Patch Tuesday – April 2021
This month Microsoft releases critical patches for on-premises Exchange Server, a fix for the AD Kerberos KDC flaw, and plugs a zero-day elevation of privilege bug in Windows 10.
Windows and Windows Server
This month Microsoft patched an elevation of privilege bug (CVE-2021-28310) in Windows that has already been exploited in the wild. The patch applies to Windows 10, and the equivalent server versions, from version 1803 through version 20H2. The bug was reported by Trend Micro’s Dustin Childs, so it’s likely that Trend has seen the vulnerability exploited by malware. Kaspersky says that the flaw is likely used together with other exploits to escape the browser’s sandbox protection.
And of course, there is an array of other patches for vulnerabilities in Windows, including in the Desktop Window Manager, the NTFS file system, Windows Installer, the RPC Endpoint Mapper Service, and much more.
Active Directory Kerberos KDC security feature bypass vulnerability
Microsoft has released a patch for the Kerberos KDC security feature bypass vulnerability (CVE-2020-17049) it flagged in November 2020. Microsoft had previously released an update for the flaw, but it caused more problems than it solved. What we have now is an updated version of the patch that hopefully system administrators can deploy to servers and clients safely. Microsoft says about the update:
Addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, “KRB_GENERIC_ERROR”, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
For a complete rundown of the issue, be sure to check out KB4598347: Managing deployment of Kerberos S4U changes for CVE-2020-17049 on Microsoft’s site.
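Because the behaviour described above depends on the PerformTicketSignature value on each domain controller, it helps to know which KB4598347 phase every DC is actually in before rolling out this month’s update. The following PowerShell snippet is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory module, PowerShell remoting to the DCs, and the Kdc registry location described in KB4598347, and the phase labels should be read against that article.

```powershell
# Added example (not from the original post): report the PerformTicketSignature
# value on every domain controller so the CVE-2020-17049 rollout phase is known.
# Assumes: ActiveDirectory module, WinRM access to the DCs, and the registry
# location from KB4598347 (HKLM\SYSTEM\CurrentControlSet\Services\Kdc).
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Enumerate the DCs in the current domain.
$dcs = (Get-ADDomainController -Filter *).HostName

# Read the value remotely; a missing value comes back as $null.
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($Key)
    $item = Get-ItemProperty -Path $Key -Name 'PerformTicketSignature' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC    = $env:COMPUTERNAME
        Value = if ($item) { $item.PerformTicketSignature } else { $null }
    }
} -ArgumentList $KdcKey

# Translate the raw DWORD into the phase wording used by KB4598347.
foreach ($r in $results) {
    if ($null -eq $r.Value) {
        $phase = 'value absent: default behaviour of the installed update applies (see KB4598347)'
    } elseif ($r.Value -eq 0) {
        $phase = 'protection disabled'
    } elseif ($r.Value -eq 1) {
        $phase = 'deployment mode (signatures added, not enforced)'
    } elseif ($r.Value -eq 2) {
        $phase = 'enforcement mode'
    } else {
        $phase = "unexpected value $($r.Value)"
    }
    '{0,-30} {1}' -f $r.DC, $phase
}
```

Run it from a workstation with the RSAT tools before and after patching; any DC still reporting 0 is not protected against the bypass, and a mix of values across DCs is exactly the situation in which the MIT-realm ticket failures quoted above tend to surface.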
Azure Active Directory web sign-in ‘allows arbitrary browsing from the third-party endpoints used for federated authentication.’
There’s not much information available about this flaw other than it applies to all versions of Windows starting with version 1803 through to version 20H2, and that exploitation isn’t very likely.
Microsoft completely removing RemoteFX vGPU
RemoteFX vGPU is a feature in Windows that lets multiple virtual machines share a physical GPU. The feature was removed from Windows Server 2019 because Microsoft discovered that the way RemoteFX was implemented is susceptible to security vulnerabilities. And in short, because the vulnerabilities are architectural, they cannot be fixed. So, Microsoft is removing RemoteFX vGPU completely from all versions of Windows.
If you are running Windows 10 version 1809 or later, then RemoteFX vGPU has already been removed. And it was disabled in all other versions of Windows in the July 2020 updates. This month’s update removes RemoteFX vGPU from all applicable versions of Windows. Microsoft says that secure GPU virtualization can be achieved using Discrete Device Assignment (DDA) in Windows Server 2016 and 2019, and Semi-Annual Channel (SAC) Windows Server releases starting with version 1803.
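Before the update removes the feature, it is worth knowing which virtual machines still carry a RemoteFX 3D video adapter, since those guests will lose their GPU acceleration and need to be moved to DDA or another approach. The snippet below is an added example, not the post’s or Microsoft’s code; it assumes the Hyper-V PowerShell module on a host where the RemoteFX cmdlets have not yet been removed.

```powershell
# Added example (not from the original post): find VMs on this Hyper-V host that
# still have a RemoteFX 3D video adapter before the April 2021 update removes it.
# Assumes the Hyper-V module and a host on which Get-VMRemoteFx3dVideoAdapter still exists.
$adapters = Get-VM | Get-VMRemoteFx3dVideoAdapter -ErrorAction SilentlyContinue

if (-not $adapters) {
    'No VMs on this host have a RemoteFX vGPU adapter attached.'
} else {
    # List the affected guests so they can be scheduled for reconfiguration.
    $adapters | Select-Object VMName, Name

    # Preview the removal; drop -WhatIf once the guests have been migrated
    # to Discrete Device Assignment or no longer need GPU acceleration.
    foreach ($a in $adapters) {
        Remove-VMRemoteFx3dVideoAdapter -VMName $a.VMName -WhatIf
    }
}
```

Run it on each Hyper-V host (or through Invoke-Command against a list of hosts) so that no guest is caught by surprise when the feature disappears with the update.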
Exchange, SQL, and SharePoint Server
Microsoft says that patching Exchange Server 2013, 2016, and 2019 this month should be a priority as it releases four patches, two of which plug remote code execution vulnerabilities (CVE-2021-28480 and CVE-2021-28481). CVE-2021-28480 and CVE-2021-28481 are pre-authentication vulnerabilities, so an attacker doesn’t even need to authenticate to Exchange to exploit these bugs. All four patched flaws were reported by the U.S. National Security Agency (NSA), although Microsoft says that it also discovered two of the bugs internally.
As you would expect, if you are using Exchange Online, you are already protected. If you have a hybrid Exchange setup, you need to apply these updates to your on-premises Exchange servers, even if they are only used to manage Exchange Online. For more information on these updates, check out the Exchange Team blog here.
Microsoft released patches for several remote code execution vulnerabilities that affect Word and Excel.
Finally, Adobe released security patches this month for Photoshop, Digital Editions, Bridge, and RoboHelp.
And that’s it for another month! Happy patching.