Top Middle East Cyber Threats – 19 July 2021
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Out-of-Band Patch for “PrintNightmare Vulnerability” – CVE-2021-34527
Microsoft has issued an emergency out-of-band patch for the CVE-2021-34527 (PrintNightmare) vulnerability. KB5005010 describes the patch as well as other recommendations.
The fix comes after an incident in which a proof-of-concept (POC) for PrintNightmare was published on GitHub on 29 June 2021. The code was made available for a short period of time and was found to be actively used against vulnerable systems before being removed within a few hours. We believe an attacker could use the proof-of-concept to exploit the vulnerability and gain control of a vulnerable system.
A remote code execution vulnerability exists when the Windows Print Spooler service incorrectly performs privileged file operations. Microsoft subsequently issued a separate advisory on PrintNightmare, assigning it a new CVE (CVE-2021-34527) and describing a further attack vector, in an attempt to bridge the gap. An attacker who successfully exploits this vulnerability may be able to execute arbitrary code with SYSTEM privileges. After that, an attacker could install programmes, change or delete data, or create new accounts with full user privileges. Microsoft connects CVE-2021-1675 to CVE-2021-34527 and describes the situation as evolving. CVE-2021-34527 is similar to but distinct from CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx().
CVE-2021-34527 dates back to the June 2021 patch updates and affects domain controllers in all versions of Windows; however, it was not assigned a score while the investigation was ongoing.
- Prioritize timely patching of identified vulnerabilities in Internet-facing servers and in software that processes Internet data, such as web browsers, application plug-ins, and document readers. Please refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
- Apply the July 6th Windows update and configure RestrictDriverInstallationToAdministrators. To configure the registry key, create a DWORD value named “RestrictDriverInstallationToAdministrators” under “HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint” and set it to 1.
- Follow the official notification and refer to the “Workaround” section for information on how to help protect your system from this vulnerability.
- Develop risk management and cyber hygiene practices for third parties or managed service providers (MSPs) that your organization relies on.
- Use multi-factor authentication (MFA) for all services, especially webmail, virtual private networks, and accounts that access critical systems, to the extent possible.
Microsoft Security Updates – July 2021
The July 2021 patch was released by Microsoft with a series of updates that addressed high-severity flaws in a variety of products. Microsoft fixed 117 security flaws in Microsoft Windows, Dynamics, Exchange Server, Microsoft Office, Windows Storage Spaces Controller, Bing, SharePoint Server, Internet Explorer (IE), Visual Studio, and OpenEnclave as part of its July 2021 updates.
The official notification noted 13 critical, 103 important and 1 moderate severity vulnerabilities. Six of these bugs are publicly known, and four are listed as being under active attack at the time of release, according to Microsoft.
The Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527), popularly known as PrintNightmare, is a notable addition to this month’s pool of patched vulnerabilities. Microsoft has released multiple revisions of the advisory for this vulnerability since its initial publication on 1 July 2021. There have been reports that the patch is ineffective, but Microsoft asserts that it works as long as certain registry keys are set to the correct values.
The Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-34494) is not under active attack, but given the severity of the vulnerability, there are active threat actors who will attempt to change the current status. Without user interaction, this bug could allow remote code execution at a privileged service level on a listening network port. Low privileges are required, according to our analysis, but depending on the server configuration, these could be easily obtained.
The Windows Kernel Remote Code Execution bug (CVE-2021-34458) is a kernel-level remote code execution vulnerability that affects systems that use single root input/output virtualization (SR-IOV) devices to host virtual machines. This bug, with a CVSS score of 9.9, should not be overlooked when patching because the current scope of exploitation is unknown.
The Scripting Engine Memory Corruption Vulnerability (CVE-2021-34448) is also listed as being actively exploited, but no information is provided about how widespread the attack is. If a user browses a specially crafted website, the vulnerability allows an attacker to execute their code on an affected system. The code would be executed at the level of the currently logged-in user. In this case, CVSS does not provide a complete picture of the threat. Microsoft rates the attack complexity as high, reducing it from a high severity (>8) to a medium severity (6.8).
The complete list of critical vulnerabilities for comparison is highlighted below:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability | Critical | 8.8 | Yes | Yes | RCE |
| CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability | Critical | 6.8 | No | Yes | RCE |
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9.1 | Yes | No | RCE |
| CVE-2021-34474 | Dynamics Business Central Remote Code Execution Vulnerability | Critical | 8 | No | No | RCE |
| CVE-2021-34464 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-34522 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-34439 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-34503 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-34494 | Windows DNS Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2021-34450 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
| CVE-2021-34458 | Windows Kernel Remote Code Execution Vulnerability | Critical | 9.9 | No | No | RCE |
| CVE-2021-33740 | Windows Media Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-34497 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical | 6.8 | No | No | RCE |
There are a few RCE vulnerabilities affecting Windows DNS Server, the majority of which require an administrator to view a malicious record in the DNS Snap-in to be exploited. There are also a few that do not require user interaction and only require low-level privileges. Two of the patches address denial-of-service (DoS) bugs in the server, implying that shutting down DNS is as severe as taking it over. For a system to be affected by these bugs, the DNS Server role must be enabled in all cases. The Important-rated RCEs include fixes for Office components, SharePoint Server, and HEVC Video Extensions.
Two updates for Defender code execution bugs are among the remaining Critical-rated bugs, though no action is required because Microsoft updates the Malware Protection Engine on a regular basis. RCE flaws have also been discovered in Dynamics 365 Business Central, Windows Media Foundation, MSHTML, and Hyper-V.
This month’s release addressed 32 Elevation of Privilege (EoP) vulnerabilities. EoP vulnerabilities in the kernel, Remote Access Connection Manager, Installer service, partition management, and projected file system are also addressed. Six of these address EoP issues in the Windows Storage Spaces Controller.
This month, 14 patches are available to fix information disclosure bugs, including a single Moderate-rated fix for a bug in SharePoint Server (CVE-2021-34519). This bug has the potential to expose personally identifiable information and, in some cases, fixing it requires installing multiple packages. The other bugs only cause leaks of unspecified memory contents.
- Review the July 2021 “Release Notes” and “Deployment Information” for more details and apply the necessary patches as soon as possible.
- Disable the Print Spooler service wherever it is not required and restrict printer driver installation to administrators only.
- Test and deploy the CVE-2021-34494 patch as soon as possible due to its potential worming characteristics.
- Refer to the tips for Understanding Patches and Securing Network Infrastructure Devices from CISA.
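The registry change recommended for PrintNightmare in the first list above and the Print Spooler step in the second can be checked and applied from one script. The following is an added example written for this post, not code from Help AG or Microsoft. It assumes an elevated PowerShell session on the host being assessed. Besides RestrictDriverInstallationToAdministrators, it checks the two Point and Print values (NoWarningNoElevationOnInstall and UpdatePromptSettings) that Microsoft's KB5005010 guidance says must be 0 or undefined for the July update to be effective, which is the "registry keys set to the correct values" condition mentioned in the July update summary. The -DisableSpooler switch is only appropriate on hosts that do not need to print.

```powershell
# Added example (not from the Help AG post): audit a Windows host for the
# PrintNightmare (CVE-2021-34527) mitigations and optionally apply them.
# Run from an elevated PowerShell session.
#   .\Check-PrintNightmare.ps1                  -> report only
#   .\Check-PrintNightmare.ps1 -Remediate       -> set the registry values
#   .\Check-PrintNightmare.ps1 -DisableSpooler  -> also stop/disable Spooler
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,       # write the registry values instead of only reporting
    [switch]$DisableSpooler   # assumption: this host does not need to print
)

$KeyPath = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Expected values per Microsoft's KB5005010 guidance. The first must be
# explicitly 1; the other two are acceptable when 0 or not defined at all.
$Expected = [ordered]@{
    RestrictDriverInstallationToAdministrators = 1
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
}

function Get-PointAndPrintState {
    # Returns a hashtable of value name -> current DWORD ($null when absent).
    $state = @{}
    foreach ($name in $Expected.Keys) {
        $value = $null
        if (Test-Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = $value
    }
    return $state
}

function Test-PointAndPrintHardened {
    # Prints one line per value and returns $true only when every check passes.
    param([hashtable]$State)
    $allOk = $true
    foreach ($name in $Expected.Keys) {
        $actual = $State[$name]
        if ($name -eq 'RestrictDriverInstallationToAdministrators') {
            $pass = ($actual -eq 1)
        } else {
            $pass = ($null -eq $actual) -or ($actual -eq 0)
        }
        $shown  = if ($null -eq $actual) { '<absent>' } else { $actual }
        $status = if ($pass) { 'OK' } else { 'FAIL' }
        Write-Host ('{0,-45} actual={1,-9} expected={2}  [{3}]' -f $name, $shown, $Expected[$name], $status)
        if (-not $pass) { $allOk = $false }
    }
    return $allOk
}

# 1. Report the Print Spooler service state: a stopped/disabled spooler is not
#    reachable through this vulnerability at all.
$spooler = Get-Service -Name Spooler
Write-Host ("Print Spooler service: Status={0} StartType={1}" -f $spooler.Status, $spooler.StartType)

# 2. Report the Point and Print registry state against the expected values.
$hardened = Test-PointAndPrintHardened -State (Get-PointAndPrintState)
Write-Host ("Point and Print hardening: {0}" -f $(if ($hardened) { 'compliant' } else { 'NOT compliant' }))

# 3. Optionally remediate. -WhatIf is honoured through SupportsShouldProcess.
if ($Remediate) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", "Set DWORD to $($Expected[$name])")) {
            New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
                -Value $Expected[$name] -Force | Out-Null
        }
    }
    Write-Host 'Registry values written; re-run without -Remediate to verify.'
}

if ($DisableSpooler) {
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host 'Print Spooler stopped and set to Disabled.'
    }
}
```

Run it in report mode across a fleet first (for example via Invoke-Command) to find hosts where the values are missing or where Point and Print has been relaxed by an older policy, then apply -Remediate only once the July update is confirmed installed, since the registry values on their own do not fix the underlying bug.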