Windows 10 is probably the most used Operating System (OS) in organizations these days. The fact that every level of user in the organization, from IT experts to entities that has little knowledge in cybersecurity use it, it is prone to be targeted by attackers as a gate to the entire network. A lot of attention is invested in users' behavior and phishing campaigns, while many risks hide in the OS itself.
The following is a list of the most critical Windows 10 vulnerabilities for 2021:
- Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
- Windows Remote Desktop Service Denial of Service Vulnerability
- Windows Kernel Elevation of Privilege Vulnerability
- Windows Hyper-V Elevation of Privilege Vulnerability
- Windows Spoofing Vulnerability
- Windows Print Spooler Remote Code Execution Vulnerability
- Group Policy Elevation of Privilege Vulnerability
- Microsoft Graphics Components Remote Code Execution Vulnerability
- Windows TCP/IP Denial of Service Vulnerability
- NetBT Information Disclosure Vulnerability
Windows Print Spooler Remote Code Execution Vulnerability
CVE-2021-34527
Windows Print Spooler service improperly performs privileged file operations which paves the way for the execution of an arbitrary remote code. After successful exploitation of this vulnerability, the attacker could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The following registry settings should be in place to avoid this vulnerability:
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
*NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
*UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
If the NoWarningNoElevationOnInstall entry is set to 1, then this makes the Windows print spooler service vulnerable natively for this vulnerability.
How to Mitigate Print Spooler’s PrintNightmare Vulnerability
Group Policy Elevation of Privilege Vulnerability
CVE-2020-16939
This vulnerability abuses a SetSecurityFile operation performed during Group Policy update that is done in the context of NT AUTHORITY\SYSTEM. To improve the system performance GPO settings are locally cached inside the %programdata%\Microsoft\GroupPolicy\Users directory. This %progrmadata directory is by default writeable by all the systems users even with low privilege levels. An attacker can create a directory junction to another folder and can gain full control of that folder. With the successful exploitation of this vulnerability, the attacker can run processes in an elevated context. To exploit the vulnerability, a system log-in is needed.
Microsoft Graphics Components Remote Code Execution Vulnerability
CVE-2020-16923
Object handling in memory is not greatly done by the Microsoft Graphics Component which makes it the basic cause of a Remote code Execution type vulnerability in the system. A specially crafted file needs to be opened into the system to exploit this vulnerability. The attacker can easily send the malicious file into the system and make the innocent user to open that file. The embedded malicious code in the file can cause memory corruption. The successful attacker can execute arbitrary code on a target system and perform all the SYSTEM level tasks.
Windows TCP/IP Denial of Service Vulnerability
CVE-2020-16899
Windows TCP/IP stack does not handle the ICMPv6 Router Advertisement packets appropriately which makes it vulnerable against the DoS and DDoS attacks. This is a remote vulnerability, and the attacker does not have to be on the system to exploit it. Malicious ICMPv6 Router Advertisement packets can be sent remotely to the target system which could cause the memory corruption to exploit the vulnerability. As a result of the successful exploitation, the system would stop responding. The vulnerability would not allow an attacker to execute code or to elevate user rights directly.
NetBT Information Disclosure Vulnerability
CVE-2020-16897
NetBIOS over TCP (NBT) Extensions (NetBT) does not handle objects in memory appropriately which leads to the very dangerous information disclosure vulnerability in the system. The confidentiality of the system is highly compromised in the case of successful exploitation of this vulnerability. The information obtained through this exploitation can be used to exploit the system further.
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
CVE-2020-16896
An information disclosure vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. After exploiting this vulnerability, the attacker can gain some useful information about the system which he can use to launch a bigger attack later on. Basically, the attacker gains unauthorized read access to the RDP process which leads to the information disclosure. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server that provides Remote Desktop Protocol (RDP) services.
Securing Remote Desktop: RDS Configuration & RDS Hardening Guide
Windows Remote Desktop Service Denial of Service Vulnerability
CVE-2020-16863
A denial-of-service vulnerability exists in Windows Remote Desktop Service when an attacker connects to the target system using RDP and sends specially crafted requests. There is not a proper validation of user input in the Windows RDP application. This vulnerability lets an attacker who successfully exploited this vulnerability to cause the Remote Desktop Service on the target system to stop responding. An attacker would need to run a specially crafted application against the RDP server to exploit the vulnerability.
Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-1689
Windows kernel fails to properly handle objects in memory which leads to a kernel-level vulnerability that allows elevating the user privileges without proper authorization. After the exploitation, the attacker can perform any tasks as an administrator user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, a normal level of user access is needed into the system. An attacker could then run a specially crafted application to take control of an affected system.
Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2020-1047
Improper handling of memory objects by the host server on the Windows Hyper-V application leads to the elevation of privileges vulnerability. A local attacker can very well execute the memory corruption tactics such as buffer overflow to exploit this vulnerability to elevate its privileges. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g., a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.
Windows Spoofing Vulnerability
CVE-2020-16922
Incorrect validation of file signatures in Windows OS leads to the Windows spoofing vulnerability. After successful exploitation of this vulnerability, the attacker could bypass security features and load improperly signed files. The attacker could also spoof the page content. An attacker could circumvent security mechanisms designed to prevent poorly signed files from being loaded in an attack scenario.
Mitigation
Mitigating all these vulnerabilities can be handled in two steps of basic information security controls:
- Harden your end-points: Endpoint hardening refers to control over configuration changes in the endpoint's operating system, with the intention of minimizing the attack surface. The configuration changes are usually made on unsecure and unnecessary protocols and services that are enabled by default in the operating system. These protocols and services are usually enabled to provide the endpoint with maximal functionality. Unfortunately, they often expose the network to vulnerabilities.
2. Keep your Windows 10 updated to the latest version: All these vulnerabilities can be mitigated by updating the Windows 10 to 21H update. Microsoft has addressed all these vulnerabilities in their latest Windows 10 update.
