Microsoft has released its April 2021 Patch Tuesday security updates, which fix more than a hundred vulnerabilities across a wide range of its products, including a set of four flaws in Microsoft Exchange software discovered by the NSA and a zero-day issue that is being actively exploited in the wild.
The four Exchange vulnerabilities, tracked as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483, exist due to improper input validation in Microsoft Exchange Server and lead to remote code execution. The issues impact on-premises Exchange Server versions 2013 through 2019. So far, there is no evidence that these flaws have been exploited by hackers.
To prevent widespread attacks against vulnerable Microsoft Exchange servers, users are advised to apply the patches as soon as possible.
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Emergency Directive 21-02 released in March to require federal agencies to install April 13 security updates before 12:01 am Friday, April 16, 2021.
In addition to CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483, Microsoft has fixed a Win32k elevation of privilege vulnerability (CVE-2021-28310), which, according to Kaspersky, is being exploited by the Bitter APT group.
“We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities,” Kaspersky wrote in its blog post.
CVE-2021-28310 stems from a boundary error within the win32k.sys driver in Microsoft Windows. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.