In its Patch Tuesday release for May 2021 Microsoft released guidance and a patch for CVE-2021-31166. We’ve been tracking the research on it, and recommend that those with this vulnerability on their Microsoft IIS servers patch it immediately.
To give you a little insight, there are a few reasons that this particular vulnerability has warranted the additional research from the industry and our team:
- It’s a critical vulnerability: This vulnerability would let an attacker take control of an affected system and shut them down (even without remote code execution (RCE)), and is wormable, so could be used to move across the internal network.
- Discovery of these servers is easy: The discovery of potentially vulnerable servers by attackers is very easy, and IIS servers are pretty common.
- POC exploit code has been released: The first proof-of-concept (POC) exploit code has been released, which generally is the first step before there are more attempts at exploitation. The POC can result in a denial of service (DOS), and is relatively easy to exploit.
- But RCE is difficult: It is not trivial to transform this into an RCE as it requires crafting careful memory manipulations, but some groups could and would accomplish this.
- And it’s only on newer Windows servers: This vulnerability is only applicable to more recent versions of these Windows servers, including Windows 10 2004 and 20H2, and Windows Server 2004 and 20H2. Basically, the Windows 10 and Windows Server OS versions released last year.
Given the rise in ransomware, and the wormability of this vulnerability, it’s a good time to check your IIS servers and make sure that for those newer Windows 10 servers affected that CVE-2021-31166 has been patched. Let’s get it off of those systems before attackers find a way to exploit it.
What to do next…
If you’re not yet familiar with CyCognito, sign up for a demo and let us show you all of your IIS servers. The ones you know about, and the ones you don’t.
Our platform takes the attackers’ perspective to help you dramatically reduce your overall business risk and increase efficiency. With no deployment required, it autonomously discovers and maps your organization’s entire attack surface, including previously unknown assets in on-premises, cloud, partner and subsidiary environments. With an understanding of the business context of your assets and what is most attractive to attackers, it then detects and prioritizes your organization’s most easily exploitable exposures, the attackers’ paths of least resistance. Your security team knows where to focus first to eliminate those risks, while prescriptive remediation guidance and efficient validation speed their work.
Alex Zaslavsky, a former Senior Product Manager at CyCognito, has more than 15 years of infosec experience working on data analytics, system development, architecture and technical product management, in addition to being a veteran of the 8200 unit.
Attack Surface