Microsoft Patch Tuesday Expert Commentary

By   ISBuzz Team
Writer , Information Security Buzz | Sep 15, 2021 05:18 am PST
Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Adam Bunn
Adam Bunn , Lead Software Engineer
InfoSec Expert
September 16, 2021 9:38 am

<p><strong>Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM</strong></p><p>With a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates they took caution not to delete users\’ backups, but the trade-off is that customers will need to do the chore themselves. We\’ve updated our <a href=\"\">blog</a> post with this additional information.</p><p> </p><p><strong>Windows LSA Spoofing Vulnerability aka ADV210003</strong></p><p>Another high-priority action for patching teams is CVE-2021-36942. This update patches one of the vectors used in the PetitPotam attack. After applying this update there are additional configurations required in order to protect systems from other attack vectors using registry keys. The InsightVM team has included detection for the registry keys needed to enable EPA and SMB Signing in addition to the normal update. Please see our <a href=\"\">blog</a> post for more information.</p><p> </p><p><strong>Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability</strong></p><p>While <a href=\"\">Microsoft</a> has not offered up any details for this vulnerability we can glean some info from the CVSS information. This remote code execution vulnerability is reachable from the network service with no authentication or user action required. There may not be an exploit available for this yet, but Microsoft indicates that “Exploitation [is] more likely”. Put this update near the top of your TODO list.</p><p> </p><p><strong><a href=\"\">Windows</a> TCP/IP Remote Code Execution Vulnerability</strong></p><p>Last on our list is a vulnerability that can result in remote execution on a Hyper-V host via the IPv6 networking stack. If your environment used Hyper-V this should be first on your list this month.</p>

Last edited 2 years ago by Adam Bunn

Recent Posts

Would love your thoughts, please comment.x