Today’s VERT Alert addresses Microsoft’s April 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-939 on Wednesday, April 14th.
In-The-Wild & Disclosed CVEs
CVE-2021-28310
Boris Larin of Kaspersky Lab discovered this vulnerability being actively exploited and suspects that it is tied to the BITTER APT group. Larin and co-authors have released a detailed technical write-up on this vulnerability, which impacts the Desktop Window Manager.
Microsoft has rated this as Exploit Detected on the latest software release on the Exploitability Index.
CVE-2021-28312
This publicly disclosed denial of service impacts the Windows NTFS file system. Newer versions of Windows 10 as well as Windows Server 2019 and Server version 20H2 are impacted. This appears to be the same vulnerability detailed by BleepingComputer back in January. While an unpatched system will output “The file or directory is corrupted and unreadable.” when executing the proof of concept, a patched system will output “The directory name is invalid.”
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-28437
A publicly disclosed information disclosure in the Windows Installer could allow attackers to read from the file system. Based on the Microsoft security guidance, all versions of Windows from Windows 7 to Windows 10 and their associated server platforms are vulnerable.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-28458
The final publicly disclosed vuln this month is found in @azure/ms-rest-nodeauth, a Node.js library for Azure authentication. The fix for this vulnerability was committed on March 23, 2021, and can be reviewed on GitHub.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-27091
This publicly disclosed privilege elevation vulnerability in the RPC Endpoint Mapper Service only affects older operating systems, with patches available for Windows 7, Windows Server 2008 R2, and Windows Server 2012.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
Tag | CVE Count | CVEs |
--- | --- | --- |
Visual Studio Code - Kubernetes Tools | 1 | CVE-2021-28448 |
Microsoft NTFS | 2 | CVE-2021-27096, CVE-2021-28312 |
Open Source Software | 1 | CVE-2021-28458 |
Microsoft Office Word | 1 | CVE-2021-28453 |
Microsoft Windows Speech | 3 | CVE-2021-28347, CVE-2021-28351, CVE-2021-28436 |
Windows Resource Manager | 1 | CVE-2021-28320 |
Windows Installer | 4 | CVE-2021-26413, CVE-2021-26415, CVE-2021-28437, CVE-2021-28440 |
Visual Studio | 1 | CVE-2021-27064 |
Visual Studio Code - GitHub Pull Requests and Issues Extension | 1 | CVE-2021-28470 |
Windows Network File System | 1 | CVE-2021-28445 |
Microsoft Office SharePoint | 1 | CVE-2021-28450 |
Microsoft Windows Codecs Library | 5 | CVE-2021-27079, CVE-2021-28317, CVE-2021-28464, CVE-2021-28466, CVE-2021-28468 |
Visual Studio Code | 6 | CVE-2021-28457, CVE-2021-28469, CVE-2021-28471, CVE-2021-28475, CVE-2021-28477, CVE-2021-28473 |
Windows Application Compatibility Cache | 1 | CVE-2021-28311 |
Visual Studio Code - Maven for Java Extension | 1 | CVE-2021-28472 |
Microsoft Office Excel | 4 | CVE-2021-28449, CVE-2021-28451, CVE-2021-28454, CVE-2021-28456 |
Microsoft Graphics Component | 4 | CVE-2021-28318, CVE-2021-28348, CVE-2021-28349, CVE-2021-28350 |
Azure AD Web Sign-in | 1 | CVE-2021-27092 |
Windows Event Tracing | 2 | CVE-2021-27088, CVE-2021-28435 |
Windows Kernel | 2 | CVE-2021-27093, CVE-2021-28309 |
Windows Services and Controller App | 1 | CVE-2021-27086 |
Role: Hyper-V | 4 | CVE-2021-26416, CVE-2021-28314, CVE-2021-28441, CVE-2021-28444 |
Microsoft Exchange Server | 4 | CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483 |
Windows ELAM | 1 | CVE-2021-27094 |
Windows Remote Procedure Call Runtime | 27 | CVE-2021-28327, CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339, CVE-2021-28340, CVE-2021-28341, CVE-2021-28342, CVE-2021-28343, CVE-2021-28344, CVE-2021-28345, CVE-2021-28346, CVE-2021-28352, CVE-2021-28353, CVE-2021-28354, CVE-2021-28355, CVE-2021-28356, CVE-2021-28357, CVE-2021-28358, CVE-2021-28434 |
Microsoft Internet Messaging API | 1 | CVE-2021-27089 |
Windows Registry | 1 | CVE-2021-27091 |
Azure Sphere | 1 | CVE-2021-28460 |
Windows AppX Deployment Extensions | 1 | CVE-2021-28326 |
Windows Diagnostic Hub | 3 | CVE-2021-28313, CVE-2021-28321, CVE-2021-28322 |
Windows Portmapping | 1 | CVE-2021-28446 |
Windows Overlay Filter | 1 | CVE-2021-26417 |
Windows Secure Kernel Mode | 1 | CVE-2021-27090 |
Windows Win32K | 2 | CVE-2021-27072, CVE-2021-28310 |
Microsoft Office Outlook | 1 | CVE-2021-28452 |
Windows TCP/IP | 3 | CVE-2021-28319, CVE-2021-28439, CVE-2021-28442 |
Windows Early Launch Antimalware Driver | 1 | CVE-2021-28447 |
Microsoft Windows DNS | 2 | CVE-2021-28323, CVE-2021-28328 |
Windows SMB Server | 2 | CVE-2021-28324, CVE-2021-28325 |
Windows Media Player | 2 | CVE-2021-27095, CVE-2021-28315 |
Microsoft Edge (Chromium-based) | 6 | CVE-2021-21194, CVE-2021-21195, CVE-2021-21196, CVE-2021-21197, CVE-2021-21198, CVE-2021-21199 |
Windows WLAN Auto Config Service | 1 | CVE-2021-28316 |
Azure DevOps | 2 | CVE-2021-27067, CVE-2021-28459 |
Windows Console Driver | 2 | CVE-2021-28438, CVE-2021-28443 |
Other Information
There were no advisories included in the April security guidance. There are, however, other vulnerabilities of note.
The National Cyber Awareness System has a new update regarding a set of vulnerabilities discovered by the NSA in Microsoft Exchange. They recommend applying these updates immediately and have issued Supplemental Directive Version 2 to the previously released ED 21-02. This includes:
Kerberos KDC Security Feature Bypass Vulnerability [CVE-2020-17049]
Microsoft has released version 5 of this security guidance as the default settings have now changed. It is now assumed that all domain controllers have the December update installed. Additionally, the PerformTicketSignature registry key can no longer be set to 0, which previously disabled Kerberos Service Ticket Signatures, leaving domains unprotected. Now, if you set PerformTicketSignature to 0, it will act the same as if it were set to 1. You can find more details in KB4598347.
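The following PowerShell function is an added example, not part of the original alert or Microsoft's guidance. It reports the PerformTicketSignature value on each domain controller and flags any that still carry a 0, which no longer disables ticket signatures. The function name is hypothetical, and the registry path under the KDC service key is an assumption taken from Microsoft's KB guidance rather than from this page; PowerShell remoting to each domain controller is also assumed.

```powershell
# Added example: audit PerformTicketSignature on domain controllers.
# Assumption: the value lives under the KDC service key below (per Microsoft's
# KB guidance; the path is not stated on this page).
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcTicketSignatureSetting {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    foreach ($dc in $ComputerName) {
        try {
            # Read the value remotely; returns $null when no override exists.
            $raw = Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $KdcKey -ScriptBlock {
                param($key)
                $p = Get-ItemProperty -Path $key -Name PerformTicketSignature -ErrorAction SilentlyContinue
                if ($null -ne $p) { $p.PerformTicketSignature } else { $null }
            }
        } catch {
            [pscustomobject]@{
                DomainController = $dc; Configured = 'unreachable'
                Effective = 'unknown'; Note = $_.Exception.Message
            }
            continue
        }

        if ($null -eq $raw) {
            $configured = 'not set'; $effective = 'default'
            $note = 'No override present.'
        } elseif ([int]$raw -eq 0) {
            # After the April update, 0 behaves the same as 1.
            $configured = 0; $effective = 1
            $note = 'Stale override: 0 no longer disables ticket signatures; remove or update it.'
        } else {
            $configured = [int]$raw; $effective = [int]$raw
            $note = 'Explicit value; applied as configured.'
        }

        [pscustomobject]@{
            DomainController = $dc; Configured = $configured
            Effective = $effective; Note = $note
        }
    }
}

# Usage (requires the ActiveDirectory module to enumerate DCs):
# Get-KdcTicketSignatureSetting -ComputerName (Get-ADDomainController -Filter *).HostName |
#     Format-Table -AutoSize
```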