Overview
On May 12, 2021, Microsoft released May 2021 Security Updates to fix 55 vulnerabilities, including high-risk remote code execution and privilege escalation, in widely used products like Microsoft Windows, Office, Exchange Server, Visual Studio Code, and Internet Explorer.
Among the vulnerabilities fixed by this month’s security updates, four are critical and 50 are important. Affected users are advised to patch their installations as soon as possible. For the list of vulnerabilities, see the appendix.
NSFOCUS Remote Security Assessment System (RSAS) can detect most of the vulnerabilities (including high-risk ones such as CVE-2021-26419, CVE-2021-31166, CVE-2021-31194, and CVE-2021-28476) fixed by these security updates. Customers are advised to immediately update the plug-in package of their RSAS to V6.0R02F01.2301, which is available at http://update.nsfocus.com/update/listRsasDetail/v/vulsys.
Reference link: https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-May
Description of Critical Vulnerabilities
Based on product popularity and vulnerability criticality, we have selected the following high-impact vulnerabilities that users should pay close attention to:
HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)
The HTTP protocol stack (http.sys) is prone to a remote code execution vulnerability that allows unauthenticated, remote attackers to execute arbitrary code on the target system by sending crafted packets to a target host. This vulnerability has a CVSS score of 9.8, and is wormable, as Microsoft acknowledges.
For vulnerability details, visit the following link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166
Hyper-V Remote Code Execution Vulnerability (CVE-2021-28476)
Windows Hyper-V, a native hypervisor, is prone to a remote code execution vulnerability with a CVSS score of 9.9. This vulnerability allows guest virtual machines (VMs) to force the Hyper-V host kernel to read arbitrary addresses that may be invalid. In certain cases, an attacker who has successfully exploited this vulnerability could execute binaries on the Hyper-V server or execute arbitrary code on the system.
For vulnerability details, visit the following link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28476
Microsoft SharePoint Remote Code Execution Vulnerabilities (CVE-2021-28474, CVE-2021-31181)
An authenticated attacker could exploit these vulnerabilities to execute arbitrary code on affected installations of Microsoft SharePoint.
For vulnerability details, visit the following links:
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28474
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31181
OLE Automation Remote Code Execution Vulnerability (CVE-2021-31194)
This vulnerability exists in Windows OLE and could be exploited via a web browser that invokes OLE automation. An attacker could set up a malicious website and trick users into visiting this website, thus achieving remote code execution.
For vulnerability details, visit the following link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31194
Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
This is one of the vulnerabilities discovered as part of this year’s Pwn2Own competition and its details have been published. An attacker who has successfully exploited this vulnerability could gain a certain degree of control over the server.
For vulnerability details, visit the following link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
Scope of Impact
The following table lists affected products and versions that require special attention. Please view Microsoft’s security updates for other products affected by these vulnerabilities.
CVE ID | Affected Products and Versions |
CVE-2021-31166 | Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64-based Systems; Windows 10 Version 20H2 for 32-bit Systems; Windows 10 Version 20H2 for x64-based Systems; Windows Server, version 2004 (Server Core installation); Windows 10 Version 2004 for x64-based Systems; Windows 10 Version 2004 for ARM64-based Systems; Windows 10 Version 2004 for 32-bit Systems |
CVE-2021-28476 | Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation); Windows Server 2008 for x64-based Systems Service Pack 2; Windows 8.1 for x64-based systems; Windows 7 for x64-based Systems Service Pack 1; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64-based Systems; Windows 10 for x64-based Systems; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for x64-based Systems; Windows Server, version 2004 (Server Core installation); Windows 10 Version 2004 for x64-based Systems; Windows Server, version 1909 (Server Core installation); Windows 10 Version 1909 for x64-based Systems; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for x64-based Systems; Windows 10 Version 1803 for x64-based Systems |
CVE-2021-28474, CVE-2021-31181 | Microsoft SharePoint Foundation 2013 Service Pack 1; Microsoft SharePoint Server 2019; Microsoft SharePoint Enterprise Server 2016 |
CVE-2021-31194 | Windows 10 Version 2004 for x64-based Systems; Windows 10 Version 2004 for ARM64-based Systems; Windows 10 Version 2004 for 32-bit Systems; Windows Server, version 1909 (Server Core installation); Windows 10 Version 1909 for ARM64-based Systems; Windows 10 Version 20H2 for x64-based Systems; Windows Server, version 2004 (Server Core installation); Windows 10 Version 1909 for x64-based Systems; Windows 10 Version 1909 for 32-bit Systems; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for ARM64-based Systems; Windows 10 Version 1809 for x64-based Systems; Windows 10 Version 1809 for 32-bit Systems; Windows 10 Version 1803 for ARM64-based Systems; Windows 10 Version 1803 for x64-based Systems; Windows 10 Version 1803 for 32-bit Systems; Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation); Windows Server 2008 for x64-based Systems Service Pack 2; Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation); Windows Server 2008 for 32-bit Systems Service Pack 2; Windows RT 8.1; Windows 8.1 for x64-based systems; Windows 8.1 for 32-bit systems; Windows 7 for x64-based Systems Service Pack 1; Windows 7 for 32-bit Systems Service Pack 1; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64-based Systems; Windows 10 Version 1607 for 32-bit Systems; Windows 10 for x64-based Systems; Windows 10 for 32-bit Systems; Windows Server, version 20H2 (Server Core Installation); Windows 10 Version 20H2 for ARM64-based Systems; Windows 10 Version 20H2 for 32-bit Systems |
CVE-2021-31207 | Microsoft Exchange Server 2019 Cumulative Update 8; Microsoft Exchange Server 2016 Cumulative Update 19; Microsoft Exchange Server 2016 Cumulative Update 20; Microsoft Exchange Server 2019 Cumulative Update 9; Microsoft Exchange Server 2013 Cumulative Update 23 |
Mitigation
Patch Update
Currently, Microsoft has released security updates to fix the preceding vulnerabilities in product versions supported by Microsoft. Affected users are strongly advised to apply these updates as soon as possible. These updates are available at the following link:
https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-May
Note: Windows Update may fail due to network and computer environment issues. Therefore, users are advised to check whether the patches are successfully applied immediately upon installation.
Right-click the Start button and choose Settings (N) > Update & Security > Windows Update to view the message on the page. Alternatively, you can view historical updates by clicking View update history. If an update fails to install, you can click the update name to open Microsoft’s official update download page. Users are advised to click the links on that page to visit the “Microsoft Update Catalog” website to download and install independent packages.
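The update-history check described above can also be scripted for hosts where clicking through Settings does not scale. The following PowerShell is an added example, not part of the original advisory; it reads the history through the Windows Update Agent COM API, is meant to be saved and run as a .ps1 file, and its `$Since` cut-off date is an assumption.

```powershell
# Added example (not from the advisory): scripted "View update history" check.
# Uses the Windows Update Agent COM API. $Since is an assumed cut-off date.
param([datetime]$Since = '2021-05-11')

# OperationResultCode values reported in IUpdateHistoryEntry.ResultCode
$resultNames = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
if ($total -eq 0) {
    Write-Warning 'Windows Update history is empty on this host.'
    exit 2
}

# Operation 1 = installation. History timestamps are stored in UTC.
$installs = $searcher.QueryHistory(0, $total) |
    Where-Object { $_.Operation -eq 1 -and $_.Date -ge $Since.ToUniversalTime() }
if (-not $installs) {
    Write-Warning "No update installations recorded since $Since."
    exit 2
}

# Keep only the latest attempt per update, so a failure that was later
# retried successfully is not reported as outstanding.
$latest = $installs | Group-Object Title | ForEach-Object {
    $_.Group | Sort-Object Date -Descending | Select-Object -First 1
}

$report = $latest | ForEach-Object {
    [pscustomobject]@{
        Date    = $_.Date
        KB      = if ($_.Title -match 'KB\d+') { $Matches[0] } else { '' }
        Result  = $resultNames[[int]$_.ResultCode]
        HResult = '0x{0:X8}' -f [int]$_.HResult
        Title   = $_.Title
    }
}
$report | Sort-Object Date | Format-Table -AutoSize -Wrap

# Anything other than a clean success needs a manual install from the catalog.
$failed = @($report | Where-Object { $_.Result -ne 'Succeeded' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} update(s) did not install cleanly: {1}" -f $failed.Count, ($failed.KB -join ', '))
    exit 1
}
```

The advisory does not list KB numbers, so match the reported KB identifiers against the Microsoft release note linked above for the product versions in use.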
Appendix: Vulnerability List
Affected Product | CVE ID | Vulnerability Title | Severity |
Internet Explorer | CVE-2021-26419 | Scripting Engine Memory Leak Vulnerability | Critical |
Windows | CVE-2021-31166 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical |
Windows | CVE-2021-31194 | OLE Automation Remote Code Execution Vulnerability | Critical |
Windows | CVE-2021-28476 | Hyper-V Remote Code Execution Vulnerability | Critical |
Windows | CVE-2020-24588 | Windows Wireless Networking Spoofing Vulnerability | Important |
Windows | CVE-2020-24587 | Windows Wireless Networking Information Disclosure Vulnerability | Important |
Microsoft Visual Studio | CVE-2021-27068 | Visual Studio Remote Code Execution Vulnerability | Important |
Windows | CVE-2020-26144 | Windows Wireless Networking Spoofing Vulnerability | Important |
Windows, Microsoft Office | CVE-2021-28455 | Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability | Important |
Microsoft Dynamics | CVE-2021-28461 | Dynamics Finance and Operations Cross-Site Scripting Vulnerability | Important |
Windows | CVE-2021-28479 | Windows CSC Service Information Disclosure Vulnerability | Important |
Windows | CVE-2021-31165 | Windows Container Manager Service Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31167 | Windows Container Manager Service Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31168 | Windows Container Manager Service Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31169 | Windows Container Manager Service Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31170 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
Microsoft Office | CVE-2021-31171 | Microsoft SharePoint Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2021-31172 | Microsoft SharePoint Spoofing Vulnerability | Important |
Microsoft Office | CVE-2021-31173 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2021-31174 | Microsoft Excel Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2021-31175 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-31176 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-31177 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-31178 | Microsoft Office Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2021-31179 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-31180 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-31181 | Microsoft SharePoint Remote Code Execution Vulnerability | Important |
Windows | CVE-2021-31182 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important |
Windows | CVE-2021-31184 | Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability | Important |
Windows | CVE-2021-31185 | Windows Desktop Bridge Denial-of-Service Vulnerability | Important |
Windows | CVE-2021-31186 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important |
Windows | CVE-2021-31187 | Windows WalletService Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31188 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31190 | Windows Container Isolation FS Filter Driver Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31191 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | Important |
Windows | CVE-2021-31192 | Windows Media Foundation Core Remote Code Execution Vulnerability | Important |
Windows | CVE-2021-31193 | Windows SSDP Service Privilege Escalation Vulnerability | Important |
Exchange Server | CVE-2021-31195 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
Exchange Server | CVE-2021-31198 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
.NET, .NET Core, Visual Studio, Microsoft Visual Studio | CVE-2021-31204 | .NET and Visual Studio Privilege Escalation Vulnerability | Important |
Windows | CVE-2021-31205 | Windows SMB Client Security Feature Bypass Vulnerability | Important |
Windows | CVE-2021-31208 | Windows Container Manager Service Privilege Escalation Vulnerability | Important |
Exchange Server | CVE-2021-31209 | Microsoft Exchange Server Spoofing Vulnerability | Important |
Visual Studio Code | CVE-2021-31211 | Visual Studio Code Remote Code Execution Vulnerability | Important |
Visual Studio Code Remote – Containers Extension | CVE-2021-31213 | Visual Studio Code Remote Containers Extension Remote Code Execution Vulnerability | Important |
Visual Studio Code | CVE-2021-31214 | Visual Studio Code Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-26421 | Skype for Business and Lync Spoofing Vulnerability | Important |
Microsoft Office | CVE-2021-26422 | Skype for Business and Lync Remote Code Execution Vulnerability | Important |
Windows | CVE-2021-28465 | Web Media Extensions Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-28474 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-28478 | Microsoft SharePoint Spoofing Vulnerability | Important |
Microsoft Office | CVE-2021-26418 | Microsoft SharePoint Spoofing Vulnerability | Important |
Open Source Software | CVE-2021-31200 | Common Utilities Remote Code Execution Vulnerability | Important |
Azure | CVE-2021-31936 | Microsoft Accessibility Insights for Web Information Disclosure Vulnerability | Important |
Exchange Server | CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability | Moderate |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.