Microsoft’s end-of-summer software security cleanse crushes more than 80 bugs
For its September Patch Tuesday, Microsoft churned out fixes for 66 vulnerabilities alongside 20 Chromium security bugs in Microsoft Edge. Affected products include: Azure, Edge (Android, Chromium, and iOS), Office, SharePoint Server, Windows, Windows DNS, and the Windows Subsystem for Linux. Of these CVEs, three are rated critical, one is rated moderate, and the remainder are considered important.
One of the already publicly disclosed CVEs resolves a critical zero-day vulnerability (CVE-2021-40444) in MSHTML, also known as Microsoft’s legacy Trident rendering engine. The flaw can be abused to achieve arbitrary code execution using a malicious ActiveX control within a Microsoft Office document that hosts the browser rendering engine. This is the vulnerability we learned of on September 7, which was used in targeted attacks on Office users.
Code to exploit the hole has been passed around the web and between security researchers, so get patching. Another fix updates a publicly disclosed patch from August 11 which addressed last month’s Print Spooler RCE (CVE-2021-36958). “The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that were identified by researchers beyond the original fix,” explained Chris Goettl, VP of product management at Ivanti, an IT asset management firm, in a statement emailed to The Register. “The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates.”
Goettl said the third previously disclosed CVE (CVE-2021-36968) covers a privilege elevation flaw in Windows DNS. “This CVE applies to the legacy Windows OSs. Public disclosure gives threat actors a bit of a jump start on developing a working exploit.” There are two other critical flaws: a Windows WLAN AutoConfig Service remote code execution vulnerability (CVE-2021-36965) and an Open Management Infrastructure remote code execution vulnerability (CVE-2021-38647).
The former, Zero-Day Initiative’s Dustin Childs said in an advisory, allows an attacker on an adjacent network, such as public Wi-Fi at a coffee shop, to take over a vulnerable target system. The latter is even more serious: a critical-severity (CVSS 9.8) bug in the Open Management Infrastructure (OMI).
It can be exploited to gain administrative control over a vulnerable machine on the network, no authentication or other checks required. “This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system,” warned Childs. “OMI users should test and deploy this one quickly.”
Attention, Azure subscribers…
Be aware that CVE-2021-38647 is part of a family of flaws – the others being CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649 – in OMI, which is used in Linux virtual machines on Azure.
When you spin up a Linux guest in Microsoft’s cloud, and certain services are enabled, an OMI agent is automatically and quietly deployed in the virtual machine with root privileges. That means your Linux guest is, or rather was, potentially vulnerable to serious attack via these bugs in the OMI agent. See the write-up by Wiz, which discovered and reported the holes, for more information, and check you’re using OMI version 188.8.131.52, which contains the necessary fixes – particularly if OMI is listening on ports 5985, 5986, and 1270.
Azure should automatically deploy a corrected version of the software. Wiz, which dubbed the bugs “OMIGOD,” reports that “customers still using System Center with OMI-based Linux may need to manually update the OMI agent.” The cloud services known to trigger the deployment of an OMI agent in a Linux virtual machine include:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
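One way to run the check described above on an Azure Linux guest, as an added example that is not from the article, Microsoft or Wiz: it reads the installed OMI package version, lists which of the OMI ports (5985, 5986, 1270) are in LISTEN state, and compares the version against the fixed release. It assumes OMI is packaged under the name `omi` for dpkg or rpm; `FIXED_OMI_VERSION` is a placeholder to be filled from the vendor advisory.

```shell
#!/bin/sh
# Added OMI exposure check (not vendor code). Assumes the package is named "omi".
# FIXED_OMI_VERSION is a PLACEHOLDER: set it from the Microsoft/Wiz advisory before use.
FIXED_OMI_VERSION="${FIXED_OMI_VERSION:-0.0.0}"
# Print the installed OMI version, or nothing if the package is absent. Always returns 0.
omi_installed_version() {
  v=""
  if command -v dpkg-query >/dev/null 2>&1; then
    v="$(dpkg-query -W -f='${Version}' omi 2>/dev/null || true)"
  elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
    v="$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi)"
  fi
  printf '%s' "$v"
  return 0
}
# Read `ss -ltn` output on stdin; print the OMI ports (5985, 5986, 1270) in LISTEN state.
omi_listening_ports() {
  awk '$1 == "LISTEN" {
         n = split($4, a, ":"); p = a[n]
         if (p == "5985" || p == "5986" || p == "1270") print p
       }' | sort -un
}
# Return 0 if version $1 is at or above $2; a "-N" release suffix counts as one more component.
version_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/-/, ".", a); gsub(/-/, ".", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0 }'
}
# Report version and exposed ports; exit 2 when the agent still needs updating.
omi_check() {
  ver="$(omi_installed_version)"
  if [ -z "$ver" ]; then
    echo "OMI package not installed on this guest"; return 0
  fi
  ports="$(ss -ltn 2>/dev/null | omi_listening_ports | tr '\n' ' ')"
  echo "OMI version: $ver; OMI ports in LISTEN state: ${ports:-none}"
  if version_at_least "$ver" "$FIXED_OMI_VERSION"; then
    echo "OK: at or above fixed version $FIXED_OMI_VERSION"; return 0
  fi
  echo "ACTION: OMI is below $FIXED_OMI_VERSION; update the agent and restrict the listed ports"
  return 2
}
omi_check
```

Run it as root on the guest with `FIXED_OMI_VERSION` exported; a non-zero exit marks a VM that still needs the agent updated.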
“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” said Wiz’s Nir Ohfeld. “In a small sample of Azure tenants we analyzed, over 65 per cent were unknowingly at risk.”
Kevin Breen, director of cyber threat research, Immersive Labs, told The Register in an email that three local-privilege-escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) also deserve attention because they’re listed as more likely to be exploited. “Local Priv Esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access,” Breen explained. “This allows them to disable anti-virus, delete backups and ensure their encryptors can reach even the most sensitive of files.” The exploits, however, can’t be carried out remotely, he said, which means attackers have to use these in conjunction with a separate RCE flaw, like the MSHTML bug (CVE-2021-40444).
Apple, as we noted on Monday, released patches for macOS, iOS, and iPadOS addressing flaws in WebKit and CoreGraphics yesterday, one of which has been implicated in attacks on human-rights advocates. And Google also pushed out fixes for nine CVEs in Chromium, two of which are under active attack. Adobe published 15 security advisories addressing 59 CVEs in Adobe Acrobat Reader, ColdFusion, Creative Cloud Desktop, Digital Editions, Experience Manager, Framemaker, Genuine Service, InCopy, InDesign, Photoshop, Photoshop Elements, Premiere Elements, Premiere Pro, SVG-Native-Viewer, and XMP Toolkit SDK.
Acrobat Reader alone has 26 bugs, 13 of which are rated critical. “The most severe of these bugs could allow remote code execution through either a type confusion, heap-based buffer overflow, or a use after free vulnerability,” said Childs. “The single bug fixed by the Photoshop patch could also lead to code execution when opening a specially crafted file.” SAP, meanwhile, released 19 security notes, two of which update previous patches, covering 23 CVEs.
Seven of these have been bestowed with the label “HotNews,” SAP’s maddening way of saying “critical.” Two have earned a perfect severity score of 10 out of 10. One is a Missing Authorization check in SAP NetWeaver Application Server for Java (CVE-2021-37535). “Facing the integral role of the JMS Connector Service and the CVSS top score of the vulnerability, there should be no doubt that providing the corresponding patch is absolutely recommended,” said Thomas Fritsch, a researcher at security firm Onapsis, in a blog post. “Otherwise, restricted data is at risk of being read, updated, or deleted.”
The other severity-10 note updates an April 2018 Patch Day mitigation applied to a Google Chromium component in SAP Business Client.
Among the remaining five “HotNews” notices, four describe 9.9 severity bugs and one refers to a 9.6 severity flaw.