Microsoft’s Patch Tuesday for November 2021 fixed 55 bugs across several products, six of which are rated critical. It’s recommended to apply updates ASAP.
Priority vulnerabilities
Of the 55 vulnerabilities patched, six are rated as critical, and two have been observed being actively exploited in the wild. Given this year’s high volume of Exchange attacks leveraging the ProxyLogon and ProxyShell vulnerabilities, prompt and continuous patching of Exchange is highly recommended. The ubiquity of Excel in the workplace makes it an ideal target; it should be a priority for patching as well.
CVE-2021-42321: Microsoft Exchange Server Remote Code Execution
This RCE vulnerability, with a CVSS score of 8.8, is described as being low complexity. The issue stems from improper validation of cmdlet (“command-let”) arguments in the PowerShell runtime. While an attacker must be authenticated, Microsoft says it is aware of this vulnerability being exploited in the wild.
The update process for Exchange Server is detailed in Tuesday’s blog post from the Exchange Team.
CVE-2021-42292: Microsoft Excel Security Feature Bypass
Reportedly exploited in the wild as a zero-day, this vulnerability affects both Windows and macOS platforms. It allows a bypass of security features in Excel, which in turn can allow code execution on the client when a specially crafted file is opened. There is little in the way of description of the exploit, but given its actively exploited status it is ranked high.
Other high rated vulnerabilities
While not known to be actively exploited, these vulnerabilities are still significant risks and have been patched by the latest round of updates from Microsoft:
CVE-2021-42298: Microsoft Defender Remote Code Execution
Ironically, Microsoft Defender is an ideal target for RCE, as it’s designed to touch every file in an endpoint’s filesystem and does so with fairly high system privileges. These types of exploits are being called “no click” exploits, as the payload of a malicious file can be triggered without user activity.
CVE-2021-38666: Remote Desktop Client Remote Code Execution
An attacker can remotely execute code on a Remote Desktop client if the client connects to a compromised RDP server. This vulnerability is somewhat lower risk, as the attacker would need to bait or convince a user to connect to their RDP server.
CVE-2021-38631 / CVE-2021-41371: Information Disclosure Vulnerabilities in Microsoft Remote Desktop Protocol (RDP)
These vulnerabilities can allow an attacker to see passwords on unpatched Windows 7 – 11 and Windows Server 2008 – 2019 systems running RDP. While disclosed by researchers and not known to be actively exploited, this password scraping can be a stepping stone to a greater attack.
Resources
Microsoft Exchange Team blog
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169
Threatpost Patch Tuesday article
https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/