Microsoft Patch Tuesday Expert Commentary

Experts Comments

September 16, 2021
Adam Bunn
Lead Software Engineer
Rapid7.com

Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM

With a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates

.....Read More

Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM

With a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates they took caution not to delete users' backups, but the trade-off is that customers will need to do the chore themselves. We've updated our blog post with this additional information.

 

Windows LSA Spoofing Vulnerability aka ADV210003

Another high-priority action for patching teams is CVE-2021-36942. This update patches one of the vectors used in the PetitPotam attack. After applying this update there are additional configurations required in order to protect systems from other attack vectors using registry keys. The InsightVM team has included detection for the registry keys needed to enable EPA and SMB Signing in addition to the normal update. Please see our blog post for more information.

 

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability

While Microsoft has not offered up any details for this vulnerability we can glean some info from the CVSS information. This remote code execution vulnerability is reachable from the network service with no authentication or user action required. There may not be an exploit available for this yet, but Microsoft indicates that “Exploitation [is] more likely”. Put this update near the top of your TODO list.

 

Windows TCP/IP Remote Code Execution Vulnerability

Last on our list is a vulnerability that can result in remote execution on a Hyper-V host via the IPv6 networking stack. If your environment used Hyper-V this should be first on your list this month.

  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.