Today’s VERT Alert addresses Microsoft’s April 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-939 on Wednesday, April 14th.

In-The-Wild & Disclosed CVEs

CVE-2021-28310

Boris Larin of Kaspersky Lab discovered this vulnerability being actively exploited and suspects that it is tied to the BITTER APT group. Larin and co-authors have released a detailed technical write-up on this vulnerability, which impacts the Desktop Window Manager.

Microsoft has rated this as Exploit Detected on the latest software release on the Exploitability Index.

CVE-2021-28312

This publicly disclosed denial of service vulnerability impacts the Windows NTFS file system. Newer versions of Windows 10 as well as Windows Server 2019 and Server version 20H2 are impacted. This appears to be the same vulnerability detailed by BleepingComputer back in January. While an unpatched system will output, “The file or directory is corrupted and unreadable.” when executing the proof of concept, a patched system will output, “The directory name is invalid.”

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-28437

A publicly disclosed information disclosure in the Windows Installer could allow attackers to read from the file system. Based on the Microsoft security guidance, all versions of Windows from Windows 7 to Windows 10 and their associated server platforms are vulnerable.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-28458

The final publicly disclosed vuln this month is found in @azure/ms-rest-nodeauth, a Node.js library for Azure authentication. The fix for this vulnerability was committed on March 23, 2021 and can be reviewed on GitHub.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-27091

This publicly disclosed privilege elevation vulnerability in the RPC Endpoint Mapper Service only affects older operating systems, with patches available for Windows 7, Windows Server 2008 R2, and Windows Server 2012.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Visual Studio Code – Kubernetes Tools | 1 | CVE-2021-28448 |
| Microsoft NTFS | 2 | CVE-2021-27096, CVE-2021-28312 |
| Open Source Software | 1 | CVE-2021-28458 |
| Microsoft Office Word | 1 | CVE-2021-28453 |
| Microsoft Windows Speech | 3 | CVE-2021-28347, CVE-2021-28351, CVE-2021-28436 |
| Windows Resource Manager | 1 | CVE-2021-28320 |
| Windows Installer | 4 | CVE-2021-26413, CVE-2021-26415, CVE-2021-28437, CVE-2021-28440 |
| Visual Studio | 1 | CVE-2021-27064 |
| Visual Studio Code – GitHub Pull Requests and Issues Extension | 1 | CVE-2021-28470 |
| Windows Network File System | 1 | CVE-2021-28445 |
| Microsoft Office SharePoint | 1 | CVE-2021-28450 |
| Microsoft Windows Codecs Library | 5 | CVE-2021-27079, CVE-2021-28317, CVE-2021-28464, CVE-2021-28466, CVE-2021-28468 |
| Visual Studio Code | 6 | CVE-2021-28457, CVE-2021-28469, CVE-2021-28471, CVE-2021-28475, CVE-2021-28477, CVE-2021-28473 |
| Windows Application Compatibility Cache | 1 | CVE-2021-28311 |
| Visual Studio Code – Maven for Java Extension | 1 | CVE-2021-28472 |
| Microsoft Office Excel | 4 | CVE-2021-28449, CVE-2021-28451, CVE-2021-28454, CVE-2021-28456 |
| Microsoft Graphics Component | 4 | CVE-2021-28318, CVE-2021-28348, CVE-2021-28349, CVE-2021-28350 |
| Azure AD Web Sign-in | 1 | CVE-2021-27092 |
| Windows Event Tracing | 2 | CVE-2021-27088, CVE-2021-28435 |
| Windows Kernel | 2 | CVE-2021-27093, CVE-2021-28309 |
| Windows Services and Controller App | 1 | CVE-2021-27086 |
| Role: Hyper-V | 4 | CVE-2021-26416, CVE-2021-28314, CVE-2021-28441, CVE-2021-28444 |
| Microsoft Exchange Server | 4 | CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483 |
| Windows ELAM | 1 | CVE-2021-27094 |
| Windows Remote Procedure Call Runtime | 27 | CVE-2021-28327, CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339, CVE-2021-28340, CVE-2021-28341, CVE-2021-28342, CVE-2021-28343, CVE-2021-28344, CVE-2021-28345, CVE-2021-28346, CVE-2021-28352, CVE-2021-28353, CVE-2021-28354, CVE-2021-28355, CVE-2021-28356, CVE-2021-28357, CVE-2021-28358, CVE-2021-28434 |
| Microsoft Internet Messaging API | 1 | CVE-2021-27089 |
| Windows Registry | 1 | CVE-2021-27091 |
| Azure Sphere | 1 | CVE-2021-28460 |
| Windows AppX Deployment Extensions | 1 | CVE-2021-28326 |
| Windows Diagnostic Hub | 3 | CVE-2021-28313, CVE-2021-28321, CVE-2021-28322 |
| Windows Portmapping | 1 | CVE-2021-28446 |
| Windows Overlay Filter | 1 | CVE-2021-26417 |
| Windows Secure Kernel Mode | 1 | CVE-2021-27090 |
| Windows Win32K | 2 | CVE-2021-27072, CVE-2021-28310 |
| Microsoft Office Outlook | 1 | CVE-2021-28452 |
| Windows TCP/IP | 3 | CVE-2021-28319, CVE-2021-28439, CVE-2021-28442 |
| Windows Early Launch Antimalware Driver | 1 | CVE-2021-28447 |
| Microsoft Windows DNS | 2 | CVE-2021-28323, CVE-2021-28328 |
| Windows SMB Server | 2 | CVE-2021-28324, CVE-2021-28325 |
| Windows Media Player | 2 | CVE-2021-27095, CVE-2021-28315 |
| Microsoft Edge (Chromium-based) | 6 | CVE-2021-21194, CVE-2021-21195, CVE-2021-21196, CVE-2021-21197, CVE-2021-21198, CVE-2021-21199 |
| Windows WLAN Auto Config Service | 1 | CVE-2021-28316 |
| Azure DevOps | 2 | CVE-2021-27067, CVE-2021-28459 |
| Windows Console Driver | 2 | CVE-2021-28438, CVE-2021-28443 |

Other Information

There were no advisories included in the April security guidance. There are, however, other vulnerabilities of note.

Apply Microsoft April 2021 Security Update to Mitigate Newly Discovered Microsoft Exchange Vulnerabilities. [US-CERT]

The National Cyber Awareness System has a new update regarding a set of vulnerabilities discovered by the NSA in Microsoft Exchange. They recommend applying these updates immediately and have issued Supplemental Directive Version 2 to the previously released ED 21-02. This includes:

Kerberos KDC Security Feature Bypass Vulnerability [CVE-2020-17049]

Microsoft has released version 5 of this security guidance as the default settings have now changed. It is now assumed that all domain controllers have the December update installed. Additionally, the PerformTicketSignature registry key can no longer be set to 0, which previously disabled Kerberos Service Ticket Signatures, leaving domains unprotected. Now, if you set PerformTicketSignature to 0, it will act the same as if it were set to 1. You can find more details in KB4598347.
