Sophos Sav



After several months of monthly updates that fix fewer-than-average bugs in Windows and other Microsoft products, the March edition of Patch Tuesday once again repairs a raft of urgently-needed fixes affecting both enterprise services and software common to most Windows desktop installations. Microsoft also published a series of fixes ahead of the normal release schedule to address critical vulnerabilities that have been actively exploited against Exchange, the mail server software widely used by large organizations and hosted both in cloud services and in on-premises installations.

This month’s updates will also address several serious problems that have been discovered in Microsoft’s DNS Server software. In the analysis guidance provided by Microsoft, these vulnerabilities not only pose a risk of remote code execution but could lead to so-called wormable exploits targeting DNS servers en masse. Another important bug addressed this month is a remote code execution vulnerability currently being exploited against Internet Explorer. And Microsoft has fixed a critical RCE bug affecting Git for Windows, which is now included by default with Microsoft’s Visual Studio development tools. In all, 89 distinct vulnerabilities will be closed down by this update, 14 of which the company classifies as critical.

Andrew Brandt is a Principal Researcher for Sophos, specializing in security analytics and the forensic, retrospective analysis of malware infections and cyberattacks. In brief, he does whatever it takes to make life and business difficult for cybercriminals, spies, and other Internet miscreants. Security and privacy for the entire family in one user-friendly product. Protect your Windows PCs, Macs, iPhones, iPads, and Android phones.

As with all Patch Tuesdays, Microsoft publishes detailed analysis about major fixes on their Security Updates page. The availability of patches does not mean that your computer will install it quickly, enough. To find and download this month’s Cumulative Update patch yourself, search for the term “2021-03” at the Microsoft Update Catalog website and select the monthly security rollup that matches your computer’s CPU architecture and build of Windows. You can also read the full technical details about each patch on March‘s Security Updates Guide.

What follows are notes about some of the more critically important fixes released this month.

Multiple critical vulnerabilities affecting Microsoft Exchange

CVE-2021-26412, -26854, -26855, -26857, -26858, -27065, and -27078

Out-of-band patches for bugs Microsoft was planning to fix, anyway, in an upcoming release cycle are thankfully rare, but they’re also an indication of a serious problem that demands immediate action. Unfortunately, in the case of some of the Exchange vulnerabilities fixed this month, there was the combination of a novel bug, actively being abused by a nation-state threat actor, that could reveal the contents of someone’s email inbox. Microsoft designated the attackers with the pseudonym Hafnium and published a detailed disclosure about the bug and the threat actors who were using it in active attacks.

The bugs affect the 2013, 2016, and 2019 versions of Microsoft Exchange server. At least one of the bugs is capable of dependably being used to create a remote system shell on the affected server versions, while another can be used to elevate the privileges of the Exchange server process, so it can be used to launch elevated-permissions payloads.

While many of the administrators who manage Exchange servers may already have installed the out-of-band patch, the inclusion of this fix in Windows Update will help to deliver updates to Exchange servers operated by less vigilant administrators.

There are specialized detections that have been deployed to the IPS built into Sophos firewall products, as well as to both legacy and advanced Sophos endpoint tools. See the detection guidance section, below, for details.

Remote code execution & DoS bugs in DNS Server

Sophos Savdi

Sav

CVE-2021-26877, -26893, -26894, -26895, -26896, and -27063

Because services that face the public internet are more readily accessible to potential attackers, bugs affecting those services tend to rapidly be targeted for exploitation. DNS servers are a very visible, highly accessible service that would be ripe for just such an attack. Microsoft fixed eight bugs (including one classified as critical) that would permit an attacker to run hostile code on the machine hosting a DNS server, or render the DNS server unavailable to its users, either of which could result in widespread problems in the network segment where those servers are hosted.

