November Patch Tuesday 2021
Microsoft has resolved a total of 55 vulnerabilities (CVE’s) in the November Patch Tuesday release, six of which are rated as Critical. The updates include the normal lineup of Windows OS, Office, Azure, and some dev tools like Visual Studio. The more painful part is likely going to be the Exchange update which contains a fix for one of two exploited vulnerabilities this month. Along with the two Zero Day vulnerabilities there are also four publicly disclosed vulnerabilities. From a risk perspective let’s start with the most severe, the two zero days.
Microsoft resolved a Remote Code Execution vulnerability in Microsoft Exchange server (CVE-2021-42321) that has been confirmed to be exploited in the wild. The vulnerability is rated as Important by Microsoft likely because the attacker must be authenticated to be able to exploit the vulnerability. This is a good example of the limits of vendor severity and CVSS scoring and how more information is required to fully understand what to prioritize. Exchange updates often need to be tested more by exchange admins, but an exploit in the wild puts a tighter timeframe on admins to get this vulnerability resolved.
Microsoft resolved a Security Feature Bypass in Microsoft Excel (CVE-2021-42292) that has been confirmed to be exploited in the wild. The exploit does not require authentication but does require user interaction. The Preview Pane is not an attack vector in this case.
Microsoft resolved a pair of Information Disclosure vulnerabilities in Remote Desktop Protocol (CVE-2021-38631 and CVE-2021-41371)) that could allow an RDP server administrator to read Windows RDP client passwords. These two CVEs have been publicly disclosed, but no exploits have currently been observed. The vulnerabilities are only rated as Important and the fact that the attacker would need to be an RDP admin to exploit the information disclosures would make them seem lower priority, but there could be ways for an insider threat to gain access to users credentials they should not have as an example.
Microsoft resolved a pair of Remote Code Execution vulnerabilities in 3D Viewer (CVE-2021-43209 and CVE-2021-43208) that have been publicly disclosed. The 3D Viewer is a Microsoft Store app and should auto update itself. You can verify the package using PowerShell to be sure the update has been applied. 3D Viewer is one of those apps that was installed by default on fresh Windows installs, but Microsoft announced that fresh installs using Windows 10 build 21332 or later would no longer install Paint 3D or 3D Viewer by default.
The urgency this month is on Exchange and Office updates to resolve the two Zero Day vulnerabilities. Beyond these updates is a broader response to vulnerabilities that are known to be trending amongst threat actors. BOD 22-01 was issued to drive federal agencies to mitigate actively exploited vulnerabilities, but any organization should be taking this as good guidance to improve their vulnerability management processes.
Organizations who adopt a risk-based approach to vulnerability management would identify vulnerabilities that find their way onto a list like this as part of their day-to-day vulnerability management activities. Risk-based analysis of the vulnerabilities in the DHS CISA advisory can help prioritize activities for organizations to respond to, starting with the worst of them first:
- A total 287 CVEs are released in the alert
- 32 of them are trending in the last 30 days where attackers are focused on targeting and advancing their tactics
- 53 CVEs are actively used by Ransomware groups
- 54 CVEs are used by Malware authors
- 87 CVEs are capable of a Remote Code Execution
- 166 CVEs are Weaponized
The focus should be Trending - Ransomware - Malware - RCEs – Weaponized. A Risk-Based Vulnerability Management solution provides this type of analysis out of the box helping prioritize actions quickly and efficiently.