The April 2021 Security Update Review

April 13, 2021 | Dustin Childs

It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for April 2021

For April, Adobe released four patches addressing 10 CVEs in Adobe Photoshop, Digital Editions, RoboHelp, and Bridge. The update for Bridge fixes six CVEs, all of which were reported through the ZDI program. Four of these bugs are rated Critical and could allow arbitrary code execution if exploited. The patch for Photoshop fixes two Critical-rated CVEs; both are buffer overflows that could allow arbitrary code execution. The update for Digital Editions fixes a Critical-rated privilege escalation bug that could lead to an arbitrary file system write. Finally, the patch for RoboHelp fixes a single privilege escalation bug. None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for April 2021

For April, Microsoft released patches for 114 CVEs in Microsoft Windows, Edge (Chromium-based), Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server, Visual Studio, and Exchange Server. This is the largest number of CVEs addressed in a month by Microsoft this year, and it is slightly higher than April of last year. A total of five of these bugs came through the ZDI program. None of the bugs being addressed this month were disclosed at the recent Pwn2Own contest. Of these 114 bugs, 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity. Six additional bugs impact Edge (Chromium-based) and were ingested from a recent Chromium update. According to Microsoft, one bug is currently being exploited while four others are publicly known at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

- CVE-2021-28310 - Win32k Elevation of Privilege Vulnerability
This is the only vulnerability patched in April that is listed as being actively exploited. The bug allows an attacker to escalate privileges by running a specially crafted program on a target system, which means they either need to log on to the system or trick a legitimate user into running the code on their behalf. Considering who is listed as discovering this bug, it is probably being used in malware. Bugs of this nature are typically combined with other bugs, such as a browser bug or a PDF exploit, to take over a system.

- CVE-2021-28480/28481 – Microsoft Exchange Server Remote Code Execution Vulnerability
Both of these CVEs are listed at a 9.8 CVSS and have identical write-ups, so they both get listed here. Both code execution bugs are unauthenticated and require no user interaction. Since the attack vector is listed as “Network,” it is likely these bugs are wormable – at least between Exchange servers. The CVSS score for these two bugs is actually higher than that of the Exchange bugs exploited earlier this year. These bugs were credited to the National Security Agency. Considering the source, and considering these bugs also receive Microsoft’s highest Exploitability Index rating, assume they will eventually be exploited. Update your systems as soon as possible.
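Knowing whether the April Security Update is actually on each Exchange server is the first question a defender has to answer, and the usual `Get-ExchangeServer` output does not answer it: AdminDisplayVersion only shows the Cumulative Update, while the Security Update level is carried in the file version of ExSetup.exe. The following PowerShell is an added example written for this review; it is not code from the original post or from Microsoft. It assumes PowerShell remoting to each server from the Exchange Management Shell, and the minimum build table is operator-supplied: fill it from Microsoft's Exchange Server build numbers page with the ExSetup.exe version of the April 2021 SU for each product line you run (no build numbers are hard-coded here).

```powershell
# Added example (editor's code, not from the original post or from Microsoft):
# report the Cumulative Update (CU) and Security Update (SU) level of every
# on-premises Exchange server. AdminDisplayVersion only reflects the CU; the SU
# level is only visible in the file version of ExSetup.exe, so both are collected.
# Run from the Exchange Management Shell with Exchange view-only rights and
# PowerShell remoting to the servers.
function Get-ExchangeSecurityUpdateLevel {
    [CmdletBinding()]
    param(
        # Assumption: operator-supplied. Key = "<Major>.<Minor>" of ExSetup.exe
        # (15.0 = Exchange 2013, 15.1 = Exchange 2016, 15.2 = Exchange 2019);
        # value = lowest ExSetup.exe version that carries the April 2021 SU,
        # taken from Microsoft's build number page for the CU you run.
        [Parameter(Mandatory)]
        [hashtable]$MinimumBuild
    )

    foreach ($server in Get-ExchangeServer) {
        $result = [ordered]@{
            Server         = $server.Name
            Roles          = $server.ServerRole
            CU             = $server.AdminDisplayVersion
            ExSetupVersion = $null
            Status         = 'Unknown'
        }
        try {
            # ExchangeInstallPath is a system environment variable on every
            # Exchange server; ExSetup.exe's file version carries the SU level.
            $raw = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo.FileVersion
            }
            # File versions look like "15.02.0858.010"; [version] normalises the zero padding.
            $fileVersion = [version]$raw
            $result.ExSetupVersion = $fileVersion
            $line = '{0}.{1}' -f $fileVersion.Major, $fileVersion.Minor

            if (-not $MinimumBuild.ContainsKey($line)) {
                $result.Status = 'NoMinimumForProductLine'
            } elseif ($fileVersion -ge [version]$MinimumBuild[$line]) {
                $result.Status = 'Patched'
            } else {
                # Either the SU is missing, or the server sits on a CU too old to
                # receive it (Microsoft only ships SUs for the latest CUs); both need action.
                $result.Status = 'NeedsUpdate'
            }
        } catch {
            # Edge Transport servers are not domain joined and commonly fail remoting.
            $result.Status = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

# Usage (the version strings are placeholders to be replaced from Microsoft's table):
# Get-ExchangeSecurityUpdateLevel -MinimumBuild @{
#     '15.1' = '<ExSetup version of the April 2021 SU for your 2016 CU>'
#     '15.2' = '<ExSetup version of the April 2021 SU for your 2019 CU>'
# } | Where-Object Status -ne 'Patched' | Format-Table -AutoSize
```

Anything reported as NeedsUpdate on an older CU has to be brought to a supported CU before the SU will install, which is why the comparison is done on the file version rather than on whether a KB appears in the installed-updates list.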

- CVE-2021-28329 et al. – Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are 27 bugs in this month’s release with this title, and all have identical descriptions and CVSS scores. However, 12 are rated Critical while 15 are rated Important in severity. In RPC vulnerabilities seen in the past, an attacker would need to send a specially crafted RPC request to an affected system. Successful exploitation results in executing code in the context of another user. Perhaps the users involved in the Important-rated bugs have lower privileges than their Critical-rated counterparts, but that is not clear from the description. Either way, the researcher who reported these bugs certainly found quite the attack surface.

- CVE-2021-28444 – Windows Hyper-V Security Feature Bypass Vulnerability
This security feature bypass allows an attacker to potentially bypass Router Guard configurations on Hyper-V. Router Guard is a per-virtual-network-adapter setting that drops router advertisement and redirect messages coming from a guest, so a VM cannot present itself as a router to the rest of the network. Many don’t realize Windows can be set up as a router, and a physical or virtual system configured that way can re-route packets to a rogue location (e.g. for a Man-in-the-Middle attack) or simply black-hole the traffic. If you’re running Hyper-V, even accidental misconfigurations could cause disruptions, so definitely don’t ignore this patch.
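The patch only matters for adapters where Router Guard is actually turned on, and the setting is off by default on new virtual network adapters, so the practical companion to this update is an audit of the host. The PowerShell below is an added example for this review, not code from the original post or from Microsoft; it uses only the in-box Hyper-V cmdlets Get-VMNetworkAdapter and Set-VMNetworkAdapter. The VM name `edge-fw01` in the usage lines is a made-up example of a guest that legitimately routes.

```powershell
# Added example (editor's code, not from the original post or from Microsoft):
# audit Router Guard on every virtual network adapter of every VM on a Hyper-V
# host and, with -Enforce, switch it on where it is off. Run on the host, or
# against a remote host with -ComputerName, as a Hyper-V administrator.
#
# Caveat: Router Guard discards router advertisement and redirect messages sent
# by the guest, so a VM that is meant to route (virtual firewall, VPN appliance)
# must be listed in -ExcludeVM or it will stop forwarding traffic correctly.
function Set-RouterGuardBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$ExcludeVM = @(),
        [switch]$Enforce
    )

    # -VMName * returns the adapters of every VM on the host; the management OS
    # adapters are not included, which is what we want here.
    $adapters = Get-VMNetworkAdapter -ComputerName $ComputerName -VMName *

    foreach ($nic in $adapters) {
        $before   = $nic.RouterGuard            # OnOffState: On / Off
        $after    = $before
        $excluded = $ExcludeVM -contains $nic.VMName

        if ($Enforce -and -not $excluded -and $before -ne 'On') {
            $target = '{0} / {1} on {2}' -f $nic.VMName, $nic.Name, $ComputerName
            # -WhatIf / -Confirm are honoured here via ShouldProcess.
            if ($PSCmdlet.ShouldProcess($target, 'Set RouterGuard On')) {
                # Takes effect immediately; the VM does not need a restart.
                $nic | Set-VMNetworkAdapter -RouterGuard On
                $after = 'On'
            }
        }

        if ($excluded)               { $outcome = 'Excluded' }
        elseif ($after -eq $before)  { $outcome = 'Unchanged' }
        else                         { $outcome = 'Enabled' }

        [pscustomobject]@{
            Host        = $ComputerName
            VM          = $nic.VMName
            Adapter     = $nic.Name
            Switch      = $nic.SwitchName
            RouterGuard = $before
            Result      = $outcome
        }
    }
}

# Usage: report first, then do a dry run of enforcement, then enforce for real.
# Set-RouterGuardBaseline | Where-Object RouterGuard -ne 'On' | Format-Table -AutoSize
# Set-RouterGuardBaseline -Enforce -ExcludeVM 'edge-fw01' -WhatIf
# Set-RouterGuardBaseline -Enforce -ExcludeVM 'edge-fw01'
```

Run the report before and after applying the update; adapters that show Off are not protected by Router Guard at all, patched or not, and those are the ones where a guest that has been compromised or simply misconfigured with routing enabled can start redirecting traffic for its neighbours.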

Here’s the full list of CVEs released by Microsoft for April 2021, minus the Edge bugs ingested from Chromium.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-28310 Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-28458 Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-27091 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-28437 Windows Installer Information Disclosure Vulnerability Important 5.5 Yes No Info
CVE-2021-28312 Windows NTFS Denial of Service Vulnerability Moderate 3.3 Yes No DoS
CVE-2021-28460 Azure Sphere Unsigned Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-28480 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28481 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28482 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28483 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2021-28329 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28330 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28331 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28332 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28333 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28334 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28335 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28336 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28337 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28338 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28339 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28343 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-27095 Windows Media Video Decoder Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-28315 Windows Media Video Decoder Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-27092 Azure AD Web Sign-in Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-27067 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28459 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-28313 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28321 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28322 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28456 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28451 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28454 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27089 Microsoft Internet Messaging API Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28449 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28452 Microsoft Outlook Memory Corruption Vulnerability Important 7.1 No No RCE
CVE-2021-28450 Microsoft SharePoint Denial of Service Update Important 5 No No DoS
CVE-2021-28317 Microsoft Windows Codecs Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28453 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27096 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28466 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28468 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28471 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28327 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28340 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28341 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28342 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28344 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28345 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28346 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28352 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28353 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28354 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28355 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28356 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28357 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28358 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28434 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28470 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28448 Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28472 Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28457 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28469 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28473 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28475 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28477 Visual Studio Code Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2021-27064 Visual Studio Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28464 VP9 Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27072 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-28311 Windows Application Compatibility Cache Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-28326 Windows AppX Deployment Server Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28438 Windows Console Driver Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28443 Windows Console Driver Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28323 Windows DNS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28328 Windows DNS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-27094 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2021-28447 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2021-27088 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28435 Windows Event Tracing Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28318 Windows GDI+ Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28348 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28349 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28350 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26416 Windows Hyper-V Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-28314 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28441 Windows Hyper-V Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28444 Windows Hyper-V Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-26415 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28440 Windows Installer Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26413 Windows Installer Spoofing Vulnerability Important 6.2 No No Spoofing
CVE-2021-27093 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28309 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-27079 Windows Media Photo Codec Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-28445 Windows Network File System Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-26417 Windows Overlay Filter Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28446 Windows Portmapping Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2021-28320 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27090 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27086 Windows Services and Controller App Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28324 Windows SMB Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-28325 Windows SMB Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28347 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28351 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28436 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28319 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-28439 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-28442 Windows TCP/IP Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28316 Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability Important 4.2 No No SFB

Moving on to the remaining Critical-rated patches, there are two additional patches for Exchange that are nearly as severe as those already documented. None of the Exchange bugs this month indicate Office 365 versions are affected. Like those before them, these bugs only impact on-prem installations. Microsoft also provided additional information about the security updates. If you’re running Exchange, this should be considered required reading.

There’s a bug impacting Azure Sphere, but you likely won’t need to take any action to be protected. Devices running Azure Sphere connected to the Internet should receive automatic updates. If your devices are isolated, you will need to ensure these updates are applied. The final two Critical-rated patches correct bugs in the Windows Media Video Decoder component. For these, an attacker would need to convince a user to open specially crafted media on an affected system to gain arbitrary code execution at the logged-on user level.

Looking at other bugs in this release, we see more than half of the patches this month are related to remote code execution vulnerabilities. Beyond those already mentioned, the bugs mostly impact Office and Windows components, and in most cases they represent open-and-own scenarios. Of those that stand out, there’s a bug impacting Outlook that requires user interaction but could lead to code execution. There are several patches for Visual Studio as well, and these also require some form of user interaction. There’s one patch for the Visual Studio Code GitHub Pull Requests and Issues Extension, but it’s unclear how an attacker would leverage this vulnerability. The same goes for the bug in Visual Studio Code Kubernetes Tools. The final RCE bugs to watch out for impact the GDI+ component. These are somewhat cryptic: even though they are listed as RCE, their attack vector is listed as Local and user interaction as None. This would indicate the bugs could be triggered by something other than viewing or opening an image, but without further details, we can only speculate.

There are 19 bugs labelled as privilege escalations, and this includes two of the publicly known vulnerabilities. The first occurs in the Azure ms-rest-nodeauth library, and the other is in the RPC Endpoint Mapper Service. There’s also a privilege escalation in Hyper-V, but it’s not clear where an attacker would escalate from or to. For the majority of these bugs, an attacker would need to log on to an affected system and run their own code. As mentioned above, these are typically combined with a separate code execution bug to take over a system.

This month’s release also includes patches for nine Denial of Service (DoS) bugs, including the publicly known Moderate-rated DoS in NTFS. The other DoS bug that stands out impacts the TCP/IP driver. It appears an attacker could cause a DoS by sending specially crafted packets to an affected system, although it’s not clear if this would result in a blue screen or if the system would just stop responding. Other DoS bugs impact SharePoint, the AppX Deployment Server, Hyper-V, and other Windows components.

The final publicly known bug this month is an info disclosure bug in the Windows Installer. If exploited, the bug could allow attackers unauthorized file system access. There are 17 total info disclosure bugs receiving patches this month, and most only lead to leaks consisting of unspecified memory contents. An exception to this is a bug that impacts the Azure DevOps Server. If exploited, this vulnerability could leak pipeline configuration variables and secrets. There’s a patch for an info disclosure bug in Excel as well. A user would need to open a specially crafted file with Excel to be impacted, but it’s not clear what would leak beyond “sensitive information.”

Shifting to the security feature bypasses, there are two patches for the Windows Early Launch Antimalware driver – better known as ELAM. Microsoft does not list what security feature could be bypassed by either vulnerability. Other bypasses impact the Azure AD Web Sign-in and the Windows WLAN AutoConfig Service. These bugs also provide no guidance on what may be bypassed by an attacker.

This month’s release is rounded out by patches to address two spoofing bugs. The first bug impacts Azure DevOps Server and Team Foundation Services, while the other affects the Windows Installer. Neither of these bugs receives much in the way of documentation, but a CVSS score north of 6 means they shouldn’t be ignored.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on May 11, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!