Microsoft’s May 2021 Security Updates Fix Multiple Products’ High-Risk Vulnerabilities

Microsoft’s May 2021 Security Updates Fix Multiple Products’ High-Risk Vulnerabilities

June 7, 2021 | Jie Ji

Overview

On May 12, 2021, Microsoft released May 2021 Security Updates to fix 55 vulnerabilities, including high-risk remote code execution and privilege escalation, in widely used products like Microsoft Windows, Office, Exchange Server, Visual Studio Code, and Internet Explorer.

In the vulnerabilities fixed by this month’s security updates, there are four critical vulnerabilities and 50 important ones. Affected users are advised to patch their installations as soon as possible. For the list of vulnerabilities, see the appendix.

NSFOCUS Remote Security Assessment System (RSAS) can detect most of the vulnerabilities (including high-risk ones such as CVE-2021-26419, CVE-2021-31166, CVE-2021-31194, and CVE-2021-28476) fixed by these security updates. Customers are advised to immediately update the plug-in package of their RSAS to V6.0R02F01.2301, which is available at http://update.nsfocus.com/update/listRsasDetail/v/vulsys.

Reference link: https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-May

Description of Critical Vulnerabilities

Based on the product popularity and vulnerability criticality, we have selected the vulnerabilities with a big impact that users should keep their eyes open for:

HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)

The HTTP protocol stack (http.sys) is prone to a remote code execution vulnerability that allows unauthenticated, remote attackers to execute arbitrary code on the target system by sending crafted packets to a target host. This vulnerability has a CVSS score of 9.8, and is wormable, as Microsoft acknowledges.

For vulnerability details, visit the following link:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

Hyper-V Remote Code Execution Vulnerability (CVE-2021-28476)

Windows Hyper-V, a native hypervisor, is prone to a remote code execution vulnerability with a CVSS score of 9.9. This vulnerability allows guest virtual machines (VMs) to force the Hyper-V host kernel to read arbitrary addresses that may be invalid. In certain cases, an attacker who has successfully exploited this vulnerability could execute binaries on the Hyper-V server or execute arbitrary code on the system.

For vulnerability details, visit the following link:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28476

Microsoft SharePoint Remote Code Execution Vulnerabilities (CVE-2021-28474, CVE-2021-31181)

An authenticated attacker could exploit this vulnerability to execute arbitrary code on affected installations of Microsoft SharePoint.

For vulnerability details, visit the following link:

OLE Automation Remote Code Execution Vulnerability (CVE-2021-31194)

This vulnerability exists in Windows OLE and could be exploited via a web browser that invokes OLE automation. An attacker could set up a malicious website and trick users into visiting this website, thus achieving remote code execution.

For vulnerability details, visit the following link:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31194

Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)

This is one of the vulnerabilities discovered as part of this year’s Pwn2Own competition and its details have been published. An attacker who has successfully exploited this vulnerability could gain a certain degree of control over the server.

For vulnerability details, visit the following link: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207

 Scope of Impact

The following table lists affected products and versions that require special attention. Please view Microsoft’s security updates for other products affected by these vulnerabilities.

CVE IDAffected Products and Versions
CVE-2021-31166Windows Server, version  20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation) Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
CVE-2021-28476Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows 8.1 for x64-based systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 for x64-based Systems
Windows Server, version  20H2 (Server Core Installation)
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version  2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows Server, version  1909 (Server Core installation)
Windows 10 Version 1909 for x64-based Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1803 for x64-based Systems
CVE-2021-28474 CVE-2021-31181Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Microsoft SharePoint Enterprise Server 2016
CVE-2021-31194Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
 Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version  20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
 
CVE-2021-31207Microsoft Exchange Server 2019 Cumulative Update 8
Microsoft Exchange Server 2016 Cumulative Update 19
Microsoft Exchange Server 2016 Cumulative Update 20
Microsoft Exchange Server 2019 Cumulative Update 9
Microsoft Exchange Server 2013 Cumulative Update 23
 

Mitigation

Patch Update

Currently, Microsoft has released security updates to fix the preceding vulnerabilities in product versions supported by Microsoft. Affected users are strongly advised to apply these updates as soon as possible. These updates are available at the following link:

https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-May

Note: Windows Update may fail due to network and computer environment issues. Therefore, users are advised to check whether the patches are successfully applied immediately upon installation.

Right-click the Start button and choose Settings (N) > Update & Security > Windows Update to view the message on the page. Alternatively, you can view historical updates by clicking View update history. If an update fails to be successfully installed, you can click the update name to open the Microsoft’s official update download page. Users are advised to click the links on the page to visit the “Microsoft Update Catalog” website to download and install independent packages.

