The CVE-2021-42321 and CVE-2021-42292 vulnerabilities
Microsoft has addressed 55 issues as part of its monthly Patch Tuesday release cycle. The published security patches include solutions for two actively exploited zero-day vulnerabilities in Excel and Exchange Server that may be exploited to take over an unprotected machine.
Six of the 55 bugs are classified as Critical, 49 as Important, and four were already known to the public at the time of the patch release.
Microsoft Exchange Server’s CVE-2021-42321 (CVSS score: 8.8) and Microsoft Excel’s CVE-2021-42292 (CVSS score: 7.8) are the two most serious issues. The Exchange Server flaw concerns a post-authentication remote code execution bug while the Excel flaw is related to a security bypass vulnerability in versions from 2013 to 2021.
Microsoft has not gone into detail about how the two vulnerabilities were exploited in real-world attacks. Earlier this year it was revealed that APT Group HAFNIUM was attacking four zero-day vulnerabilities in the Microsoft Exchange server.
Microsoft’s November patch includes also a fix for the OpenSSL SM2 decryption issue that was discovered in August 2021. Tracked as CVE-2021-3711, this flaw may be exploited by hackers to execute arbitrary code and create a denial-of-service (DoS) attacks.
Fixes for several remote code execution weaknesses in Chakra Scripting Engine (CVE-2021-42279), Microsoft Virtual Machine Bus (CVE-2021-26443), Remote Desktop Client (CVE-2021-38666), Microsoft Defender (CVE-2021-42298), and on-premises versions of Microsoft Dynamics 365 (CVE-2021-42316).
Four vulnerabilities that have been publicly disclosed but have not been exploited are also addressed in this latest Patch Tuesday update:
- CVE-2021-38631 (CVSS score: 4.4) – RDP Information Disclosure Vulnerability in Windows
- 2021-41371 (CVSS score: 4.4) – RDP Information Disclosure Vulnerability in Windows
- CVE-2021-43208 (CVSS score: 7.8) – Remote Code Execution Vulnerability in 3D Viewer
- CVE-2021-43209 (CVSS score: 7.8) – Remote Code Execution Vulnerability in 3D Viewer
As a final touch, the update includes fixes for several critical privilege escalation vulnerabilities, including those for NTFS (CVE-2021-41367, CVE-2021-4370, CVE-2021-42283), Windows Kernel (CVE-2021-42285), Windows Desktop Bridge (CVE-2021-36957), Windows Fast FAT File System Driver (CVE-2021-41377), and Visual Studio Code (CVE-2021-42322).
Microsoft Exchange servers are a high-value target for hackers attempting to enter important networks. Infectious disease researchers, law companies, universities, military contractors, policy think tanks, and NGOs have all been targeted.
Windows users can go to the Start Menu, select Settings, then go to Update & Security and select Windows Update or choose Check for Windows updates to install the newest security patches.