Microsoft Patch Tuesday December 2021. Hello everyone! It’s even strange to talk about other vulnerabilities, while everyone is so focused on vulnerabilities in log4j. But life doesn’t stop. Other vulnerabilities appear every day. And of course, there are many critical ones among them that require immediate patching. This episode will be about Microsoft Patch Tuesday for December 2021.
I will traditionally use my open source Vulristics tool for analysis.
I run Vulristics like this:
python3.8 vulristics.py --report-type "ms_patch_tuesday" --mspt-year 2021 --mspt-month "December" --rewrite-flag "True"
And get a report:
ms_patch_tuesday_december2021_report_with_comments_ext_img.html
Of course, everything was not entirely smooth. I had to make changes to the script for receiving comments from Tenable, a connector for Microsoft, and edit the detections of products and vulnerability types.
There were 72 vulnerabilities in total. If you look at CVSS only, then 5 will be critical. According to my metric there were no critical vulnerabilities. This is primarily because there were no vulnerabilities with public exploits.
It was not possible to clearly define the type for one vulnerability. I left it as it is. “Insufficient data validation” can mean anything.
The most critical vulnerability is Spoofing in Windows AppX Installer (CVE-2021-43890). AppX installer is used to install AppX apps on Windows 10 systems. It has been linked to attacks associated with the Emotet/TrickBot/Bazaloader family. To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, for example, through a phishing attack. It seems that code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system.
The next most critical vulnerability is Remote Code Execution in iSNS Server (CVE-2021-43215). “This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server. If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually.”
Further, the prioritization is not so obvious. Remote Code Execution in Windows Encrypting File System (CVE-2021-43217). “An attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution”. It looks interesting, but the real exploitability is questionable.
Remote Code Execution in Windows Remote Desktop Client (CVE-2021-43233). “Microsoft rated this “Exploitation More Likely.” Exploiting this flaw would require a vulnerable target to connect to a malicious RDP server. Successful exploitation would allow an attacker to execute arbitrary code on the machine of the connected client.”
Remote Code Execution in Microsoft SharePoint (CVE-2021-42309). “The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls.”
Remote Code Execution in Microsoft Office (CVE-2021-43905). “To exploit this vulnerability, an attacker would have to create a malicious Microsoft Office document and convince a user through social engineering to open the document. Microsoft says that the Preview Pane is not an attack vector, which means exploitation requires opening the document, not merely previewing it.”
And this one is my favorite. Remote Code Execution in Microsoft 4K Wireless Display Adapter. Microsoft is not only a software vendor. Sometimes they also have vulnerabilities in their hardware. “This update fixes a vulnerability that could allow an unauthenticated attacker to execute their code on an affected device. The attacker would need to be on the same network as the Microsoft 4K Display Adapter. If they are, they could send specially crafted packets to the affected device. Patching this won’t be an easy chore. To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can the use the “Update & Security” section of the app to download the latest firmware to mitigate this bug.”
Yet another Elevation of Privilege in Windows Print Spooler (CVE-2021-41333). “Exploitation More Likely”. “Given the mass exploitation of prior Print Spooler vulnerabilities, users should apply these patches as soon as possible.”
Elevation of Privilege in Windows Installer (CVE-2021-43883). “To exploit this vulnerability, an attacker would need to convince the target to open a specially crafted installer in order to gain elevated privileges.”
Finally, I would like to note the Memory Corruption in Microsoft Edge (CVE-2021-4102). This is a very low priority vulnerability. However, the description has “Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.” However, for some reason Microsoft does not specify exploitability in the wild for this vulnerability, as they do it for their other vulnerabilities. It’s a pity.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.