Appendix: Vulnerability List

Affected ProductCVE IDVulnerability TitleSeverity
Internet ExplorerCVE-2021-26419Scripting Engine Memory Leak VulnerabilityCritical
WindowsCVE-2021-31166HTTP Protocol Stack Remote Code Execution VulnerabilityCritical
WindowsCVE-2021-31194OLE Automation Remote Code Execution VulnerabilityCritical
WindowsCVE-2021-28476Hyper-V Remote Code Execution VulnerabilityCritical
WindowsCVE-2020-24588Windows Wireless Networking Spoofing VulnerabilityImportant
WindowsCVE-2020-24587Windows Wireless Networking Information Disclosure VulnerabilityImportant
Microsoft VisualStudioCVE-2021-27068 Visual Studio Remote Code Execution VulnerabilityImportant
WindowsCVE-2020-26144Windows Wireless Networking Spoofing VulnerabilityImportant
Windows, Microsoft OfficeCVE-2021-28455Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution VulnerabilityImportant
Microsoft DynamicsCVE-2021-28461Dynamics Finance and Operations Cross-Site Scripting VulnerabilityImportant
WindowsCVE-2021-28479Windows CSC Service Information Disclosure VulnerabilityImportant
WindowsCVE-2021-31165Windows Container Manager Service Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31167Windows Container Manager Service Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31168Windows Container Manager Service Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31169Windows Container Manager Service Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31170Windows Graphics Component Privilege Escalation VulnerabilityImportant
Microsoft OfficeCVE-2021-31171Microsoft SharePoint Information Disclosure VulnerabilityImportant
Microsoft OfficeCVE-2021-31172Microsoft SharePoint Spoofing VulnerabilityImportant
Microsoft OfficeCVE-2021-31173Microsoft SharePoint Server Information Disclosure VulnerabilityImportant
Microsoft OfficeCVE-2021-31174Microsoft Excel Information Disclosure VulnerabilityImportant
Microsoft OfficeCVE-2021-31175Microsoft Office Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-31176Microsoft Office Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-31177Microsoft Office Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-31178Microsoft Office Information Disclosure VulnerabilityImportant
Microsoft OfficeCVE-2021-31179Microsoft Office Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-31180Microsoft Office Graphics Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-31181Microsoft SharePoint Remote Code Execution VulnerabilityImportant
WindowsCVE-2021-31182Microsoft Bluetooth Driver Spoofing VulnerabilityImportant
WindowsCVE-2021-31184Microsoft Windows Infrared Data Association (IrDA)  Information Disclosure VulnerabilityImportant
WindowsCVE-2021-31185Windows Desktop Bridge Denial-of-Service VulnerabilityImportant
WindowsCVE-2021-31186Windows Remote Desktop Protocol (RDP) Information Disclosure VulnerabilityImportant
WindowsCVE-2021-31187Windows WalletService Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31188Windows Graphics Component Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31190Windows Container Isolation FS Filter Driver Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31191Windows Projected File System FS Filter Driver Information Disclosure VulnerabilityImportant
WindowsCVE-2021-31192Windows Media Foundation Core Remote Code Execution VulnerabilityImportant
WindowsCVE-2021-31193Windows SSDP Service Privilege Escalation VulnerabilityImportant
Exchange ServerCVE-2021-31195Microsoft Exchange Server Remote Code Execution VulnerabilityImportant
Exchange ServerCVE-2021-31198Microsoft Exchange Server Remote Code Execution VulnerabilityImportant
.NET, .NET Core, Visual Studio, MicrosoftVisual StudioCVE-2021-31204.NET and Visual Studio Privilege Escalation VulnerabilityImportant
WindowsCVE-2021-31205Windows SMB Client Security Feature Bypass VulnerabilityImportant
WindowsCVE-2021-31208Windows Container Manager Service Privilege Escalation VulnerabilityImportant
Exchange ServerCVE-2021-31209Microsoft Exchange Server Spoofing VulnerabilityImportant
Visual Studio CodeCVE-2021-31211Visual Studio Code Remote Code Execution VulnerabilityImportant
Visual Studio Code Remote – ContainersExtensionCVE-2021-31213Visual Studio Code Remote Containers Extension Remote Code Execution VulnerabilityImportant
Visual Studio CodeCVE-2021-31214Visual Studio Code Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-26421Skype for Business and Lync Spoofing VulnerabilityImportant
Microsoft OfficeCVE-2021-26422Skype for Business and Lync Remote Code Execution VulnerabilityImportant
WindowsCVE-2021-28465Web Media Extensions Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-28474Microsoft SharePoint Server Remote Code Execution VulnerabilityImportant
Microsoft OfficeCVE-2021-28478Microsoft SharePoint Spoofing VulnerabilityImportant
Microsoft OfficeCVE-2021-26418Microsoft SharePoint Spoofing VulnerabilityImportant
Open Source SoftwareCVE-2021-31200Common Utilities Remote Code Execution VulnerabilityImportant
AzureCVE-2021-31936Microsoft Accessibility Insights for Web Information Disclosure VulnerabilityImportant
Exchange ServerCVE-2021-31207Microsoft Exchange Server Security Feature Bypass VulnerabilityModerate

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.