Today’s VERT Alert addresses Microsoft’s July 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-954 on Wednesday, July 14th.
In-The-Wild & Disclosed CVEs
CVE-2021-34527
The vulnerability dubbed PrintNightmare was patched prior to the Tuesday patch drop, but it is still worth including here because of the confusion around which CVE it belongs to. CVE-2021-1675 was patched in June, yet the PrintNightmare proof of concept still worked on systems with that update installed. Articles indicated that the patch was broken or had been bypassed, but Microsoft clarified this in the FAQ for CVE-2021-34527: this vulnerability is distinct from CVE-2021-1675 and existed before the June patch, which is why we now have two CVEs and a lot of confusion in discussions around PrintNightmare.
The vulnerability itself allows an authenticated user to execute code as SYSTEM and as such there are concerns that it could be incorporated into malware for the purpose of lateral movement. It is important to note that there is a registry key that could return a system to a vulnerable state. Additionally, this vulnerability has been publicly disclosed and has been actively exploited.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
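As an added example (not part of the VERT alert), the following PowerShell audit reads the Point and Print registry values that Microsoft's FAQ for CVE-2021-34527 states must be 0 or absent for the July update to be effective; the key path and value names come from that FAQ rather than from this page, and the function name is my own.

```powershell
# Added example: audit the Point and Print policy values that can return a
# patched host to a vulnerable state for CVE-2021-34527. Key and value names
# are taken from Microsoft's FAQ for the CVE. Run elevated on the host.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valuesToCheck = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintHardening {
    $findings = @()
    if (-not (Test-Path $key)) {
        # Key absent is the Windows default and is the secure state once patched.
        return [pscustomobject]@{
            Vulnerable = $false
            Findings   = @('PointAndPrint key not defined (default, secure)')
        }
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valuesToCheck) {
        $value = $props.$name
        if ($null -eq $value) {
            $findings += "$name not defined (secure)"
        } elseif ($value -eq 0) {
            $findings += "$name = 0 (secure)"
        } else {
            $findings += "$name = $value (INSECURE: re-exposes host to CVE-2021-34527)"
        }
    }
    $vulnerable = ($findings -match 'INSECURE').Count -gt 0
    [pscustomobject]@{ Vulnerable = $vulnerable; Findings = $findings }
}

# Report the spooler state too: a stopped or disabled Print Spooler is not exposed.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$result  = Test-PointAndPrintHardening
$result.Findings | ForEach-Object { Write-Output $_ }
if ($spooler) {
    Write-Output ("Spooler: {0} (StartType {1})" -f $spooler.Status, $spooler.StartType)
}
if ($result.Vulnerable) { exit 1 } else { exit 0 }
```

The non-zero exit code lets the check be scheduled fleet-wide and surfaced as a finding when either value has been set back to 1.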
CVE-2021-33771
This CVE describes an actively exploited elevation of privilege vulnerability in the Windows kernel.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-34448
In order to exploit this vulnerability in a scripting engine, a user would have to visit a malicious page or open a specially crafted file. This vulnerability has seen active exploitation.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-31979
This CVE describes an actively exploited elevation of privilege vulnerability in the Windows kernel.
Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.
CVE-2021-34473
This code execution vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019 and has been publicly disclosed but is not currently seeing active exploitation. It is important to note that this vulnerability was actually patched in the April patch drop, but Microsoft forgot to include it in the April 2021 Security Updates.
Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.
CVE-2021-34492
This CVE describes a publicly disclosed certificate spoofing vulnerability that impacts all modern Microsoft platforms.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-34523
This elevation of privilege vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019 and has been publicly disclosed but is not currently seeing active exploitation. It is important to note that this vulnerability was actually patched in the April patch drop, but Microsoft forgot to include it in the April 2021 Security Updates.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-33779
A publicly disclosed bypass in Windows ADFS is resolved by this update. The vulnerability is related to Primary Refresh Tokens stored in the TPM. The tokens are used for SSO with AzureAD and, prior to this update, are stored with weak encryption that could potentially allow a malicious administrator to extract and decrypt them.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE-2021-33781
A publicly disclosed vulnerability that allows the bypass of an Active Directory security feature is resolved by this update.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.
Tag | CVE Count | CVEs |
Windows Installer | 3 | CVE-2021-31961, CVE-2021-33765, CVE-2021-34511 |
Windows Partition Management Driver | 1 | CVE-2021-34493 |
Windows Remote Assistance | 1 | CVE-2021-34507 |
Windows Storage Spaces Controller | 6 | CVE-2021-33751, CVE-2021-34509, CVE-2021-34460, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513 |
Microsoft Windows Media Foundation | 3 | CVE-2021-34441, CVE-2021-34439, CVE-2021-34503 |
Microsoft Scripting Engine | 1 | CVE-2021-34448 |
Microsoft Office SharePoint | 5 | CVE-2021-34467, CVE-2021-34468, CVE-2021-34519, CVE-2021-34520, CVE-2021-34517 |
Windows Authenticode | 1 | CVE-2021-33782 |
Microsoft Windows Codecs Library | 8 | CVE-2021-31947, CVE-2021-33740, CVE-2021-33760, CVE-2021-34521, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778 |
Visual Studio Code | 3 | CVE-2021-34528, CVE-2021-34479, CVE-2021-34529 |
Windows Cloud Files Mini Filter Driver | 1 | CVE-2021-33784 |
Common Internet File System | 1 | CVE-2021-34476 |
Microsoft Office Excel | 2 | CVE-2021-34501, CVE-2021-34518 |
Windows Key Distribution Center | 1 | CVE-2021-33764 |
Dynamics Business Central Control | 1 | CVE-2021-34474 |
Microsoft Graphics Component | 5 | CVE-2021-34496, CVE-2021-34498, CVE-2021-34438, CVE-2021-34489, CVE-2021-34440 |
Windows Event Tracing | 1 | CVE-2021-33774 |
Windows File History Service | 1 | CVE-2021-34455 |
Windows Security Account Manager | 1 | CVE-2021-33757 |
Windows Kernel | 7 | CVE-2021-33771, CVE-2021-34500, CVE-2021-31979, CVE-2021-34458, CVE-2021-34508, CVE-2021-34461, CVE-2021-34514 |
Role: Hyper-V | 3 | CVE-2021-33755, CVE-2021-33758, CVE-2021-34450 |
Windows Remote Access Connection Manager | 6 | CVE-2021-33761, CVE-2021-33763, CVE-2021-33773, CVE-2021-34445, CVE-2021-34456, CVE-2021-34457 |
Windows Shell | 1 | CVE-2021-34454 |
Microsoft Office | 3 | CVE-2021-34452, CVE-2021-34469, CVE-2021-34451 |
Windows Address Book | 1 | CVE-2021-34504 |
Active Directory Federation Services | 1 | CVE-2021-33779 |
Windows AppContainer | 1 | CVE-2021-34459 |
Windows Defender | 2 | CVE-2021-34464, CVE-2021-34522 |
Windows Projected File System | 1 | CVE-2021-33743 |
Windows Desktop Bridge | 1 | CVE-2021-33759 |
Windows AppX Deployment Extensions | 1 | CVE-2021-34462 |
Windows Active Directory | 1 | CVE-2021-33781 |
Windows Local Security Authority Subsystem Service | 2 | CVE-2021-33786, CVE-2021-33788 |
Windows MSHTML Platform | 2 | CVE-2021-34447, CVE-2021-34497 |
Microsoft Exchange Server | 7 | CVE-2021-31196, CVE-2021-31206, CVE-2021-34523, CVE-2021-34473, CVE-2021-33766, CVE-2021-33768, CVE-2021-34470 |
Power BI | 1 | CVE-2021-31984 |
Windows Secure Kernel Mode | 1 | CVE-2021-33744 |
Role: DNS Server | 10 | CVE-2021-33780, CVE-2021-34442, CVE-2021-34444, CVE-2021-34494, CVE-2021-33745, CVE-2021-33749, CVE-2021-33750, CVE-2021-33752, CVE-2021-33756, CVE-2021-34525 |
Windows Win32K | 3 | CVE-2021-34491, CVE-2021-34449, CVE-2021-34516 |
Windows TCP/IP | 3 | CVE-2021-31183, CVE-2021-33772, CVE-2021-34490 |
OpenEnclave | 1 | CVE-2021-33767 |
Microsoft Bing | 1 | CVE-2021-33753 |
Windows Print Spooler Components | 1 | CVE-2021-34527 |
Microsoft Windows DNS | 3 | CVE-2021-34499, CVE-2021-33746, CVE-2021-33754 |
Windows HTML Platform | 1 | CVE-2021-34446 |
Windows Hello | 1 | CVE-2021-34466 |
Windows PFX Encryption | 1 | CVE-2021-34492 |
Windows AF_UNIX Socket Provider | 1 | CVE-2021-33785 |
Visual Studio Code - .NET Runtime | 1 | CVE-2021-34477 |
Windows Console Driver | 1 | CVE-2021-34488 |
Windows SMB | 1 | CVE-2021-33783 |
Other Information
There was an update to an existing advisory in the July security guidance.
Microsoft Guidance for Addressing Security Feature Bypass in GRUB [ADV200011]
Microsoft has updated ADV200011 with details around vulnerabilities that were patched in March related to the “There’s a Hole in the Boot” vulnerability that allowed for Secure Boot bypass with GRUB.
Kerberos KDC Security Feature Bypass Vulnerability [CVE-2020-17049]
Microsoft has released version 6 of this security guidance as the default settings have now changed to Enforcement mode. It is now required that all domain controllers have the December update installed. The PerformTicketSignature registry key setting is now ignored and you cannot override Enforcement mode. You can find more details in KB4598347.