May 2021 Patch Tuesday
Overall, this Patch Tuesday is rather “modest,” containing fixes for only 55 flaws. In fact, this is the smallest batch of patches from Microsoft since last year. But one of the vulnerabilities is rather concerning, as it creates a wormable opportunity for threat actors. There are no indications that any of the vulnerabilities addressed this month are exploited in the wild.
So, what are the four critical vulnerabilities Microsoft fixed this month?
- CVE-2021-31166: A wormable HTTP protocol-stack flaw in Windows 10 and some versions of Windows Server that could lead to remote code execution (RCE) attacks;
- CVE-2021-26419: A scripting-engine memory corruption flaw that resides in Internet Explorer 11 and 9 allowing RCE;
- CVE-2021-31194: An RCE bug located in the Microsoft Windows Object Linking and Embedding (OLE) Automation;
- CVE-2021-28476: An RCE vulnerability discovered in Microsoft Windows Hyper-V.
The most dangerous of these vulnerabilities is CVE-2021-31166, the critical wormable issue. According to Automox security researchers, an unauthenticated attacker could exploit this flaw by sending malicious packets to a targeted server; the HTTP protocol stack (http.sys) would process those packets and execute arbitrary code, which could then lead to the attacker taking control of the targeted system. Microsoft also added that the vulnerability is worm-like, and that it could be used to self-replicate across the internal network, compromising internal services within the organization.
The Growing Threat of Wormable Exploits
In a conversation with Threatpost, Kevin Breen of Immersive Labs said that the CVE-2021-31166 vulnerability is of prime interest for ransomware operators.
One of the ransomware families updated with a wormable capability is Ryuk. The capability allows the ransomware to spread across compromised networks, making it even more dangerous. The new malicious capability in the ransomware was unearthed by ANSSI in March. “A Ryuk sample with worm-like capabilities allowing it to spread automatically within networks it infects, was discovered during an incident response handled by the ANSSI in early 2021,” the researchers share.
Another example of a recent worm-like malware affects Android devices. The malware is capable of automatically replying to a victim’s incoming WhatsApp messages with a payload received from its command-and-control server. The discovery comes from security firm Check Point. According to the researchers’ report, this capability could have enabled threat actors to spread phishing attacks, spread fake information, or steal sensitive credentials and data from the victims’ WhatsApp accounts.
“Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it’s even more appealing for attackers, and any organization using HTTP.sys protocol stack should prioritize this patch,” Kevin Breen added.
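Breen's advice hinges on knowing which hosts actually use the HTTP.sys protocol stack. The following PowerShell script is an added example written for this page, not code from Automox, Immersive Labs or Microsoft: it inventories every process that currently has a URL registered with http.sys (the same driver CVE-2021-31166 lives in) and lists the updates installed since the May 2021 Patch Tuesday, so an administrator can see both exposure and patch state on a host. It assumes an elevated PowerShell session on Windows 10 or Windows Server, and the Patch Tuesday date of 11 May 2021 is an assumption to be checked against your own update records; the article gives no KB number, so the script reports what is installed rather than deciding whether a host is vulnerable.

```powershell
# Added example (not from the article): which processes expose HTTP.sys on this host,
# and which Windows updates have been installed since the May 2021 Patch Tuesday.
# Assumes an elevated session on Windows 10 / Windows Server.

function Get-HttpSysListener {
    # 'netsh http show servicestate view=requestq' prints each request queue with the
    # process IDs attached to it, followed by the URLs registered for that queue.
    $lines       = netsh http show servicestate view=requestq
    $listeners   = @()
    $currentPids = @()
    $mode        = $null

    foreach ($line in $lines) {
        $t = $line.Trim()
        if ($t -eq 'Process IDs:')     { $currentPids = @(); $mode = 'pid'; continue }  # new queue
        if ($t -eq 'Registered URLs:') { $mode = 'url'; continue }
        if ($t -eq '')                 { continue }

        switch ($mode) {
            'pid' {
                if ($t -match '^\d+$') { $currentPids += [int]$t } else { $mode = $null }
            }
            'url' {
                if ($t -match '^HTTPS?://') {
                    foreach ($processId in $currentPids) {
                        $proc = Get-Process -Id $processId -ErrorAction SilentlyContinue
                        $listeners += [pscustomobject]@{
                            Process = if ($proc) { $proc.ProcessName } else { '(exited)' }
                            Pid     = $processId
                            Url     = $t
                        }
                    }
                } else { $mode = $null }
            }
        }
    }
    $listeners
}

function Get-UpdatesInstalledSince {
    # Date assumed to be the May 2021 Patch Tuesday; verify against your own records.
    param([datetime]$Since = (Get-Date '2021-05-11'))
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

$listeners = Get-HttpSysListener
if ($listeners) {
    "HTTP.sys is in use on $env:COMPUTERNAME by the following processes:"
    $listeners | Sort-Object Process, Url | Format-Table Process, Pid, Url -AutoSize
} else {
    "No process currently has a URL registered with HTTP.sys on $env:COMPUTERNAME."
}
"Updates installed since $((Get-Date '2021-05-11').ToShortDateString()):"
Get-UpdatesInstalledSince | Format-Table -AutoSize
```

Hosts where the first table is empty have no user-mode listener on http.sys at the moment the script runs, which is useful for ordering a patch rollout but is not proof the driver is never used: services such as IIS and WinRM register their URLs with http.sys, and a host that starts one of them later joins the exposed set, so the cumulative update still belongs on every machine.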