April 2021 Patch Tuesday: Active Exploits and Another Zero-Day Vulnerability

Blog 1060x698

The year 2021 has required a lot of attention from cyber-savvy Microsoft users so far, considering the quantity and severity of vulnerabilities requiring updates and also the increased urgency to release updates for vulnerabilities that several threat actors have been actively exploiting.

This month is no different. For April’s Patch Tuesday, 108 vulnerabilities have received updates, and of those, 19 were flagged as critical, and at least one of them (CVE-2021-28310) has seen exploitation in the wild. This latest zero-day vulnerability has been reported by security vendors but is not currently attributed to a specific advanced persistent threat (APT) group.

Our April 2021 blog also covers a Kerberos Key Distribution Center (KDC) vulnerability, CVE-2020-17049, which is in the second phase of updates. In addition, we discuss updates for vulnerabilities within Win32k, SMB, TCP/IP and RPC. Other applications include Microsoft Exchange, Visual Studio Code, Microsoft Office and more. 

Let’s get started. 

New Patches for 108 Vulnerabilities in April 2021

This year has seen a steady increase in the proportion of updates for remote code execution vulnerabilities — 51% in April vs. 38% in February and 46% in March. In the past three months, privilege elevation attack risks have also seen a large percentage of updates, as shown in Figures 1-3. See our February 2021 Patch Tuesday and March 2021 Patch Tuesday blogs for more analysis.

Figure 1. Risk analysis breakdown by vulnerability type, February 2021

Figure 2. Risk analysis breakdown by vulnerability type, March 2021

Figure 3. Risk analysis breakdown by vulnerability type, April 2021

High-Ranking Vulnerabilities to Consider: Win32k Elevation of Privilege Vulnerability 

CVE-2021-28310, an out-of-band (OOB) vulnerability found within a dynamic link library (DLL) that is part of Desktop Window Manager, has been confirmed to have active exploitation in the wild. Some sources speculate that the exploit may already be in use by multiple threat actors and is possibly being used by the BITTER APT group to target Pakistani nationals

Two new vulnerabilities affecting Win32k have been patched by Microsoft this month. These vulnerabilities affect the latest version of Microsoft Windows 10 20H2. Back in February, we saw another vulnerability affecting the same component, also being actively exploited.

Rank CVSS Score CVE Description
Important 7.8 CVE-2021-28310 Win32k Elevation of Privilege Vulnerability
Important 7 CVE-2021-27072 Win32k Elevation of Privilege Vulnerability

Note: An explanation of CVSS scores is included at the end of this blog.

Kerberos KDC Security Feature Bypass

CVE-2020-17049 is a type of security feature bypass vulnerability within Kerberos KDC. A compromised service configured to use KDC could be tampered with by a service ticket that is not valid for delegation in order to force KDC to accept it. 

It appears the release of this update removes the need to adjust the “PerformTicketSignature” setting to enable protection on Active Directory domain controller servers, as described in KB4598347. Support for Windows Server 2008 SP2 and Windows Server 2008 R2 has also been added. 

There are three phases for patching this vulnerability: The first phase of updates occurred in November 2020, the second was released in this Patch Tuesday update, and the last phase — which will mandate Enforcement Mode, thereby permanently enabling protection — is scheduled to arrive in July 2021. Therefore, if you only have installed updates in November 2020 for KDC, you will need to continue the patching process as this service continues to be compromised by adversaries.

Rank CVSS Score CVE Description
Important 6.6 CVE-2020-17049 Kerberos KDC Security Feature Bypass Vulnerability

Microsoft Exchange: Four New Remote Code Execution Vulnerabilities

Following the list of vulnerabilities we revisited in Microsoft Exchange in March, four new remote code execution vulnerabilities for Microsoft Exchange have received patches this month. 

Fortunately, none of these vulnerabilities has seen exploitation. To protect against vulnerabilities such as these, CrowdStrike analysts have shared how Falcon Complete™ can stop exploits seeking to compromise Microsoft Exchange servers.

The U.S. National Security Agency, which disclosed two of these vulnerabilities internally to Microsoft, urged organizations to apply updates as soon as possible, stating that exploiting these vulnerabilities could provide persistent access to and control of enterprise networks.

Rank CVSS Score CVE Description
Critical 9.8 CVE-2021-28481 Microsoft Exchange Server Remote Code Execution Vulnerability
Critical 9.8 CVE-2021-28480 Microsoft Exchange Server Remote Code Execution Vulnerability
Critical 9 CVE-2021-28483 Microsoft Exchange Server Remote Code Execution Vulnerability
Important 8.8 CVE-2021-28482 Microsoft Exchange Server Remote Code Execution Vulnerability

Visual Studio and Visual Studio Code: Updates for Nine Remote Code Execution Vulnerabilities

This month, Microsoft Visual Studio Code received patches to update nine vulnerabilities, all of which could lead to remote code execution exploitation. Some of the vulnerabilities are present in plugins and tools, including those for integrating with GitHub, Maven and Kubernetes.

Rank CVSS Score CVE Description
Important 7.8 CVE-2021-28473 Remote Code Execution
Important 7.8 CVE-2021-28472 Remote Code Execution
Important 7.8 CVE-2021-28471 Remote Code Execution
Important 7.8 CVE-2021-28469 Remote Code Execution
Important 7.8 CVE-2021-28448 Remote Code Execution
Important 7.8 CVE-2021-28470 Remote Code Execution
Important 7 CVE-2021-28477 Remote Code Execution
Important 7.8 CVE-2021-28475 Remote Code Execution
Important 7.8 CVE-2021-28457 Remote Code Execution

Other important vulnerabilities to be aware of:

Rank CVSS Score CVE Description
Important 8.1 CVE-2021-28460 Azure Sphere Unsigned Code Execution Vulnerability
Important 8.1 CVE-2021-28445 Windows Network File System Remote Code Execution Vulnerability
Important 7.8 CVE-2021-28314 Windows Hyper-V Elevation of Privilege Vulnerability
Important 6.5 CVE-2021-28442 Windows TCP/IP Information Disclosure Vulnerability
Important 6.5 CVE-2021-28325 Windows SMB Information Disclosure Vulnerability

Further Recommendations

Besides critical and important vulnerabilities, Microsoft provided updates for more than 20 vulnerabilities affecting Microsoft Office, Excel, Word, SharePoint and other commonly used applications. These applications are often a target for attackers, as organizations typically rely on these applications for day-to-day business activities. Consider prioritizing updates for these applications if your business uses them. Read more about the specific applications affected here.

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial