
Today’s VERT Alert addresses Microsoft’s July 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-954 on Wednesday, July 14th.

In-The-Wild & Disclosed CVEs

CVE-2021-34527

The vulnerability dubbed PrintNightmare was patched in an out-of-band update prior to the Tuesday patch drop, but it is still worth including here, not least because it generated a great deal of confusion about which CVE it belongs to. CVE-2021-1675 was patched in June, and the PrintNightmare proof of concept still worked on systems with that update, so articles claimed that the patch was broken or had been bypassed. Microsoft clarified this in the FAQ for CVE-2021-34527: it is a distinct vulnerability from CVE-2021-1675 that existed before the June patch, which is why there are now two CVEs and a lot of confusion in discussions around PrintNightmare.

The vulnerability itself allows an authenticated user to execute code as SYSTEM, so there are concerns that it could be incorporated into malware for lateral movement. It is important to note that the Point and Print registry settings can return a patched system to a vulnerable state, so installing the update alone is not sufficient. This vulnerability has been publicly disclosed and is being actively exploited.
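The following PowerShell audit is an added example and is not part of the VERT alert or Microsoft's tooling. It checks the two Point and Print values that Microsoft's CVE-2021-34527 FAQ says must be 0 or undefined for the update to be effective (NoWarningNoElevationOnInstall and UpdatePromptSettings), the RestrictDriverInstallationToAdministrators hardening that Microsoft documented alongside the fix in KB5005010, and whether the Print Spooler service is running at all. The registry path and value names are Microsoft's; the warning text and the decision to treat a running Spooler as a finding are this example's own choices.

```powershell
# Added example (not from the VERT alert): audit Point and Print settings and the
# Spooler service state on the local host. Run from an elevated PowerShell prompt.
$pointAndPrintPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    # Returns the DWORD value as an [int], or $null when the key or value is absent
    # (absent counts as the safe default for the first two values checked below).
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path -Path $pointAndPrintPath)) { return $null }
    $props = Get-ItemProperty -Path $pointAndPrintPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return $null }
    return [int]$props.$Name
}

$findings = @()

# Per Microsoft's CVE-2021-34527 FAQ, either of these set to a non-zero value
# re-enables the vulnerable behaviour even on a patched system.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = Get-PointAndPrintValue -Name $name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "$name = $value (must be 0 or undefined; host remains exposed to CVE-2021-34527)"
    }
}

# Hardening documented in KB5005010: 1 restricts printer driver installation to administrators.
$restrict = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
if ($restrict -ne 1) {
    $findings += 'RestrictDriverInstallationToAdministrators is not 1 (non-admin driver installs still permitted)'
}

# A running Spooler on a host that never prints (e.g. a domain controller) is avoidable attack surface.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += "Print Spooler service is running (StartType: $($spooler.StartType))"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Point and Print settings match Microsoft guidance and the Spooler is not running.'
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}
```

Run it after installing the July update on each print server and domain controller; any WARN line means the patch's protection is being undone by configuration or that the Spooler is exposed unnecessarily. The script only reads the registry and service state and changes nothing.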

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-33771

This CVE describes an actively exploited elevation of privilege vulnerability in the Windows kernel.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-34448

In order to exploit this vulnerability in a scripting engine, a user would have to visit a malicious page or open a specially crafted file. This vulnerability has seen active exploitation.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-31979

This CVE describes an actively exploited elevation of privilege vulnerability in the Windows kernel.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-34473

This code execution vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019 and has been publicly disclosed but is not currently seeing active exploitation. It is important to note that this vulnerability was actually fixed by the April 2021 patch drop, but Microsoft omitted it from the April 2021 Security Updates release notes.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2021-34492

This CVE describes a publicly disclosed certificate spoofing vulnerability that impacts all currently supported Windows releases.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-34523

This elevation of privilege vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019 and has been publicly disclosed but is not currently seeing active exploitation. It is important to note that this vulnerability was actually fixed by the April 2021 patch drop, but Microsoft omitted it from the April 2021 Security Updates release notes.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-33779

A publicly disclosed security feature bypass in Windows ADFS is resolved by this update. The vulnerability is related to Primary Refresh Tokens stored in the TPM. These tokens are used for SSO with Azure AD and, prior to this update, were stored with weak encryption that could potentially allow a malicious local administrator to extract and decrypt them.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-33781

A publicly disclosed vulnerability that allows the bypass of an Active Directory security feature is resolved with this update.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

Tag | CVE Count | CVEs
Windows Installer | 3 | CVE-2021-31961, CVE-2021-33765, CVE-2021-34511
Windows Partition Management Driver | 1 | CVE-2021-34493
Windows Remote Assistance | 1 | CVE-2021-34507
Windows Storage Spaces Controller | 6 | CVE-2021-33751, CVE-2021-34509, CVE-2021-34460, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513
Microsoft Windows Media Foundation | 3 | CVE-2021-34441, CVE-2021-34439, CVE-2021-34503
Microsoft Scripting Engine | 1 | CVE-2021-34448
Microsoft Office SharePoint | 5 | CVE-2021-34467, CVE-2021-34468, CVE-2021-34519, CVE-2021-34520, CVE-2021-34517
Windows Authenticode | 1 | CVE-2021-33782
Microsoft Windows Codecs Library | 8 | CVE-2021-31947, CVE-2021-33740, CVE-2021-33760, CVE-2021-34521, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778
Visual Studio Code | 3 | CVE-2021-34528, CVE-2021-34479, CVE-2021-34529
Windows Cloud Files Mini Filter Driver | 1 | CVE-2021-33784
Common Internet File System | 1 | CVE-2021-34476
Microsoft Office Excel | 2 | CVE-2021-34501, CVE-2021-34518
Windows Key Distribution Center | 1 | CVE-2021-33764
Dynamics Business Central Control | 1 | CVE-2021-34474
Microsoft Graphics Component | 5 | CVE-2021-34496, CVE-2021-34498, CVE-2021-34438, CVE-2021-34489, CVE-2021-34440
Windows Event Tracing | 1 | CVE-2021-33774
Windows File History Service | 1 | CVE-2021-34455
Windows Security Account Manager | 1 | CVE-2021-33757
Windows Kernel | 7 | CVE-2021-33771, CVE-2021-34500, CVE-2021-31979, CVE-2021-34458, CVE-2021-34508, CVE-2021-34461, CVE-2021-34514
Role: Hyper-V | 3 | CVE-2021-33755, CVE-2021-33758, CVE-2021-34450
Windows Remote Access Connection Manager | 6 | CVE-2021-33761, CVE-2021-33763, CVE-2021-33773, CVE-2021-34445, CVE-2021-34456, CVE-2021-34457
Windows Shell | 1 | CVE-2021-34454
Microsoft Office | 3 | CVE-2021-34452, CVE-2021-34469, CVE-2021-34451
Windows Address Book | 1 | CVE-2021-34504
Active Directory Federation Services | 1 | CVE-2021-33779
Windows AppContainer | 1 | CVE-2021-34459
Windows Defender | 2 | CVE-2021-34464, CVE-2021-34522
Windows Projected File System | 1 | CVE-2021-33743
Windows Desktop Bridge | 1 | CVE-2021-33759
Windows AppX Deployment Extensions | 1 | CVE-2021-34462
Windows Active Directory | 1 | CVE-2021-33781
Windows Local Security Authority Subsystem Service | 2 | CVE-2021-33786, CVE-2021-33788
Windows MSHTML Platform | 2 | CVE-2021-34447, CVE-2021-34497
Microsoft Exchange Server | 7 | CVE-2021-31196, CVE-2021-31206, CVE-2021-34523, CVE-2021-34473, CVE-2021-33766, CVE-2021-33768, CVE-2021-34470
Power BI | 1 | CVE-2021-31984
Windows Secure Kernel Mode | 1 | CVE-2021-33744
Role: DNS Server | 10 | CVE-2021-33780, CVE-2021-34442, CVE-2021-34444, CVE-2021-34494, CVE-2021-33745, CVE-2021-33749, CVE-2021-33750, CVE-2021-33752, CVE-2021-33756, CVE-2021-34525
Windows Win32K | 3 | CVE-2021-34491, CVE-2021-34449, CVE-2021-34516
Windows TCP/IP | 3 | CVE-2021-31183, CVE-2021-33772, CVE-2021-34490
OpenEnclave | 1 | CVE-2021-33767
Microsoft Bing | 1 | CVE-2021-33753
Windows Print Spooler Components | 1 | CVE-2021-34527
Microsoft Windows DNS | 3 | CVE-2021-34499, CVE-2021-33746, CVE-2021-33754
Windows HTML Platform | 1 | CVE-2021-34446
Windows Hello | 1 | CVE-2021-34466
Windows PFX Encryption | 1 | CVE-2021-34492
Windows AF_UNIX Socket Provider | 1 | CVE-2021-33785
Visual Studio Code – .NET Runtime | 1 | CVE-2021-34477
Windows Console Driver | 1 | CVE-2021-34488
Windows SMB | 1 | CVE-2021-33783


Other Information

There was an update to an existing advisory in the July security guidance.

Microsoft Guidance for Addressing Security Feature Bypass in GRUB [ADV200011]

Microsoft has updated ADV200011 with details of vulnerabilities patched in March that are related to the “There’s a Hole in the Boot” (BootHole) vulnerability, which allowed Secure Boot to be bypassed via GRUB.

Kerberos KDC Security Feature Bypass Vulnerability [CVE-2020-17049]

Microsoft has released version 6 of this security guidance, as the default setting has now changed to Enforcement mode. All domain controllers are now required to have the December 2020 update (or later) installed. The PerformTicketSignature registry value is now ignored, and Enforcement mode can no longer be overridden. You can find more details in KB4598347.
