Overview of CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

This report is about three high severity Windows TCP/IP vulnerabilities tracked as CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086. All three are exploitable by a remote, unauthenticated attacker and impact Windows Client and Windows Server OS versions 7 and above. Successful exploitation could result in significant system downtime and the exfiltration of sensitive company data. Microsoft has urged customers to install the most recent Windows security updates as soon as possible to remove these threats from their environment.

TIR-20210213 Tactics, Techniques, and Procedures

CVE-2021-24074 and CVE-2021-24094 are critical Remote Code Execution (RCE) vulnerabilities that expose unpatched systems running Windows 7 and above to RCE attacks by an unauthenticated attacker. RCE vulnerabilities give an attacker the opportunity to run malicious code and may enable them to gain full system access, laterally move through the network, and exfiltrate sensitive data.

CVE-2021-24086 is a high severity Denial of Service (DoS) vulnerability that also affects systems running Windows client and Windows server OS versions 7 and above. This vulnerability could allow a remote attacker to block the availability of targeted resources by triggering a DoS state on the system.

These vulnerabilities are the result of a flaw in Microsoft’s implementation of TCP/IP. Microsoft stated that all three issues could be exploited with a DoS attack and urged customers to install this month’s Windows security updates as soon as possible:

“We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month. The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic. It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible.”

- Microsoft Security Response Center

The most recent Windows security updates can be downloaded from Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/

Microsoft has also provided workarounds for those who are unable to immediately deploy security updates to all Windows devices:

Business Unit Impact

High severity vulnerabilities in commonly used products could greatly impact the security and availability of local resources.

  • Remote code execution vulnerabilities could allow an attacker to access and control sensitive company data and vital assets.
  • Denial of service vulnerabilities exposes devices to DoS attacks which could lead to significant production downtime.

Our Recommendations

If your company uses products running Windows Client or Windows Server OS 7 or above, we recommend ensuring that you have installed the latest security updates. If you are unable to immediately deploy security updates to all Windows devices, we recommend implementing the provided workarounds to reduce the threat of these vulnerabilities in your environment.


MITRE ATT&CK Techniques:

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.