Patch Tuesday

Patch Newsday: Wild CVEs & CISA Directives

Written by
Evander Pierre
Published on
November 10, 2021

With 55 vulnerabilities this month, at first glance it didn’t seem to be the most exciting of Patch Tuesdays. However, two vulnerabilities are being exploited in the wild, which is particularly interesting this month because last week CISA issued a binding operational directive (22-01) requiring faster patching of vulnerabilities that are actively being exploited by attackers. I expect to see CVE-2021-42321 and CVE-2021-42292 make the list, and I’m quite intrigued to see how this directive will affect patching policies in the future.

So, without further ado, what caught my eye this Patch Tuesday?

CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability

At first glance, CVE-2021-42321 sounds pretty scary, as we have already seen several Exchange Server vulnerabilities this year that were quickly adopted by attackers for exploitation. This one comes with a CVSS score of 8.8, as the attacker must already have authenticated access. While the release does not detail what level of authentication is required, this vulnerability is marked as being actively exploited in the wild – so it should definitely be high on your list to patch.

CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability

Another CVE being actively exploited in the wild is CVE-2021-42292, a “Security Feature Bypass” vulnerability. Microsoft does not offer any suggestion on what effect this vulnerability can have, but its CVSS score of 7.8 puts it in the ‘high’ severity rating category. This lack of detail can make it hard to prioritize, but anything that is being exploited in the wild should be at the very top of your list to patch.

Microsoft has added a note to the advisory saying that updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. As the Office Suite is usually considered to be a Windows application, it is important to check your policies on Apple devices as they may not be managed in the same way as your traditional Windows updates.

With the lack of description and a lack of updates for a vulnerability being exploited in the wild, it may be worth telling anyone in your organization using Office for Mac to be more cautious until patches are made available.

CVE-2021-42298 – Microsoft Defender Remote Code Execution Vulnerability

Any updates to Defender should always be high on the list of things to check. Defender is designed to scan every file and runs with some of the highest levels of privilege in the operating system. This means an attacker could trigger the exploit by simply sending a file – the victim wouldn’t even need to open or run anything.

For this reason, CVE-2021-42298 is marked as “exploitation more likely”. As it’s not being exploited in the wild, and Defender updates itself, it should get updated without any manual intervention from administrators. That being said, it’s definitely worth checking that your Defender installations are actually receiving their updates. The advisory from Microsoft includes steps to verify you have the latest versions installed.

CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability

Microsoft’s description for CVE-2021-38666 is not the clearest, but the attack vector suggests that the remote desktop client installed on all supported versions of Windows contains a vulnerability.

To exploit it, an attacker would have to create their own server and convince a user to connect to the attacker. There are several ways an attacker could do this, one of which could be to send the target an RDP shortcut file, either via email or a download. If the target opens this file, which in itself is not malicious, they could be giving the attacker access to their system. In addition to patching this vulnerability, adding detections for RDP files being shared in emails or downloads would also be a sensible step.
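As an added example, not part of the original post, here is a small Python check of the kind the last sentence suggests: it parses the RDP shortcut file format (plain-text `name:type:value` lines) from a mail attachment or download, identifies the file by its content rather than its extension, and flags shortcuts whose target host is outside the organisation. The trusted-domain suffix and the sample file contents are constructed assumptions; the drive-redirection check is an extra signal beyond what the post mentions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# RDP shortcut files are plain text, one "name:type:value" setting per line,
# where type is s (string), i (integer) or b (binary).
RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Assumption: hosts under these suffixes are the organisation's own RDP endpoints.
TRUSTED_SUFFIXES = (".corp.example",)

@dataclass
class RdpVerdict:
    is_rdp: bool
    full_address: Optional[str] = None
    reasons: list[str] = field(default_factory=list)

def parse_rdp(text: str) -> dict[str, str]:
    """Return the settings found in RDP shortcut text, keyed by lower-cased name."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        m = RDP_LINE.match(line.strip())
        if m:
            settings[m.group("name").strip().lower()] = m.group("value").strip()
    return settings

def inspect_attachment(filename: str, data: bytes) -> RdpVerdict:
    """Flag an attachment that is an RDP shortcut pointing outside the trusted domains.

    The decision is made on content, so a renamed .rdp file is still caught."""
    try:  # RDP files saved by mstsc are UTF-16 with a BOM; others are usually UTF-8
        text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8", "replace")
    except UnicodeDecodeError:
        return RdpVerdict(is_rdp=False)
    settings = parse_rdp(text)
    # It is an RDP shortcut if it has the defining "full address" setting,
    # or carries the .rdp extension together with RDP-style lines.
    if "full address" not in settings and not (filename.lower().endswith(".rdp") and settings):
        return RdpVerdict(is_rdp=False)
    verdict = RdpVerdict(is_rdp=True, full_address=settings.get("full address"))
    host = (verdict.full_address or "").split(":")[0].lower()  # hostname or IPv4, optional :port
    if not host:
        verdict.reasons.append("rdp file without a target host")
    elif not host.endswith(TRUSTED_SUFFIXES):
        verdict.reasons.append(f"rdp target {host!r} is outside trusted domains")
    if settings.get("redirectdrives", "0") == "1" or settings.get("drivestoredirect"):
        verdict.reasons.append("drive redirection enabled")  # local drives exposed to the server
    if not filename.lower().endswith(".rdp"):
        verdict.reasons.append("rdp content with a non-.rdp filename")
    return verdict

# Constructed sample of what a mailed RDP shortcut could look like.
SAMPLE_RDP = b"full address:s:desktop.remote-example.net:3389\r\nredirectdrives:i:1\r\nusername:s:guest\r\n"

if __name__ == "__main__":
    print(inspect_attachment("invoice.rdp", SAMPLE_RDP))
```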

That's all, folks!

There are, of course, several other vulnerabilities in the list of releases and we suggest you review them all. As always, you know your own systems and what risk you carry, so you should make informed decisions on which patches are likely to affect you the most. Patching can be disruptive, so ensure that you have a rollback plan in place in case the worst happens and a patch takes a critical service offline.

See you next month!

Kev Breen

Kev Breen,
Director of Cyber Threat Research,
Immersive Labs

@kevthehermit
