Microsoft's August 2021 Patch Tuesday updates

On 10 August 2021, Microsoft released updates in multiple products; seven of the fixed flaws have been marked Critical, one as currently abused. We recommend timely patching of these flaws.

Details

• Microsoft's August 2021 Patch Tuesday has fixed 44 vulnerabilities including 13 that can be used for remote code execution, seven classified as Critical, two that have been publicly disclosed, and one that is actively used by threat actors.
• CVE-2021-36948, a Windows Update Medic Service (WaaSMedicSVC) Elevation of Privilege vulnerability, is marked under active exploitation and received a CVSS:3.0 score of 7.8 / 7.2. WaaSMedicSVC is a background service that was introduced with Windows 10. It enables remediation and protection of Windows Update components.
• Microsoft stated that the details for the following two vulnerabilities were made public:
  • CVE-2021-36942, a Windows LSA Spoofing Vulnerability. CVSS:3.0 7.5 / 7.0. The update mitigates the NTLM Relay Attack method known as PetitPotam by blocking the affected API calls (OpenEncryptedFileRawA and OpenEncryptedFileRawW) through the local security authority RPC (LSARPC) interface.
  • CVE-2021-36936, a Windows Print Spooler Remote Code Execution Vulnerability. CVSS:3.0 8.8 / 8.2. It is unrelated to the previously disclosed issues in Windows Print Spooler; two falling under the class of vulnerabilities known as PrintNightmare (CVE-2021-1675 and CVE-2021-34527), and CVE-2021-34481.

• Microsoft also updated the CVE-2021-34481 guide to further address the PrintNightmare vulnerabilities in the Windows Print Spooler. Windows updates released on 10 August 2021 and later will, by default, require administrative privilege to install drivers.
• Another critical vulnerability was addressed in CVE-2021-26432, a Windows Services for NFS ONCRPC XDR Driver Remote Code Execution vulnerability that requires no prior authentication or user interaction to be exploited. CVSS:3.0 9.8 / 8.5

Recommendations

• We recommend timely patching for the noted Microsoft vulnerabilities as publicly disclosed and exploited flaws make it more likely for unpatched systems to become targets of exploitation.
• In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.
• Systems with backup software using the EFS API OpenEncryptedFileRawA (A/W) function should exercise caution when applying these updates, and refer to Microsoft's guidance on Mitigating NTLM Relay Attacks referenced below.

References

• Microsoft Updates
• KB5005413:Mitigating NTLM Relay Attacks on AD CS
• ADV210003:Mitigating NTLM Relay Attacks on AD CS