VERT Threat Alert: June 2021 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s June 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-947 on Wednesday, June 9th.

In-The-Wild & Disclosed CVEs

CVE-2021-31955

This is one of two vulnerabilities fixed in today’s patch drop which were reported by Kaspersky Lab after detecting exploitation by threat actor PuzzleMaker. This Windows Kernel Information Disclosure could allow an attacker to read kernel memory via a user mode process via a vulnerable function call related to SuperFetch. The vulnerability in ntoskrnl.exe has been exploited in the wild.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-31956

This is the second of two vulnerabilities fixed in today’s patch drop which were reported by Kaspersky Lab after detecting exploitation by threat actor PuzzleMaker. This vulnerability requires that an authenticated user execute code locally in order to exploit a heap-based buffer overflow in NTFS (ntfs.sys) that will allow for privilege escalation.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-33739

This CVE describes a publicly disclosed and exploited vulnerability in Desktop Window Manager (DWM) Core that could lead to privilege escalation via the execution of a malicious script or executable by an authenticated user.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-33742

Google’s Threat Analysis Group (TAG) reported this vulnerability in MSHTML that has been exploited in the wild to Microsoft. Microsoft has included an important to read FAQ entry on this vulnerability. They note that while Internet Explorer 11 is being retired on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying technology – MSHTML, EdgeHTML, and scripting platforms – are still supported. You can read more on the retirement in this Microsoft FAQ published last month. According to a tweet from Shane Huntley, this appears to be “a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting”

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-31201

This is the first of two vulnerabilities related to Adobe’s APSB21-29 security bulletin. A privilege escalation exists within the Microsoft Enhanced Cryptographic Provider that has been publicly exploited. Microsoft has indicate that you must install the June patch bundle in order to be protected against all three CVEs.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-31199

This is the second of two vulnerabilities related to Adobe’s APSB21-29 security bulletin. A privilege escalation exists within the Microsoft Enhanced Cryptographic Provider that has been publicly exploited. Microsoft has indicate that you must install the June patch bundle in order to be protected against all three CVEs.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-31968

This vulnerability has been disclosed but not publicly exploited and could allow a remote, unauthenticated attacker to perform a denial of service against Windows Remote Desktop Services.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

Tag CVE Count CVEs
Windows DCOM Server 1 CVE-2021-26414
.NET Core & Visual Studio 1 CVE-2021-31957
Visual Studio Code – Kubernetes Tools 1 CVE-2021-31938
Windows Bind Filter Driver 1 CVE-2021-31960
Windows Cryptographic Services 2 CVE-2021-31199, CVE-2021-31201
Windows Installer 1 CVE-2021-31973
Windows Common Log File System Driver 1 CVE-2021-31954
Windows Network File System 3 CVE-2021-31974, CVE-2021-31975, CVE-2021-31976
Microsoft Scripting Engine 1 CVE-2021-31959
Microsoft Office SharePoint 7 CVE-2021-26420, CVE-2021-31963, CVE-2021-31964, CVE-2021-31965, CVE-2021-31966, CVE-2021-31948, CVE-2021-31950
Microsoft Windows Codecs Library 1 CVE-2021-31967
Microsoft Office Excel 1 CVE-2021-31939
3D Viewer 3 CVE-2021-31942, CVE-2021-31943, CVE-2021-31944
Windows Kernel 2 CVE-2021-31951, CVE-2021-31955
Role: Hyper-V 1 CVE-2021-31977
Paint 3D 3 CVE-2021-31945, CVE-2021-31946, CVE-2021-31983
Microsoft DWM Core Library 1 CVE-2021-33739
Microsoft Office 2 CVE-2021-31940, CVE-2021-31941
Windows Defender 2 CVE-2021-31978, CVE-2021-31985
Windows Remote Desktop 1 CVE-2021-31968
Windows NTLM 1 CVE-2021-31958
Windows MSHTML Platform 1 CVE-2021-33742
Windows Event Logging Service 1 CVE-2021-31972
Windows Filter Manager 1 CVE-2021-31953
Windows Drivers 1 CVE-2021-31969
Microsoft Office Outlook 1 CVE-2021-31949
Windows TCP/IP 1 CVE-2021-31970
Windows Kerberos 1 CVE-2021-31962
Windows Kernel-Mode Drivers 1 CVE-2021-31952
Windows Print Spooler Components 1 CVE-2021-1675
Windows HTML Platform 1 CVE-2021-31971
Microsoft Edge (Chromium-based) 1 CVE-2021-33741
Microsoft Intune 1 CVE-2021-31980
Windows NTFS 1 CVE-2021-31956

Other Information

There were no advisories included in the June Security Guidance.