
Patch Tuesday: Multiple severe vulnerabilities in multiple Microsoft products

Reference: 
Advisory #2021-0006
Version: 
1.0
Affected software: 
Various software and operating systems, including:
Microsoft Windows 10
Microsoft Windows Server 2019
Microsoft Exchange Server
Microsoft Azure
Type: 
Several types, ranging from information disclosure to privilege escalation and remote code execution.
CVE/CVSS: 

108 vulnerabilities, of which:

Critical:

  • CVE-2021-28460
  • CVE-2021-28480
  • CVE-2021-28481
  • CVE-2021-28482
  • CVE-2021-28483
  • CVE-2021-28329
  • CVE-2021-28330
  • CVE-2021-28331
  • CVE-2021-28332
  • CVE-2021-28333
  • CVE-2021-28334
  • CVE-2021-28335
  • CVE-2021-28336
  • CVE-2021-28337
  • CVE-2021-28338
  • CVE-2021-28339
  • CVE-2021-28343
  • CVE-2021-27095
  • CVE-2021-28315

Publicly disclosed:

  • CVE-2021-28458
  • CVE-2021-27091
  • CVE-2021-28437
  • CVE-2021-28312

Actively exploited:

  • CVE-2021-28310

Risks

This release fixes multiple vulnerabilities in Microsoft products, carrying a range of risks. Some can only crash the targeted device (denial of service), while others can be used to take complete control of it.

This month’s Patch Tuesday includes fixes for several severe vulnerabilities in Microsoft Exchange Server that can be used to run arbitrary code on the vulnerable server. Microsoft rates these vulnerabilities as “Critical”; they require urgent attention.

The patch list also includes several critical vulnerabilities in the Windows Remote Procedure Call (RPC) implementation. These can likewise be used to run arbitrary code on the vulnerable device, and they affect both workstation and server editions of Windows.

Other vulnerabilities are also present, with severities ranging from “Moderate” to “Critical”. In total, Microsoft released patches for 108 vulnerabilities: 19 of them carry the highest severity rating (Critical) and one is being actively exploited.

Description

Microsoft has released multiple patches for vulnerabilities covering a range of its products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft software and devices. This month’s release covers 108 vulnerabilities, 19 of which are rated “Critical”, and one of which is being actively exploited. Given the severity and risk of these vulnerabilities, urgent patching is advised.

Recommended Actions

CERT.be recommends installing the updates on vulnerable devices with the highest priority. Updates can be installed through Windows Update (or the organization’s usual update management tooling), and the individual updates can be looked up in Microsoft’s Security Update Guide (1).
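The following PowerShell script is an added example, not part of the CERT.be advisory, for verifying on a Windows 10 or Windows Server 2019 host whether the April 2021 cumulative update is present. It compares the running OS build (CurrentBuild and UBR from the registry) against the build numbers Microsoft’s April 2021 release notes give for KB5001330 (Windows 10 2004/20H2) and KB5001339 (Windows 10 1809 / Windows Server 2019); those KB and build numbers are assumptions taken from the release notes and should be confirmed against reference (1) before relying on them. Other Windows versions, and Exchange Server, need their own entries.

```powershell
# Added example (not from the CERT.be advisory): check whether the April 2021
# cumulative update is installed on a Windows 10 / Windows Server 2019 host.
# KB numbers and minimum UBR (Update Build Revision) values are taken from the
# April 2021 release notes; confirm them against the Security Update Guide.
$AprilPatchLevels = @{
    '19041' = @{ Kb = 'KB5001330'; MinUbr = 928  }   # Windows 10 2004
    '19042' = @{ Kb = 'KB5001330'; MinUbr = 928  }   # Windows 10 20H2
    '17763' = @{ Kb = 'KB5001339'; MinUbr = 1879 }   # Windows 10 1809 / Server 2019
}

function Test-AprilPatchLevel {
    param(
        [Parameter(Mandatory)][string]$CurrentBuild,  # e.g. '19042'
        [Parameter(Mandatory)][int]$Ubr               # e.g. 928
    )
    $expected = $AprilPatchLevels[$CurrentBuild]
    if (-not $expected) {
        return [pscustomobject]@{
            Build  = "$CurrentBuild.$Ubr"
            Status = 'Unknown'
            Note   = 'Build not in the table; look it up in the Security Update Guide'
        }
    }
    $status = if ($Ubr -ge $expected.MinUbr) { 'Patched' } else { 'Missing' }
    return [pscustomobject]@{
        Build  = "$CurrentBuild.$Ubr"
        Status = $status
        Note   = "$($expected.Kb) requires UBR >= $($expected.MinUbr)"
    }
}

# Read the running OS build from the registry (no admin rights needed).
$ver    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$result = Test-AprilPatchLevel -CurrentBuild $ver.CurrentBuild -Ubr ([int]$ver.UBR)
$result | Format-List

# Cross-check against the hotfix inventory. Get-HotFix can miss cumulative
# updates, so the build comparison above is the authoritative check.
$kbs = $AprilPatchLevels.Values | ForEach-Object { $_.Kb } | Select-Object -Unique
Get-HotFix | Where-Object HotFixID -in $kbs | Select-Object HotFixID, InstalledOn
```

Run it as an ordinary user on each host; a result of “Missing” means the April 2021 cumulative update (and with it the RPC and Win32k fixes listed above) is not installed. The build check is preferred over Get-HotFix alone because the Win32_QuickFixEngineering class that Get-HotFix reads does not reliably list cumulative updates. Exchange Server must be checked separately: the Exchange security update is a distinct package, and the required Exchange build for each cumulative update level is published in the Security Update Guide (1).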

References

  1. https://msrc.microsoft.com/update-guide
  2. https://isc.sans.edu/forums/diary/Microsoft+April+2021+Patch+Tuesday/27306/
  3. https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr
  4. https://www.tenable.com/blog/microsoft-s-april-2021-patch-tuesday-addres...