July Patch Tuesday: DNS Server, Exchange Server Vulnerabilities Cause Problems
After two relatively quiet months, July has proven to be another busy month for Microsoft security bulletins. A total of 117 bulletins were issued for various security vulnerabilities fixed in the July Patch Tuesday cycle.
Thirteen of these were rated as Critical, 103 as Important, and one was classified as Moderate. Fifteen were submitted via the Trend Micro Zero Day Initiative.
PrintNightmare patched out-of-band
Before the second Tuesday hit, however, system administrators were already busy remediating PrintNightmare. This bug (CVE-2021-34527), which was inadvertently disclosed soon after June’s Patch Tuesday, allowed for remote code execution on affected machines via a bug in the print spooler. This was not resolved until an out-of-band patch was released over the first weekend of July. Microsoft blamed later reports of an incomplete patch on insecure settings related to the Point and Print feature, which led to the company issuing “clarified guidance.” It’s worth noting that PrintNightmare is one of the four vulnerabilities fixed that Microsoft noted as being currently exploited.
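As an added example (not from the original post, and not Microsoft's or Trend Micro's tooling), the following read-only PowerShell audit checks whether the Print Spooler service is running and whether the two Point and Print policy values Microsoft's clarified guidance pointed to are set to the insecure override; the registry path and value names are assumed from that July 2021 guidance (KB5005010).

```powershell
# Added example: read-only audit of PrintNightmare-related exposure on one Windows host.
# Assumptions: the Point and Print policy path and value names below follow
# Microsoft's July 2021 guidance (KB5005010); a value of 1 on either setting lets
# non-admin users install printer drivers without warning or elevation, which
# weakens the protection the July update relies on.
$policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$riskyValues = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Get-PrintNightmareAudit {
    $findings = @()

    # 1. Is the Print Spooler service running at all? On servers that never print
    #    (domain controllers in particular) it should be stopped and disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -ne $spooler) {
        $findings += [pscustomobject]@{
            Check = 'Spooler service'
            State = "$($spooler.Status) (StartType: $($spooler.StartType))"
            Risky = ($spooler.Status -eq 'Running')
        }
    }

    # 2. Point and Print policy values. A missing key means the post-patch default
    #    applies; an explicit value of 1 is the insecure override.
    foreach ($name in $riskyValues) {
        $value = (Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) { $state = 'not set (default)' } else { $state = $value }
        $findings += [pscustomobject]@{
            Check = "PointAndPrint\$name"
            State = $state
            Risky = ($value -eq 1)
        }
    }

    return $findings
}

# Usage: run in an elevated session; any row with Risky = True needs attention.
Get-PrintNightmareAudit | Format-Table -AutoSize
```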
Exchange, DNS Server bugs multiply
Seven of the bulletins issued this month were in Exchange Server. While only one (CVE-2021-34473) was rated as Critical, it appears to be potentially problematic: not only was it publicly disclosed before the patch, but Microsoft also classified it as more likely to be exploited for both current and older versions. All this means that it is very likely to be targeted for exploitation by various threat actors. Note, however, that three of the bulletins cover vulnerabilities that were silently patched in April.
Windows DNS Server is also a fertile source of potential exploits for this month. Microsoft fixed nine vulnerabilities in this product, and while only one of these is rated Critical (CVE-2021-34494), this particular one could allow for remote code execution at a privileged service level without user interaction. Combined with the inherent importance of DNS servers, this one is worth patching quickly.
Other vulnerabilities of note
Among the other vulnerabilities, some still deserve special attention. A trio of vulnerabilities in the TCP/IP driver stack could allow for a denial-of-service attack on machines, causing them to go offline. Microsoft Defender, Storage Spaces, and the SharePoint Server are all components/applications that are covered by multiple patches this month.
Trend Micro Solutions
A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Note that our solutions to PrintNightmare are also covered specifically in our Knowledge Base, as well as being listed below.
The Trend Micro™ Deep Security™ solution provides network security, system security, and malware prevention. Combined with Vulnerability Protection, it can protect user systems from a wide range of upcoming threats that might target vulnerabilities. Both solutions protect users from exploits that target these vulnerabilities via the following rules:
- 1011016 - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol (CVE-2021-34527)
- 1011018 - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol (CVE-2021-34527)
- 1011040 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2021-34448)
TippingPoint® Next-Generation Intrusion Prevention System (NGIPS) is a network traffic solution that uses comprehensive and contextual awareness analysis for advanced threats that exploit vulnerabilities.
TippingPoint protects customers through the following rules:
- 39940: RPC: Microsoft Windows AddPrinterDriverEx Request (CVE-2021-34527)
- 39954: RPC: Microsoft Windows AsyncEnumPrinterDrivers/AsyncAddPrinterDriver Request (CVE-2021-34527)
- 39959: HTTP: Microsoft SharePoint Code Execution Vulnerability (CVE-2021-34467)
- 39997: TCP: Microsoft SharePoint Explicit Logon AutoDiscover Request (CVE-2021-34473)