Microsoft security alert.
February 9, 2021
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 41 vulnerabilities that were fixed in 13 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 13 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft SharePoint Enterprise Server Multiple Vulnerabilities February 2021
- Severity
- Critical 4
- Qualys ID
- 110372
- Vendor Reference
- KB4493194, KB4493195, KB4493210, KB4493223
- CVE Reference
- CVE-2021-1726, CVE-2021-24066, CVE-2021-24071, CVE-2021-24072
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft has released February 2021 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4493210
KB4493223
KB4493194
KB4493195
QID Detection Logic (Authenticated):
This authenticated QID checks the file versions listed in the above Microsoft KB articles against the versions on the affected SharePoint system.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2021
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2021
- Severity
- Critical 4
- Qualys ID
- 110373
- Vendor Reference
- KB4493192, KB4493196, KB4493204, KB4493211, KB4493222
- CVE Reference
- CVE-2021-24067, CVE-2021-24068, CVE-2021-24069, CVE-2021-24070
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released February 2021 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4493211
KB4493222
KB4493196
KB4493192
KB4493204
QID Detection Logic (Authenticated):
This authenticated QID checks the file versions listed in the Microsoft advisory against the versions on the affected Office system.
Note: Office Click-to-Run and Office 365 installations need to be updated manually or set to automatic update; there is no direct download for the patch.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance, KB4493192, KB4493196, KB4493204, KB4493211, KB4493222 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2021
-
Microsoft Mitigation Guidance for TCP/IP IPv4 Source routing Applied (CVE-2021-24074)
- Severity
- Minimal 1
- Qualys ID
- 45480
- Vendor Reference
- CVE-2021-24074
- CVE Reference
- N/A
- CVSS Scores
- Base / Temporal
- Description
-
Mitigation for "CVE-2021-24074 TCP/IP Vulnerability" is applied on the host.
QID Detection Logic (Authenticated):
This QID checks the Windows registry key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" and is posted when the value "DisableIPSourceRouting" is 2 (drop all incoming source-routed packets).
- Consequence
- NA
- Solution
-
Please refer to CVE-2021-24074 for more information.
-
Microsoft Visual Studio Security Update for February 2021
- Severity
- Critical 4
- Qualys ID
- 91729
- Vendor Reference
- CVE-2021-1639
- CVE Reference
- CVE-2021-1639, CVE-2021-1721
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released security update for Visual Studio which resolves multiple security vulnerabilities.
Affected Software:
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
Microsoft Visual Studio 2019 version 16.8
QID Detection Logic (Authenticated):
This QID detects vulnerable versions of Microsoft Visual Studio by checking the file version of devenv.exe.
- Consequence
- Successful exploitation can affect confidentiality, integrity and availability.
- Solution
-
Customers are advised to refer to CVE-2021-1639 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-1639 Windows
-
Microsoft Windows Servicing Stack Security Update February 2021
- Severity
- Medium 2
- Qualys ID
- 91732
- Vendor Reference
- ADV990001
- CVE Reference
- N/A
- CVSS Scores
- Base 3.6 / Temporal 2.7
- Description
-
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Microsoft has released Servicing Stack security updates for Windows.
QID Detection Logic (Authenticated):
This authenticated QID checks the file version of CbsCore.dll.
- Consequence
-
Successful exploitation may allow unauthorized disclosure of information, unauthorized modification or disruption of service.
- Solution
-
Customers are advised to refer to advisory ADV990001 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV990001
-
Microsoft .NET Framework Denial of Service Vulnerability - February 2021
- Severity
- Critical 4
- Qualys ID
- 91733
- Vendor Reference
- KB4578951, KB4601050, KB4601051, KB4601054, KB4601056, KB4601318, KB4601354, KB4601887, KB4602958, KB4602959, KB4602960, KB4602961, KB4603002, KB4603003, KB4603004, KB4603005
- CVE Reference
- CVE-2021-24111
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
A denial of service vulnerability exists in Microsoft .NET Framework.
The following KBs are covered in this detection:
KB4601056, KB4601318, KB4601354, KB4601887, KB4602958, KB4602959, KB4602960, KB4602961, KB4603002, KB4603003, KB4603004
This security update is rated Important for supported versions of Microsoft .NET Framework: .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 and 4.8.
QID Detection Logic (Authenticated):
- Checks for a vulnerable version of System.web.dll for .NET Framework
- Consequence
-
Successful exploitation allows an attacker to cause a denial of service.
- Solution
-
Customers are advised to refer to CVE-2021-24111 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-24111
-
Microsoft Defender Elevation of Privilege Vulnerability February 2021
- Severity
- Critical 4
- Qualys ID
- 91734
- Vendor Reference
- CVE-2021-24092
- CVE Reference
- CVE-2021-24092
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
Microsoft Defender is prone to an elevation of privilege vulnerability.
Affected Software:
Microsoft System Center 2012 Endpoint Protection
Microsoft Security Essentials
Microsoft System Center 2012 R2 Endpoint Protection
Microsoft System Center Endpoint Protection
Windows Defender
QID Detection Logic (Authenticated):
Detection checks for an mpengine.dll file version less than 1.1.17800.5.
- Consequence
-
Successful exploitation allows an attacker to gain elevated privileges on the system.
- Solution
-
Users are advised to check CVE-2021-24092 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-24092
-
Microsoft Windows TCP/IP Remote Code Execution Vulnerabilities
- Severity
- Urgent 5
- Qualys ID
- 91738
- Vendor Reference
- CVE-2021-24074, CVE-2021-24086, CVE-2021-24094
- CVE Reference
- CVE-2021-24074, CVE-2021-24086, CVE-2021-24094
- CVSS Scores
- Base 7.5 / Temporal 6.2
- Description
-
Microsoft released a set of fixes for the Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086).
All supported versions of Windows are affected. The KB Articles associated with the update:
KB4601345
KB4601354
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
KB4601331
QID Detection Logic (Authenticated):
This QID checks the file version of tcpip.sys.
The following versions of tcpip.sys with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601354 - 10.0.17134.2026
KB4601366 - 6.0.6003.21039
KB4601348 - 6.2.9200.23267
KB4601349 - 6.3.9600.19935
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21039
KB4601384 - 6.3.9600.19935
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23267
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
KB4601331 - 10.0.10240.18841
- Consequence
- Successful exploitation allows an attacker to execute code remotely and compromise the system.
- Solution
-
Customers are advised to refer to KB4601345
KB4601354
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
KB4601331
Note: Cumulative updates released in later months supersede these KBs and also contain the fix (for example, KB5000803 supersedes KB4601318), so installing a later cumulative update is sufficient.
Workaround:
1. CVE-2021-24074: set the IPv4 source routing behavior to "drop" with the following command:
netsh int ipv4 set global sourceroutingbehavior=drop
2. CVE-2021-24086 and CVE-2021-24094: set the IPv6 global reassembly limit to 0 with the following command:
netsh int ipv6 set global reassemblylimit=0
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
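The following PowerShell script is an added example, not Qualys or Microsoft code. It reproduces on the local host the two checks described in this entry and in the QID 45480 entry above: the tcpip.sys file-version comparison against the per-KB table, and the state of the two workarounds (the DisableIPSourceRouting registry value that QID 45480 reads, and the IPv6 reassembly limit). The version-check function is written generically so the same call works for the ntoskrnl.exe, dns.exe, win32kfull.sys and fxssvc.exe tables in the other entries; only the table and path change. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session and an English netsh output.

```powershell
# Added example (not part of the Qualys advisory): local checks for QID 91738 / QID 45480.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.

function Test-PatchedFileVersion {
    # Compares a binary's version with a table of patched versions keyed by
    # servicing branch (Major.Minor.Build). The same function works for any
    # file the advisory gives a per-KB version table for, not only tcpip.sys.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Table   # 'Major.Minor.Build' -> @{ Rev = <int>; KB = <string> }
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Use the numeric fields rather than the FileVersion string: on Windows 10
    # the string often still reads "10.0.19041.1 (WinBuild...)" after patching.
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $branch    = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build
    $entry     = $Table[$branch]
    $required  = $null; $kb = 'branch not in table'; $patched = $null
    if ($entry) {
        $required = [version]"$branch.$($entry.Rev)"
        $kb       = $entry.KB
        $patched  = $installed.Revision -ge $entry.Rev   # later cumulative updates only raise the revision
    }
    [pscustomobject]@{ File = $Path; Installed = $installed; Required = $required; KB = $kb; Patched = $patched }
}

# Lowest patched tcpip.sys revision per branch, copied from the KB table above.
# 20H2 shares tcpip.sys with 2004 (10.0.19041) and 1909 with 1903 (10.0.18362),
# which is why the table is keyed by file build rather than by OS release name.
$TcpipTable = @{
    '10.0.19041' = @{ Rev = 804;   KB = 'KB4601319' }
    '10.0.18362' = @{ Rev = 1377;  KB = 'KB4601315' }
    '10.0.17763' = @{ Rev = 1757;  KB = 'KB4601345' }
    '10.0.17134' = @{ Rev = 2026;  KB = 'KB4601354' }
    '10.0.14393' = @{ Rev = 4225;  KB = 'KB4601318' }
    '10.0.10240' = @{ Rev = 18841; KB = 'KB4601331' }
    '6.3.9600'   = @{ Rev = 19935; KB = 'KB4601349, KB4601384' }
    '6.2.9200'   = @{ Rev = 23267; KB = 'KB4601348, KB4601357' }
    '6.1.7601'   = @{ Rev = 24565; KB = 'KB4601363, KB4601347' }
    '6.0.6003'   = @{ Rev = 21039; KB = 'KB4601366, KB4601360' }
}

function Get-TcpipMitigationState {
    # QID 45480 reads this value: 2 = drop all incoming source-routed IPv4 packets,
    # which is what "netsh int ipv4 set global sourceroutingbehavior=drop" configures
    # (0 = forward, 1 = do not forward).
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $srcRoute = (Get-ItemProperty -Path $key -Name DisableIPSourceRouting -ErrorAction SilentlyContinue).DisableIPSourceRouting

    # The IPv6 reassembly limit is only exposed through netsh. Its label is
    # localized, so the pattern below assumes an English system.
    $v6    = netsh interface ipv6 show global | Out-String
    $reasm = $null
    if ($v6 -match 'Reassembly Limit\s*:\s*(\d+)') { $reasm = [int64]$Matches[1] }

    [pscustomobject]@{
        DisableIPSourceRouting = $srcRoute
        SourceRoutingDropped   = ($srcRoute -eq 2)   # workaround for CVE-2021-24074
        IPv6ReassemblyLimit    = $reasm
        IPv6ReassemblyDisabled = ($reasm -eq 0)      # workaround for CVE-2021-24086 / CVE-2021-24094
    }
}

Test-PatchedFileVersion -Path "$env:SystemRoot\System32\drivers\tcpip.sys" -Table $TcpipTable
Get-TcpipMitigationState
```

Patched = True means the installed revision is at or above the advisory's fixed revision, which also covers hosts that took a later cumulative update. A reassembly limit of 0 disables reassembly of fragmented IPv6 packets entirely, so legitimate fragmented traffic is dropped as well; treat that workaround as a stopgap until the update is installed.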
-
Microsoft Windows Security Update for February 2021
- Severity
- Critical 4
- Qualys ID
- 91739
- Vendor Reference
- KB4601315, KB4601318, KB4601319, KB4601331, KB4601345, KB4601347, KB4601348, KB4601349, KB4601354, KB4601357, KB4601360, KB4601363, KB4601366, KB4601384
- CVE Reference
- CVE-2021-1698, CVE-2021-1727, CVE-2021-1731, CVE-2021-1734, CVE-2021-24075, CVE-2021-24076, CVE-2021-24079, CVE-2021-24080, CVE-2021-24081, CVE-2021-24082, CVE-2021-24083, CVE-2021-24084, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24096, CVE-2021-24098, CVE-2021-24102, CVE-2021-24103, CVE-2021-24106, CVE-2021-25195
- CVSS Scores
- Base 6.8 / Temporal 5.3
- Description
-
Microsoft has released the February 2021 security update for Windows.
The KB Articles associated with the update:
KB4601345
KB4601354
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
KB4601331
QID Detection Logic (Authenticated):
This QID checks the file version of ntoskrnl.exe.
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601354 - 10.0.17134.2026
KB4601366 - 6.0.6003.21045
KB4601348 - 6.2.9200.23272
KB4601349 - 6.3.9600.19939
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21045
KB4601384 - 6.3.9600.19939
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23272
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
KB4601331 - 10.0.10240.18841
- Consequence
- A remote attacker could exploit this vulnerability and execute code on the target system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Windows DNS Server Remote Code Execution Vulnerability
- Severity
- Urgent 5
- Qualys ID
- 91740
- Vendor Reference
- CVE-2021-24078
- CVE Reference
- CVE-2021-24078
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.
Affected Software:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server 2019 (Server Core installation)
Windows Server 2019
The KB Articles associated with the update:
KB4601345
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
QID Detection Logic (Authenticated):
This QID checks for the file version of dns.exe
The following versions of dns.exe with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601366 - 6.0.6003.21055
KB4601348 - 6.2.9200.23284
KB4601349 - 6.3.9600.19939
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21055
KB4601384 - 6.3.9600.19939
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23284
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
- Consequence
- An attacker who successfully exploited the vulnerability could run arbitrary code
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
-
Microsoft Windows Win32k Elevation of Privilege Vulnerability
- Severity
- Critical 4
- Qualys ID
- 91741
- Vendor Reference
- CVE-2021-1732
- CVE Reference
- CVE-2021-1732
- CVSS Scores
- Base 4.6 / Temporal 3.8
- Description
-
An elevation of privilege vulnerability exists in the Microsoft Windows Win32k kernel-mode component; a local attacker who successfully exploits it can gain elevated privileges.
Affected Software:
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
The KB Articles associated with the update:
KB4601345
KB4601319
KB4601315
KB4601354
QID Detection Logic (Authenticated):
This QID checks the file version of win32kfull.sys.
The following versions of win32kfull.sys with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601319 - 10.0.19041.804
KB4601315 - 10.0.18362.1377
KB4601354 - 10.0.17134.2026
- Consequence
- Successful exploitation may allow execution of arbitrary code with kernel privileges.
- Solution
-
Please refer to CVE-2021-1732 in the Security Update Guide for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
-
Microsoft Windows Fax Service Remote Code Execution Vulnerabilities
- Severity
- Urgent 5
- Qualys ID
- 91742
- Vendor Reference
- CVE-2021-1722, CVE-2021-24077
- CVE Reference
- CVE-2021-1722, CVE-2021-24077
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
Microsoft Windows Fax Service is exposed to two remote code execution vulnerabilities (CVE-2021-1722, CVE-2021-24077).
Details of the vulnerabilities have not been published at this time.
Note: To exploit these vulnerabilities, the Windows Fax and Scan feature needs to be enabled and the Fax service needs to be running. Systems that do not have the Fax service running are not vulnerable.
Affected Software:
All supported versions of Windows are affected.
The KB Articles associated with the update:
KB4601345
KB4601354
KB4601366
KB4601348
KB4601349
KB4601363
KB4601360
KB4601384
KB4601347
KB4601357
KB4601319
KB4601318
KB4601315
KB4601331
QID Detection Logic (Authenticated):
This QID checks the file version of fxssvc.exe.
The following versions of fxssvc.exe with their corresponding KBs are verified:
KB4601345 - 10.0.17763.1757
KB4601354 - 10.0.17134.2026
KB4601366 - 6.0.6003.21045
KB4601348 - 6.2.9200.23274
KB4601349 - 6.3.9600.19941
KB4601363 - 6.1.7601.24565
KB4601360 - 6.0.6003.21045
KB4601384 - 6.3.9600.19941
KB4601347 - 6.1.7601.24565
KB4601357 - 6.2.9200.23274
KB4601319 - 10.0.19041.804
KB4601318 - 10.0.14393.4225
KB4601315 - 10.0.18362.1377
KB4601331 - 10.0.10240.18841
- Consequence
- An attacker who successfully exploited the vulnerability could run arbitrary code
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft ASP.NET Core Security Update February 2021
- Severity
- Critical 4
- Qualys ID
- 91743
- Vendor Reference
- CVE-2021-1721
- CVE Reference
- CVE-2021-1721, CVE-2021-24112
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
A denial of service vulnerability exists when .NET Core improperly handles web requests.
This security update is rated Important for supported versions of .NET Core.
Affected versions:
Any .NET Core 2.1, .NET Core 3.1 or .NET 5.0 application running on .NET Core 2.1.25, .NET Core 3.1.12 or .NET 5.0.3 or lower, respectively.
QID Detection Logic (Authenticated, Windows):
This QID looks for subdirectories under %programfiles%\dotnet\shared\Microsoft.NETCore.App and %programfiles(x86)%\dotnet\shared\Microsoft.NETCore.App and checks for vulnerable versions in the .version file.
QID Detection Logic (Authenticated, Linux and macOS):
This QID detects vulnerable versions of Microsoft ASP.NET Core by enumerating the installed shared runtimes with the following commands:
ls -d /usr/share/dotnet/shared/Microsoft.NETCore.App/*
ls -d /usr/local/share/dotnet/shared/Microsoft.NETCore.App/*
- Consequence
- Successful exploitation allows an attacker to bypass a security feature and set a second cookie whose name is percent-encoded.
- Solution
-
Customers are advised to refer to CVE-2021-1721 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-1721 macOS
CVE-2021-1721 Windows
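The following PowerShell script is an added example, not Qualys code. It enumerates the shared .NET Core / .NET runtime directories the QID 91743 logic inspects on Windows, Linux and macOS, and flags each runtime at or below the versions listed above. The threshold table is copied from the advisory text; note that 2.1.25, 3.1.12 and 5.0.3 are also the version numbers of the February 2021 .NET servicing releases, so an inventory that shows exactly those versions should be confirmed against the Microsoft .NET release notes before it is reported. Assumes PowerShell 7 (or Windows PowerShell 5.1 on Windows); the search roots are the QID's paths and can be overridden for non-default installs.

```powershell
# Added example (not part of the Qualys advisory): shared-runtime inventory for QID 91743.
# Runs under PowerShell 7 on Windows, Linux and macOS, or Windows PowerShell 5.1 on Windows.

# Last affected runtime per release line, copied from the advisory text above.
$LastAffected = @{
    '2.1' = [version]'2.1.25'
    '3.1' = [version]'3.1.12'
    '5.0' = [version]'5.0.3'
}

function Get-NetCoreRuntimeExposure {
    param(
        # Search roots are the paths the QID enumerates; pass more if dotnet was
        # installed elsewhere (for example under a custom DOTNET_ROOT).
        [string[]]$Roots = @(
            "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App",
            "${env:ProgramFiles(x86)}\dotnet\shared\Microsoft.NETCore.App",
            '/usr/share/dotnet/shared/Microsoft.NETCore.App',
            '/usr/local/share/dotnet/shared/Microsoft.NETCore.App'
        ),
        [hashtable]$Thresholds = $LastAffected
    )
    foreach ($root in $Roots) {
        # On Linux/macOS the two Windows roots expand to empty or bogus paths; skip them.
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path -LiteralPath $root)) { continue }
        foreach ($dir in Get-ChildItem -LiteralPath $root -Directory) {
            # Each subdirectory is named for the runtime it holds (the same version the
            # .version file carries). Strip a prerelease suffix such as "-preview.7.20364.11"
            # so [version] can parse it; a prerelease sorts with its base version here.
            $ver = ($dir.Name -replace '-.*$', '') -as [version]
            if (-not $ver) { continue }   # not a version-named directory
            $line    = '{0}.{1}' -f $ver.Major, $ver.Minor
            $ceiling = $Thresholds[$line]
            $state   = $null              # $null = release line not covered by this advisory
            if ($ceiling) { $state = $ver -le $ceiling }
            [pscustomobject]@{
                Path       = $dir.FullName
                Runtime    = $ver
                Line       = $line
                Vulnerable = $state
            }
        }
    }
}

Get-NetCoreRuntimeExposure | Sort-Object Runtime | Format-Table -AutoSize
```

This only covers framework-dependent applications, which pick up the shared runtime found here. Self-contained and single-file deployments bundle their own copy of the runtime inside the application directory and are not found by this enumeration (or by a file-system check of the paths above); those have to be rebuilt and redeployed against a fixed runtime.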
These new vulnerability checks are included in Qualys vulnerability signature 2.5.103-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110372
- 110373
- 45480
- 91729
- 91732
- 91733
- 91734
- 91738
- 91739
- 91740
- 91741
- 91742
- 91743
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.