Top 10 Windows Server Vulnerabilities for 2021

By Keren Pollack, on November 8th, 2021

The years 2020-2021 were unusually rough for the information security field. The pandemic accelerated the pace at which new attack techniques were discovered, and attackers’ motivation was high because of the potential impact of each attack. In addition, changed work methodologies exposed new vulnerabilities and enlarged the organizational attack surface.


We’ve gathered some of the most critical vulnerabilities in 2020-2021:

  1. Zerologon Vulnerability – CVE-2020-1472
  2. Microsoft DNS Server Vulnerability – CVE-2020-1350
  3. DirectX Elevation of Privilege Vulnerability – CVE-2018-8554
  4. Windows Text Shaping Remote Code Execution Vulnerability – CVE-2021-40465
  5. Windows CryptoAPI Spoofing Vulnerability – CVE-2020-0601
  6. Windows Win32k Elevation of Privileges Vulnerability – CVE-2021-1732
  7. Azure AD Web Sign-in Security Feature Bypass Vulnerability – CVE-2021-27092
  8. Windows WLAN Service Elevation of Privilege Vulnerability – CVE-2021-1646
  9. Kerberos KDC Security Feature Bypass Vulnerability – CVE-2020-17049
  10. Windows Spoofing Vulnerability – CVE-2020-16922

 

 

Zerologon Vulnerability

CVE-2020-1472

Discovered in August 2020, Zerologon was classified as a critical vulnerability. It arises from a technical flaw in the cryptographic authentication scheme of the Netlogon Remote Protocol, which is responsible for user authentication in domain-based networks. An attacker with a client’s access can change the password of the domain controller and take control of the Active Directory services of the entire domain network.


Microsoft DNS Server Vulnerability

CVE-2020-1350

This vulnerability lies in the dns.exe binary, which is responsible for processing DNS queries on Windows DNS servers. The attack is based on a stack overflow technique in which a malicious DNS server sends large volumes of data to the victim DNS server as a SIG response. The 4KB size limit of a UDP packet is bypassed by setting the Truncate flag in the header of the UDP response, which forces the victim server to wait and listen for the additional data over a TCP connection. This way the attacker can send packets larger than 64KB, which causes the heap to overflow. dns.exe reads this additional data, which leads to remote code execution.

 

A successful attacker can gain full access to Active Directory with admin privileges and can control the whole network domain. Microsoft recommends restricting the maximum size of an inbound TCP-based DNS response packet by setting the following value in the system registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00
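
The following PowerShell script is an added example, not code from the original article or from Microsoft: it audits the registry value above and, when run with the hypothetical -Apply switch, sets it. The DWORD type and the DNS service restart are not stated on this page; they follow Microsoft's published workaround for this CVE.

```powershell
# Audit (and optionally apply) the TcpReceivePacketSize workaround for CVE-2020-1350.
# Run in an elevated session on the DNS server. -Apply is a switch defined by this
# example script, not a built-in option.
param([switch]$Apply)

$Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name     = 'TcpReceivePacketSize'
$Expected = 0xFF00   # value given in the article (65280 decimal)

function Get-DnsTcpLimitState {
    # The key only exists where the DNS Server role is installed.
    if (-not (Test-Path -Path $Path)) { return 'DnsServerNotInstalled' }

    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop)              { return 'Missing' }    # workaround never applied
    if ($prop.$Name -eq $Expected)    { return 'Compliant' }
    return 'Mismatch'                                         # set, but to another value
}

$state = Get-DnsTcpLimitState
Write-Output "$env:COMPUTERNAME TcpReceivePacketSize state: $state"

if ($Apply -and $state -in 'Missing', 'Mismatch') {
    # Assumption (not on this page): the value is a REG_DWORD and the DNS
    # service must be restarted before the new limit takes effect.
    Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
    Restart-Service -Name DNS
    Write-Output "After change: $(Get-DnsTcpLimitState)"
}
```

Run it without -Apply first to inventory which DNS servers still lack the setting; a 'Mismatch' result deserves a manual look before it is overwritten.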

 

DirectX Elevation of Privilege Vulnerability

CVE-2018-8554

Microsoft DirectX is known to contain flaws, one of which is that it does not handle objects in memory properly. An attacker can use a specially designed application to take advantage of this vulnerability by corrupting memory. Once memory is corrupted, the attacker can execute remote commands in kernel mode. The integrity, confidentiality, and availability of the target system can all be compromised, as the attacker would be able to delete, install, or modify any programs as well as the user accounts on the system.

 

Windows Text Shaping Remote Code Execution Vulnerability

CVE-2021-40465

Windows Text Shaping does not validate input properly. This causes a remote code execution vulnerability that lets an attacker send malicious code to a victim Microsoft server and execute it there. The vulnerability exists in all versions of Windows Server from 2008 to 2019, and an attacker can use it to compromise the entire system. The attacker does not need physical access; the vulnerability can be exploited remotely.

 

Windows CryptoAPI Spoofing Vulnerability

CVE-2020-0601

Windows CryptoAPI (crypt32.dll) does not properly validate ECC certificates, which opens up another Windows Server vulnerability. Elliptic Curve Cryptography (ECC) is a cryptographic technique that Windows servers use to sign executables. An attacker can exploit this vulnerability to sign malicious executables with a spoofed ECC certificate, so that they appear to be signed by a valid source. The user will trust the malicious program and execute it on their system because it appears to be signed by a legitimate source.

 

Successful exploitation can be used to run malicious programs on the system as if they were legitimate, to conduct man-in-the-middle attacks, and to decrypt the user’s sensitive data that is sent via this malicious program.

 

Windows Win32k Elevation of Privileges Vulnerability

CVE-2021-1732

A bug exists in win32kfull!NtUserCreateWindowEx in the Windows graphics driver. The WndExtra field of a window can be made to be treated as an offset rather than being populated by an attacker’s value. This gives the attacker write permissions, which eventually escalates privileges from a normal user to NT AUTHORITY\SYSTEM. The attacker can then control the entire system.

 

Azure AD Web Sign-in Security Feature Bypass Vulnerability

CVE-2021-27092

Microsoft introduced a new way to sign in to Azure Active Directory joined PCs; unfortunately, it contains a bug. The vulnerability lies in the way Azure Active Directory web sign-in allows arbitrary browsing from the third-party endpoints used for federated authentication. It allows an attacker with physical access to the device to gain unauthorized access.

Windows WLAN Service Elevation of Privilege Vulnerability

CVE-2021-1646

The WLAN AutoConfig Service in Windows servers does not validate input properly. A remote attacker within the local network can execute arbitrary malicious code on the system and gain full access to it. This vulnerability exists in all Windows servers from 2008 to 2019. Attackers do not need any authentication to exploit it.

Kerberos KDC Security Feature Bypass Vulnerability

CVE-2020-17049

This vulnerability exists in the Kerberos authentication protocol: the KDC does not properly handle service tickets. An attacker can compromise a service that is configured to use KCD (Kerberos Constrained Delegation) and use it to tamper with a service ticket that is invalid for delegation, then force the KDC to accept it. This allows the attacker to log in to the system as any user, including users in the “Protected Users” group.


Windows Spoofing Vulnerability

CVE-2020-16922

Incorrect validation of file signatures in Windows leads to the Windows spoofing vulnerability. After successfully exploiting it, an attacker could bypass security features and load improperly signed files. The attacker could also spoof page content. In an attack scenario, an attacker could circumvent security mechanisms designed to prevent improperly signed files from being loaded.

 

Mitigation

All of these vulnerabilities can be mitigated by implementing two basic information security controls:

  1. Harden your servers. Server hardening refers to changing the server’s default configuration to minimize the organization’s attack surface. The configuration changes are usually made to insecure and unnecessary protocols and services that often expose the network to vulnerabilities.
  2. Keep your servers updated to the latest version. Microsoft addresses most of the vulnerabilities in its Windows Server updates.
