November 2021 Patch Tuesday: two actively exploited zero-days to prioritize

It’s a welcome sign to see the total number of vulnerabilities being addressed this month by Microsoft continue last month’s downward trend, offering lighter workloads for those tasked with ensuring endpoints and servers are in compliance. Unfortunately, six of the 55 security vulnerabilities this month are zero-days and should receive priority attention.
First, let’s take a moment to appreciate what tools, such as patch management from N‑able™ or WSUS from Microsoft, have done to streamline and automate the workflows around handling system updates. A centrally manageable patching solution offers a significant force multiplier, allowing a single engineer to discover, schedule, deploy, and audit patching on thousands of systems with only the investment of a few hours every month.
Microsoft vulnerabilities
Including Microsoft Edge vulnerabilities (typically patched prior to Patch Tuesday), we have 56 in total for November. Six of them are zero-days, with two of those under active exploitation. That is down significantly from last month. Only three vulnerabilities are listed as Exploitation More Likely, but those should be on everyone’s prioritization list as well.
The first zero-day under active attack is CVE-2021-42292, a security feature bypass in Microsoft Excel. It allows malicious code to load when a user simply opens a payload-laden Excel file. Because an attacker can further obfuscate that code, this threat is likely to be moderately effective at evading traditional AV solutions that cannot detect fileless attacks.
The second zero-day under active attack is CVE-2021-42321, a Critical Remote Code Execution vulnerability in Microsoft Exchange Server. While this is not in the same league as the Exchange vulnerabilities from earlier in the year (it requires the attacker to already be authenticated to the system), it should still be a priority for anyone managing Microsoft Exchange servers. If you want a deeper explanation of this vulnerability, Microsoft’s Exchange Team has a great write-up here.
Other Microsoft vulnerabilities of note this month are CVE-2021-38631, CVE-2021-41371, and CVE-2021-38666. All are related to Remote Desktop Protocol, which is a common target for threat actors. Although only one of them is marked Critical and Exploitation More Likely, all three should be high priority this month: they are zero-days in a component that threat actors commonly target.
Vulnerability prioritization
The table below lists the vulnerabilities rated Critical, Exploitation More Likely, or Exploitation Detected. It is meant to show how the patching of some vulnerabilities can be deferred because a severity rating alone gives a false sense of their importance. Vulnerabilities marked Exploitation More Likely are just as important to address, and quickly, because they are more likely to cause impact in an environment.
| CVE | Description | Exploitability | Severity |
| --- | --- | --- | --- |
| | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| CVE-2021-3711 | OpenSSL: SM2 Decryption Buffer Overflow | Exploitation Less Likely | Critical |
| | Microsoft Defender Remote Code Execution Vulnerability | Exploitation More Likely | Critical |
| | Remote Desktop Client Remote Code Execution Vulnerability | Exploitation More Likely | Critical |
| | Chakra Scripting Engine Memory Corruption Vulnerability | Exploitation Less Likely | Critical |
| | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Exploitation Detected | Critical |
| CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Exploitation Detected | Critical |
| | Windows Denial of Service Vulnerability | Exploitation More Likely | Important |
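As an added example (not code from the article or from N‑able), the following Python triage applies the ordering this section argues for to the table rows: the exploitability label and zero-day status outrank the severity rating, and a severity-only sort is kept alongside to show what it misses. Titles are shortened, zero-day flags are taken from the prose above, and CVE ids are filled in only where the page gives them.

```python
from dataclasses import dataclass

# Rank tables for the two Microsoft labels the article keys on; lower is
# more urgent, and labels missing from a table fall to the end.
EXPLOITABILITY_RANK = {"Exploitation Detected": 0, "Exploitation More Likely": 1,
                       "Exploitation Less Likely": 2, "Exploitation Unlikely": 3}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str            # empty where the table row carried no id
    title: str
    exploitability: str
    severity: str
    zero_day: bool = False


def priority_key(adv):
    """Patch-first ordering from the article: exploitability outranks
    severity, a zero-day wins ties inside a tier, then severity decides."""
    exp = EXPLOITABILITY_RANK.get(adv.exploitability, len(EXPLOITABILITY_RANK))
    sev = SEVERITY_RANK.get(adv.severity, len(SEVERITY_RANK))
    return (exp, 0 if adv.zero_day else 1, sev, adv.title)


def triage(advisories):
    """Titles in the order the article argues for."""
    return [a.title for a in sorted(advisories, key=priority_key)]


def severity_only(advisories):
    """The ordering the article warns against: the severity rating alone."""
    return [a.title for a in sorted(
        advisories, key=lambda a: (SEVERITY_RANK.get(a.severity, 99), a.title))]


# Constructed sample: this month's table rows, with zero-day flags taken
# from the article's prose (Exchange, Excel and the RDP client).
NOVEMBER_2021 = [
    Advisory("", "Dynamics 365 RCE", "Exploitation Less Likely", "Critical"),
    Advisory("CVE-2021-3711", "OpenSSL SM2 overflow", "Exploitation Less Likely", "Critical"),
    Advisory("", "Defender RCE", "Exploitation More Likely", "Critical"),
    Advisory("", "RDP Client RCE", "Exploitation More Likely", "Critical", zero_day=True),
    Advisory("", "Chakra memory corruption", "Exploitation Less Likely", "Critical"),
    Advisory("", "VMBus RCE", "Exploitation Less Likely", "Critical"),
    Advisory("CVE-2021-42321", "Exchange Server RCE", "Exploitation Detected", "Critical", zero_day=True),
    Advisory("CVE-2021-42292", "Excel security feature bypass", "Exploitation Detected", "Critical", zero_day=True),
    Advisory("", "Windows denial of service", "Exploitation More Likely", "Important"),
]
```

Under the severity-only sort the Important-rated Windows denial of service lands last, while the article's ordering moves it ahead of every Critical item that is only Exploitation Less Likely.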
Cumulative updates
The KB5007186 and KB5007189 cumulative updates were released for Windows 10 versions 21H1, 20H2, and 2004, including the usual previous security fixes. Windows 10 version 1809 received KB5007206, which contains security fixes and addresses some known issues. As of writing, there are no remarkable bug fixes beyond a fix for lock screen backgrounds appearing black when a slideshow is used.
End of Service for Windows 10 2004
Joining previous Windows builds that hit EoS this year, Windows 10 2004 will no longer receive security updates after December 14, 2021. That’s only three months to plan for transition to newer builds. If you don’t already have plans in motion, then today is the day to start.
Apple
Apple released Safari 15.1 in late October to address several vulnerabilities. CVE-2021-30889 is marked as High severity and could allow arbitrary code execution from maliciously crafted web content. See Apple’s security updates for information about recent vulnerability fixes.
Cisco
We don’t usually talk about firmware vulnerabilities, but this month is a first. Cisco released security updates to address critical vulnerabilities exploitable by unauthenticated users, involving hard-coded credentials on Catalyst PON Switches and default SSH keys in Cisco Policy Suite. See CVE-2021-34795 and CVE-2021-40119 for Cisco’s remediation information for these vulnerabilities.
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, now is the time to start including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your patch management routines.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on:
Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only. It should not be used to obtain legal advice. N‑able makes no warranty, express or implied, and assumes no legal responsibility or liability for the accuracy, completeness, or usefulness of any information contained in this document.
N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd., and may be common law marks, registered, or pending registration with the United States Patent and Trademark Office or in other countries. All other trademarks mentioned in this document are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.