Head Nerds
Gestion des mises à jour
Sécurité

November 2021 Patch Tuesday: two actively exploited zero-days to prioritize

It’s a welcome sign to see the total number of vulnerabilities being addressed this month by Microsoft continue last month’s downward trend, offering lighter workloads for those tasked with ensuring endpoints and servers are in compliance. Unfortunately, six of the 55 security vulnerabilities this month are zero-days and should receive priority attention.

First, let’s take a moment to appreciate what tools, such as patch management from N‑able or WSUS from Microsoft, have done to streamline and automate the workflows around handling system updates. A centrally manageable patching solution offers a significant force multiplier, allowing a single engineer to discover, schedule, deploy, and audit patching on thousands of systems with only the investment of a few hours every month.

Microsoft vulnerabilities

Including Microsoft Edge vulnerabilities (typically patched prior to Patch Tuesdays), we have 56 in total for November. Six of them are zero-days, with two of those under active exploitation. Down significantly from last month, where only three vulnerabilities were listed as Exploitation More Likely—but those should be on everyone’s prioritization list as well.   

The first zero-day under active attack is CVE-2021-42292, a Microsoft Excel vulnerability. It is a security bypass vulnerability that allows loading of malicious code just by opening a payload-laden Excel file. Due to the ability for this malicious code to be additionally obfuscated by an attacker, this threat will likely be moderately effective at evading traditional AV solutions that can’t detect fileless attacks.

The second zero-day under active attack is CVE-2021-42321, a Microsoft Exchange Server Remote Code Execution critical vulnerability. While this isn’t in the same league as Exchange vulnerabilities from earlier in the year—it requires an attacker to already be authenticated to the system—it should still be a prioritization for anyone managing Microsoft Exchange Servers. If you want a deeper explanation on this vulnerability, Microsoft’s Exchange Team has a great write-up here.

Other Microsoft vulnerabilities of note this month are CVE-2021-38631, CVE-2021-41371, and CVE-2021-38666. All are related to Remote Desktop Protocol, which is a common target for threat actors. Despite only one being marked as Critical and Exploitation More Likely, they should all be high priority this month because they are zero-days related to a common threat actor target.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Vulnerability prioritization

The table below lists Critical, Exploitation More Likely, or Exploitation Detected vulnerabilities. This is to highlight how some might have their patching deferred due to a false sense of importance based on a severity rating. Vulnerabilities marked Exploitation More Likely are just as important to address, and quickly, due to their increased likelihood to cause impacts to an environment.

CVE

Description

Exploitability

Severity

CVE-2021-42316

Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

Exploitation Less Likely

Critical

CVE-2021-3711

OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow

Exploitation Less Likely

Critical


CVE-2021-42298

Microsoft Defender Remote Code Execution Vulnerability

Exploitation More Likely

Critical

CVE-2021-38666

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation More Likely

Critical

CVE-021-42279

Chakra Scripting Engine Memory Corruption Vulnerability

Exploitation Less Likely

Critical

CVE-2021-26443

Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability

Exploitation Less Likely

Critical

CVE-2021-42321

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploitation Detected

Critical

CVE-2021-42292

Microsoft Excel Security Feature Bypass Vulnerability

Exploitation Detected

Critical

CVE-2021-41356

Windows Denial of Service Vulnerability

Exploitation More Likely

Important

Cumulative updates

KB5007186 and KB5007189 cumulative updates were released with typical previous security fixes included for Windows 10 versions 21H1, 20H2, and 2004. Windows 10 versions 1809 saw KB5007206 released, containing security fixes and addressed some known issues. As of print, no remarkable bug fixes aside from addressing issues with lock screen backgrounds appearing black when slideshow is used for it.

Related Product

N‑sight RMM

RMM est parfait pour les petites entreprises MSP et les départements informatiques qui souhaitent être opérationnels rapidement.

End of Service for Windows 10 2004

Joining previous Windows builds that hit EoS this year, Windows 10 2004 will no longer receive security updates after December 14, 2021. That’s only three months to plan for transition to newer builds. If you don’t already have plans in motion, then today is the day to start.

Apple

Apple released Safari 15.1 in late October to address several vulnerabilities. CVE-2021-30889 is marked as High severity and could allow arbitrary code execution from maliciously crafted web content. See Apple’s security updates for information about recent vulnerability fixes.

Cisco

We don’t usually talk about firmware vulnerabilities, but this month is a first. Cisco released security updates to address critical unauthenticated user vulnerabilities involving hard-coded credentials on Catalyst PON Switches or default SSH keys in Cisco Policy Suite. See CVE-2021-34795 and CVE-2021-40119 for information on remediation of these vulnerabilities from Cisco.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, now is the time to start including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your patch management routines.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.