Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:38 PM
Connect Directly

Microsoft Patch Tuesday: 4 Critical CVEs, 3 Publicly Known, 1 Wormable

Microsoft releases security patches for 55 vulnerabilities in its monthly roundup, which includes a critical, wormable flaw in the HTTP protocol stack.

Microsoft's May Patch Tuesday release is smaller compared with previous months, but there are several vulnerabilities to note: Four are considered critical, one of which is wormable, and three of the flaws are publicly known at the time of disclosure. None are listed as under active attack.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10 Security Awareness Training Mistakes to Avoid

This month brought patches for 55 CVEs in Microsoft Windows, Microsoft Office, .NET Core and Visual Studio, Internet Explorer, SharePoint Server, Hyper-V, Skype for Business and Microsoft Lync, Open Source Software, and Exchange Server. Fifty of these vulnerabilities are classified as Important in severity, one as Moderate.

One concerning CVE to prioritize is CVE-2021-31166, a critical remote code execution flaw in the HTTP protocol stack with a CVSS score of 9.8. An attack using this would be low in complexity and require no privileges or user interaction, Microsoft says in its disclosure.

To exploit this, an attacker would need to send a specially crafted packet to a vulnerable server using the HTTP protocol stack to process packets. This makes the bug wormable, a danger Microsoft points out. And as Dustin Childs of Trend Micro's ZDI writes in a blog post, Windows 10 can be configured as a server, meaning it's also affected.

Microsoft and security experts advise prioritizing patching for affected servers. While the wormable bug hasn't been seen in active attacks, Microsoft's exploitability assessment warns exploitation is more likely.

"Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing," says Kevin Breen, director of cyber-threat research at Immersive Labs. "As this specific exploit would not require any form of authentication, it's even more appealing for attackers, and any organization using the HTTP.sys protocol stack should prioritize this patch."

This vulnerability has the potentially to be "both directly impactful and is also exceptionally simple to exploit," notes Steve Povolny, head of advanced threat research and principal engineer at McAfee. While this could lead to code execution in the Windows kernel, that type of exploit would be a higher bar for attackers. Achieving remote code execution could give them the ability to create a self-propagating worm, which could cause widespread damage.

Another CVE worth noting is CVE-2021-28476, a critical remote code execution flaw in Hyper-V with a CVSS score of 9.9. This attack also requires low complexity, low privileges, and no user interaction to be successful. The flaw lets a guest virtual machine force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address, which wouldn't be returned to the guest VM.

"In most circumstances, this would result in a denial of service to the Hyper-V host (bugcheck) due to reading an unmapped address," Microsoft writes. "It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware specific side effects that could compromise the Hyper-V host's security."

Microsoft has deployed patches for four Exchange Server vulnerabilities (CVE-2021-31198CVE-2021-31207CVE-2021-31209, and CVE-2021-31195), all of which are categorized as Important or Moderate in severity. One of these, CVE-2021-31207, is publicly known and is a security bypass vulnerability in Microsoft Exchange versions 2013–2019. While it isn't critical, this was exploited in the recent Pwn2Own competition and should be patched.

"While none of these flaws is deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible," says Satnam Narang, staff research engineer at Tenable.

Other publicly known vulnerabilities patched today include CVE-2021-31204, an Important elevation of privilege flaw in .NET Core and Visual Studio, and CVE-2021-31200, an Important remote code execution vulnerability in Common Utilities.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).