The Elephant in the Room
There were 89 CVEs addressed this month by Microsoft, but of course they have all been overshadowed by the big four affecting on-prem Exchange servers, known collectively as ProxyLogon or by the name of the group Microsoft attributes the attacks to: Hafnium. As is unfortunately typical of large-scale attacks like this, the flaws were known to security researchers well before the disclosure, and exploitation in the wild was observed as early as January 3rd. Microsoft started the patching cycle a week early this month with an out-of-band release on March 2nd covering seven Exchange CVEs, four of which were already under active attack. It doesn't need to be argued further on this blog or any other how imperative it is that administrators patch their on-prem Exchange servers as soon as possible; in this case, however, patching alone probably isn't enough. The patch closes the door but does not evict anyone who already walked through it: if a server was compromised before the update was applied, the web shells, any accounts the attackers created and any other persistence remain in place afterwards. Administrators also need to investigate. Check the Exchange HttpProxy, ECP and OAB generator logs and the Application event log for the indicators of compromise (IOCs) Microsoft published, look for unexpected .aspx files under the OWA authentication and aspnet_client directories, and run Microsoft's Test-ProxyLogon.ps1 script from its CSS-Exchange GitHub repository, which automates those checks. If you find evidence of compromise, treat it as an incident rather than a cleanup: isolate the server, preserve the logs and dropped files before removing anything, reset the credentials the server and its service accounts had access to, and rebuild or restore from a backup taken before the intrusion rather than trusting a host you have scrubbed by hand.
Here are the 4 CVEs in question. Microsoft titles all four "Microsoft Exchange Server Remote Code Execution Vulnerability"; the role each plays in the chain is noted alongside:
CVE-2021-26855 – server-side request forgery (SSRF) that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server; this is the entry point for the chain
CVE-2021-26857 – insecure deserialization in the Unified Messaging service, giving code execution as SYSTEM once the attacker has administrator rights or has authenticated via CVE-2021-26855
CVE-2021-26858 – post-authentication arbitrary file write, used to drop web shells once CVE-2021-26855 has supplied the authentication
CVE-2021-27065 – post-authentication arbitrary file write, likewise used to drop web shells
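The log checks described above, as an added example that is not code from the original post, from Balbix or from Microsoft (Microsoft's own Test-ProxyLogon.ps1 in the CSS-Exchange repository is the supported tool). The indicator patterns are the ones Microsoft published in its HAFNIUM guidance for each of the four CVEs; the directory layout assumes a default Exchange 2016/2019 installation where the ExchangeInstallPath environment variable is set; the function names are mine; and the HttpProxy log rows are constructed sample data so the SSRF check can be run on any machine.

```powershell
# Added triage script for the ProxyLogon indicators; not part of the original post.
# Paths assume a default Exchange 2016/2019 install ($env:ExchangeInstallPath is
# set on Exchange servers). The sample HttpProxy rows at the bottom are constructed.

# CVE-2021-26855 (SSRF): an unauthenticated front-end request whose AnchorMailbox
# routing hint starts with "ServerInfo~" is the signature of the initial exploit
# request. This is the filter Microsoft published, applied to parsed CSV rows.
function Find-ProxyLogonSsrf {
    param([object[]] $HttpProxyRows = @())
    $HttpProxyRows | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

# Load every HttpProxy log under the install path. Import-Csv handles Exchange's
# CSV logs the same way Microsoft's published one-liner relies on.
function Get-HttpProxyRows {
    param([string] $InstallPath = $env:ExchangeInstallPath)
    if (-not $InstallPath) { return @() }
    $logRoot = Join-Path $InstallPath 'Logging\HttpProxy'
    if (-not (Test-Path $logRoot)) { return @() }
    Get-ChildItem -Path $logRoot -Recurse -Filter '*.log' -File |
        ForEach-Object { Import-Csv -Path $_.FullName }
}

# CVE-2021-26857: failed deserialization in Unified Messaging shows up as
# Application-log errors (Level 2) containing System.InvalidCastException.
function Find-UnifiedMessagingErrors {
    $filter = @{ LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'; Level = 2 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeCreated, Id, Message
}

# CVE-2021-26858 / CVE-2021-27065: the file-write steps leave traces in the OAB
# generator log and in the ECP server logs (a Set-*VirtualDirectory call whose
# parameters point at an attacker-controlled path).
function Find-FileWriteTraces {
    param([string] $InstallPath = $env:ExchangeInstallPath)
    if (-not $InstallPath) { return }
    $checks = @(
        @{ Path = (Join-Path $InstallPath 'Logging\OABGeneratorLog\*.log'); Pattern = 'Download failed and temporary file' },
        @{ Path = (Join-Path $InstallPath 'Logging\ECP\Server\*.log');      Pattern = 'Set-.+VirtualDirectory' }
    )
    foreach ($c in $checks) {
        if (Test-Path $c.Path) {
            Select-String -Path $c.Path -Pattern $c.Pattern | Select-Object Path, LineNumber, Line
        }
    }
}

# Web shells were dropped as .aspx files into directories that should rarely change.
# This lists .aspx files created or modified since $Since for manual review; a CU
# installed after that date will also show up, so compare against a clean server
# rather than treating every hit as a verdict.
function Find-SuspiciousAspx {
    param([string] $InstallPath = $env:ExchangeInstallPath, [datetime] $Since = '2021-01-01')
    $dirs = @('C:\inetpub\wwwroot\aspnet_client')
    if ($InstallPath) {
        $dirs += Join-Path $InstallPath 'FrontEnd\HttpProxy\owa\auth'
        $dirs += Join-Path $InstallPath 'FrontEnd\HttpProxy\ecp\auth'
    }
    foreach ($d in $dirs) {
        if (Test-Path $d) {
            Get-ChildItem -Path $d -Recurse -Filter '*.aspx' -File |
                Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
                Select-Object FullName, CreationTime, LastWriteTime, Length
        }
    }
}

# Constructed sample rows (not real log data): row 2 carries the SSRF signature,
# rows 1 and 3 are a normal anonymous logon-page hit and an authenticated user.
$sampleHttpProxy = @'
DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T04:12:09.441Z,1,/owa/auth/logon.aspx,,,203.0.113.7,200
2021-03-03T04:12:10.102Z,2,/ecp/y.js,,ServerInfo~a]@exchange.contoso.local:444/autodiscover/autodiscover.xml?#,203.0.113.7,200
2021-03-03T04:13:00.000Z,3,/owa/,contoso\jdoe,jdoe@contoso.local,10.0.0.15,200
'@

"== CVE-2021-26855 SSRF hits (sample data; expect only request 2) =="
Find-ProxyLogonSsrf -HttpProxyRows ($sampleHttpProxy | ConvertFrom-Csv)

if ($env:ExchangeInstallPath) {
    "== CVE-2021-26855 SSRF hits (this server) =="
    Find-ProxyLogonSsrf -HttpProxyRows (Get-HttpProxyRows)
    "== CVE-2021-26857 Unified Messaging errors =="
    Find-UnifiedMessagingErrors
    "== CVE-2021-26858 / CVE-2021-27065 file-write traces =="
    Find-FileWriteTraces
    "== Recent .aspx files in web shell drop locations =="
    Find-SuspiciousAspx
}
```

Run it in an elevated PowerShell session on each Exchange server; the event-log and file checks need local administrator rights, and the HttpProxy logs can be large, so expect the server-wide pass to take a while. A hit in the SSRF check means an exploit request reached the server, not necessarily that it succeeded, so pair it with the file-write traces and the .aspx listing before deciding the host is clean.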
Apart from Exchange, other affected software and components this month include Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Office, SharePoint Server, Visual Studio, and Windows Hyper-V. Of the 89 bugs, 14 are rated Critical and 75 Important. Two further flaws were publicly known before the patch: CVE-2021-26411 in Internet Explorer, which is also under active attack, and CVE-2021-27077 in Windows.
CVE-2021-26411 addresses a memory corruption bug in Internet Explorer and Edge (EdgeHTML-based) that allows remote code execution (RCE) when a user opens a specially crafted HTML file or visits a malicious web page. Successful exploitation yields code execution at the privilege level of the logged-on user, so the fix is especially critical for any assets on which users run with administrative rights, and since it is already being exploited in the wild it should be treated as a priority even where these browsers see little use.
CVE-2021-27077 is an elevation of privilege vulnerability in the Win32k component that affects 32-bit versions of Windows. It is rated Important rather than Critical, and 32-bit installations are far less widespread than they used to be, but a local privilege escalation is exactly what an attacker chains with a browser or document exploit to reach SYSTEM, so this is still an important one to patch if you have such assets on your network.
For more information or to access the security updates, see
As always, Balbix can identify all affected assets within 1 hour of release. To view the list of affected assets for a specific CVE in your Balbix dashboard, enter the CVE in the Search field and hit Enter. Balbix automatically prioritizes the search results for remediation. You can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.
If you have additional questions, please contact firstname.lastname@example.org.