Report Name: Microsoft Patch Tuesday, November 2021
Generated: 2021-11-30 00:40:46

Product Name	Prevalence	U	C	H	M	L	Comment
Active Directory	0.9				4		Active Directory is a directory service developed by Microsoft for Windows domain networks
Windows Kernel	0.9			1	1		Windows Kernel
CShell	0.8				1		CShell is a universal Windows Shell for Windows 10 that scales across PC, Mobile, and Xbox
CredSSP	0.8				1		CredSSP is a Security Support Provider that lets an application delegate the user's credentials from the client to the target server for remote authentication
Diagnostics Hub Standard Collector	0.8				1		Diagnostics Hub Standard Collector is part of Windows diagnostics tools and it collects real time ETW (Event Tracing for Windows) events and processes them
FSLogix	0.8				1		FSLogix enhances and enables user profiles in Windows remote computing environments
Media Foundation	0.8			1			Windows component
Microsoft COM	0.8			1			COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact
Microsoft Defender	0.8			1			Anti-malware component of Microsoft Windows
Microsoft Edge	0.8				1		Web browser
Microsoft Exchange	0.8		1		2		Exchange
OpenSSL	0.8				1		A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
Windows Fast FAT File System Driver	0.8				1		Windows component
Windows Hello	0.8			1			Windows component
Windows Installer	0.8				1		Windows Installer
Windows NTFS	0.8			1	3		The default file system of the Windows NT family
Windows Remote Desktop Client	0.8			1	1		Remote Desktop Protocol Client
Windows Remote Desktop Protocol	0.8				2		Windows component
3D Viewer	0.7			2			Standard Windows Application
Windows Desktop Bridge	0.7				1		Windows Desktop Bridge
Windows Feedback Hub	0.7				1		Feedback Hub is a universal app designed to allow users to provide feedback, feature suggestions, and bug reports for the operating system
Chakra	0.6				1		Chakra is a proprietary JScript engine used in the Internet Explorer web browser
Microsoft Access	0.6				1		MS Office product
Microsoft Excel	0.6	1		1			MS Office product
Microsoft Virtual Machine Bus	0.6			1			Hyper-V Virtual Machine Bus (VMBus)
Microsoft Word	0.6			1			MS Office product
Windows Hyper-V	0.6				2		Hardware virtualization component of the client editions of Windows NT
Microsoft Dynamics 365	0.5			1			Microsoft Dynamics 365 is a product line of enterprise resource planning (ERP) and customer relationship management (CRM) intelligent business applications
Azure Sphere	0.4				3	1	Microsoft Azure Sphere is a solution for creating highly-secured, connected, MCU-powered devices
Azure RTOS	0.3				3	3	Azure RTOS is a small, fast, reliable, and easy-to-use real-time operating system (RTOS) for connecting deeply embedded IoT devices
Power BI	0.3				1		Power BI is a business analytics service by Microsoft
Visual Studio	0.3				1		Integrated development environment
Visual Studio Code	0.3				1		Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0		1	11	1		Remote Code Execution
Security Feature Bypass	0.9	1		1			Security Feature Bypass
Denial of Service	0.7			1	2		Denial of Service
Memory Corruption	0.6				2		Memory Corruption
Elevation of Privilege	0.5				21		Elevation of Privilege
Information Disclosure	0.4				6	4	Information Disclosure
Spoofing	0.4				3		Spoofing
Tampering	0.3				1		Tampering

Urgent (1)

1. Security Feature Bypass - Microsoft Excel (CVE-2021-42292) - Urgent [877]

Description: Microsoft Excel Security Feature Bypass Vulnerability

qualys: CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability. The vulnerability in Microsoft Excel can be exploited using a Specially Crafted File, allowing an attacker to execute code. The vulnerability affects both Windows and macOS versions; a patch for the latter has not yet been released.

tenable: CVE-2021-42292 is a security feature bypass zero-day in Microsoft Excel that received a 7.8 CVSSv3 score and has been exploited in the wild. Discovery of this flaw is credited to the Microsoft Threat Intelligence Center (MSTIC) but no further information on the vulnerability or the detected exploitations has been published at this time. Microsoft specifically notes that the Preview Pane is not an attack vector for this vulnerability, which means the victim would need to open a malicious Excel document for exploitation to occur. Microsoft notes that patches for Office for Mac are still in progress.

zdi: CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability. This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel. This is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature. It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users. They must wait for a future update to be protected. It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as “proof of concept”.

