Virtual Administrator’s August 2021 Patch Recommendations
This month Microsoft released patches for 44 vulnerabilities with 7 rated “Critical” and 37 “Important” in severity.
All patches have been approved in our patch policy.
A light month with 44 vulnerabilities. There are three zero-day vulnerabilities patched. Two are public (CVE-2021-36936, CVE-2021-36942) and one is being exploited (CVE-2021-36948). CVE-2021-36948 is an elevation of privileges vulnerability in the Windows Update Medic Service. A Remote Code Execution (RCE) vulnerability (CVE-2021-26424) is the most concerning. A new Advisory (ADV210003) was posted warning of a NTLM Relay Attack known as “PetitPotam”. The monthly patches (CVE-2021-36942) limit exposure but additional guidance is given in KB5005413. For users still running backup to or from Windows Server 2008 SP2 devices, all patches introduce problems with Encrypted File System (EFS) – see “Known Issues” below.
Head Up!
A standalone SSU for newer versions of Windows 10. Microsoft had started wrapping these SSUs into the Cumulative Updates last March. For unclear reasons they released a standalone KB5005260 this month. They state, “If your devices do not have the May 11, 2021 update (KB5003173) or later LCU, you must install the special standalone August 10, 2021 SSU”. However, we have seen cases where machines with KB5003173 was installed, and the machines continued to have trouble with the patch scans. We recommend partners run our “MS Stack Audit AIO” agent procedure which installs the most current SSU for all Windows versions.
FYI PrintNightmare Over?
Microsoft claims this is now fully patched. The out-of-band patch released last month had several limitations in it. The July cumulative update intended to address the flaws, but more were found. Now they believe it is fully patched with CVE-2021-34481. “Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. This security update changes the Point and Print default behavior; please see KB5005652.”
Another critical Print Spooler flaw (CVE-2021-36936) was release although it’s not clear if this bug is related to PrintNightmare or a different vulnerability.
Disclosed: CVE-2021-36936, CVE-2021-36942
Exploited: CVE-2021-36948
Security Update Guide
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.
We will no longer listing “affected software” in this post. Previously Microsoft listed affected “software”. This month the list includes “products, features and roles” which makes the list too long. If you look at the month’s Release Notes on the Security Update Guide page you can view this list.
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:08/11/2021)
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: KB5005260 for Windows 10 versions 2004, 20H2, and 21H1 rows has been added back to the table for the August 2021 updates. For Windows Server Update Services (WSUS) deployment or when installing the standalone package from Microsoft Update Catalog: If your devices do not have the May 11, 2021 update (KB5003173) or later LCU, you must install the special standalone August 10, 2021 SSU (KB5005260).
ADV210003 | Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) (Published:07/23/2021 | Last Updated:07/28/2021)
Summary: Microsoft is aware of PetitPotam which can potentially be used in an attack on Windows domain controllers or other Windows servers. PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers. For example, see Microsoft Security Advisory 974926.
To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413* instruct customers on how to protect their AD CS servers from such attacks.
You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services:
Certificate Authority Web Enrollment
Certificate Enrollment Web Service
KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
Known Issues
There is only one new known issue posted by Microsoft. It affect printing to or from Windows Server 2008 SP2.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.
Backup software may not work to or from a Windows Server 2008 SP2 device
Windows LSA Spoofing Vulnerability (CVE-2021-36942)
Symptom: After installing this update, the Encrypted File System (EFS) API OpenEncryptedFileRaw(A/W), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device. OpenEncryptedFileRaw will continue to work on all other versions of Windows (local and remote).
Workaround: This behavior is expected because we addressed the issue in CVE-2021-36942.
Note If you cannot use backup software on Windows 7 SP1 and Server 2008 R2 SP1 or later after installing this update, contact the manufacturer of your backup software for updates and support.
Good resource for known issues with Windows 10 patches. Find the version and click on “Known issues”.
Windows message center
Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs
Links are https://support.microsoft.com/
Security and Quality Rollup
- KB5005088 – Windows 7, Windows Server 2008 R2 (ESU)
- KB5005076 – Windows 8.1, Windows Server 2012 R2
- KB5005099 – Windows Server 2012
- KB5005090 – Windows Server 2008 (ESU)
Security Only Update
- KB5005089 – Windows 7, Windows Server 2008 R2 (ESU)
- KB5005106 – Windows 8.1, Windows Server 2012 R2
- KB5005094 – Windows Server 2012
- KB5005095 – Windows Server 2008 (ESU)
Cumulative Update for Windows 10
- KB5005040 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB5005043 – Version 1607 “Anniversary Update” (OS Build 14393)
- None – Version 1703 “Creators Update” (OS Build 15063)
- None – Version 1709 “Fall Creators Update” (OS Build 16299)
- None – Version 1803 “Spring Creators Update” (OS Build 17134)
- KB5005030 – Version 1809 “October 2018 Update” (OS Build 17763)
- None – Version 1903 “May 2019 Update” (OS Build 18362)
- KB5005031 – Version 1909 “November 2019 Update” (OS Build 18363)
- KB5005033 – Version 2004 “May 2020 Update” (OS Build 19041)
- KB5005033 – Version 20H2 “October 2020 Update” (OS Build 19042)
- KB5005033 – Version 21H1 “May 2021 Update” (OS Build 19043)
Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
August 2021 updates for Microsoft Office
Notable CVEs
CVE-2021-34481 | Windows Print Spooler Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
UPDATE August 10, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. This security update changes the Point and Print default behavior; please see KB5005652.
CVE-2021-34535 | Remote Desktop Client Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.
In the case of Hyper-V, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer when a victim running on the host connects to the attacking Hyper-V guest.
CVE-2021-26424 | Windows TCP/IP Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
This is remotely triggerable by a malicious Hyper-V guest sending an ipv6 ping to the Hyper-V host. An attacker could send a specially crafted TCPIP packet to its host utilizing the TCPIP Protocol Stack (tcpip.sys) to process packets.
CVE-2021-36936 and CVE-2021-36947 | Windows Print Spooler Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
CVE-2021-36942 | Windows LSA Spoofing Vulnerability (Cumulative Update/Monthly Rollup)
An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. This security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface.
CVE-2021-36948 | Windows Update Medic Service Elevation of Privilege Vulnerability (Cumulative Update)
https://msrc.microsoft.com/