Sophos Sav

Privilege escalation bugs in win32k driver and DirectX

CVE-2021-26863, -26875, -26900, -27077 (win32k); CVE-2021-24095 (DirectX)

Both the win32k and DirectX components of Windows are responsible for displaying data on-screen, both in the operating system and for applications like games. This month, Microsoft released fixes for these components that, if not addressed, an attacker might leverage during an attack to give themselves software execution privileges beyond those of whatever user account level they might be using at the time. Microsoft, notably, provided very specific guidance about one of the win32k bugs, a remote code execution vulnerability (CVE-2021-26863) that involves a race condition on the driver.

In the words of the Offensive Research team member who read up on the Microsoft documentation of this win32k bug, “it was one of the most complete writeups I’ve ever seen come out of [the MAPP program], and included details about how they found the exploit and what did and didn’t work. The technique [Microsoft] came up with to win the race can be applied to many other bugs.”

Internet Explorer bugs

CVE-2021-26411, -27085

The latter of these two bugs affecting the aging Internet Explorer browser is by far the more serious, a remote code execution vulnerability that Microsoft has spotted being used in the wild by attackers. The bug affects IE’s mshtml module, the parsing engine used by the browser. Microsoft’s guidance included a proof-of-concept that demonstrated the exploits functionality on IE running under 32-bit Windows 10.

Sophos protection

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.

IPS Signatures to detect Exchange server attacks with XF/SFOS

CVESID
CVE-2021-2685557241, 57242, 57243, 57244, 2305106, 2305107
CVE-2021-2685757233, 57234
CVE-2021-2685857245, 57246
CVE-2021-2706557245, 57246
Sav

Anti-Malware signatures for CIXA and legacy SAV

The following AV signature names could be monitored by the customers to recognize potential Hafnium attacks.

Webshell related

    • Troj/WebShel-L
    • Troj/WebShel-M
    • Troj/WebShel-N
    • Troj/ASPDoor-T
    • Troj/ASPDoor-U
    • Troj/ASPDoor-V
    • Troj/AspScChk-A

Other payloads

    • Troj/Bckdr-RXD
    • ATK/Pivot-B
    • AMSI/PowerCat-A (Powercat)
    • AMSI/PSRev-A (Invoke-PowerShellTcpOneLine reverse shell)

Due to the dynamic nature of the webshells, Sophos will not perform automatic cleanup; The product blocks the shells, but removal requires manual effort. We have also blocked relevant C2 IP destinations, where it was safe to do so.

In addition to SophosLabs protection, Intercept X’s CredGuard feature will prevent the “lsass dump” stages of Hafnium-like attacks against Exchange servers from working.

The fourth Patch Tuesday of 2021 is another big one. Today, Microsoft revealed 114 vulnerabilities fixed in the monthly security, over half of which could potentially be exploited for remote code execution by attackers. Of the 55 remote execution bugs, over half were tied to Windows’ Remote Procedure Call (RPC) interface. Four more were Microsoft Exchange bugs (all urgent fixes) reported to Micrsoft by the National Security Agency (CVE-2021-28480, 28481, 28482, and 28483). In addition, six Chrome vulnerabilities that were previously addressed by Google are included in the roll-up.

All 20 of the bugs rated as critical to patch by Microsoft in April were remote code execution bugs. A total of 87 were rated as important, and only one was given moderate importance: CVE-2021-28312, a Windows NTFS denial of service vulnerability that is less likely to be exploited.

As with all Patch Tuesdays, Microsoft has published analysis of the major fixes on their Security Updates page. But the release doesn’t ensure that the updates you need will automatically deploy quickly enough to your systems to shut down potential risks. To find and download this month’s Cumulative Update patch yourself, search for the term “2021-04” at the Microsoft Update Catalog website, and select the monthly security rollup that matches your computer’s CPU architecture and build of Windows. You can also read the full technical details about each patch in April’s Security Updates Guide.

