Windows 10, Server 2019 users must patch serious zero-day

An elevation of privilege vulnerability in Microsoft Windows Win32k.sys, impacting Windows 10 and Windows Server 2019, is already being exploited in the wild as a zero-day, and should be prioritised for patching despite being rated as merely “important”, rather than “critical”.

The vulnerability, CVE-2021-1732, requires an attacker to have access to the target system in order to exploit it to gain admin rights. It is one of 56 vulnerabilities – six already disclosed – to be patched in Microsoft’s February Patch Tuesday update, which has come in much lighter than usual.

Chris Goetll, senior director of product management at Ivanti, said: “The vulnerability has been detected in active exploits in the wild. This is a prime example of why risk-based prioritisation is so important.

“If you base your prioritisation off of vendor severity and focus on ‘critical’, you could have missed this vulnerability in your prioritisation. This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.”

Other important disclosures this month include CVE-2021-24078, a remote code execution (RCE) vulnerability in Windows DNS Server impacting Windows Server 2008 through to 2019.

Allan Liska of Recorded Future explained: “This is a critical vulnerability to which Microsoft has assigned a CVSS score of 9.8. Similar to SIGRed, which was disclosed last year, this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before, for example by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain.”

Liska also highlighted CVE-2021-1733, an elevation of privilege vulnerability in the Sysinternals tool PsExec that could be used to gain admin rights on a system to which a malicious actor already has access, and CVEs 2021-1721 and -26701, a .NET Core and Visual Studio denial-of-service vulnerability, and another RCE vulnerability in the .NET Core service. Exploitation of -26701 is less likely, and Recorded Future has noted little activity around previous .NET Core bugs, but attention should still be paid.

The three other publicly disclosed vulnerabilities are CVE-2021-1727, an elevation of privilege vulnerability in Windows Installer, CVE-20201-24098, a denial-of-service vulnerability in Windows Console Driver, and CVE-2021-24106, an information disclosure vulnerability in Windows DirectX.

Also worthy of note this month are a number of updates relating to the “near perfect” Zerologon vulnerability, CVE-2020-1472, which was disclosed in August 2020 but by September had emerged as such a serious problem that it warranted emergency action and advisories.

As a reminder, Zerologon is another elevation of privilege vulnerability through which a connection to a vulnerable domain controller using the Netlogon Remote Protocol (NRP) can obtain domain admin rights.

According to a whitepaper published at the time, all a determined actor needs to take advantage of it is the ability to set up a TCP connection with a vulnerable domain controller – which means they need to have a foothold on the network, but don’t need domain credentials.

“Back in August 2020, Microsoft addressed a critical remote code vulnerability affecting the Netlogon protocol,” said Rapid7 product manager Greg Wiseman. “In October, Microsoft noted that attacks which exploit this weakness have been seen in the wild.

“February’s security update bundle will also be enabling Domain Controller enforcement mode by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function.

“All organisations should heed Microsoft’s detailed guidance before applying the latest updates to ensure business process continuity.”