Be Nice to Your Admins
This month, Microsoft has released its largest haul so far in 2021, with fixes for 110 vulnerabilities, including 19 classified as critical. No rest for the weary…
Among the 19 critical fixes are 5 zero-days, including one (CVE-2021-23810) that has been discovered being actively exploited in the wild. The other 4 have been classified by Microsoft as “potentially exploitable” but haven’t been seen in any attacks yet:
- CVE-2021-27091 – RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
- CVE-2021-28312 – Windows NTFS Denial of Service Vulnerability
- CVE-2021-28437 – Windows Installer Information Disclosure Vulnerability – PolarBear
- CVE-2021-28458 – Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
Unfortunately for our heroic Exchange admins, the hits just keep on coming as well. The NSA has released 4 new critical Remote Code Execution (RCE) vulnerabilities for Exchange Server 2013, 2016, and 2019:
- CVE-2021-28480 – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28481 – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28482 – Microsoft Exchange Server Remote Code Execution Vulnerability (pre-auth)
- CVE-2021-28483 – Microsoft Exchange Server Remote Code Execution Vulnerability (pre-auth)
Two of the above four are “pre-authentication”, meaning attackers don’t need to be logged into the server to exploit them. The good news is that there aren’t any known exploits for these yet, but with a pre-auth attack vector, we can be sure there will be soon.
Per Microsoft’s blog on the subject released today, these need to be fixed ASAP. Hopefully everyone was able to implement some expedited processes for updating Exchange as a result of the Hafnium fiasco last month… but if not then this is definitely more fuel for the fire.
More info for admins on how to patch these can be found here.
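As an added example (not code from this post or from Balbix), the PowerShell below reads the installed Exchange build on every server and compares it with a table of patched builds. It assumes it is run from the Exchange Management Shell with rights to Invoke-Command on each server, and the build table is a placeholder because the post does not list build numbers.

```powershell
# Added example, not code from the post or from Balbix. Run from the Exchange
# Management Shell. Get-ExchangeServer's AdminDisplayVersion reflects only the
# Cumulative Update, not whether a Security Update is installed, so the file
# version of ExSetup.exe is read on each server instead.

# Minimum patched ExSetup.exe version per CU, keyed by Major.Minor.Build.
# PLACEHOLDER: the post gives no build numbers; copy them from Microsoft's
# advisory for the April 2021 Exchange security updates before running.
$PatchedBuilds = @{
    # '15.2.858' = [version]'15.2.858.NNN'   # entry format: CU prefix -> patched build
}

$results = foreach ($name in (Get-ExchangeServer).Name) {
    try {
        # ExSetup.exe sits in the Exchange bin directory, which is on the server's PATH.
        $installed = Invoke-Command -ComputerName $name -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
        } -ErrorAction Stop
    } catch {
        # Edge Transport servers are not domain-joined and may not accept remoting.
        [pscustomobject]@{ Server = $name; Installed = 'unreachable';
                           Status = 'CHECK MANUALLY'; Reason = $_.Exception.Message }
        continue
    }

    $v  = [version]$installed
    $cu = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build

    if (-not $PatchedBuilds.ContainsKey($cu)) {
        # An unlisted CU is either out of support or missing from the table;
        # either way it must not be reported as patched.
        $status = 'UNKNOWN CU'; $reason = 'CU not in table; treat as unpatched'
    } elseif ($v -lt $PatchedBuilds[$cu]) {
        $status = 'NEEDS UPDATE'; $reason = "patched build is $($PatchedBuilds[$cu])"
    } else {
        $status = 'PATCHED'; $reason = ''
    }
    [pscustomobject]@{ Server = $name; Installed = $installed; Status = $status; Reason = $reason }
}

# Servers needing attention sort to the top; PATCHED rows sort last.
$results | Sort-Object Status | Format-Table -AutoSize
```

With the table left empty every server reports UNKNOWN CU, which is intentional: the script never reports a server as patched without a build number to compare against.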
Other RCE vulnerabilities released this month include a handful for Microsoft Office. CVE-2021-28451 and CVE-2021-28454 involve Excel, CVE-2021-28453 affects Word, and CVE-2021-28449 is in Microsoft Office itself. Unusually, these CVEs impact all versions of Office, including O365. Microsoft hasn’t labeled these as “critical”, but admins should still seriously consider updating.
Other Microsoft products with patches required this month include Azure and Azure DevOps Server, Edge (Chromium-based), Hyper-V, SharePoint Server, Team Foundation Server, and Visual Studio.
For more information or to access the security updates, see
As always, Balbix can identify all affected assets within 1 hour of release. To view the list of affected assets for a specific CVE in your Balbix dashboard, enter the CVE in the Search field and hit Enter. Balbix automatically prioritizes the search results for remediation. You can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.
If you have additional questions, please contact firstname.lastname@example.org.