Patch Tuesday, May 11: Detecting Critical Vulnerabilities

Today was Microsoft Patch Tuesday, and while there were a relatively small number of patches issued—55 as compared to the usual 100 plus—a few of those vulnerabilities require immediate attention.

Of particular concern are two remote code execution vulnerabilities, which allow malicious actors to execute any code on a remote machine via a LAN, WAN, or internet connection.

The first, CVE-2021-31181, is a remote code execution vulnerability in SharePoint servers. As SharePoint servers are often connected to the internet, it is important to patch this immediately. ExtraHop expects to see a proof of concept exploit for this soon.

The second, CVE-2021-31166, is an HTTP protocol stack remote code execution vulnerability that allows unauthenticated users to remotely execute code in the kernel. Attackers can exploit this vulnerability by sending a specially crafted packet to an affected server––an attribute that, as Microsoft notes in the write up, makes this bug wormable. This vulnerability is particularly critical because it also impacts Windows 10 web servers, making it fertile ground for attackers.

The ExtraHop Threat Research team regularly evaluates Patch Tuesday vulnerabilities, and where applicable, creates detections within ExtraHop Reveal(x) and Reveal(x) 360 to help our customers rapidly address the most critical vulnerabilities.

We are releasing detections for behavior associated with CVE-2021-31166 and CVE-2021-31181. ExtraHop Reveal(x) and Reveal(x) 360 customers will get detections associated with these vulnerabilities automatically over the next few days.

For non-ExtraHop customers, we encourage you to act quickly to patch these two vulnerabilities. Both can allow attackers full access to your network, and they pose significant risk.