Wormable Windows Bug Opens Door to DoS, RCE

Microsoft’s May Patch Tuesday release addressed a modest 55 cybersecurity vulnerabilities, including just four critical bugs. It’s the smallest monthly update from the computing giant since 2020, but it does contain a patch for a concerning wormable vulnerability found in the Windows OS.

The good news is that none of the vulnerabilities are being actively exploited in the wild, according to Microsoft, though three are listed as publicly known.

The fixes address security flaws across Microsoft Windows, .NET Core and Visual Studio, Internet Explorer (IE), Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Microsoft Lync, and Exchange Server. Besides the four critical bugs, 50 are rated “important” and one is moderate in severity.

Critical Microsoft Security Patches for May 2021

The critical bugs in this month’s Patch Tuesday release are:

• CVE-2021-31166: A wormable HTTP protocol-stack issue in Windows 10 and some versions of Windows Server allowing remote code-execution (RCE)
• CVE-2021-26419: A scripting-engine memory corruption vulnerability in Internet Explorer 11 and 9 allowing RCE
• CVE-2021-31194: An RCE bug in the Microsoft Windows Object Linking and Embedding (OLE) Automation
• CVE-2021-28476: An RCE vulnerability in Microsoft Windows Hyper-V

CVE-2021-31166 – Wormable

This most concerning critical bug for researchers is an HTTP protocol-stack issue that would allow RCE with kernel privileges or a denial-of-service (DoS) attack. The HTTP protocol stack enables Windows and applications to communicate with other devices; it can be run standalone or in conjunction with Internet Information Services (IIS).

“If exploited, this vulnerability could enable an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP protocol stack (http.sys) to process packets and ultimately, execute arbitrary code, and take control of the affected system,” Eric Feldman, cybersecurity researcher with Automox, wrote in an analysis.

Worse, Microsoft noted that the bug is wormable, so that it could be used to self-replicate across the internal network and affect internal services that may not have been exposed.

“The vulnerability announced has the potential to be both directly impactful and is also exceptionally simple to exploit, leading to a remote and unauthenticated DoS (Blue Screen of Death) for affected products,” Steve Povolny, head of advanced threat research and principle engineer at McAfee, said via email. “While this vulnerability has the potential to lead to code execution in the Windows kernel, this type of weaponization is a much higher bar for exploitation. However, if RCE can be achieved, cybercriminals would likely have the capability to create a worm, leading to self-propagation of the vulnerability across networks and the internet.”

“For ransomware operators, this kind of vulnerability is a prime target for exploitation,” Kevin Breen, director of cyber-threat research at Immersive Labs, told Threatpost. “Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it’s even more appealing for attackers, and any organization using HTTP.sys protocol stack should prioritize this patch.”

Dustin Childs, researcher with Trend Micro’s Zero Day Initiative (ZDI), noted in a blog, “Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.”

CVE-2021-26419

This second critical bug affecting Microsoft’s legacy browser allows RCE, and offers several avenues of attack, according to researchers.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” explained Feldman. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

The best way to counteract this bug is ditching IE, noted Breen.

“Internet Explorer needs to die – and I’m not the only one that thinks so,” he told Threatpost. “If you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.”

CVE-2021-31194

The third critical bug exists in the Microsoft Windows OLE Automation, which in and of itself should place it on the priority-patch list, according to researchers.

“To exploit the vulnerability, an attacker could host a specially crafted website designed to invoke OLE automation through a web browser,” explained Justin Knapp, Automox researcher. “However, this approach requires that the attacker bait a user into visiting the maliciously crafted website.”

He pointed out that OLE technology has frequently been used to mask malicious code within documents and for linking to external files that infect systems with malware.

“In 2020, the CISA released an alert detailing the top 10 routinely exploited vulnerabilities, which identified Microsoft’s OLE as the most commonly exploited technology by state-sponsored cyber-actors,” he said. “Considering the prevalent exploitation of OLE vulnerabilities, including those that had been flagged years ago, organizations should immediately prioritize patching all outstanding OLE vulnerabilities.”

CVE-2021-28476

The last critical bug is found in Windows Hyper-V, which is a native hypervisor that can create and run virtual machines on x86-64 systems running Windows. It can allow an attacker to execute arbitrary code, Knapp said: “To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data. Successful exploitation could enable an attacker to run malicious binaries on Hyper-V virtual machines or execute arbitrary code on the host system itself.”