RPC RCE OMG

A quarter of the vulnerabilities called out this month (28 of them) were in a single Windows component: the Windows RPC interface. Of those, 27 are associated with the RPC runtime itself, and are all potentially exploitable for remote code execution:

Sophos savconfig
CriticalCVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339, CVE-2021-28343
ImportantCVE-2021-28327,CVE-2021-28340, CVE-2021-28341, CVE-2021-28342, CVE-2021-28344, CVE-2021-28345, CVE-2021-28346, CVE-2021-28352, CVE-2021-28353, CVE-2021-28354, CVE-2021-28355, CVE-2021-28356, CVE-2021-28357, CVE-2021-28358, CVE-2021-28434

The remaining vulnerability, CVE-2021-27091, is an elevation of privileges vulnerability in the RPC Endpoint Mapper Service, rated by Microsoft as important.

Visual Studio Code, Microsoft’s free developer tool, has eight associated remote code execution vulnerabilities patched this month. Five are in Code itself (CVE-2021-28457, CVE-2021-28469,CVE-2021-28473, CVE-2021-28475,and CVE-2021-28477). The remaining three are in extensions—CVE-2021-28470 is a vulnerability in Code’s GitHub Pull Request and Issues extension, CVE-2021-28471 is in Code’s Remote Development Extension, and CVE-2021-28472 is in Code’s Maven for Java extension. There’s also an RCE bug in Visual Studio’s Kubernetes Tools patched in this round (CVE-2021-28448).

Also of note are five remote code execution vulnerabilities patched in Office and its components this month: In the overall Office suite (CVE-2021-28449); in Microsoft Excel (CVE-2021-28451 and CVE-2021-28454); a memory corruption bug in Outlook (CVE-2021-28452) that is remotely exploitable; and in Microsoft Word (CVE-2021-28453). Excel also has an information disclosure vulnerability patched (CVE-2021-28456). And Windows’ Network File System, which has had several bugs over the past few months, has another RCE vulnerability patched in April’s rollup (CVE-2021-28445).

Rounding out the remote code execution vulnerability parade are a number of graphics, image and video related bugs: Windows Media Video Decoder has two critical RCE bugs (CVE-2021-27095 and CVE-2021-28315). Windows’ Raw Image Extension has two RCEs rated by Microsoft as “important” (CVE-2021-28466 and CVE-2021-28468), and there’s; another similarly-rated vulnerability in the VP9 Video Extensions (CVE-2021-28464).

Sophos Santa Clara Ca

Other bugs of interest

One of the most unusual bugs patched is CVE-2021-27090, an elevation of privilege vulnerability in Windows Secure Kernel Mode. This component is part of Windows’ virtualization-based security (VBS) technology, and has a very small attack surface as it’s strictly isolated by the Hyper-V hypervisor from the rest of the operating system.

Sophos Sav

Among the more exploitable bugs in April’s fix list are three related to Windows’ TCP/IP driver—two denial of service vulnerabilities (CVE-2021-28319 and 28439) and an information disclosure bug (CVE-2021-28442). CVE-2021-28319 is another bug that harkens back to the “Ping of Death”—the flaw, in the Network Driver Interface Specification driver (ndis.sys), can be triggered remotely by connections using TCP Fast Open option in the TCP/IP protocol. This bug is relatively easy to trigger, and could be exploited to cause a “Blue Screen of Death.”

The information leak bug in TCP/IP (CVE-2021-28442)is also related to TCP Fast Open, but in the TCP driver itself (tcpip.sys). A packet can leverage an overlap in TCP Fast Open and code that provides Local Area Network Denial (LAND) Attack protection in a way that results in tcpip.sys’ TcpSegmentTcbSend() function sending data from uninitialized memory back to the remote system.

Two new elevation of privilege bugs in win32.sys, the kernel driver for Windows’ Graphic Device Interface, are also patched in April. One of them, CVE-2021-28310, is already being exploited in the wild, raising the urgency of the fix.

Protection

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation:

Sophos Savsetup

CVEIPSSAV
XG firewallEndpoint

CVE-2021-28319

23052902305290

CVE-2021-28310

Exp/2128310-A

Sophos Savi

Sophos aims to add detections for critical issues, based on the type and nature of the vulnerabilities, as soon as possible and where we have been given sufficient information to be able to do so. In many cases, existing detections in endpoint products (such as Intercept X) will catch and block exploit attempts without the need for updates.