SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft fixes wormable remote code execution vulnerability in HTTP protocol stack
Description: Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities across its suite of products, the fewest in any month since January 2020. Only three critical vulnerabilities are patched this month, while two are of “moderate” severity and the rest are “important.” All three critical vulnerabilities, however, are considered “more likely” to be exploited, according to Microsoft. This month’s security update provides patches for several major pieces of software, including Microsoft Office, SharePoint and Windows’ wireless networking. The most serious vulnerability exists in the HTTP protocol stack. An unauthenticated attacker could exploit CVE-2021-31166 by sending a specially crafted packet to a targeted server that uses the stack. If successful, the adversary could gain the ability to execute remote code on the targeted server. According to Microsoft, the vulnerability is wormable and the company “recommends prioritizing the patching of affected servers.” It has a CVSS severity score of 9.8 out of 10.
Reference: https://blog.talosintelligence.com/2021/05/microsoft-patch-tuesday-for-may-2021.html
Snort SIDs: 57539, 57540, 57542 – 57545, 57548 – 57550
Title: Cisco discloses critical vulnerabilities that expose corporate networks
Description: Cisco recently patched three critical security vulnerabilities across the SD-WAN vManage software and the HyperFlex HX platform. These vulnerabilities, if left unpatched, could allow an attacker to completely take over corporate networks that use this software. vManage is a network management system that allows users to monitor and configure any devices and links they have in the broader SD-WAN. The most serious vulnerability in this group is CVE-2021-1468, which has a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability by submitting specially crafted input to the service, eventually allowing them to call privileged actions on the affected systems. The adversary could then also create new administrative-level accounts.
Reference: https://threatpost.com/critical-cisco-sd-wan-hyperflex-bugs/165923/
Snort SIDs: 57527 – 57530, 57535 – 57538