Ivanti: Recommendations for patch prioritization of the vulnerabilities

Analysis of the July Patch Tuesday and Ivanti's recommendations for prioritizing the remediation of vulnerabilities (CVEs). Patch Tuesday in July 2021 has it all.

With the recent PrintNightmare out-of-band update, the upcoming quarterly Oracle CPU, a number of updates from Adobe including Acrobat and Reader, Mozilla Firefox and Firefox ESR, and the usual series of Microsoft monthly updates, July's Patch Tuesday brings a large number of vulnerabilities that need to be prioritized.

PrintNightmare vulnerability

It starts with PrintNightmare (CVE-2021-34527), which was identified as a further Print Spooler vulnerability after the June Patch Tuesday update. Microsoft was quick to release out-of-band security updates for most operating systems. The updates are also available for Windows 7 and Server 2008/2008 R2, provided the organization has an Extended Security Update (ESU) subscription. The company has also published a support article that explains how the updates work and offers some additional configuration options. Organizations that have not yet installed the out-of-band update can simply deploy the July operating system updates, which address this CVE along with the three new zero-day vulnerabilities.

Microsoft - over 100 CVEs

Microsoft also fixed 117 individual CVEs in July, 10 of which are rated critical. These include three zero-day vulnerabilities and five publicly disclosed vulnerabilities. A bit of good news: all three zero-days and three of the five publicly disclosed vulnerabilities are fixed by deploying the July operating system updates. This month's updates affect Windows operating systems, Office 365, SharePoint, Visual Studio and a number of modules and components (see the release notes for details).

Risk-based prioritization

When assessing the vulnerabilities that vendors have fixed, more than just the severity rating and the CVSS score should be considered. If IT security teams have no additional metrics for determining risk, there is a very good chance they are missing some of the most important updates. This month's zero-day list is a good example of how the algorithms vendors use to define severity can create a false sense of security. Two of the CVEs are classified only as important by Microsoft, although they were already being actively exploited before the update was released, and the CVSSv3 score of the third, critical CVE is even lower than that of the two important ones. According to analysts such as Gartner, introducing a risk-based approach to vulnerability management can reduce the number of data breaches per year by up to 80% (Gartner, Forecast Analysis: Risk-Based Vulnerability Management, 2019).

Zero-day vulnerabilities

CVE-2021-31979 is an elevation of privilege vulnerability in the Windows kernel. It was discovered in an attack in the wild. Microsoft rates its severity as important, and the CVSSv3 score is 7.8. The vulnerability affects Windows 7, Server 2008 and later versions of the Windows operating system.

CVE-2021-33771 is also an elevation of privilege vulnerability in the Windows kernel and was likewise discovered in a real-world attack. Microsoft rates its severity as important, and the CVSSv3 score is 7.8. The vulnerability affects Windows 8.1, Server 2012 R2 and later versions of the Windows operating system.

CVE-2021-34448 is a memory corruption vulnerability in the Windows scripting engine that could allow an attacker to remotely execute code on the affected system.

Zero-day attack scenario

In a web-based attack scenario, an attacker could host a website containing a specially crafted file designed to exploit the vulnerability. The same applies to a compromised website that accepts or hosts user-provided content. However, an attacker has no way of forcing a user to visit the website. Instead, the user would have to be tricked into clicking a link, typically through an email or instant message, and then convinced to open the file.

Microsoft rates the severity of this CVE as critical, yet the CVSSv3 score is only 6.8. The vulnerability affects Windows 7, Server 2008 and later versions of the Windows operating system.

Announced publicly

CVE-2021-33781 is a security feature bypass in the Active Directory service. This vulnerability has been publicly disclosed. Microsoft rates its severity as important, and the CVSSv3 score is 8.1. The vulnerability affects Windows 10, Server 2019 and later versions of the Windows operating system.

CVE-2021-33779 is a security feature bypass in Windows ADFS. This vulnerability has been publicly disclosed. Microsoft rates its severity as important, and the CVSSv3 score is 8.1. The vulnerability affects Windows Server 2016, 2019, 2004, 20H2 and Server Core.

CVE-2021-34492 is a certificate spoofing vulnerability in the Windows operating system. This vulnerability has also been publicly disclosed. Microsoft rates its severity as important, and the CVSSv3 score is 8.1. It affects Windows 7, Server 2008 and later versions of the Windows operating system.

CVE-2021-34473 is a remote code execution vulnerability in Microsoft Exchange Server and has been publicly disclosed. Microsoft rates this CVE as critical, and the CVSSv3 score is 9.0. The vulnerability affects Exchange Server 2013 CU23, 2016 CU19, 2016 CU20, 2019 CU8 and 2019 CU9.

CVE-2021-34523 is an elevation of privilege vulnerability in Microsoft Exchange Server. This vulnerability has been publicly disclosed, and its severity is rated important. The CVSSv3 score is 9.1. It affects Exchange Server 2013 CU23, 2016 CU19, 2016 CU20, 2019 CU8 and 2019 CU9.
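The following script is an added illustration of the risk-based prioritization argument made above, not Ivanti's or Microsoft's own scoring model. It tabulates the eight Microsoft CVEs from the zero-day and publicly disclosed lists with the attributes the article gives for them (Microsoft severity, CVSSv3 score, in-the-wild exploitation, public disclosure) and ranks them twice: once by CVSS alone and once with threat context folded in. The weights in RISK_WEIGHTS and the P1/P2/P3 tiers are assumptions chosen to make the point; the CVE data is copied from the text.

```python
"""Risk-based prioritisation of the July 2021 Microsoft CVEs listed in this article.

Added example (not Ivanti's or Microsoft's scoring). CVE attributes are taken from
the article; RISK_WEIGHTS and the remediation tiers are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str
    vendor_severity: str        # Microsoft's rating: "critical" or "important"
    cvss: float                 # CVSSv3 base score as stated in the article
    exploited_in_wild: bool     # seen in real-world attacks before the fix shipped
    publicly_disclosed: bool    # details public before the fix shipped


# Table constructed from the article's text. PrintNightmare is omitted because
# the article gives neither a severity rating nor a CVSS score for it.
JULY_2021_CVES: List[Cve] = [
    Cve("CVE-2021-31979", "Windows kernel EoP", "important", 7.8, True, False),
    Cve("CVE-2021-33771", "Windows kernel EoP", "important", 7.8, True, False),
    Cve("CVE-2021-34448", "Scripting engine memory corruption", "critical", 6.8, True, False),
    Cve("CVE-2021-33781", "Active Directory security feature bypass", "important", 8.1, False, True),
    Cve("CVE-2021-33779", "ADFS security feature bypass", "important", 8.1, False, True),
    Cve("CVE-2021-34492", "Windows certificate spoofing", "important", 8.1, False, True),
    Cve("CVE-2021-34473", "Exchange Server RCE", "critical", 9.0, False, True),
    Cve("CVE-2021-34523", "Exchange Server EoP", "important", 9.1, False, True),
]

# Assumed weights (not from the article). Evidence of exploitation dominates:
# a flaw attackers already use is more urgent than a higher-scored one they do not.
RISK_WEIGHTS: Dict[str, float] = {
    "exploited_in_wild": 4.0,
    "publicly_disclosed": 1.5,
    "vendor_critical": 1.0,
}


def risk_score(cve: Cve) -> float:
    """CVSS base score adjusted by threat context."""
    score = cve.cvss
    if cve.exploited_in_wild:
        score += RISK_WEIGHTS["exploited_in_wild"]
    if cve.publicly_disclosed:
        score += RISK_WEIGHTS["publicly_disclosed"]
    if cve.vendor_severity == "critical":
        score += RISK_WEIGHTS["vendor_critical"]
    return round(score, 2)


def rank_by_cvss(cves: List[Cve]) -> List[str]:
    """Ordering a CVSS-only process produces (ties broken by CVE id)."""
    return [c.cve_id for c in sorted(cves, key=lambda c: (-c.cvss, c.cve_id))]


def rank_by_risk(cves: List[Cve]) -> List[str]:
    """Risk-based ordering; ties broken by CVSS, then CVE id."""
    return [c.cve_id for c in sorted(cves, key=lambda c: (-risk_score(c), -c.cvss, c.cve_id))]


def patch_tier(cve: Cve) -> str:
    """Map a CVE to a remediation tier (the SLA buckets are an assumption)."""
    if cve.exploited_in_wild:
        return "P1 - deploy now (out-of-band if needed)"
    if cve.publicly_disclosed or cve.vendor_severity == "critical":
        return "P2 - this patch cycle"
    return "P3 - standard schedule"


def promoted_by_risk(cves: List[Cve]) -> List[str]:
    """CVEs that move up the list once threat context is added to CVSS."""
    by_cvss = rank_by_cvss(cves)
    by_risk = rank_by_risk(cves)
    return [cid for cid in by_risk if by_risk.index(cid) < by_cvss.index(cid)]


if __name__ == "__main__":
    index = {c.cve_id: c for c in JULY_2021_CVES}
    cvss_position = {cid: i + 1 for i, cid in enumerate(rank_by_cvss(JULY_2021_CVES))}
    print(f"{'rank':>4}  {'CVE':<15} {'CVSS':>5} {'risk':>5}  {'CVSS-only':>9}  tier")
    for pos, cid in enumerate(rank_by_risk(JULY_2021_CVES), 1):
        c = index[cid]
        print(f"{pos:>4}  {cid:<15} {c.cvss:>5.1f} {risk_score(c):>5.1f}  "
              f"{cvss_position[cid]:>9}  {patch_tier(c)}")
```

Run as a script, the table shows the effect the article describes: by CVSS alone the critical zero-day CVE-2021-34448 (6.8) lands at the very bottom and the two exploited kernel bugs sit below every publicly disclosed 8.1, whereas the risk-adjusted ranking moves all three exploited CVEs to the top and keeps the Exchange RCE directly behind them. The specific weights matter less than the ordering principle: exploitation evidence first, then public disclosure, then the vendor's own rating.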

Third party updates

Oracle will release its quarterly Critical Patch Update (CPU) on July 20th. It will contain updates for Oracle Java SE, MySQL, Fusion Middleware and many other Oracle products. The CPU will include all security fixes together with their CVSSv3.1 details, such as attack complexity and whether the vulnerability can be exploited remotely, which helps in judging the urgency of each update.

Adobe has released updates for five products as part of the July Patch Tuesday. The updates for Adobe Bridge, Dimension, Illustrator and Framemaker are given priority 3 by Adobe; each fixes at least one critical CVE.

Lots of Adobe updates for Acrobat and Reader

In assigning a priority, Adobe takes into account both the severity of the security vulnerability and the likelihood that attackers will target the product. Adobe priority 1 means that at least one CVE fixed in the release is already being actively exploited. Priority 3 means that the product is less likely to be attacked and that few exploited vulnerabilities exist.

These four product updates are not urgent but should be applied within a reasonable time. More important this month is the update for Adobe Acrobat and Reader (APSB21-51), which fixes 19 CVEs, 14 of them classified as critical. Adobe assigns this update priority 2. Three of the critical CVEs have a CVSSv3 rating of 8.8 and could allow remote code execution. None of the CVEs is known to have been exploited yet; however, Acrobat and Reader are widely deployed and are inherently of interest to threat actors.

Mozilla has released updates for Firefox and Firefox ESR that include fixes for 9 CVEs. The Foundation classifies five of the CVEs as “high impact”. IT security teams can find more details in MFSA2021-28.

Ivanti recommendations for prioritization

The Windows OS update has the highest priority this month: it fixes three more zero-day vulnerabilities. For companies that have not yet installed the out-of-band fix for PrintNightmare, that makes four zero-day vulnerabilities along with three publicly disclosed vulnerabilities.

Microsoft Exchange has two publicly disclosed vulnerabilities as well as CVE-2021-31206, which was discovered a few months ago as part of the Pwn2Own competition. So while Exchange had a short breather after the many updates of the past few months, this vulnerability should be analyzed and fixed as soon as possible.

Third-party updates for Adobe Acrobat and Reader as well as Mozilla Firefox should be given high priority. PDF and browser applications are easy targets for attackers who exploit users through phishing and other user-centric methods.
