March 2021 Patch Tuesday: More Microsoft Zero-Day Vulnerabilities and More CVEs

Patch Tuesday image

In this Microsoft Patch Tuesday update, we discuss several critical vulnerabilities, including a newly released zero-day targeting Internet Explorer that has already seen active exploitation in the wild, and five others that target the backbone of most organizations: DNS. 

Organizations should take particular notice of the new Microsoft Exchange vulnerabilities revealed last week, which were so severe that Microsoft likely felt compelled to once again preempt its regular Patch Tuesday cycle to make them public. Mass exploitation in the wild, involving four remote code execution vulnerabilities used by an alleged state-sponsored adversary, should make patching these flaws a high priority for any affected organization. The risk may be higher for those that rely heavily on Microsoft Defender, which has recently been subject to numerous related critical vulnerabilities. In addition, Microsoft cites numerous AV exclusions that could further impact Exchange Server risk.

Although the security fixes for older and out-of-support versions of Microsoft Exchange Server were released by Microsoft prior to the Patch Tuesday update, we’ll cover some important additional details in this roundup. Let’s get started.

New Patches for 89 Vulnerabilities

This month’s Patch Tuesday updates include fixes for 82 vulnerabilities. Combined with the seven vulnerabilities patched for Microsoft Exchange Server released earlier this month, we have a total of 89 new CVEs with patch updates offered by Microsoft.

pie chart

Figure 1. Breakdown of March’s Patch Tuesday attack impact

Zero-Day Vulnerability: Internet Explorer Memory Corruption Vulnerability Exploited in the Wild

CVE-2021-26411, a critical zero-day memory corruption vulnerability within Internet Explorer, has seen active exploitation in the wild. This vulnerability has a CVSS v3.0 base score of 8.8 out of 10, indicating high severity (for an explanation of CVSS scores, see the end of this blog post). The successful exploitation of this vulnerability would require user interaction after enticing the victim to visit a specially crafted website. Alternatively, the attacker could inject malicious code into a legitimate website. Once exploited, the attacker could gain the same operating system permissions as the user visiting the website. This attack method could be especially dangerous if you’re an admin browsing a website with malicious code — it would provide the attacker with admin-level privileges to files and operating systems.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability

Windows DNS Server Remote Code Execution Vulnerability Updates

Remotely exploitable DNS vulnerabilities are an effective avenue for worms to spread quickly and effectively. Many organizations rely heavily on Windows-based DNS servers, so updating these vulnerabilities are critical in creating a safe environment.  

Another five Windows DNS Server RCE vulnerabilities have been patched this month, including: 

  • CVE-2021-26897 
  • CVE-2021-26877 
  • CVE-2021-26893 
  • CVE-2021-26894 
  • CVE-2021-26895 

These CVEs all have a high CVSS base score of 9.8. Another recent vulnerability that affected the Windows DNS server was known as SIGRED, referenced by CVE-2020-1350 and patched back in July 2020. 

Please note that CVE-2021-24078 is only exploitable if the server is configured to be a DNS server.

Rank CVSS Score CVE Description
Critical 9.8 CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability
Critical 9.8 CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability
Critical 9.8 CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability
Critical 9.8 CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability
Critical 9.8 CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability

Other critical vulnerabilities to consider:

Rank CVSS Score CVE Description
Critical 8.8 CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability
Critical 9.9 CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability
Critical 8.8 CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability
Critical 7.8 CVE-2021-26902 HEVC Video Extensions Remote Code Execution Vulnerability
Critical 7.8 CVE-2021-27061 HEVC Video Extensions Remote Code Execution Vulnerability
Critical 6.2 CVE-2021-27074 Azure Sphere Unsigned Code Execution Vulnerability
Critical 6.8 CVE-2021-27075 Azure Virtual Machine Information Disclosure Vulnerability
Critical 9.3 CVE-2021-27080 Azure Sphere Unsigned Code Execution Vulnerability

More on Microsoft Exchange Server Critical Vulnerabilities

A total of seven remote code execution vulnerabilities affecting Microsoft Exchange server — including the four vulnerabilities being exploited actively by an alleged nation-state-sponsored actor — were disclosed before this month’s Microsoft Patch Tuesday update due to their impact and active exploitation. Learn what recommendations the Falcon Complete team offers to help stop a breach occurring from these vulnerabilities.

Microsoft has recently released a guide with updated, temporary mitigation actions for those organizations that cannot fully patch and remediate the reported vulnerabilities. According to the information being shared by the Microsoft Security Response Center (MSRC) team, mitigations apply to Exchange server 2013, 2016, and 2019; however, these temporary measures might not prevent all potential avenues for attackers.

The Microsoft Exchange team has released an out-of-band security update for an older and unsupported version of Microsoft Exchange server. Guidelines were provided along with recommendations for companies using older versions missing appropriate security fixes

CrowdStrike enables organizations to protect themselves against attacks exploiting vulnerabilities like these. 

Rank CVSS Score CVE Description
Critical 9.1 CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability
Important 6.6 CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability
Critical 9.1 CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability
Critical 7.8 CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability
Important 7.8 CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability
Critical 7.8 CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability
Important 9.1 CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

Related Content

TRY CROWDSTRIKE FREE FOR 15 DAYS

GET STARTED WITH A FREE TRIAL