The CVE-2021-40449 Vulnerability
Yesterday (Tuesday, 12 October), Microsoft released its monthly security updates, fixing a total of 71 newly disclosed vulnerabilities in Windows and other Microsoft software, including CVE-2021-40449. Among them is an actively exploited elevation-of-privilege bug that can be chained with a remote code execution vulnerability to take full control of a vulnerable machine.
Of the 71 vulnerabilities, two are rated Critical, 68 Important, and one Low. Three were publicly known at the time of writing, and four are considered zero-day flaws. The zero-day vulnerabilities are:
- CVE-2021-40449 (CVSS score: 7.8) – Win32k Elevation of Privilege Flaw
- CVE-2021-41335 (CVSS score: 7.8) – Windows Kernel Elevation of Privilege Flaw
- CVE-2021-40469 (CVSS score: 7.2) – Windows DNS Server Remote Code Execution Flaw
- CVE-2021-41338 (CVSS score: 5.5) – Windows AppContainer Firewall Rules Security Feature Bypass Flaw
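A quick way to confirm that a Windows host has actually received this month's fixes, added here as an example and not part of the original article, is to list updates installed on or after the Patch Tuesday date and report the current OS build together with the version of the Win32k driver in which CVE-2021-40449 lives. The script relies on Get-HotFix, which only reports updates that register as hotfixes, so a negative result means "verify manually", not "confirmed vulnerable"; the 12 October 2021 threshold and the choice of win32kfull.sys as the file to inspect are assumptions, and no specific KB numbers are asserted.

```powershell
# Added example: report whether a host appears to have received the October 2021 security updates.
# Assumption: any update installed on or after Patch Tuesday (12 Oct 2021) indicates the fixes for
# CVE-2021-40449 and the other flaws listed above are present. Get-HotFix only lists updates that
# register as hotfixes, so treat a negative result as "needs verification", not as proof of exposure.

$patchTuesday = [datetime]'2021-10-12'

# Current OS build, including the Update Build Revision (UBR) that a cumulative update bumps.
$ntVer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $ntVer.CurrentBuild, $ntVer.UBR

# File version of the Win32k driver (win32kfull.sys on Windows 10/11; assumption: that is the
# binary to compare against the post-patch version for the host's Windows release).
$win32k = Get-Item "$env:SystemRoot\System32\win32kfull.sys" -ErrorAction SilentlyContinue
$win32kVer = if ($win32k) { $win32k.VersionInfo.FileVersion } else { 'not found' }

# Updates installed on or after Patch Tuesday. InstalledOn can be $null for some entries,
# so filter those out before comparing dates.
$recent = @(Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending)

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OSBuild            = $build
    Win32kFullVersion  = $win32kVer
    UpdatesSince1012   = ($recent | ForEach-Object { $_.HotFixID }) -join ', '
    LikelyPatched      = ($recent.Count -gt 0)
}
```

Run it on each host, or wrap it in Invoke-Command for a fleet; the OSBuild value can then be compared against the build numbers Microsoft lists in the advisory for that Windows version, which is a more reliable check than the hotfix list alone.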
The MysterySnail zero-day flaw
The first of the four, CVE-2021-40449, is a use-after-free bug in the Win32k kernel driver discovered by Kaspersky. According to Kaspersky's researchers, it has been exploited in the wild since late August or early September this year in a large-scale espionage campaign targeting IT companies, defense contractors and diplomatic entities. Kaspersky refers to the campaign and the malware it delivers as "MysterySnail".
Kaspersky's researchers link the MysterySnail attacks to the IronHusky threat actor, which has been active since 2012. The infection chain ends with the deployment of a Trojan that gives the attackers remote access to the compromised system and collects system information before awaiting further commands from its operators.
Other notable fixes address remote code execution bugs in Microsoft Exchange Server (CVE-2021-26427), Windows Hyper-V (CVE-2021-38672 and CVE-2021-40461), SharePoint Server (CVE-2021-40487 and CVE-2021-41344) and Microsoft Word (CVE-2021-40486), as well as an information disclosure vulnerability in the Rich Text Edit Control (CVE-2021-40454).
CVE-2021-26427, reported to Microsoft by the U.S. National Security Agency (NSA), has a CVSS score of 9.0; Exchange servers belonging to high-value organizations, such as large enterprise networks, are considered the most likely targets.
This month's updates also fix two new Print Spooler vulnerabilities, CVE-2021-41332 and CVE-2021-36970. The first is an information disclosure flaw and the second a spoofing flaw, and both are rated as likely to be exploited in the wild.
According to researchers, spoofing vulnerabilities of this kind let an attacker impersonate another user in order to abuse the Print Spooler service, which in earlier Spooler bugs has led to arbitrary code execution on the targeted system and on print servers.
Software Patches From Other Vendors
A number of other vendors have also released security updates this month to address their own newly discovered flaws, including Apple, Google (Android), SAP, Siemens, the major Linux distributions, VMware, Adobe, Cisco and Intel, among others.