Microsoft’s Zero-day vulnerability on Patch Tuesday, 2021

On 12th January, 2021 Microsoft conducted its monthly set of security patches which is commonly known as Microsoft Patch Tuesday. During 2021’s first month’s patch Tuesday, 83 vulnerabilities across Microsoft’s wide range of products were detected. These products included its Windows operating system, cloud-based products, developer tools, and enterprise servers. While 83 CVEs (common vulnerabilities and exposures) is much lower than the record monthly patch numbers Microsoft reported last year, it's 59% higher than the 49 patched vulnerabilities in January 2020. Out of the 83 vulnerabilities one had already been exploited, this zero-day vulnerability was in the Microsoft Defender antivirus. The same was tracked as CVE-2021-1647.

Affected CVEs:

 

CVE-2021-1647- Microsoft Defender Remote Code Execution Vulnerability:

The exploit has been defined as a remote code execution (RCE). Microsoft’s Defender antivirus was subject to RCE and such an exploitation may lead to a full compromise of the particular application or web server. This particular vulnerability was defined by Kevin Breen, director of research at Immersive Labs as a vulnerability that was so simple but could lead to great harm. The attack not only requires low or no privileges to occur but can also take place without any kind of user interaction. This vulnerability also had a high impact on confidentiality, availability and integrity. The vector of this attack is considered “local” due to being file based, Microsoft Exchange and other public facing services should be prioritized to be patched first as they likely have the greatest exposure to exploitation.

CVE-2021-1648- Microsoft splwow64 Elevation of Privilege Vulnerability:

This bug was discovered by both ZDI as well as Google because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref.

CVE-2021-1677- Azure Active Directory Pod Identity Spoofing Vulnerability:

This vulnerability exists in the way that the Azure Active Directory (AAD) pod identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access to the Azure Instance Metadata Service (IMDS) endpoint and get a token of that identity. This could allow an attacker to laterally steal the identities that are associated with different pods. This also requires more than just a patch to fix.

CVE-2021-1674 – Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability:

It carries a relatively high CVSS score (8.8), but without an executive summary, there is no possible way to tell what security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this is different than CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability.

The image below shows us the count by impact of all the vulnerabilities found on Patch Tuesday, 2021:

Who was affected?

  1. The versions Windows 7 to Windows Server 2016 were affected by this exploitation.
  2. Microsoft mentioned that a proof-of-concept code of the exploitation is available even though it might not work in all situations. The code or technique may not be functional in all the situations but a skilled attacker on various modifications can still be successful.
  3. Even though the network stack is not affected by this vulnerability, an attacker can gain access remotely via SSH by accessing the machine locally.
  4. The case may also exist where the attacker tricks the user into performing a particular action that can trigger the bug, for example opening a malicious file.
  5. Due to the popularity of Microsoft Defender the attackers have a large attack surface.

Recommendations:

Since Microsoft has already patched this vulnerability, the remediation is quite simple but still important.

  1. Microsoft has released patches for the Microsoft Malware Protection Engine, which won't require any user interaction and will be installed automatically, unless specifically blocked by system administrators.
  2. Further, in case the systems are not connected to the internet then a manual installation of the update will be required to ensure that the device is safe from this vulnerability.
  3. For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.17700.4 or later.
  4. To verify that the update has been installed on your device follow the following steps:
  1. Open the Windows Security program. For example, type Security in the Search bar, and select the Windows Security program.
  2. In the navigation pane, select Virus & threat protection.
  3. Under Virus & threat protection updates in the main window, select Check for updates.
  4. Select Check for updates again.
  5. In the navigation pane, select Settings, and then select About.
  6. Examine the Engine Version number. The update was successfully installed if the Malware Protection Engine version number or the signature package version number matches or exceeds the version number that you are trying to verify as installed. The number you are trying to verify it with is 1.1.17700.4.