Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 41 vulnerabilities that were fixed in 13 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Microsoft has released 13 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
This security update contains the following KBs:
KB4493210
KB4493223
KB4493194
KB4493195
QID Detection Logic:
This authenticated QID checks the file versions from the above Microsoft KB article with the versions on the affected SharePoint system.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2021
This security update contains the following KBs:
KB4493211
KB4493222
KB4493196
KB4493192
KB4493204
QID Detection Logic:
This authenticated QID checks the file versions from the Microsoft advisory with the versions on the affected Office system.
Note: Office Click-to-Run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2021
QID Detection Logic (Authenticated):
This QID checks the Windows registry key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" and is posted when the value "DisableIPSourceRouting" is 2.
Affected Software:
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
Microsoft Visual Studio 2019 version 16.8
QID Detection Logic (Authenticated):
This QID detects vulnerable versions of Microsoft Visual Studio by checking the file version of devenv.exe.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-1639 Windows
Microsoft has released Servicing Stack security updates for Windows.
QID Detection Logic (Authenticated):
This authenticated QID checks the file version of CbsCore.dll.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV990001
The following KBs are covered in this detection:
KB4601056, KB4601318, KB4601354, KB4601887, KB4602958, KB4602959, KB4602960, KB4602961, KB4603002, KB4603003, KB4603004
This security update is rated Important for supported versions of Microsoft .NET Framework.
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 and 4.8
QID Detection Logic (Authenticated):
- Checks for a vulnerable version of System.web.dll for .NET Framework
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-24111
Affected Software:
Microsoft System Center 2012 Endpoint Protection
Microsoft Security Essentials
Microsoft System Center 2012 R2 Endpoint Protection
Microsoft System Center Endpoint Protection
Windows Defender
QID Detection Logic (Authenticated):
Detection checks for mpengine.dll file version less than 1.1.17800.5
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-24092
All supported versions of Windows are affected.
The KB Articles associated with the update:
KB4601345
KB4601354
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
KB4601331
This QID checks for the file version of tcpip.sys
The following versions of tcpip.sys with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601354 - 10.0.17134.2026
KB4601366 - 6.0.6003.21039
KB4601348 - 6.2.9200.23267
KB4601349 - 6.3.9600.19935
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21039
KB4601384 - 6.3.9600.19935
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23267
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
KB4601331 - 10.0.10240.18841
1. CVE-2021-24074: Set sourceroutingbehavior to "drop"
Use the following command:
"netsh int ipv4 set global sourceroutingbehavior=drop"
2. CVE-2021-24086 and CVE-2021-24094: Set global reassemblylimit to 0
Use the following command:
"Netsh int ipv6 set global reassemblylimit=0"
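As an added example (not Qualys detection code), the PowerShell below runs the tcpip.sys version comparison locally against the fixed versions listed above and reports whether the two workarounds are set. It assumes that a file at or above the listed revision for its OS branch is patched, and that the NetTCPIP cmdlets Get-NetIPv4Protocol and Get-NetIPv6Protocol are available (Windows 8 / Server 2012 and later).

```powershell
# Added example, not Qualys detection code. Requires Windows PowerShell 3.0+.
# Fixed tcpip.sys revision per OS branch (major.minor.build), from the list above.
$FixedRevision = @{
    '10.0.19041' = 804;   '10.0.18362' = 1377;  '10.0.17763' = 1757
    '10.0.17134' = 2026;  '10.0.14393' = 4225;  '10.0.10240' = 18841
    '6.3.9600'   = 19935; '6.2.9200'   = 23267
    '6.1.7601'   = 24565; '6.0.6003'   = 21039
}

# Assumption: same branch and revision >= the listed value means patched.
function Test-TcpipPatched {
    param([Parameter(Mandatory = $true)][System.Version]$FileVersion)
    $branch = '{0}.{1}.{2}' -f $FileVersion.Major, $FileVersion.Minor, $FileVersion.Build
    if (-not $FixedRevision.ContainsKey($branch)) { return $null }  # branch not in the list
    return ($FileVersion.Revision -ge $FixedRevision[$branch])
}

# Build the version from the numeric parts; the FileVersion string can carry extra text.
$vi  = (Get-Item "$env:SystemRoot\System32\drivers\tcpip.sys").VersionInfo
$ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
$patched = Test-TcpipPatched -FileVersion $ver

# Workaround state, read back through the NetTCPIP module
# (assumed present: Windows 8 / Server 2012 and later; skipped otherwise).
$srcRouting = $null; $reassembly = $null
if (Get-Command Get-NetIPv4Protocol -ErrorAction SilentlyContinue) {
    $srcRouting = (Get-NetIPv4Protocol).SourceRoutingBehavior  # 'Drop' after the CVE-2021-24074 workaround
    $reassembly = (Get-NetIPv6Protocol).ReassemblyLimit        # 0 after the CVE-2021-24086/24094 workaround
}

[pscustomobject]@{
    TcpipVersion       = $ver.ToString()
    Patched            = $patched                      # $null = branch not in the list
    SourceRoutingDrop  = ("$srcRouting" -eq 'Drop')
    Ipv6ReassemblyZero = ($reassembly -eq 0)
}
```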
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
The KB Articles associated with the update:
KB4601345
KB4601354
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
KB4601331
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601354 - 10.0.17134.2026
KB4601366 - 6.0.6003.21045
KB4601348 - 6.2.9200.23272
KB4601349 - 6.3.9600.19939
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21045
KB4601384 - 6.3.9600.19939
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23272
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
KB4601331 - 10.0.10240.18841
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
Affected Software:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server 2019 (Server Core installation)
Windows Server 2019
The KB Articles associated with the update:
KB4601345
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
QID Detection Logic (Authenticated):
This QID checks for the file version of dns.exe
The following versions of dns.exe with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601366 - 6.0.6003.21055
KB4601348 - 6.2.9200.23284
KB4601349 - 6.3.9600.19939
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21055
KB4601384 - 6.3.9600.19939
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23284
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
Affected Software:
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
The KB Articles associated with the update:
KB4601345
KB4601319
KB4601315
KB4601354
This QID checks for the file version of win32kfull.sys
The following versions of win32kfull.sys with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601319 - 10.0.19041.804
KB4601315 - 10.0.18362.1377
KB4601354 - 10.0.17134.2026
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
Vulnerability details are unknown at this time.
Note: To exploit this vulnerability, the Windows Fax and Scan feature needs to be enabled, and the Fax service needs to be running. Systems that do not have the Fax service running are not vulnerable.
Affected Software:
All supported versions of Windows are affected.
The KB Articles associated with the update:
KB4601345
KB4601354
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
KB4601331
This QID checks for the file version of fxssvc.exe
The following versions of fxssvc.exe with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601354 - 10.0.17134.2026
KB4601366 - 6.0.6003.21045
KB4601348 - 6.2.9200.23274
KB4601349 - 6.3.9600.19941
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21045
KB4601384 - 6.3.9600.19941
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23274
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
KB4601331 - 10.0.10240.18841
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
Affected versions:
Any .NET Core 2.1, 3.1 or .NET 5.0 application running on .NET Core 2.1.25, 3.1.12 or .NET 5.0.3 or lower respectively.
QID Detection Logic (Authenticated):
The QID looks for subdirectories under %programfiles%\dotnet\shared\Microsoft.NETCore.App and %programfiles(x86)%\dotnet\shared\Microsoft.NETCore.App, and checks for vulnerable versions in the .version file on Windows.
QID Detection Logic (Authenticated):
This QID will detect the vulnerable version of Microsoft ASP.NET Core by using commands:
ls -d /usr/share/dotnet/shared/Microsoft.NETCore.App/*
ls -d /usr/local/share/dotnet/shared/Microsoft.NETCore.App/*
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-1721 MAC
CVE-2021-1721 Windows
These new vulnerability checks are included in Qualys vulnerability signature 2.5.103-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
To perform a selective vulnerability scan, configure a scan profile to use the following options:
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Platforms and Platform Identification
For more information, customers may contact Qualys Technical Support.
The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.