That said, Microsoft noted that an attacker is more likely to abuse the bug for DoS attacks in the form of a system crash rather than RCE, Childs pointed out, which mitigates the vulnerability’s CVSS score of 9.9.

“Because of this, it could be argued that the attack complexity would be high, which changes the CVSS rating to 8.5,” he said. “That still rates as high-severity, but not critical. Still, the bug check [system crash] alone is worth making sure your Hyper-V systems get this update.”

Publicly Disclosed Vulnerabilities

Chris Goettl, senior director of product management at Ivanti, told Threatpost that the biggest patching priority should be the publicly disclosed bugs – even though there is as yet no known malicious exploitation.

“The top concern from the Microsoft updates this month is the update for Microsoft Exchange that includes the fix for CVE-2021-31207, which made its debut in the 2021 Pwn2Own competition,” he said.

The bug tracked as CVE-2021-31207 is only rated as “moderate,” but the “security feature-bypass exploit was showcased prominently in the Pwn2Own contest and at some point details of the exploit will be published,” Goettl explained. “At that point threat actors will be able to take advantage of the vulnerability if they have not already begun attempting to reverse engineer an exploit.”

There two other publicly disclosed vulnerabilities resolved by Microsoft this month that exist in Common Utilities, found in the NNI open-source toolkit (CVE-2021-31200), and in .NET and Visual Studio (CVE-2021-31204).

“Common Utilities and .NET and Visual Studio are less likely to be targeted, but due to the public disclosures they should not be ignored for long,” Goettl added.

Other Notable Microsoft Security Patches for May 2021

As for the other patches in the update that stood out to the research community, ZDI’s Childs highlighted a Windows wireless networking information-disclosure bug, tracked as CVE-2020-24587.

“The ZDI doesn’t normally highlight info disclosure bugs, but this one has the potential to be pretty damaging,” Childs said. “This patch fixes a vulnerability that could allow an attacker to disclose the contents of encrypted wireless packets on an affected system. It’s not clear what the range on such an attack would be, but you should assume some proximity is needed. You’ll also note this CVE is from 2020, which could indicate Microsoft has been working on this fix for some time.”

Windows Graphics, SharePoint Server Patches

A trio of local privilege escalation flaws – two in the Windows Graphics Component (CVE-2021-31188, CVE-2021-31170) and one in SharePoint Server (CVE-2021-28474) – caught Breen’s eye.

As for the first two, he noted they could be chained with another bug, such as the wormable bug listed above, to become highly dangerous and allow for WannaCry-style attacks.

“This kind of vulnerability is often used by attackers after they have already gained a foothold through an initial infection vector, like phishing or via another exploit like the RCE in HTTP.sys (CVE-2021-31166),” Breen noted via email. “The attackers are looking to increase their privileges so they can move laterally across a network or gain access to other accounts that may have access to more sensitive information.”

Meanwhile, the SharePoint bug allows an authenticated attacker to run code on remote SharePoint Servers.

“As this is post-authentication, it’s likely to be used as part of post-exploitation and lateral movement phases of an attack, rather than the initial-infection vector,” Breen said. “Attackers could gain access to sensitive documents or even replace real documents with weaponized versions, enabling the compromise of more user devices across the organization’s network.”

Microsoft Exchange Server Patches

Microsoft also patched four vulnerabilities in Microsoft Exchange Server. The flaws (CVE-2021-31198, RCE; CVE-2021-31207, spoofing; CVE-2021-31209, security bypass; and CVE-2021-31195, RCE), are all rated important or moderate.

“CVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerabilities that [were] patched in an out-of-band release back in March,” Satnam Narang, staff research engineer with Tenable, told Threatpost. “While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible.”

And finally, Ivanti’s Goettl noted that several Microsoft products have reached end-of-life and won’t be getting support going forward.

“This month marks the final update for several Windows 10 and Server editions, so make sure you have updated any systems to newer branches to avoid a disruption in security update coverage come June,” he said. “Windows 10 1803 and 1809 and Server 1909 all received their final update on May Patch Tuesday 2021.”

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.