April 2021 Patch Tuesday has seen Microsoft issue 108 patches to correct vulnerabilities across its range of products, including one actively exploited zero-day vulnerability and 4 zero-day remote code execution vulnerabilities in Microsoft Exchange Server that were recently discovered by the NSA. 19 of the flaws have been rated critical, 88 are rated important, and one is rated moderate severity. Earlier this month, Microsoft also released patches to correct 6 vulnerabilities in Microsoft Edge (Chromium).
The actively exploited flaw – CVE-2021-28310 – is a Win32k elevation of privilege vulnerability that is believed to have been exploited by the BITTER APT group and, potentially, several other threat actors. An exploit is believed to have been chained with other flaws such as browser exploits to escape sandboxes or gain system level privileges for further exploitation. While believed to have been actively exploited, the flaw has only been rated as important by Microsoft.
Four vulnerabilities have been fixed which have been disclosed publicly but are not believed to have been exploited in the wild: CVE-2021-27091 (RPC Endpoint Mapper Service elevation of privilege vulnerability), CVE-2021-28312 (Windows NTFS denial of service vulnerability), CVE-2021-28437 (Windows Installer information disclosure vulnerability) and CVE-2021-28458 (Azure ms-rest-nodeauth Library elevation of privilege vulnerability).
The four Microsoft Exchange Server vulnerabilities discovered by the NSA are all remote code execution flaws, none of which are believed to have been exploited to date but should be prioritized as exploitation is likely. The patches could easily be reverse engineered to identify and weaponize the flaws. They are: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483. These flaws affect on-premises Exchange Servers 2013, 2016, and 2019. Two of the flaws can be exploited by unauthenticated users without any user interaction and have CVSS scores of 9.8 out of 10.
The remaining critical vulnerabilities are in Azure Sphere (CVE-2021-28460), Windows Media Player (CVE-2021-28315 and CVE-2021-27095), and 12 critical flaws in Windows Remote Procedure Call Runtime (CVE-2021-28336, CVE-2021-28335, CVE-2021-28334, CVE-2021-28338, CVE-2021-28337, CVE-2021-28333, CVE-2021-28329, CVE-2021-28330, CVE-2021-28332, CVE-2021-28331, CVE-2021-28339, and CVE-2021-28343)
Adobe Patches 10 Vulnerabilities; 7 Rated Critical
Adobe has released 10 patches to fix flaws in Adobe Bridge, Adobe Digital Editions, Adobe Photoshop, and RoboHelp, 7 of which are rated critical and 3 important. None of the flaws are believed to have been exploited in the wild and all have received a patching priority rating of 3. While some of the flaws could lead to remote code execution, they affect products that are typically not targeted by hackers; however, prompt patching is still recommended.
Four critical RCE vulnerabilities affect Adobe Bridge (CVE-2021-21093, CVE-2021-21092, CVE-2021-21094, and CVE-2021-21095), the first two are memory corruption vulnerabilities and the latter two are out-of-bounds write bugs. A further two vulnerabilities have been rated important, an out-of-bounds read bug – CVE-2021-21091 – which could result in information disclosure and an improper authorization flaw – CVE-2021-21096 – which could allow privilege escalation. The flaws have been corrected in Adobe Bridge v 11.0.2 for Windows and macOS.
There are two vulnerabilities in Adobe Photoshop – CVE-2021-28548 and CVE-2021-28549 – both of which are buffer overflow flaws that could allow remote code execution. The flaws have been corrected in Photoshop 2020 v 21.2.7 and Photoshop 2021 v 22.3.1 for Windows and macOS.
One critical privilege escalation vulnerability – CVE-2021-21100 – has been patched in Adobe Digital Editions which could allow an arbitrary file system write. The flaw has been fixed in v 188.8.131.52606 for MacOS.
The final vulnerability, rated important, affects RoboHelp, which is an uncontrolled search path element that could allow privilege exploitation. It has been corrected in v. RH2020.0.4 for Windows and macOS.