November 2021 Patch Tuesday: two actively exploited zero-days to prioritize

It’s a welcome sign to see the total number of vulnerabilities being addressed this month by Microsoft continue last month’s downward trend, offering lighter workloads for those tasked with ensuring endpoints and servers are in compliance. Unfortunately, six of the 55 security vulnerabilities this month are zero-days and should receive priority attention.

First, let’s take a moment to appreciate what tools, such as patch management from N‑able^™ or WSUS from Microsoft, have done to streamline and automate the workflows around handling system updates. A centrally manageable patching solution offers a significant force multiplier, allowing a single engineer to discover, schedule, deploy, and audit patching on thousands of systems with only the investment of a few hours every month.

Microsoft vulnerabilities

Including Microsoft Edge vulnerabilities (typically patched prior to Patch Tuesdays), we have 56 in total for November. Six of them are zero-days, with two of those under active exploitation. Down significantly from last month, where only three vulnerabilities were listed as Exploitation More Likely—but those should be on everyone’s prioritization list as well.   

The first zero-day under active attack is CVE-2021-42292, a Microsoft Excel vulnerability. It is a security bypass vulnerability that allows loading of malicious code just by opening a payload-laden Excel file. Due to the ability for this malicious code to be additionally obfuscated by an attacker, this threat will likely be moderately effective at evading traditional AV solutions that can’t detect fileless attacks.

The second zero-day under active attack is CVE-2021-42321, a Microsoft Exchange Server Remote Code Execution critical vulnerability. While this isn’t in the same league as Exchange vulnerabilities from earlier in the year—it requires an attacker to already be authenticated to the system—it should still be a prioritization for anyone managing Microsoft Exchange Servers. If you want a deeper explanation on this vulnerability, Microsoft’s Exchange Team has a great write-up here.

Other Microsoft vulnerabilities of note this month are CVE-2021-38631, CVE-2021-41371, and CVE-2021-38666. All are related to Remote Desktop Protocol, which is a common target for threat actors. Despite only one being marked as Critical and Exploitation More Likely, they should all be high priority this month because they are zero-days related to a common threat actor target.

Related Product

N‑sight RMM

Comience a trabajar con rapidez con un RMM diseñado para departamentos de TI y MSP pequeños.

Más información

Vulnerability prioritization

The table below lists Critical, Exploitation More Likely, or Exploitation Detected vulnerabilities. This is to highlight how some might have their patching deferred due to a false sense of importance based on a severity rating. Vulnerabilities marked Exploitation More Likely are just as important to address, and quickly, due to their increased likelihood to cause impacts to an environment.

Cumulative updates

KB5007186 and KB5007189 cumulative updates were released with typical previous security fixes included for Windows 10 versions 21H1, 20H2, and 2004. Windows 10 versions 1809 saw KB5007206 released, containing security fixes and addressed some known issues. As of print, no remarkable bug fixes aside from addressing issues with lock screen backgrounds appearing black when slideshow is used for it.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Más información

End of Service for Windows 10 2004

Joining previous Windows builds that hit EoS this year, Windows 10 2004 will no longer receive security updates after December 14, 2021. That’s only three months to plan for transition to newer builds. If you don’t already have plans in motion, then today is the day to start.

Apple

Apple released Safari 15.1 in late October to address several vulnerabilities. CVE-2021-30889 is marked as High severity and could allow arbitrary code execution from maliciously crafted web content. See Apple’s security updates for information about recent vulnerability fixes.

Cisco

We don’t usually talk about firmware vulnerabilities, but this month is a first. Cisco released security updates to address critical unauthenticated user vulnerabilities involving hard-coded credentials on Catalyst PON Switches or default SSH keys in Cisco Policy Suite. See CVE-2021-34795 and CVE-2021-40119 for information on remediation of these vulnerabilities from Cisco.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, now is the time to start including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your patch management routines.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd