Microsoft Security Bulletin Coverage for October 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-40443 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 230:Malformed-File exe.MP_205

CVE-2021-40449 Win32k Elevation of Privilege Vulnerability
ASPY 235:Malformed-File exe.MP_210

CVE-2021-40450 Win32k Elevation of Privilege Vulnerability
ASPY 236:Malformed-File exe.MP_211

CVE-2021-40466 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 237:Malformed-File exe.MP_212

CVE-2021-40467 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 231:Malformed-File exe.MP_206

CVE-2021-40470 DirectX Graphics Kernel Elevation of Privilege Vulnerability
ASPY 232:Malformed-File exe.MP_207

CVE-2021-40487 Microsoft SharePoint Server Remote Code Execution Vulnerability
ASPY 233:Malformed-File exe.MP_208

CVE-2021-41357 Win32k Elevation of Privilege Vulnerability
ASPY 234:Malformed-File exe.MP_209

Adobe Coverage:
CVE-2021-40728 Use After Free Vulnerability
ASPY 239:Malformed-File pdf.MP_510

The following vulnerabilities do not have exploits in the wild:
CVE-2020-1971 OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference
There are no known exploits in the wild.
CVE-2021-26427 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26441 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26442 Windows HTTP.sys Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34453 Microsoft Exchange Server Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-3449 OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing
There are no known exploits in the wild.
CVE-2021-3450 OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT
There are no known exploits in the wild.
CVE-2021-36953 Windows TCP/IP Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-36970 Windows Print Spooler Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38662 Windows Fast FAT File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38663 Windows exFAT File System Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38672 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40454 Rich Text Edit Control Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40455 Windows Installer Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-40456 Windows AD FS Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-40457 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-40460 Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-40461 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40462 Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40463 Windows NAT Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-40464 Windows Nearby Sharing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40465 Windows Text Shaping Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40468 Windows Bind Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40469 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40471 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40472 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40473 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40474 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40475 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40476 Windows AppContainer Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40477 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40478 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40479 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40480 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40481 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40482 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-40483 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-40484 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-40485 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40486 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-40488 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40489 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41330 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41331 Windows Media Audio Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41332 Windows Print Spooler Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41334 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41335 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41336 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41337 Active Directory Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-41338 Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-41339 Microsoft DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41340 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41342 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41343 Windows Fast FAT File System Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41344 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-41345 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41346 Console Window Host Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-41347 Windows AppX Deployment Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41348 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-41350 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41352 SCOM Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41353 Microsoft Dynamics 365 Sales Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41354 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-41355 .NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-41361 Active Directory Federation Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-41363 Intune Management Extension Security Feature Bypass Vulnerability
There are no known exploits in the wild.

March 2021 OpenSSL Vulnerability

Overview:

  A denial of service vulnerability has been reported in the OpenSSL library. An OpenSSL TLS server may crash if a remote attacker sends a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello) but includes a signature_algorithms_cert extension, a NULL pointer dereference results, leading to a crash and a denial of service. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-3449, dated 2021-03-17.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  The primary goal of the Secure Sockets Layer (SSL) protocol is to provide privacy and reliability between two communicating applications, and the primary goal of the Transport Layer Security (TLS) protocol is to provide a secure channel between two communicating peers. Both are cryptographic protocols that provide authentication, confidentiality and data integrity for communication over TCP/IP networks. They rely on cryptographic algorithms such as symmetric key ciphers, cryptographically secure hash functions, and asymmetric (public-key) cryptography, which uses a pair of related keys, one public and one private, to encrypt and decrypt a message and protect it from unauthorized access or use. These protocols enable hosts to communicate securely over insecure networks.

Triggering the Problem:

  • The target must have a vulnerable version of the product running, with TLS 1.2 enabled.
  • The target application must have TLS renegotiation enabled.
  • The attacker must have network connectivity to the vulnerable application.

Triggering Conditions:

  The attacker sends a TLS 1.2 Client Hello handshake message containing a non-empty signature_algorithms extension, then renegotiates with a Client Hello that omits the signature_algorithms extension but carries a non-empty signature_algorithms_cert extension. The vulnerability is triggered when the server processes the renegotiation Client Hello message.
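A detection-side illustration of the condition just described, added here as an example and not part of the SonicWall advisory or its IPS signature: it parses the ClientHello handshake bodies seen on one connection and flags the pattern where the initial hello carries signature_algorithms and a later TLS 1.2 hello drops it while carrying signature_algorithms_cert. The helper that builds sample hellos, the cipher-suite and signature-scheme bytes, and the function names are constructed for this example; the two sample sessions are fixtures, not captured traffic.

```python
"""Flag the CVE-2021-3449 renegotiation pattern in ClientHello bodies.

Added example. Input is the ordered list of ClientHello handshake bodies
(the bytes after the 4-byte handshake header) observed on one connection:
the first is the initial hello, later ones are renegotiation hellos.
"""
import struct

EXT_SIGNATURE_ALGORITHMS = 13       # extension type from RFC 5246 / RFC 8446
EXT_SIGNATURE_ALGORITHMS_CERT = 50  # extension type from RFC 8446
TLS12 = 0x0303


def parse_client_hello(body: bytes) -> dict:
    """Return {'version': int, 'extensions': {type: data}} for a ClientHello body.

    Truncated input raises ValueError instead of reading past the buffer.
    """
    try:
        pos = 0
        (version,) = struct.unpack_from("!H", body, pos)
        pos += 2 + 32                        # legacy_version, random
        pos += 1 + body[pos]                 # session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        pos += 2 + cs_len                    # cipher_suites
        pos += 1 + body[pos]                 # compression_methods
        extensions = {}
        if pos < len(body):                  # extensions block is optional
            (ext_total,) = struct.unpack_from("!H", body, pos)
            pos += 2
            end = pos + ext_total
            if end > len(body):
                raise ValueError("truncated extensions block")
            while pos < end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + elen > end:
                    raise ValueError("extension overruns extensions block")
                extensions[etype] = body[pos:pos + elen]
                pos += elen
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"version": version, "extensions": extensions}


def flags_cve_2021_3449(hellos) -> bool:
    """True when the first hello carried signature_algorithms and a later TLS 1.2
    hello on the same connection omits it but sends signature_algorithms_cert."""
    parsed = [parse_client_hello(h) for h in hellos]
    if len(parsed) < 2:
        return False                         # no renegotiation took place
    if EXT_SIGNATURE_ALGORITHMS not in parsed[0]["extensions"]:
        return False
    for later in parsed[1:]:
        exts = later["extensions"]
        if (later["version"] == TLS12
                and EXT_SIGNATURE_ALGORITHMS not in exts
                and EXT_SIGNATURE_ALGORITHMS_CERT in exts):
            return True
    return False


# --- constructed sample input (test fixtures, not captured traffic) ----------
def build_client_hello(extensions) -> bytes:
    """Minimal TLS 1.2 ClientHello body carrying the given [(type, data), ...]."""
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    return (struct.pack("!H", TLS12)
            + bytes(32)                      # random: zeros in this fixture
            + b"\x00"                        # empty session_id
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                    # null compression only
            + struct.pack("!H", len(ext_block)) + ext_block)


SIG_ALGS = b"\x00\x04\x04\x03\x08\x04"       # two signature schemes, constructed

NORMAL_SESSION = [
    build_client_hello([(EXT_SIGNATURE_ALGORITHMS, SIG_ALGS)]),
    build_client_hello([(EXT_SIGNATURE_ALGORITHMS, SIG_ALGS)]),
]
SUSPECT_SESSION = [
    build_client_hello([(EXT_SIGNATURE_ALGORITHMS, SIG_ALGS)]),
    build_client_hello([(EXT_SIGNATURE_ALGORITHMS_CERT, SIG_ALGS)]),
]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("suspect", SUSPECT_SESSION)):
        print(f"{name}: flagged={flags_cve_2021_3449(session)}")
```

The parser stops at the ClientHello body, so in practice it sits behind whatever reassembles TLS records and strips the handshake header; the check is stateful per connection, which is why the IPS signature above is framed around renegotiation rather than around a single message.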

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • TLS
    • HTTPS, over ports 443/TCP, 8443/TCP
    • SMTP, over ports 25/TCP, 587/TCP

Patched Software:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15483 “Client Renegotiation within Short Period”

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading to the patched releases to eliminate the vulnerability.
    • Disabling TLS 1.2 in OpenSSL.
    • Disabling renegotiation if it is not needed.
  The vendor has released the following advisory regarding this vulnerability:
  OpenSSL News Advisory
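A configuration-level counterpart to the remediation list above, added here as an example rather than OpenSSL or SonicWall code: it builds a Python ssl server context with TLS 1.2 no longer offered and renegotiation disabled, beside an audit helper that reports whether a given context still matches the exposed configuration (TLS 1.2 offered and renegotiation permitted). It assumes CPython's ssl module linked against an OpenSSL build that supports TLS 1.3 and the SSL_OP_NO_RENEGOTIATION option; the function names are mine. It inspects configuration only and says nothing about whether the linked OpenSSL carries the fix, so upgrading remains the primary remediation.

```python
"""Audit and harden an ssl.SSLContext against the exposed server configuration
(TLS 1.2 offered together with renegotiation). Added example, not OpenSSL or
SonicWall code."""
import ssl

# The option exists only on OpenSSL builds that define SSL_OP_NO_RENEGOTIATION;
# on others it is treated as unavailable (0) so the audit stays conservative.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def offers_tls12(ctx: ssl.SSLContext) -> bool:
    """True if the negotiable version range still includes TLS 1.2.
    Assumption: the range is expressed via minimum/maximum_version only."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_ok = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= ssl.TLSVersion.TLSv1_2
    hi_ok = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= ssl.TLSVersion.TLSv1_2
    return lo_ok and hi_ok


def renegotiation_permitted(ctx: ssl.SSLContext) -> bool:
    """True unless the no-renegotiation option is available and set."""
    if not OP_NO_RENEGOTIATION:
        return True
    return not (ctx.options & OP_NO_RENEGOTIATION)


def exposed_to_cve_2021_3449(ctx: ssl.SSLContext) -> bool:
    """Configuration check only: TLS 1.2 offered and renegotiation allowed is
    the server-side configuration the advisory describes as vulnerable."""
    return offers_tls12(ctx) and renegotiation_permitted(ctx)


def default_server_context() -> ssl.SSLContext:
    """Weak setting: library defaults, which leave TLS 1.2 and renegotiation on."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context() -> ssl.SSLContext:
    """Corrected setting: stop offering TLS 1.2 and refuse renegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # TLS 1.2 no longer offered
    ctx.options |= OP_NO_RENEGOTIATION             # belt and braces
    return ctx


if __name__ == "__main__":
    print("linked:", ssl.OPENSSL_VERSION)
    print("default exposed:", exposed_to_cve_2021_3449(default_server_context()))
    print("hardened exposed:", exposed_to_cve_2021_3449(hardened_server_context()))
```

Either change on its own removes the exposed configuration, matching the two mitigation bullets above; the hardened context applies both so that a build without OP_NO_RENEGOTIATION is still covered by the version floor.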

Appendix – Discovered By:

  This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was developed by Tomáš Mráz.