"Team Security" Telegram-Gruppe .

❈ The February 2021 Security Update Review

Hacking thezdi.com

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2021

For February, Adobe released six patches addressing 50 CVEs in Adobe Dreamweaver, Illustrator, Animate, Photoshop, Magento, and Reader. A total of 14 of these bugs came through the ZDI program. The update for Adobe Reader fixes a total of 23 CVEs, 17 of which are rated Critical, and eight of which were reported through the ZDI program. CVE-2021-21017, a heap-based buffer overflow, is listed as being under “limited” active attacks on Reader for Windows. Definitely prioritize the testing and deployment of this update.

The update for Magento is also significant as it patches 18 bugs, seven of which are rated Critical. In the worst-case scenario, successful exploitation could lead to arbitrary code execution at the level of the current process. The update for Dreamweaver fixes a single, Important-rated info disclosure bug. The patch for Illustrator fixes two Out-Of-Bounds (OOB) write bugs that could lead to code execution. There’s also an OOB write being fixed in the patch for Animate. The patch for Photoshop fixes five Critical-rated bugs that could allow code execution.

Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2021

For February, Microsoft released patches for 56 CVEs covering Microsoft Windows components, .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender. Seven of these CVEs were submitted through the ZDI program. Of these 56 CVEs, 11 are listed as Critical, 43 as Important, and two as Moderate in severity. According to Microsoft, one bug is known to be actively exploited and six others are listed as publicly known at the time of release. This is roughly half the volume of what they patched in February 2020, but this release does contain an unusually high number of publicly known CVEs. Microsoft provides no information on where these CVEs were publicly exposed.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

-       CVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability
This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution at the logged-on user level. For example, this could be paired with an Adobe Reader exploit: an attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug and then escalation through this bug. This is also a common tactic for malware.

-       CVE-2021-24078 - Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

-       CVE-2021-24074 - Windows TCP/IP Remote Code Execution Vulnerability
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

-       CVE-2021-26701 - .NET Core and Visual Studio Remote Code Execution Vulnerability
This is the only Critical-rated bug listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, it could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for February 2021.

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP
CVE-2021-26701 | .NET Core and Visual Studio Remote Code Execution Vulnerability | Critical | 8.1 | Yes | No | RCE
CVE-2021-1721 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 6.5 | Yes | No | DoS
CVE-2021-1733 | Sysinternals PsExec Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP
CVE-2021-24098 | Windows Console Driver Denial of Service Vulnerability | Important | 5.5 | Yes | No | DoS
CVE-2021-24106 | Windows DirectX Information Disclosure Vulnerability | Important | 5.5 | Yes | No | Info
CVE-2021-1727 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP
CVE-2021-24112 | .NET Core for Linux Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2021-24081 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2021-24091 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2021-24078 | Windows DNS Server Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2021-1722 | Windows Fax Service Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2021-24077 | Windows Fax Service Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2021-24093 | Windows Graphics Component Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2021-24088 | Windows Local Spooler Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2021-24074 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2021-24094 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2021-24111 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2021-24087 | Azure IoT CLI extension Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2021-24101 | Microsoft Dataverse Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2021-24092 | Microsoft Defender Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-1724 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS
CVE-2021-24100 | Microsoft Edge for Android Information Disclosure Vulnerability | Important | 5.0 | No | No | Info
CVE-2021-24067 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-24068 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-24069 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-24070 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-1730 | Microsoft Exchange Server Spoofing Vulnerability | Important | 5.4 | No | No | Spoof
CVE-2021-24085 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoof
CVE-2021-24071 | Microsoft SharePoint Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2021-24066 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2021-24072 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2021-1726 | Microsoft SharePoint Spoofing Vulnerability | Important | 8.0 | No | No | Spoof
CVE-2021-24114 | Microsoft Teams iOS Information Disclosure Vulnerability | Important | 5.7 | No | No | Info
CVE-2021-24076 | Microsoft Windows VMSwitch Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2021-24082 | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB
CVE-2021-24105 | Package Managers Configurations Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-1731 | PFX Encryption Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB
CVE-2021-24099 | Skype for Business and Lync Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2021-24073 | Skype for Business and Lync Spoofing Vulnerability | Important | 6.5 | No | No | Spoof
CVE-2021-1728 | System Center Operations Manager Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2021-26700 | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-1639 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.0 | No | No | RCE
CVE-2021-24083 | Windows Address Book Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-24079 | Windows Backup Engine Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2021-24102 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-24103 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-24096 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-24084 | Windows Mobile Device Management Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2021-24075 | Windows Network File System Denial of Service Vulnerability | Important | 6.8 | No | No | DoS
CVE-2021-25195 | Windows PKU2U Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-1734 | Windows Remote Procedure Call Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2021-24086 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2021-1698 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-24109 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Moderate | 6.8 | No | No | EoP
CVE-2021-24080 | Windows Trust Verification API Denial of Service Vulnerability | Moderate | 6.5 | No | No | DoS

You’ll notice we have added the CVSS scores to the table. This is to provide further detail on the severity of the patches since Microsoft is now relying on CVSS scores so heavily. We recommend balancing the Microsoft severity (i.e., Critical, Important, Moderate, etc…) with the CVSS score to help determine prioritization for your enterprise.

Moving on to the remaining Critical-rated patches, two involve codec libraries and were reported by ZDI vulnerability researcher Hossein Lotfi. Both of these bugs are OOB Writes that result from the lack of proper validation of user-supplied data. This can lead to a write past the end of an allocated buffer and allow an attacker to execute code in the context of the current user. There are two Critical-rated bugs impacting the Fax Service, but the Windows Fax and Scan feature needs to be enabled for a system to be affected by these vulnerabilities. There’s a patch for the Windows graphics component to correct a bug that allows code execution when viewing a specially crafted image. The Windows Spooler service also receives a Critical-rated patch to prevent remote code execution, although the exploit path is not as clear here. The final Critical-rated bug addresses a vulnerability in .NET Core for Linux. In this case, a .NET application utilizing libgdiplus on a non-Windows system could allow code execution if an attacker sends a specially crafted request.

Shifting our focus to Important-rated updates, there are 10 bugs that could result in remote code execution. The most interesting of these are two that impact SharePoint Server. One of these came from an anonymous contributor to our program and could allow code execution if an authenticated user can trigger the deserialization of untrusted data by tampering with client-side data. There are four patches for Excel – two that came through our program – that would allow code execution when opening a specially crafted file in Excel. Note that the updates for Microsoft Office 2019 for Mac are not currently available. Hopefully, Microsoft gets those out soon.

There are a couple of updates to Visual Studio addressing code execution bugs. In one case, a user would need to clone a malicious repository from inside Visual Studio Code. Once completed, attacker code would execute once the targeted user viewed contents of the repository. That’s not the most likely scenario. The Windows Address Book gets a patch for a bug found by ZDI vulnerability researcher Mat Powell. The bug results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Finally, there’s a significant bug in package manager configurations (CVE-2021-24105) that can only be addressed by reconfiguring installation tools and workflows rather than by installing a binary fix. Microsoft provides several resources with additional information on this vulnerability and how to mitigate it. It is highly recommended to read and heed all of that guidance. Considering the complexity in resolving this issue, this is a bug that could stick with us for a while.

There are 12 Elevation of Privilege (EoP) bugs addressed in this month’s release, and we’ve already covered the one under active attack. Two are publicly known, and the more interesting of those impacts Sysinternals PsExec. If you’re not familiar with this tool, it’s a lightweight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. It’s also often used by red teams when penetrating a network. We’ll likely see this bug end up in different toolkits should an exploit become available. The other publicly known bug impacts Windows Installer, but there’s no additional information about this vulnerability. Other EoP fixes of note include one for PKU2U, which is a peer-to-peer authentication protocol. Although systems not running PKU2U are not affected, Microsoft still recommends installing this update on all potentially impacted OSes.

Two different security feature bypasses receive fixes this month. The first covers a bypass in PowerShell, although no further information on what is bypassed is provided. The second covers a bypass in PFX encryption. When exporting a SID-protected PFX file, keys encrypted using AES are not properly protected. You’ll need to do more than just patch here as well. Any SID-protected PFX files using AES for key encryption should be regenerated and exported after this update is installed.
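The regenerate-and-re-export step described above, as an added example that is not code from the ZDI post or from Microsoft: a PowerShell function that exports a certificate’s private key into a SID-protected PFX (Export-PfxCertificate -ProtectTo) with AES key wrapping (-CryptoAlgorithmOption AES256_SHA256), followed by a demo run against a throwaway self-signed certificate. The group name CONTOSO\PKI Operators and the output paths are placeholders; SID protection resolves the accounts through Active Directory, so the machine needs to be domain-joined. Run this only on hosts that already have the February 2021 update installed, since an export made before the fix is exactly what the advisory says to replace.

```powershell
# Added example, not from the original post. Re-exports a certificate's private
# key as a SID-protected PFX with AES key wrapping after the CVE-2021-1731 fix
# is installed. Requires Windows PowerShell 5.1 with the PKI module
# (Export-PfxCertificate, New-SelfSignedCertificate), a domain-joined machine
# (SID protection resolves accounts via AD) and rights to the private key.

function Export-SidProtectedPfx {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        [Parameter(Mandatory)]
        [string]$FilePath,

        # Users and/or groups (DOMAIN\name) whose SIDs protect the file; no password is used.
        [Parameter(Mandatory)]
        [string[]]$ProtectTo
    )

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key; nothing to export."
    }

    $action = "Export SID-protected PFX (AES256_SHA256) for $($Certificate.Subject)"
    if ($PSCmdlet.ShouldProcess($FilePath, $action)) {
        # Remove the pre-patch export so a stale, weakly protected copy is not left behind.
        if (Test-Path -LiteralPath $FilePath) { Remove-Item -LiteralPath $FilePath -Force }

        # -ProtectTo                           => SID protection instead of a password
        # -CryptoAlgorithmOption AES256_SHA256 => AES for the key encryption, SHA-256 for integrity
        $null = Export-PfxCertificate -Cert $Certificate -FilePath $FilePath `
            -ProtectTo $ProtectTo -CryptoAlgorithmOption AES256_SHA256 -ChainOption BuildChain

        $out = Get-Item -LiteralPath $FilePath
        if ($out.Length -eq 0) { throw "Export produced an empty file: $FilePath" }
        return $out
    }
}

# --- Demo run against a throwaway self-signed certificate (constructed for this example) ---
$demoCert = New-SelfSignedCertificate -Subject 'CN=pfx-reexport-demo' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048
$demoPrincipal = "$env:USERDOMAIN\$env:USERNAME"      # protect to the current (domain) user
$demoPath      = Join-Path $env:TEMP 'pfx-reexport-demo.pfx'
try {
    Export-SidProtectedPfx -Certificate $demoCert -FilePath $demoPath -ProtectTo $demoPrincipal |
        Format-List FullName, Length, LastWriteTime
} finally {
    # The demo key and file should not outlive the test.
    Remove-Item -LiteralPath $demoPath -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($demoCert.Thumbprint)" -Force -ErrorAction SilentlyContinue
}

# Production use (assumed group name and path; adjust to your inventory of SID-protected exports):
#   Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
#       Export-SidProtectedPfx -Certificate $_ -FilePath "D:\pfx\$($_.Thumbprint).pfx" -ProtectTo 'CONTOSO\PKI Operators'
#   }
```

The function deletes the old file on purpose: the point of the advisory is that the pre-patch export is the weak artifact, so leaving it beside the new one defeats the exercise. Use -WhatIf on the first pass to see which certificates and paths would be touched.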

There are nine patches for information disclosure bugs in this month’s release. The info leak impacting DirectX is another of the publicly known bugs. While most of these cases only lead to leaks of unspecified memory contents, some do yield interesting data. The bug fixed in the patch for Edge for Android could disclose personally identifiable information (PII) and payment information of a user. The vulnerability in Microsoft Dataverse could expose underlying datasets in Dataverse, which could include PII. The vulnerability in Microsoft Teams for iOS exposes the Skype token value in the preview URL for images in the Teams iOS app. The SharePoint bug leaks SQL table columns that would normally be restricted. Finally, the bug in Mobile Device Management could allow an attacker to read from the file system.

There are a handful of notable Denial-of-Service (DoS) bugs patched this month, and the fix for TCP/IP leads the way. Similar to CVE-2021-24094, this bug (CVE-2021-24086) also involves IPv6 fragmentation, although there’s no path to code execution here. Disallowing IPv6 UDP fragmentation at the perimeter could have some side effects, but implementing the workaround to drop out-of-order packets seems more reasonable. Still, this should be tested before updating production systems. The DoS bugs impacting .NET Core and the Windows Console Driver are listed as publicly known, but Microsoft provides no further details. There’s a patch for a DoS vulnerability in Skype for Business and Lync. If you’re still using either of those messaging tools, definitely look to patching soon.
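The two interim workarounds touched on in this post, dropping IPv4 source-routed packets for CVE-2021-24074 (discussed under the TCP/IP highlight above) and disabling IPv6 fragment reassembly so out-of-order fragments are dropped for CVE-2021-24086 and CVE-2021-24094 (this paragraph), as an added example that is not part of the original post: a PowerShell script that reads the current state from netsh, reports whether each workaround is in place, and applies them only when asked. It assumes the English field names 'Source Routing Behavior' and 'Reassembly Limit' in the output of netsh int ipv4/ipv6 show global, and an elevated session; the host it runs on is whatever you target with your usual remoting.

```powershell
# Added example, not from the ZDI post. Audits and (optionally) applies the netsh
# workarounds Microsoft published alongside the February 2021 TCP/IP fixes:
#   CVE-2021-24074           -> netsh int ipv4 set global sourceroutingbehavior=drop
#   CVE-2021-24086 / 24094   -> netsh int ipv6 set global reassemblylimit=0
# reassemblylimit=0 disables IPv6 fragment reassembly, so out-of-order fragments
# are dropped; the previous value is recorded so it can be restored after patching.
# Assumes an elevated session and the English field names printed by
# "netsh int ipv4|ipv6 show global" on supported Windows 10 / Server releases.

function Get-NetshGlobalValue {
    param(
        [ValidateSet('ipv4', 'ipv6')][string]$Family,
        [string]$FieldName
    )
    $line = & netsh int $Family show global | Select-String -SimpleMatch $FieldName | Select-Object -First 1
    if (-not $line) { throw "'$FieldName' not found in 'netsh int $Family show global' output." }
    # Lines look like "Source Routing Behavior             : dontforward"
    return ($line.Line -split ':', 2)[1].Trim()
}

function Get-TcpIpWorkaroundState {
    $srb   = Get-NetshGlobalValue -Family ipv4 -FieldName 'Source Routing Behavior'
    $limit = [int64](Get-NetshGlobalValue -Family ipv6 -FieldName 'Reassembly Limit')
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SourceRoutingBehavior  = $srb
        SourceRoutingMitigated = ($srb -eq 'drop')   # CVE-2021-24074 workaround in place?
        IPv6ReassemblyLimit    = $limit
        IPv6ReassemblyDisabled = ($limit -eq 0)      # CVE-2021-24086/24094 workaround in place?
    }
}

function Set-TcpIpWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$SourceRouting, [switch]$IPv6Reassembly)

    $before = Get-TcpIpWorkaroundState

    if ($SourceRouting -and -not $before.SourceRoutingMitigated -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'netsh int ipv4 set global sourceroutingbehavior=drop')) {
        & netsh int ipv4 set global sourceroutingbehavior=drop | Out-Null
    }

    if ($IPv6Reassembly -and -not $before.IPv6ReassemblyDisabled -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "netsh int ipv6 set global reassemblylimit=0 (currently $($before.IPv6ReassemblyLimit))")) {
        Write-Warning "Previous IPv6 reassembly limit was $($before.IPv6ReassemblyLimit); restore it once the update is installed."
        & netsh int ipv6 set global reassemblylimit=0 | Out-Null
    }

    Get-TcpIpWorkaroundState   # return the post-change state for the caller to log
}

# Audit only (no changes):
Get-TcpIpWorkaroundState | Format-List

# Apply on a host that cannot be patched yet; -WhatIf shows the commands first:
#   Set-TcpIpWorkaround -SourceRouting -IPv6Reassembly -WhatIf
#   Set-TcpIpWorkaround -SourceRouting -IPv6Reassembly
```

Run the audit across the fleet before and after the update: hosts that still show reassemblylimit=0 once patched are the ones where the workaround was never rolled back, which is the side effect the paragraph above warns about.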

Speaking of Skype for Business and Lync, these also receive a patch to fix a spoofing bug. Microsoft doesn’t indicate what is spoofed, but they do note user interaction is required. There’s also a spoofing bug in Exchange that dates back to September of 2020. Since the bug was in the Exchange Server installer, it could only be addressed in a complete release as opposed to a cumulative update. Microsoft allowed time for customers to move to the September release before disclosing the vulnerability. The other Exchange spoofing bug comes from former Pwn2Own winner Steven Seeley and allows an authenticated attacker to leak a CERT file, which could result in a CSRF token being generated. The final spoofing bug for this month fixes a SharePoint bug that could allow an authenticated attacker to manipulate the SharePoint blog sharing functionality to trigger messaging or a link that appears to be from the SharePoint target site.

The only cross-site scripting (XSS) bug in this month’s release impacts Microsoft Dynamics Business Central. Rounding out this month’s release are Moderate-rated bugs in Azure Kubernetes and the Windows Trust Verification API. Those using the Azure Kubernetes Service should be automatically updated to an unaffected version, but you should still verify your version number to be sure.  

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on March 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Read the full article (external source: https://www.thezdi.com/blog/2021/2/9/the-february-2022-security-update-review)
