Microsoft reports three critical vulnerabilities, a fourth ‘high’ vulnerability actively exploited

For October Patch Tuesday, Microsoft reported more than 70 vulnerabilities, three of which were rated as critical, with none of those three actively exploited. However, there was one exploited vulnerability, and while it was rated only “high,” security researchers say it’s important because it involves the Microsoft Windows operating system.

Jay Goodman, director of product marketing at Automox, said the exploited vulnerability — CVE-2021-40449 — is an important-priority privilege elevation vulnerability found in the Microsoft Windows Win32k process. Goodman said the vulnerability has been exploited in the wild and is rated as a "low-complexity, more likely to be exploited vulnerability."

“Attackers could use CVE-2021-40449 to elevate user privileges on the device once compromised,” Goodman said. “Privilege elevation attacks can be used to access beyond what the current user context of the device would allow, enabling attackers to perform unauthorized actions, delete or move data, view private information, or install malicious software.”

Two of the critical vulnerabilities — CVE-2021-38672 and CVE-2021-40461 — are a pair of remote code execution (RCE) vulnerabilities found in Windows Hyper-V, a native hypervisor that can create and run virtual machines on x86-64 systems that run Windows. Christopher Hass, director of information security and research at Automox, explained that successful exploitation of the RCEs could let a malicious guest VM read kernel memory in the host. The third critical vulnerability — CVE-2021-40486 — is a Microsoft Word RCE that impacts Microsoft Office, Word, and some versions of SharePoint.

Threat actors are actively exploiting CVE-2021-40449 to elevate from user to administrator permissions on compromised systems, said Jake Williams, co-founder and CTO at BreachQuest.

“While CVE-2021-40449 doesn’t allow for remote exploitation, that doesn’t mean security pros can take it lightly,” Williams said. “Threat actors regularly gain access to target machines using phishing attacks, and vulnerabilities such as CVE-2021-40449 allow them to more effectively bypass endpoint controls and evade detection. Because the code for this has already been weaponized by one threat actor, we should expect to see it weaponized by others more quickly because there’s already sample exploit code in the wild to work with.”

Danny Kim, principal architect at Virsec, added that RCE vulnerabilities are potentially dangerous and noted that they were also the root cause of the Hafnium and Kaseya attacks.

“Trying to mitigate the attacker’s actions after they have gained access is significantly harder than stopping the actions that led to the successful exploit,” Kim said. “This is why runtime monitoring of enterprises’ server workloads is becoming a key part of today’s cybersecurity. Stopping the exploitation of these vulnerabilities has to start with equipping the servers themselves with constant, deterministic runtime protection, not just detection.”
