
December 2021 Patch Tuesday: 76 vulnerabilities and 5 zero days to round out the year

Happy holidays! Congratulations on making it through another year of keeping your systems patched and environments secure. The final Patch Tuesday of 2021 brings us a year-end gift of patches for 72 new vulnerabilities, plus updated patches for 4 older vulnerabilities, for a total of 76. There are also 5 zero days, including one Windows AppX Installer spoofing vulnerability that is being actively exploited in Emotet and Trickbot campaigns and should be high on priority lists.

The big story is the Log4Shell CVE-2021-44228 vulnerability. N‑able RMM and N‑central have been cleared: they either do not use the vulnerable Log4J Java library or have had the vulnerability mitigated where Log4J is used. For more information on the N‑able response to Log4Shell, please check our updated statement here. The silver lining is that the Log4J library typically exists in server-side applications, so efforts can focus on those systems first. For additional information and guidance on Log4Shell, check these Microsoft and CISA resources.

Microsoft vulnerabilities

Microsoft released fixes for 59 vulnerabilities marked as Important and eight as Critical. It’s going to be a busy month for teams responsible for patching, with nine of those marked as exploitation more likely. Your teams may need additional bandwidth to deal with these vulnerabilities this month.

While it might be overshadowed by Log4Shell, the Windows AppX Installer vulnerability CVE-2021-43890 should also be one of your top priorities. It is a zero day under active exploit, and it requires end-user interaction. However, threat actors leveraging the vulnerability to deliver malware like Emotet and Trickbot are proficient at exploiting end users. Informing end users about this spoofing attack and how to avoid it might be warranted if fixes cannot be immediately applied to environments. See Microsoft’s mitigation and workaround information here.


Vulnerability prioritization

As always, it is important to not just prioritize vulnerabilities based on their severity but also on how likely they are to be exploited. Addressing vulnerabilities marked as exploitation more likely is as important—some might say even more so—due to their increased likelihood to actually affect an environment. These 10 CVEs from Microsoft should be top of the list, because they are all marked as Exploitation More Likely or Exploitation Detected.

Cumulative updates

Nothing out of the ordinary for cumulative updates this month. KB5008212 and KB5008206 were released for Windows 10 Version 2004, 20H2, 21H1, and 21H2. These include security improvements and bug fixes.


End of service for Windows 10 2004

Windows 10 Version 2004 receives its last security update this month, as it has hit EOS. It’s a good time to audit for this older build of Windows 10 in your environments and plan upgrades accordingly.

Apple

If you are supporting Apple devices, make sure to review Apple’s security updates.

Cisco

Cisco published advisories this month concerning Log4Shell along with security updates. If you have Cisco equipment in your stack, you should review security updates.

VMware

If you support VMware, check out their advisory about impacts of Log4j and the affected products.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally applied patches based only on their severity, now is the time to start prioritizing patches for zero-day, exploitation detected, and exploitation more likely vulnerabilities in your patch management routines.
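The prioritization described in the "Vulnerability prioritization" section and in this summary can be expressed as a sort order. The following is an added example, not N‑able or Microsoft code: it ranks constructed sample records by exploitability first and severity second, and shows how that differs from a severity-only queue. The record fields, the placeholder IDs, and the rule that a zero day counts at least as "Exploitation More Likely" are assumptions.

```python
from dataclasses import dataclass

# Lower rank = patch sooner. Labels use Microsoft's exploitability wording.
EXPLOIT_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Vuln:
    cve: str
    severity: str
    exploitability: str
    zero_day: bool = False  # hypothetical field name


def severity_key(v):
    return (SEVERITY_RANK.get(v.severity, len(SEVERITY_RANK)), v.cve)


def priority_key(v):
    # Unknown labels sort last instead of raising, so a feed change is visible.
    exploit = EXPLOIT_RANK.get(v.exploitability, len(EXPLOIT_RANK))
    if v.zero_day:
        # Assumption: a zero day is handled at least like "More Likely".
        exploit = min(exploit, EXPLOIT_RANK["Exploitation More Likely"])
    return (exploit,) + severity_key(v)


def by_severity_only(vulns):
    return [v.cve for v in sorted(vulns, key=severity_key)]


def by_exploitability(vulns):
    return [v.cve for v in sorted(vulns, key=priority_key)]


def patch_first(vulns):
    """IDs in the detected / more likely / zero-day tiers, in patch order."""
    cutoff = EXPLOIT_RANK["Exploitation More Likely"]
    return [v.cve for v in sorted(vulns, key=priority_key) if priority_key(v)[0] <= cutoff]


# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE = [
    Vuln("SAMPLE-0001", "Critical", "Exploitation Less Likely"),
    Vuln("SAMPLE-0002", "Important", "Exploitation Detected", zero_day=True),
    Vuln("SAMPLE-0003", "Important", "Exploitation More Likely"),
    Vuln("SAMPLE-0004", "Critical", "Exploitation More Likely"),
    Vuln("SAMPLE-0005", "Important", "Exploitation Unlikely", zero_day=True),
    Vuln("SAMPLE-0006", "Moderate", "Exploitation Less Likely"),
]
```

In the sample, the severity-only queue puts the actively exploited Important item third, while the exploitability-aware queue puts it first.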


Lewis Pope is the head security nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd
