This week Microsoft released its security updates for August 2021, which has fixes for 44 vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Dan Robinson has provided our FIT score and tips.

Out of the 44 patches; 7 are classed as critical and 37 as important. There were also 3 Zero-Day vulnerabilities publicly disclosed. 

Zero-day vulnerabilities discovered this month:

The two publicly disclosed, but not exploited:-

  • CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability
  • CVE-2021-36942 - Windows LSA Spoofing Vulnerability

The one actively exploited elevation of privileges vulnerability:-

  • CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability

Other companies who have released security updates this week:

  • Adobe released security updates for two products.
  • Android's August security updates were released yesterday.
  • Cisco released security updates for numerous products this month.
  • SAP released its August 2021 security updates.
  • VMWare released security updates for VMware Workspace ONE.

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.

 

Category

CVE IDs

CVE Title 

Severity

FIT Score & Tip

.NET Core & Visual Studio
2

CVE-2021-34485
CVE-2021-26423

.NET Core and Visual Studio Information Disclosure Vulnerability

.NET Core and Visual Studio Denial of Service Vulnerability

Important

3/5 - Attackers needs local access to execute vulnerability. Updates are available for .NET, PowerShell and Visual Studio 2019.

ASP.NET Core & Visual Studio
1

CVE-2021-34532

ASP.NET Core and Visual Studio Information Disclosure Vulnerability

Important

3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is data inside the targeted website like IDs, tokens, nonces, and other sensitive information.

Azure
2

CVE-2021-36943
CVE-2021-33762

Azure CycleCloud Elevation of Privilege Vulnerability

Important

3/5 - Updates are available for Azure CycleCloud 8.2.0.

Azure Sphere
3

CVE-2021-26428
CVE-2021-26430
CVE-2021-26429

Azure Sphere Information Disclosure Vulnerability

Azure Sphere Denial of Service Vulnerability

Azure Sphere Elevation of Privilege Vulnerability

Important

3/5 - All versions of Azure Sphere that are 21.07 and higher are protected from this vulnerability. If you need to update due to lack of connectivity, there are specific commands available once connected to update.

Microsoft Azure Active Directory Connect
1

CVE-2021-36949

Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability

Important

4/5 - The attacker must be able to establish Man-in-the-middle between your Azure AD Connect server and a domain controller. The attacker also needs to possess domain user credentials to be able to exploit this vulnerability. You will need to apply an update and also disable NTLM as per guidance.

Microsoft Dynamics
3

CVE-2021-36946
CVE-2021-36950
CVE-2021-34524

Microsoft Dynamics Business Central Cross-site Scripting Vulnerability

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

Important

4/5 - Updates are available for Dynamics if you use it. Exploitation is less likely however if used, Dynamics may form a core component of your business and should be treated as important.

Microsoft Edge (Chromium-based)
7

CVE-2021-30591
CVE-2021-30592
CVE-2021-30597
CVE-2021-30594
CVE-2021-30596
CVE-2021-30590
CVE-2021-30593

Chromium: CVE-2021-30591 Use after free in File System API
Chromium: CVE-2021-30592 Out of bounds write in Tab Groups
Chromium: CVE-2021-30597 Use after free in Browser UI
Chromium: CVE-2021-30594 Use after free in Page Info UI
Chromium: CVE-2021-30596 Incorrect security UI in Navigation
Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks
Chromium: CVE-2021-30593 Out of bounds read in Tab Strip

Unknown

4/5 - There has been a bumper release of fixes for the Chromium engine that runs Microsoft Edge (as well as support Google Chrome) both of these will update independently, but worth checking your versions match up with the fixed releases.

Microsoft Graphics Component
1

CVE-2021-34530

Windows Graphics Component Remote Code Execution Vulnerability

Critical

5/5 - This forms part of your monthly patches for Microsoft operating systems and due to be flagged as critical, is important to get up to date.

Microsoft Graphics Component
1

CVE-2021-34533

Windows Graphics Component Font Parsing Remote Code Execution Vulnerability

Important

4/5 - This forms part of your monthly patches for the Microsoft operating system.

Microsoft Office
1

CVE-2021-34478

Microsoft Office Remote Code Execution Vulnerability

Important

3/5 - These updates are part of the Office suite and will need to be applied via click-to-run. Users would need to download a malicious file, so users do need to be made aware not to do as such.

Microsoft Office SharePoint
1

CVE-2021-36940

Microsoft SharePoint Server Spoofing Vulnerability

Important

4/5 - This is for SharePoint on-premise, if you use SharePoint Online, which is part of the O365 suite, then you do not need to worry about this update. - This is for SharePoint on-premise, if you use SharePoint Online, which is part of the O365 suite, then you do not need to worry about this update.

Microsoft Office Word
1

CVE-2021-36941

Microsoft Word Remote Code Execution Vulnerability

Important

4/5 - Updates exist for the Office suite for enterprise and also Mac. Worth version checking and then applying if required.

Microsoft Scripting Engine
1

CVE-2021-34480

Scripting Engine Memory Corruption Vulnerability

Critical

5/5 - The attack vector for this update is getting the user to open a maliciously generated file. This would then allow the attack to succeed. The fix for this vulnerability is within the normal monthly updates released in August.

Microsoft Windows Codecs Library
1

CVE-2021-36937

Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability

Important

3/5 - Exploitation of this vulnerability is less likely, and the fix is located within your normal monthly patching.

Remote Desktop Client
1

CVE-2021-34535

Remote Desktop Client Remote Code Execution Vulnerability

Critical

5/5 - Exploitation is likely to occur for this vulnerability. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

In the case of Hyper-V, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer when a victim running on the host connects to the attacking Hyper-V guest. The fix is located within this months normal patching cycle.

Windows Bluetooth Service
1

CVE-2021-34537

Windows Bluetooth Driver Elevation of Privilege Vulnerability

Important

3/5 - Exploitation is less likely on this vulnerability. An authorized attacker could exploit the Windows Bluetooth driver vulnerability by programatically running certain functions that could lead to elevation of privilege on the Bluetooth component.

Windows Cryptographic Services
1

CVE-2021-36938

Windows Cryptographic Primitives Library Information Disclosure Vulnerability

Important

3/5 - This fix is only for later operating systems, such as Windows 10 and Server 2019.

Windows Defender
1

CVE-2021-34471

Microsoft Windows Defender Elevation of Privilege Vulnerability

Important

3/5 - There is a process to check your version, but ultimately if the version is out then install the update.

Windows Event Tracing
3

CVE-2021-34486
CVE-2021-34487
CVE-2021-26425

Windows Event Tracing Elevation of Privilege Vulnerability

Important

3/5 - This update forms part of the monthly updates for August.

Windows Media
1

CVE-2021-36927

Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability

Important

3/5 - Exploitation is less likely on this vulnerability. Updates are available for all desktop operating systems.

Windows MSHTML Platform
1

CVE-2021-34534

Windows MSHTML Platform Remote Code Execution Vulnerability

Critical

5/5 - The user would need to open a maliciously created file in order for this vulnerability to fire. However, as users are the attack vector this makes it critical.

Windows NTLM
1

CVE-2021-36942

Windows LSA Spoofing Vulnerability

Important

4/5 - An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. This security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface.

Windows Print Spooler Components
1

CVE-2021-36936

Windows Print Spooler Remote Code Execution Vulnerability

Critical

5/5 - Most users are finally getting over the print nightmare vulnerability, but Microsoft have plugged another issue with the print spooler. I'd recommend you get this applied and this will be part of the monthly updates.

Windows Print Spooler Components
2

CVE-2021-36947
CVE-2021-34483

Windows Print Spooler Elevation of Privilege Vulnerability

Windows Print Spooler Remote Code Execution Vulnerability

Important

4/5 - Like the above, this is part of the monthly patches and should be applied to machines in conjunction with the above.

Windows Services for NFS ONCRPC XDR Driver
1

CVE-2021-26432

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability

Critical

5/5 - Flagged as critical. Servers that have installed the Network File System are exposed to this vulnerability in rpcxdr.sys. An attacker would require read or write permission to any file on an NFS share on the victim system. If NFS is configured to allow anonymous access, then the victim system would be vulnerable to unauthenticated attackers. Located within the monthly updates released in August.

Windows Services for NFS ONCRPC XDR Driver
4

CVE-2021-36933
CVE-2021-26433
CVE-2021-36932
CVE-2021-36926

Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability

Important

4/5 - This links to the above, once again located within the updates from August.

Windows Storage Spaces Controller
1

CVE-2021-34536

Storage Spaces Controller Elevation of Privilege Vulnerability

Important

3/5 - Expoitation is less likely, updates are available in the monthly updates released in August.

Windows TCP/IP
1

CVE-2021-26424

Windows TCP/IP Remote Code Execution Vulnerability

Critical

5/5 - This is remotely triggerable by a malicious Hyper-V guest sending an ipv6 ping to the Hyper-V host. An attacker could send a specially crafted TCPIP packet to its host utilizing the TCPIP Protocol Stack (tcpip.sys) to process packets. Exploitation is more likely on this vulnerability. Updates are available for all operating systems.

Windows Update
1

CVE-2021-36948

Windows Update Medic Service Elevation of Privilege Vulnerability

Important

4/5 - Exploitation has been detected on this one. Updates to resolve are located within the monthly updates released in August.

Windows Update Assistant
2

CVE-2021-36945
CVE-2021-26431

Windows 10 Update Assistant Elevation of Privilege Vulnerability

Windows Recovery Environment Agent Elevation of Privilege Vulnerability

Important

3/5 - Exploitation is less likely and an update is available for Windows Update Assistant.

Windows User Profile Service
2

CVE-2021-34484
CVE-2021-26426

Windows User Profile Service Elevation of Privilege Vulnerability

Windows User Account Profile Picture Elevation of Privilege Vulnerability

Important

3/5 - Exploitation is less likely. Updates are available for all operating systems, these are in the normal monthly updates released in August.

 

Hope this table with helpful! 

Lizzie Arcari

Lizzie joined Foundation IT in 2019 after graduating from University. She is excited to develop her career in the IT industry, learning from the best.