The February 2021 Security Update Review

February 09, 2021 | Dustin Childs

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2021

For February, Adobe released six patches addressing 50 CVEs in Adobe Dreamweaver, Illustrator, Animate, Photoshop, Magento, and Reader. A total of 14 of these bugs came through the ZDI program. The update for Adobe Reader fixes a total of 23 CVEs, 17 of which are rated Critical, and eight of which were reported through the ZDI program. CVE-2021-21017, a heap-based buffer overflow, is listed as being under “limited” active attacks on Reader for Windows. Definitely prioritize the testing and deployment of this update.

The update for Magento is also significant as it patches 18 bugs, seven of which are rated Critical. In the worst-case scenario, successful exploitation could lead to arbitrary code execution at the level of the current process. The update for Dreamweaver fixes a single, Important-rated info disclosure bug. The patch for Illustrator fixes two Out-Of-Bounds (OOB) write bugs that could lead to code execution. There’s also an OOB write being fixed in the patch for Animate. The patch for Photoshop fixes five Critical-rated bugs that could allow code execution.

Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2021

For February, Microsoft released patches for 56 CVEs covering Microsoft Windows components, .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender. Seven of these CVEs were submitted through the ZDI program. Of these 56 CVEs, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity. According to Microsoft, one bug is known to be actively exploited and six other bugs are listed as being publicly known at the time of release. This is roughly half the volume as what they patched in February 2020, but this release does contain an unusually high number of publicly known CVEs. Microsoft provides no information on where these CVEs were publicly exposed.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

-       CVE-2021-1732 - CVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability
This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution a the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.

-       CVE-2021-24078 - Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

-       CVE-2021-24074 - Windows TCP/IP Remote Code Execution Vulnerability
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

-       CVE-2021-26701 - .NET Core and Visual Studio Remote Code Execution Vulnerability
This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for February 2021.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-26701 .NET Core and Visual Studio Remote Code Execution Vulnerability Critical 8.1 Yes No RCE
CVE-2021-1721 .NET Core and Visual Studio Denial of Service Vulnerability Important 6.5 Yes No DoS
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24098 Windows Console Driver Denial of Service Vulnerability Important 5.5 Yes No DoS
CVE-2021-24106 Windows DirectX Information Disclosure Vulnerability Important 5.5 Yes No Info
CVE-2021-1727 Windows Installer Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24112 .NET Core for Linux Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24111 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-24087 Azure IoT CLI extension Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-24101 Microsoft Dataverse Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-24092 Microsoft Defender Elevation of Privilege Vulnerability Important 7.8 No No Info
CVE-2021-1724 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2021-24100 Microsoft Edge for Android Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-24067 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24068 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24069 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24070 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability Important 5.4 No No Spoof
CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-24071 Microsoft SharePoint Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-24066 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-24072 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-1726 Microsoft SharePoint Spoofing Vulnerability Important 8 No No Spoof
CVE-2021-24114 Microsoft Teams iOS Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-24076 Microsoft Windows VMSwitch Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1731 PFX Encryption Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2021-24099 Skype for Business and Lync Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-24073 Skype for Business and Lync Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-26700 Visual Studio Code npm-script Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1639 Visual Studio Code Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2021-24083 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24079 Windows Backup Engine Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24102 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24103 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24096 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24084 Windows Mobile Device Management Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24075 Windows Network File System Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-25195 Windows PKU2U Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1734 Windows Remote Procedure Call Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-24086 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-1698 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24109 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability Moderate 6.8 No No EoP
CVE-2021-24080 Windows Trust Verification API Denial of Service Vulnerability Moderate 6.5 No No DoS

You’ll notice we have added the CVSS scores to the table. This is to provide further detail on the severity of the patches since Microsoft is now relying on CVSS scores so heavily. We recommend balancing the Microsoft severity (i.e., Critical, Important, Moderate, etc…) with the CVSS score to help determine prioritization for your enterprise.

Moving on to the remaining Critical-rated patches, two involve codec libraries and were reported by ZDI vulnerability researcher Hossein Lotfi. Both of these bugs are OOB Writes that result from the lack of proper validation of user-supplied data. This can lead to a write past the end of an allocated buffer and allow an attacker to execute code in the context of the current user. There are two Critical-rated bugs impacting the Fax Service, but the Windows Fax and Scan feature needs to be enabled for a system to be affected by this vulnerability. There’s a patch for the Windows graphics component to correct a bug that allows code execution when viewing a specially crafted image. The Windows Spooler service also receives a Critical-rated patch to prevent remote code execution, although the exploit path is not as clear here. The final Critical-rated bug addresses a vulnerability in the .NET Core for Linux. In this case, a .NET application utilizing libgdiplus on a non-Windows system could allow code execution if an attacker sends a specially crafted request.

