Weekly threat roundup: Windows 11, Cloudflare, Google Chrome

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Any user can gain admin rights on Windows

A local elevation of privilege flaw is embedded in Windows 11 and Windows 10 that can allow users with low privileges to access sensitive Registry database files, according to BleepingComputer.

Researcher Jonas Lykkegaard discovered that Windows Registry files associated with the Security Account Manager (SAM), and all other Registry databases, can be read by anyone in the ‘Users’ group with low privileges on a device. This might be exploited by a cyber criminal with limited privileges to extract hashed passwords for all accounts and use those hashes in pass-the-hash attacks to gain elevated privileges.

Microsoft has acknowledged the flaw and is tracking it as CVE-2021-36934. No patch is currently available, although Microsoft has outlined a workaround in a security advisory.

PrintSpooler embedded with two more flaws

Microsoft is urging users to disable the PrintSpooler service entirely to safeguard against fresh vulnerabilities discovered in the beleaguered Windows component.

Although Microsoft patched the infamous PrintNightmare vulnerability last week, the developer acknowledged another flaw just days later, which is being tracked as CVE-2021-034481. This elevation of privilege vulnerability can be exploited to allow an attacker to run arbitrary code with system privileges.

This is in addition to researchers discovering a fourth potential PrintSpooler flaw within a matter of weeks, which centres on the fact that the point and print feature allows non-admin users to install printer drivers. Security researcher Benjamin Delpy has also demonstrated a proof-of-concept for successful exploitation of the flaw.

Cloudflare vulnerability might have led to supply-chain attacks

A flaw in the CDNJS library update server, managed by Cloudflare and used by 12.7% of all sites on the internet, might have been abused to execute arbitrary commands and seize control of the CDNJS.

This is an open source software content delivery network that hosts thousands of JavaScript and CSS libraries that sites can adopt to embed features and tools. However, a vulnerability in the update server may have allowed hackers to execute arbitrary commands and infiltrate the CDNJS catalogue, according to security researcher Ryotak.

Compromising CDNJS may have, in turn, led to a series of supply-chain attacks, particularly due to the propensity of the update server to automatically push updates by running scripts on the server to download files from coding repositories.

After Cloudflare was made aware of the flaw on 6 April, it applied a complete fix on 3 June.

Google fixes yet another exploited Chrome zero-day

Google issued an emergency update for a vulnerability embedded in the open source V8 JavaScript engine in Chrome. This is yet another zero-day vulnerability that hackers have exploited in the wild.

The firm has declined to reveal the precise nature of the vulnerability tracked as CVE-2021-30563 until it’s comfortable that a majority of users have installed the update, although it’s rated as highly severe in Google’s security advisory.

This is the eighth vulnerability in Google Chrome to be exploited since the start of 2021, and one that has been patched alongside seven other flaws in the web browser. Users are urged to update to version 91.0.4472.164 for Windows, Mac, and Linux as soon as possible.

Fortinet fixes critical RCE flaw in its software

Fortinet has warned its customers of a critical vulnerability in its software that hackers might be able to exploit to gain full control over targeted devices if the ‘fgfmsd’ daemon is enabled.

This use-after-free vulnerability, present in FortiManager nad FortiAnalyzer, may lead to remote code execution attacks if exploited, the company confirmed in a security advisory. The flaw, tracked as CVE-2021-32589, was first discovered by Cyrille Chatras of Orange Group, and is rated 7.7 out of ten on the CVSS threat severity scale.

FortiManager is a tool that allows customers to centrally manage their Fortinet devices, while FortiAnalyzer is a security analysis tool that provides insights into security threats and offers mitigation steps. The firm has advised customers that disabling the ‘fgfmsd’ daemon serves as a workaround, although updating their software to the latest versions is preferable.

Millions of printers haunted by 16-year-old vulnerability

Researchers have disclosed a previously undiscovered critical vulnerability in the drivers for millions of printers manufactured by HP, Xerox, and Samsung that might allow hackers to seize control of vulnerable devices.

The highly severe heap buffer overflow vulnerability, tracked as CVE-2021-3438, has been embedded in drivers for printers made since 2005, according to Sentinal Labs. The researchers identified that the vulnerable drivers came preloaded on devices, or were silently downloaded when a user installed a legitimate software bundle.

Because this driver is often installed without the knowledge of users, and because it's loaded by Windows on every boot, it makes the driver the perfect candidate for hackers to target. Exploiting this driver flaw could lead to an unprivileged user gaining system privileges, with potential abuses including bypassing security products.