for worms to spread quickly and effectively. Many organizations rely heavily on Windows-based DNS servers, so updating these vulnerabilities are critical in creating a safe environment.

 

 

Another five Windows DNS Server RCE vulnerabilities have been patched this month, including:

 

  • CVE-2021-26897

     

  • CVE-2021-26877

     

  • CVE-2021-26893

     

  • CVE-2021-26894

     

  • CVE-2021-26895

     

These CVEs all have a high CVSS base score of 9.8. Another recent vulnerability that affected the Windows DNS server was known as SIGRED, referenced by CVE-2020-1350 and patched back in July 2020.

 

Please note that CVE-2021-24078 is only exploitable if the server is configured to be a DNS server.
RankCVSS ScoreCVEDescription
Critical9.8CVE-2021-26897Windows DNS Server Remote Code Execution Vulnerability
Critical9.8CVE-2021-26877Windows DNS Server Remote Code Execution Vulnerability
Critical9.8CVE-2021-26893Windows DNS Server Remote Code Execution Vulnerability
Critical9.8CVE-2021-26894Windows DNS Server Remote Code Execution Vulnerability
Critical9.8CVE-2021-26895Windows DNS Server Remote Code Execution Vulnerability
Other critical vulnerabilities to consider:
RankCVSS ScoreCVEDescription
Critical8.8CVE-2021-21300Git for Visual Studio Remote Code Execution Vulnerability
Critical9.9CVE-2021-26867Windows Hyper-V Remote Code Execution Vulnerability
Critical8.8CVE-2021-26876OpenType Font Parsing Remote Code Execution Vulnerability
Critical7.8CVE-2021-26902HEVC Video Extensions Remote Code Execution Vulnerability
Critical7.8CVE-2021-27061HEVC Video Extensions Remote Code Execution Vulnerability
Critical6.2CVE-2021-27074Azure Sphere Unsigned Code Execution Vulnerability
Critical6.8CVE-2021-27075Azure Virtual Machine Information Disclosure Vulnerability
Critical9.3CVE-2021-27080Azure Sphere Unsigned Code Execution Vulnerability

More on Microsoft Exchange Server Critical Vulnerabilities

A total of seven remote code execution vulnerabilities affecting Microsoft Exchange server — including the four vulnerabilities being exploited actively by an alleged nation-state-sponsored actor — were disclosed before this month’s Microsoft Patch Tuesday update due to their impact and active exploitation. Learn what recommendations the Falcon Complete team offers to help stop a breach occurring from these vulnerabilities. Microsoft has recently released a guide with updated, temporary mitigation actions for those organizations that cannot fully patch and remediate the reported vulnerabilities. According to the information being shared by the Microsoft Security Response Center (MSRC) team, mitigations apply to Exchange server 2013, 2016, and 2019; however, these temporary measures might not prevent all potential avenues for attackers. The Microsoft Exchange team has released an out-of-band security update for an older and unsupported version of Microsoft Exchange server. Guidelines were provided along with recommendations for companies using older versions missing appropriate security fixes.

 

CrowdStrike enables organizations to protect themselves against attacks exploiting vulnerabilities like these.

 

RankCVSS ScoreCVEDescription
Critical9.1CVE-2021-26412Microsoft Exchange Server Remote Code Execution Vulnerability
Important6.6CVE-2021-26854Microsoft Exchange Server Remote Code Execution Vulnerability
Critical9.1CVE-2021-26855Microsoft Exchange Server Remote Code Execution Vulnerability
Critical7.8CVE-2021-26857Microsoft Exchange Server Remote Code Execution Vulnerability
Important7.8CVE-2021-26858Microsoft Exchange Server Remote Code Execution Vulnerability
Critical7.8CVE-2021-27065Microsoft Exchange Server Remote Code Execution Vulnerability
Important9.1CVE-2021-27078Microsoft Exchange Server Remote Code Execution Vulnerability

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

 

Additional Resources

Breaches Stop Here