Cybersecurity Vulnerabilities
November 10, 2021

Patch Newsday: Wild CVEs & CISA Directives


With 55 vulnerabilities this month, at first glance it didn’t seem to be the most exciting of Patch Tuesdays. However, two vulnerabilities are being exploited in the wild, which is particularly interesting this month because last week CISA issued a binding operational directive (22-01) requiring faster patching of vulnerabilities that attackers are actively exploiting. I expect to see CVE-2021-42321 and CVE-2021-42292 make the list, and I’m quite intrigued to see how this directive will affect patching policies in the future.

So, without further ado, what caught my eye this Patch Tuesday?

CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability

At first glance, CVE-2021-42321 sounds pretty scary, as we have already seen several Exchange Server vulnerabilities this year that were quickly adopted by attackers for exploitation. This one comes with a CVSS score of 8.8, as the attacker must already have authenticated access. While the release does not detail what level of authentication is required, this vulnerability is marked as being actively exploited in the wild – so it should definitely be high on your list to patch.

CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability

Another CVE being actively exploited in the wild is CVE-2021-42292, a “Security Feature Bypass” vulnerability. Microsoft does not offer any suggestion on what effect this vulnerability can have, but its CVSS score of 7.8 puts it in the ‘high’ severity rating category. This lack of detail can make it hard to prioritize, but anything that is being exploited in the wild should be at the very top of your list to patch.

Microsoft has added a note to the advisory saying that updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. As the Office Suite is usually considered to be a Windows application, it is important to check your policies on Apple devices as they may not be managed in the same way as your traditional Windows updates.

With the lack of description and a lack of updates for a vulnerability being exploited in the wild, it may be worth telling anyone in your organization using Office for Mac to be more cautious until patches are made available.

CVE-2021-42298 – Microsoft Defender Remote Code Execution Vulnerability

Any updates to Defender should always be high on the list of things to check. Defender is designed to scan every file and runs with some of the highest levels of privilege in the operating system. This means an attacker could trigger the exploit by simply sending a file – the victim wouldn’t even need to open or run anything.

For this reason, CVE-2021-42298 is marked as “exploitation more likely”. As it’s not being exploited in the wild, and Defender engine updates are delivered automatically, it should get updated without any manual intervention from administrators. That being said, it’s definitely worth checking to make sure your Defender installations are actually receiving their updates. The advisory from Microsoft includes steps to verify you have the latest versions installed.
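One way to carry out that check across a fleet, as an added example that is not part of the original post: the script below reads the running Defender engine and platform versions with the built-in Get-MpComputerStatus cmdlet and compares them against minimums you take from the advisory. The two minimum version values are placeholders (the advisory's actual numbers are not reproduced here), and the one-day staleness threshold is an assumption.

```powershell
# Added example: verify a host's Defender engine/platform are at or above the
# versions given in the CVE-2021-42298 advisory. Both defaults are PLACEHOLDERS;
# replace them with the versions Microsoft lists in the advisory.
param(
    [version]$MinEngineVersion   = '0.0.0.0',   # placeholder: engine version from advisory
    [version]$MinPlatformVersion = '0.0.0.0'    # placeholder: platform version from advisory
)

# Get-MpComputerStatus reports the running engine (AMEngineVersion), the
# platform (AMProductVersion) and when signatures were last refreshed.
$status = Get-MpComputerStatus

$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMProductVersion

$result = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    EngineVersion        = $engine
    EngineUpToDate       = ($engine -ge $MinEngineVersion)
    PlatformVersion      = $platform
    PlatformUpToDate     = ($platform -ge $MinPlatformVersion)
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    # Assumed threshold: signatures older than a day suggest the update
    # pipeline (WSUS/Intune/proxy) is stalled, which is what this check is for.
    SignaturesStale      = ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-1))
}

$result | Format-List

# Non-zero exit lets a scheduled task or RMM tool surface the failing host.
if (-not ($result.EngineUpToDate -and $result.PlatformUpToDate) -or $result.SignaturesStale) {
    Write-Warning "Defender on $($result.ComputerName) is not fully updated; run Update-MpSignature and check the update channel."
    exit 1
}
```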

CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability

Microsoft’s description for CVE-2021-38666 is not the clearest, but the attack vector suggests that the remote desktop client installed on all supported versions of Windows contains a vulnerability.

To exploit it, an attacker would have to stand up their own server and convince a user to connect to it. There are several ways an attacker could do this, one of which could be to send the target an RDP shortcut file, either via email or as a download. If the target opens this file, which in itself is not malicious, they could be giving the attacker access to their system. In addition to patching this vulnerability, adding detections for RDP files being shared in emails or downloads would also be a sensible step.
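A starting point for that detection, as an added example that is not part of the original post: the script below parses the .rdp files found under a download or attachment folder, pulls out where each one would connect and which redirections it enables, and flags any whose target is not on your list of known remote desktop hosts. The scan path and the AllowedHosts entries are assumptions for this example.

```powershell
# Added example: triage .rdp shortcut files and flag ones pointing at unknown servers.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",            # assumed scan location
    [string[]]$AllowedHosts = @('rds.corp.example')           # assumed: your known RDP hosts
)

function Get-RdpTarget {
    param([string]$File)
    # .rdp files are "key:type:value" lines (type s=string, i=integer). The
    # connection target lives in "full address:s:"; "alternate full address:s:"
    # overrides it. Get-Content honours the UTF-16 BOM that mstsc writes.
    $target = $null; $altTarget = $null; $user = $null; $redirects = @()
    foreach ($line in Get-Content -LiteralPath $File) {
        if ($line -match '^(?<key>[^:]+):(?<type>[sid]):(?<value>.*)$') {
            switch ($Matches.key.ToLower()) {
                'full address'           { $target    = $Matches.value }
                'alternate full address' { $altTarget = $Matches.value }
                'username'               { $user      = $Matches.value }
                # Drive and clipboard redirection give a malicious server a path
                # back into the client, so they are worth surfacing in the report.
                'drivestoredirect'       { if ($Matches.value) { $redirects += 'drives' } }
                'redirectclipboard'      { if ($Matches.value -eq '1') { $redirects += 'clipboard' } }
            }
        }
    }
    $server   = if ($altTarget) { $altTarget } else { $target }
    # Target is host[:port]; compare the host part only (IPv4/hostname form assumed).
    $hostOnly = if ($server) { ($server -split ':')[0].ToLower() } else { '' }
    [pscustomobject]@{
        File       = $File
        Server     = $server
        Username   = $user
        Redirects  = ($redirects -join ',')
        Suspicious = -not ($AllowedHosts -contains $hostOnly)
    }
}

Get-ChildItem -LiteralPath $Path -Filter '*.rdp' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-RdpTarget -File $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table -AutoSize
```

The same Get-RdpTarget function can be pointed at attachments extracted by a mail gateway; a .rdp file with an unknown target plus drive redirection is the case worth alerting on.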

That's all, folks!

There are, of course, several other vulnerabilities in the list of releases and we suggest you review them all. As always, you know your own systems and what risk you carry, so you should make informed decisions on which patches are likely to affect you the most. Patching can be disruptive, so ensure that you have a rollback plan in place in case the worst happens and a patch takes a critical service offline.

See you next month!

Kev Breen,
Director of Cyber Threat Research,
Immersive Labs

@kevthehermit
