Emergency Security Patching for Fully-Managed Windows 2012+ servers - February 13th, 14th, 15th 2021

Purpose of Work:

February's Patch Tuesday is underway, and there are some notably bad vulnerabilities this time around. We will install the latest patches on our FULLY managed servers during night-time hours only.

First and foremost, there's CVE-2021-24078. This one is a remote code execution vulnerability that affects a privileged service, the DNS server, on Server 2008+. With low attack complexity, exploitable over the network and requiring no user interaction, this is likely a wormable vulnerability, and any code run through it will execute in the System context automatically. Microsoft has yet to provide a mitigation or workaround in their executive summary. To those fully managed customers yet to move away from a host running Windows Server 2008 R2 or earlier: these kinds of vulnerabilities are exactly the reason to move away from end-of-life operating systems, which will not be patched promptly.

Second, there's CVE-2021-24094 and CVE-2021-24074. These are both remote code execution vulnerabilities affecting the TCP/IP stack (IPv6 and IPv4, respectively) on Server 2008+. Like the previous vulnerability, these are pre-authentication, network-accessible vulnerabilities that would allow injected code to run in a privileged service context. What's different here is that Microsoft has provided workarounds in their executive summary for both, and by default, the IPv4 mitigation should already be in place. We will confirm this on all managed hosts we are unable to patch this cycle.
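The confirmation step described above, as an added example rather than Softsys Hosting's own tooling: a read-only PowerShell check of the two TCP/IP settings that Microsoft's advisories name as workarounds for CVE-2021-24074 (IPv4 source routing behaviour) and CVE-2021-24094 (IPv6 reassembly limit). The setting labels, the expected values (`drop` and `0`) and the `netsh` output format are assumptions taken from those advisories; the function name `Get-NetshGlobalValue` is hypothetical.

```powershell
# Added example (not Softsys Hosting's tooling). Read-only check of the
# Microsoft-published TCP/IP workarounds for CVE-2021-24074 and CVE-2021-24094.
# Assumptions: the labels and expected values below match the advisories, and
# "netsh interface <family> show global" prints "Label : value" rows.
# Run in an elevated PowerShell session on the host being checked.

function Get-NetshGlobalValue {
    param(
        [Parameter(Mandatory)][ValidateSet('ipv4', 'ipv6')][string]$Family,
        [Parameter(Mandatory)][string]$Label
    )
    # netsh prints one "Label : value" row per global setting; return the
    # value for the requested label, or $null if the row is not present.
    $lines = & netsh.exe interface $Family show global
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(\S+)'
    foreach ($line in $lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

$checks = @(
    # 'dontforward' is the OS default and is why the IPv4 mitigation is
    # described as already largely in place; the advisory workaround goes
    # one step further and drops source-routed packets outright.
    [pscustomobject]@{
        CVE      = 'CVE-2021-24074'
        Setting  = 'IPv4 Source Routing Behavior'
        Current  = Get-NetshGlobalValue -Family ipv4 -Label 'Source Routing Behavior'
        Expected = 'drop'
    },
    [pscustomobject]@{
        CVE      = 'CVE-2021-24094'
        Setting  = 'IPv6 Reassembly Limit'
        Current  = Get-NetshGlobalValue -Family ipv6 -Label 'Reassembly Limit'
        Expected = '0'
    }
)

foreach ($c in $checks) {
    if ($null -eq $c.Current) {
        $status = 'UNKNOWN (setting not found in netsh output)'
    } elseif ($c.Current -eq $c.Expected) {
        $status = 'WORKAROUND APPLIED'
    } else {
        $status = 'WORKAROUND NOT APPLIED'
    }
    '{0,-16} {1,-30} current={2,-12} expected={3,-5} {4}' -f `
        $c.CVE, $c.Setting, $c.Current, $c.Expected, $status
}
```

The script only reports; it changes nothing. That is deliberate: the workarounds are a stop-gap for hosts that cannot take the patch this cycle, and the IPv6 reassembly limit of 0 in particular causes fragmented IPv6 packets to be dropped, so it should be applied knowingly and removed once the February update is installed.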

Third, there's CVE-2021-26701, a remote code execution vulnerability affecting .NET 5.0 and certain versions of .NET Core. There is little information about this one, but the attack complexity is high, and this likely will result in websites using the listed frameworks being easily compromised and used to attempt to take over a host. The vulnerability does not include escalation of privilege on its own, unlike the last two.

Fourth, there's CVE-2021-1732, an escalation of privilege vulnerability in the kernel on Server 2019+ and Windows 10 1803+. This one appears to have functional exploits that have already been detected in the wild, making it a true 0-day. We will be patching it tonight alongside the rest.

© Softsys Hosting