October 2021 Patch Tuesday: Active Zero-Day Exploit for Windows PC, and Critical CVEs for Hyper-V and Spooler Service

Microsoft has released its October 2021 updates covering a garden variety of vulnerabilities that threat actors can exploit using several attack types, from remote code execution to spoofing to privilege elevation and more. An active zero-day, CVE-2021-40449, should be one of the first that organizations prioritize in their patching cycle, and other vulnerabilities with Microsoft priority rankings should also be considered.

SecOps staff should carefully review the rankings that Microsoft and the National Vulnerability Database have provided for these vulnerabilities — some should be elevated beyond the industry-standard Common Vulnerability Scoring System (CVSS) rating assigned. But, additional review can be challenging for organizations, especially those with limited time and resources. Falcon Spotlight’s™ newly announced feature, the ExPRT.AI model, will help with that — it will be available to all Falcon Spotlight™ customers next week. This ever-adapting model will predict which vulnerabilities are truly critical for your organization to address.

New Patches for 74 Vulnerabilities

This month’s Patch Tuesday updates include fixes for 74 vulnerabilities. Of these, Microsoft Exchange received four patches for remote code execution vulnerabilities. And, not surprisingly, another actively exploited vulnerability that received an update this month — CVE-2021-40449 — has been exploited using elevation of privilege. Attackers have been capitalizing on it by employing a use-after-free (UAF) vulnerability, which is a memory corruption bug. UAF is enabled by the mechanisms of dynamic memory allocation. If, after freeing a memory location, a program doesn’t clear the pointer to that memory location, an attacker may gain access to the program by capitalizing on that error. Customers can see the detection for this vulnerability within the Falcon Spotlight console.

Other CVEs that received updates are another one affecting the Microsoft Print Spooler Service (the same service affected during PrintNightmare), multiple vulnerabilities for Sharepoint, and a Windows DNS vulnerability. As in September, Windows products and Extended Security Updates (ESU) continue to be the most affected and patched of Microsoft product families (see Figure 2).

Active Exploitation for CVE-2021-40449 Zero-Day

A use-after-free vulnerability affecting Win32k would allow an attacker to escalate privileges on the affected systems. This vulnerability has been reported as exploited by Microsoft, and there are public reports about it being leveraged by a threat actor group

According to the reporters of this zero-day, the vulnerability resides within the NtGdiResetDC function. Besides this vulnerability, researchers have become aware of two other privilege escalation vulnerabilities affecting Win32k, but these have not yet been exploited and there is currently no knowledge of exploits for them.

Two points to note: Microsoft has rated them as important, and the CVSS Score for all three is 7.8.

Rank CVSS Score CVE Description
Important 7.8 CVE-2021-40449 Win32k Elevation of Privilege Vulnerability
Important 7.8 CVE-2021-41357 Win32k Elevation of Privilege Vulnerability
Important 7.8 CVE-2021-40450 Win32k Elevation of Privilege Vulnerability

Other Critical Vulnerabilities to Prioritize

Again this month, there are three Critical vulnerabilities that organizations should consider prioritizing. It should be noted that Microsoft ranked these vulnerabilities even though the exploitability assessment has been determined to be Less Likely. As of this writing, none of these vulnerabilities have been exploited. 

CVE-2021-40461: This vulnerability was given a rating of Critical with a CVSS score of 8. It occurs on Windows Hyper-V, also known as Viridian. Hyper-V is a native hypervisor, meaning it can create virtual machines on x86-64 systems running Windows. For this vulnerability, attackers use remote code execution to gain access to the system. This vulnerability impacts both Windows 11 and Windows 10 as well as servers.

CVE-2021-38672: This CVE is another Windows Hyper-V vulnerability that has also been given a Critical rating — attackers also use remote code execution to gain access. It affects Windows 11 and Windows Servers 2022.

CVE-2021-40486: As with the above-listed vulnerabilities, attackers also use remote code execution for CVE-2021-40486. For this CVE, threat actors may use the Preview Pane in Windows as an attack vector. 

While the CVSS score is lower, and Microsoft indicates that exploitation is Less Likely, these vulnerabilities, if left unpatched, could dramatically impact your organization. CrowdStrike encourages organizations to prioritize these vulnerabilities in their patching cycle.

Rank CVSS Score CVE Description
Critical 8 CVE-2021-40461 Windows Hyper-V Remote Code Execution Vulnerability
Critical 8 CVE-2021-38672 Windows Hyper-V Remote Code Execution Vulnerability
Critical 7.8 CVE-2021-40486 Microsoft Word Remote Code Execution Vulnerability

Among other vulnerabilities reported this month, three affect Microsoft Sharepoint, a remote code execution vulnerability affects Windows DNS Server, and one is a Print Spooler vulnerability. CVE-2021-36970 is related to the Printing Service, and while it was given a score of Important by Microsoft, CVSS has scored it as an 8.8. SecOps staff should consider prioritizing the updates for these CVEs.

Rank CVSS Score CVE Description
Important 8.1 CVE-2021-40487 Microsoft SharePoint Server Remote Code Execution Vulnerability
Important 7.6 CVE-2021-40484 Microsoft SharePoint Server Spoofing Vulnerability
Important 5.3 CVE-2021-40482 Microsoft SharePoint Server Information Disclosure Vulnerability
Important 7.2 CVE-2021-40469 Windows DNS Server Remote Code Execution Vulnerability
Important 8.8 CVE-2021-36970 Windows Print Spooler Spoofing Vulnerability

Microsoft Exchange Vulnerabilities: A Myriad of Attack Types 

This month, there are four vulnerabilities associated with Microsoft Exchange Server, each with a different attack type. CVE-2021-26427 has the highest CVSS score, but Microsoft gave it only a rank of Important. It is utilized via remote code execution. This vulnerability should be prioritized — recall that Microsoft Exchange Servers impacted thousands of systems earlier this year after multiple zero-day vulnerabilities were discovered in March. Microsoft has even offered out-of-band updates to address this vital product.

Among the remaining high-priority vulnerabilities, CVE-2021-41348 is utilized by attackers through privilege elevation, CVE-2021-34453 through denial of service, and 2021-41350 through spoofing.

Rank CVSS Score CVE Description
Important 9 CVE-2021-26427 Microsoft Exchange Server Remote Code Execution Vulnerability
Important 8 CVE-2021-41348 Microsoft Exchange Server Elevation of Privilege Vulnerability
Important 7.5 CVE-2021-34453 Microsoft Exchange Server Denial of Service Vulnerability
Important 6.5 CVE-2021-41350 Microsoft Exchange Server Spoofing Vulnerability

When Ranking and Scores Don’t Match, Rely on Dynamic Scoring and Vulnerability Severity Prediction

It can be difficult for IT staff to determine which vulnerabilities will truly have a negative impact in their environment, especially considering the differences in scoring and ratings between Microsoft and CVSS for vulnerabilities this month. SecOps teams typically have a limited amount of time to determine which vulnerabilities will affect them the most, and with the wide variety of applications affected this month, many may experience a gap in their prioritization process.

Recognizing this challenge, CrowdStrike offers a new rating process that not only quickly and more accurately rates vulnerabilities that are important to an organization, it can also predict which vulnerabilities will have the greatest impact in their environment. You can learn more about this new Exploit Prediction Rating via Falcon Spotlight in the announcement blog

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources 

Related Content