Frag out: four remote attack bugs fixed in Microsoft’s February Patch Tuesday

Microsoft’s second monthly security update release of 2021 addresses 56 newly-identified vulnerabilities in the Windows operating system and other products, nine of them designated as critical. But the relatively small number of vulnerabilities doesn’t lessen the importance of the February Patch Tuesday fixes—especially since, once again, one of them is actively being exploited.

That bug, CVE-2021-1732, is a privilege escalation vulnerability in Windows’ Win32k.sys. Even though it’s actively being exploited, 1732 is not the most urgent of February’s fixes—even though it would be ample enough reason on its own to patch. Four network-based vulnerabilities are potentially much more dangerous, and rated by Microsoft as being more likely to be exploited.  Some of them could potentially be exploited in an attack across the Internet.

Bad Packets

Three separate bugs in Windows’ TCP/IP networking stack are addressed in the latest patch release. The first, CVE-2021-24074, is a remote code execution bug in Windows systems’ handling of inbound IPv4 packets. An attacker could exploit this bug by crafting traffic using two IPv4 protocol features:

  •  IP fragmentation: the option to “break” a packet into multiple packet fragments. When all fragments are received, they are reassembled back into a single packet on the endpoint.
  • Loose Source and Record Route (LSRR):  LSRR is an archaic IPv4 header option that implements “Source Routing”, a way for packets to request routers to choose and record the path through which the network will route them.

For the bug to be exploited, both of these features of IPv4 have to be used at the same time—something that would (almost) never happen accidentally. Crafted packets using both features could cause the Windows TCP/IP driver (tcpip.sys) to confuse the internal data structures of the individual packet fragments and those of the reassembled packet. This can cause the driver to read memory outside the boundaries of an internal buffer (an “out-of-bounds read”  condition); with a crafted set of packets, this could lead to an out-of-bounds write condition that could corrupt memory in a way that leads to remote code execution.

This is particularly dangerous, since the vulnerable code is running in the context of a Windows Kernel driver—if successfully exploited, the attacker could execute code with kernel-level privileges. The good news is that remote exploitation of this bug may be thwarted by default by many firewalls and routers. The LSRR option has long been considered insecure because it could be leveraged for address spoofing, and packets containing it are often filtered out of Internet traffic. The bug could still be delivered over less complex local area networks, however, so patching the vulnerability should still be given a high priority.

The two other TCP/IP vulnerabilities revealed in February’s release are related to fragmented packets as well—but in these cases, they’re IPv6 packets.

The more severe of the two is CVE-2021-24094, a bug that is triggered when Windows’ tcpip.sys performs a “recursive reassembly” on fragmented packets. Under certain circumstances, the reassembly process can cause  a dangling pointer condition — with the driver leaving open a pointer to memory space that has been de-allocated that can be exploited to remotely execute code.  

The second IPv6 bug, CVE-2021-24086, also occurs during fragmented packet reassembly. In this case, however, the vulnerability is triggered by a large volume of  extension headers in the fragmented packets.  If the bug is successfully triggered, a NULL pointer dereference occurs, crashing the kernel and the Windows system with it, yielding a Blue Screen of Death.

Microsoft did not indicate whether the two bugs can be triggered over the Internet or if they are limited to being exploited on LAN networks only.

It’s always DNS

Another network-based vulnerability fixed in February’s security patches, CVE-2021-24078, is a bug in Windows DNS Server that could result in remote code execution. This one is definitely exploitable from the Internet, but requires an especially coordinated level of evil to execute. The attacker would have to cause a query to the DNS server for a domain it hasn’t seen before, resulting in a query to a root DNS server. The attacker would then have to spoof the response before it could be returned by the actual root DNS server.

Because the attacker needs to be able to spoof the root server’s response before the real response comes back, the greatest threat of attacks exploiting this bug will come from a threat inside the local network, where packet spoofing is more feasible. But because DNS is based on UDP, the attack could potentially be executed over the Internet.

Other bugs of note

The remaining eight critically-rated vulnerabilities are less likely to be exploited quickly, but all involve potential remote code execution.  Two are in the .NET Core SDK—one in the Windows and Visual Studio SDK (CVE-2021-26701), and the other (CVE-2021-24112) in the software developer kit for Linux. 

CVE-2021-1722 and CVE-2021-2407 are both vulnerabilities in Windows’ Fax Service, which had another, unrelated remote code execution bug patched in January.  The Windows Graphics Component is another feature patched this month (CVE-2021-24093) that also had a vulnerability fixed in January—albeit an information disclosure one). And Windows’ Print Spooler, which had an elevation of privilege vulnerability in January, is patched again this month for RCE (CVE-2021-24088).

Two others (CVE-2021-2408 and CVE-2021-24091) are in Windows codecs associated with image and video handling—the first in Windows’ Codecs Library, and the second in the WIndows Camera Codec Pack. These can be used in remote code execution attacks using a crafted image or video file—a recurring type of vulnerability.  

Beyond those marked as “critical” by Microsoft, there are 10 more remote code execution vulnerabilities patched in the February bug fix release. One of them (CVE-2021-24072) is in SharePoint server; since it’s a network-based vulnerability, Microsoft has rated it as more likely to be exploited.

Sophos protection

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation:

CVE-2021-24072 SID:2304915
CVE-2021-24074 SID:2304906
CVE-2021-24078 SID:2304905

Sophos aims to add detections for critical issues, based on the type and nature of the vulnerabilities, as soon as possible and where we have been given sufficient information to be able to do so. In many cases, existing detections in endpoint products (such as Intercept X) will catch and block exploit attempts without the need for updates.

Latest Posts