Today’s VERT Alert addresses Microsoft’s May 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-943 on Wednesday, May 12th.
In-The-Wild & Disclosed CVEs
CVE-2021-31204
Up first in the list this month, we have a vulnerability that impacts .NET and Visual Studio and could allow a successful attacker to elevate their permissions. We see patches for Microsoft Visual Studio 2019 for Windows and macOS as well as .NET 5.0 and .NET Core 3.1. Microsoft indicates that while this has been publicly disclosed, it has not been exploited in the wild. Additional details regarding this vulnerability are available on the dotnet GitHub page.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-31207
Once again, we have a Microsoft Exchange Server vulnerability in the patch round-up. This time, it is a security feature bypass, and it is one of the Exchange vulnerabilities that were found during Pwn2Own 2021.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-31200
This code execution vulnerability is found in Neural Network Intelligence (NNI), an open-source tool for managing AutoML experiments. Since it is an open-source project, you can see the code change that was made to resolve this vulnerability. It is interesting to note that the fixed code was committed on Dec 21, 2020, but it did not make a Patch Tuesday release until May.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.
Tag | CVE Count | CVEs |
.NET Core & Visual Studio | 1 | CVE-2021-31204 |
Windows WalletService | 1 | CVE-2021-31187 |
Microsoft Windows IrDA | 1 | CVE-2021-31184 |
Microsoft Office Word | 1 | CVE-2021-31180 |
Windows Container Isolation FS Filter Driver | 1 | CVE-2021-31190 |
HTTP.sys | 1 | CVE-2021-31166 |
Visual Studio | 1 | CVE-2021-27068 |
Windows SSDP Service | 1 | CVE-2021-31193 |
Internet Explorer | 1 | CVE-2021-26419 |
Microsoft Bluetooth Driver | 1 | CVE-2021-31182 |
Microsoft Windows Codecs Library | 2 | CVE-2021-31192, CVE-2021-28465 |
Jet Red and Access Connectivity | 1 | CVE-2021-28455 |
Open Source Software | 1 | CVE-2021-31200 |
Microsoft Office Excel | 5 | CVE-2021-31174, CVE-2021-31175, CVE-2021-31177, CVE-2021-31178, CVE-2021-31179 |
Skype for Business and Microsoft Lync | 2 | CVE-2021-26421, CVE-2021-26422 |
Microsoft Graphics Component | 2 | CVE-2021-31170, CVE-2021-31188 |
Microsoft Office SharePoint | 7 | CVE-2021-31171, CVE-2021-31172, CVE-2021-31173, CVE-2021-31181, CVE-2021-28474, CVE-2021-28478, CVE-2021-26418 |
Role: Hyper-V | 1 | CVE-2021-28476 |
Windows CSC Service | 1 | CVE-2021-28479 |
Microsoft Office | 1 | CVE-2021-31176 |
Windows Desktop Bridge | 1 | CVE-2021-31185 |
Microsoft Accessibility Insights for Web | 1 | CVE-2021-31936 |
Windows OLE | 1 | CVE-2021-31194 |
Visual Studio Code | 3 | CVE-2021-31211, CVE-2021-31213, CVE-2021-31214 |
Windows Wireless Networking | 3 | CVE-2020-24588, CVE-2020-24587, CVE-2020-26144 |
Microsoft Exchange Server | 4 | CVE-2021-31195, CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 |
Microsoft Dynamics Finance & Operations | 1 | CVE-2021-28461 |
Windows Container Manager Service | 5 | CVE-2021-31165, CVE-2021-31167, CVE-2021-31168, CVE-2021-31169, CVE-2021-31208 |
Windows RDP Client | 1 | CVE-2021-31186 |
Windows Projected File System FS Filter | 1 | CVE-2021-31191 |
Windows SMB | 1 | CVE-2021-31205 |
Other Information from Patch Tuesday
There were no advisories included in the May Security Guidance, but there was a vulnerability of note:
CVE-2021-31166
This is a code execution vulnerability in the HTTP Protocol Stack (HTTP.sys) that was discovered internally at Microsoft. It is important to note that this affects the most recent releases of Windows: Windows 10 2004 and 20H2 and Windows Server 2004 and 20H2. The biggest takeaway from this vulnerability is that Microsoft has labeled it as wormable. For this reason, it should be patched ASAP.
Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.