Shifting our focus to Important-rated updates, there are nine bugs that could result in remote code execution. The most interesting of these are two that impact the SharePoint Server. One of these came from an anonymous contributor to our program and could allow code execution if an authenticated user can trigger through deserialization of untrusted data by tampering with client-side data. There are four patches for Excel – two that came through our program – that would allow code execution when opening a specially crafted file in Excel. Note that the updates for Microsoft Office 2019 for Mac are not currently available. Hopefully, Microsoft gets those out soon.

There are a couple of updates to Visual Studio addressing code execution bugs. In one case, a user would need to clone a malicious repository from inside Visual Studio Code. Once completed, attacker code would execute once the targeted user viewed contents of the repository. That’s not the most likely scenario. The Windows Address Book gets a patch for a bug found by ZDI vulnerability researcher Mat Powell. The bug results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Finally, there’s a significant bug in the Windows package manager that can only be addressed by reconfiguring installation tools and workflows. Microsoft provides several resources with additional information on this vulnerability and how to mitigate it. It is highly recommended to read and heed all information here. Considering the complexity in resolving this issue, this is a bug that could stick with us for a while.

There are only 11 Elevation of Privilege (EoP) bugs addressed in this month’s release, and we’ve already covered the one under active attack. Two are publicly known, and the more interesting of those impacts Sysinternals PsExec. If you’re not familiar with this tool, it’s a lightweight utility that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. It’s also often used by red teams when penetrating a network. We’ll likely see this bug end up in different toolkits should an exploit become available. The other publicly known bug impacts Windows Installer, but there’s no additional information about this vulnerability. Other EoP fixes of note include one for PKU2U, which is a peer-to-peer authentication protocol. Although systems not running PKU2U are not affected, Microsoft still recommends installing this update to all potentially impacted OSes.

Two different security feature bypasses receive fixes this month. The first covers a bypass in PowerShell, although no further information on what is bypassed is provided. The second covers a bypass in PFX encryption. When exporting a SID-protected PFX file, keys encrypted using AES are not properly protected. You’ll need to do more than just patch here as well. Any SID-protected PFX files using AES for key encryption should be regenerated and exported after this update is installed and all copies of the original PFX files must be securely destroyed.

There are 10 different patches for information disclosure bugs in this month’s release. The info leak impacting DirectX is another of the publicly known bugs. While most of these cases only lead to leaks consisting of unspecified memory contents, some do yield some interesting data. The bug fixed in the patch for Edge for Android could disclose personally identifiable information (PII) and payment information of a user. The vulnerability in Microsoft Dataverse could expose underlying datasets in Dataverse, which could include PII. This vulnerability in Microsoft Teams iOS exposes the Skype token value in the preview URL for images in the Teams iOS app. The SharePoint bug leaks SQL table columns that would normally be restricted. Finally, the bug in Mobile Device Management could allow an attacker to read from the file system.

There are a handful of notable Denial-of-Service (DoS) bugs patched this month, and the fix for TCP/IP leads the way. Similar to CVE-2021-24094, this bug also involves IPv6 fragmentation, although there’s no patch to code execution here. Disallowing IPv6 UDP fragmentation at the perimeter could have some side effects but implementing the workaround to drop out-of-order packets seems more reasonable. Still, this should be tested before updating production systems. The DoS bugs impacting .NET Core and the Windows Console Driver are listed as publicly known, but Microsoft provides no further details. There’s a patch for a DoS vulnerability in Skype for Business and Lync. If you’re still using either of those messaging tools, definitely look to patch soon.

Speaking of Skype for Business and Lync, these also receive a patch to fix a spoofing bug. Microsoft doesn’t indicate what is spoofed, but they do note user interaction is required. There’s also a spoofing bug in Exchange that dates back to September of 2020. Since the bug was in the Exchange Server installer, it could only be addressed in a complete release as opposed to a cumulative update. Microsoft allowed time for customers to move to the September release before disclosing the vulnerability. The other Exchange spoofing bug comes from Pwn2Own winner Steven Seeley and allows an authenticated attacker to leak a CERT file, which would allow an attacker to forge CSRF tokens. The final spoofing bug for this month fixes a SharePoint bug that could allow an authenticated attacker to manipulate the SharePoint blog sharing functionality to produce a bogus message or link.

The only cross-site scripting (XSS) bug in this month’s release impacts Microsoft Dynamics Business Central. Rounding out this month’s release are Moderate-rated bugs in Azure Kubernetes and the Windows Trust Verification API. Those using the Azure Kubernetes Service should be automatically updated to an unaffected version, but you should still verify your version number to be sure.  

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on March 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!