Microsoft patches actively exploited zero-day (CVE-2021-36948), more Print Spooler flaws

Microsoft’s August 2021 Patch Tuesday is pretty lightweight, through it covers a wide variety of Microsoft solutions. 44 CVE-numbered security holes have been plugged, seven of which are critical, and one is actively exploited (CVE-2021-36948).


Fixed vulnerabilities of note

Let’s start with the zero-day. CVE-2021-36948 is a vulnerability in the Windows Update Medic Service that can be exploited by attackers to escalate privileges on a compromised system (and misuse them to do things like create user accounts, delete their tracks, and so on). It affects various versions of Windows 10 and Windows Server.

Microsoft says that its security research teams spotted it being actively exploited, though they did not share details about the attack(s).

The company has fixed three Windows Print Spooler bugs: one “critical”
(CVE-2021-36936) and two “important” (CVE-2021-34483, CVE-2021-36947).

“CVE-2021-36947 and CVE-2021-36936 are rated as “Exploitation More Likely,” according to Microsoft’s Exploitability Index. CVE-2021-36936 is also identified as being publicly disclosed, which implies this is one of the additional vulnerabilities researchers have uncovered since PrintNightmare was first disclosed. Because of the ubiquitous nature of the Windows Print Spooler within networks, organizations should prioritize patching these flaws as soon as possible,” advised Satnam Narang, staff research engineer at Tenable.

Kevin Breen, Director of Cyber Threat Research at Immersive Labs, says that CVE-2021-36942, a Windows LSA Spoofing Vulnerability, is interesting.

“It fixes a flaw that could be used to steal NTLM hashes from a domain controller or other vulnerable host. These types of attacks are well known for lateral movement and privilege escalation, as has been demonstrated recently by a new exploit called PetitPotam. It is a post intrusion exploit – further down the attack chain – but still a useful tool for attackers,” he noted.

“Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface. This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function,” explained Dustin Childs, with Trend Micro’s Zero Day Initiative.

“You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue.”

CVE-2021-34535 is a critical RCE flaw in the Remote Desktop Client that should not be ignored, Childs added and explained: “An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.”

Don't miss