Critical (1)

2. Remote Code Execution - Microsoft Exchange (CVE-2021-42321) - Critical [718]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability

qualys: CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability. This is an actively exploited vulnerability that affects Microsoft Exchange Server 2019 and Microsoft Exchange Server 2016. This is a post-authentication vulnerability that allows code execution. Microsoft has additional details in a public blog post.

tenable: CVE-2021-42321 is a RCE vulnerability in Microsoft Exchange Server. The flaw exists due to the improper validation of command-let (cmdlet) arguments. To exploit this vulnerability, an attacker would need to be authenticated to a vulnerable Exchange Server. Microsoft says they are aware of “limited targeted attacks” using this vulnerability in the wild. Additionally, this appears to be the same vulnerability in Exchange Server that was exploited at the Tianfu Cup, a Chinese cybersecurity contest.

zdi: CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability. This Exchange bug is listed by Microsoft as currently under active attack; however, authentication is listed as a requirement. As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible. Microsoft has also published this blog to aid Exchange administrators with their patch deployment.

High (13)

3. Remote Code Execution - Windows Remote Desktop Client (CVE-2021-38666) - High [475]

Description: Remote Desktop Client Remote Code Execution Vulnerability

qualys: CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability. This vulnerability in Remote Desktop Clients can be exploited by an attacker who controls a Remote Desktop Server. The attacker can trick a user into connecting to the compromised/malicious Desktop Server, resulting in remote code execution.

tenable: CVE-2021-38666 is a RCE vulnerability in the Remote Desktop Client that received a CVSSv3 score of 8.8. The vulnerability can be exploited when a victim machine connects to an attacker-controlled Remote Desktop server, allowing the attacker to execute arbitrary code on the victim's machine. While no public exploit appears to exist at this time, Microsoft has designated this flaw as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

zdi: CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability. While not as severe as a bug in the RDP Server, this bug in the RDP client is still worth prioritizing. If an attacker can lure a user to connect to a malicious RCP server, they could execute code on the connecting RDP client system. Again, this doesn’t reach the level of the Bluekeep bugs, but definitely something to watch.

4. Remote Code Execution - Microsoft COM (CVE-2021-42275) - High [475]

Description: Microsoft COM for Windows Remote Code Execution Vulnerability

5. Remote Code Execution - Windows NTFS (CVE-2021-41378) - High [462]

Description: Windows NTFS Remote Code Execution Vulnerability

6. Remote Code Execution - Media Foundation (CVE-2021-42276) - High [462]

Description: Microsoft Windows Media Foundation Remote Code Execution Vulnerability

7. Remote Code Execution - Microsoft Defender (CVE-2021-42298) - High [462]

Description: Microsoft Defender Remote Code Execution Vulnerability

qualys: CVE-2021-42298 – Microsoft Defender Remote Code Execution Vulnerability. This vulnerability in Microsoft Defender can be exploited using Maliciously crafted files. The remote code execution vulnerability will be triggered when the malicious file is opened by a user or scanned automatically via an outdated version of Microsoft Defender

8. Remote Code Execution - 3D Viewer (CVE-2021-43208) - High [443]

Description: 3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43209.

qualys: CVE-2021-43208 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-43209 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. CVE-2021-41371 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. Adobe Patch Tuesday – October 2021

tenable: CVE-2021-43208 and CVE-2021-43209 are RCE vulnerabilities found in 3D Viewer, a 3D object viewer and augmented reality application for Windows. According to Microsoft, these vulnerabilities have both been publicly disclosed and are attributed to Mat Powell of Trend Micro Zero Day Initiative. While no additional details are available at this time, Microsoft’s advisory does note that affected customers should receive updates automatically from the Microsoft Store. Customers that have automatic updates disabled will have to take action in order to receive this update.

9. Remote Code Execution - 3D Viewer (CVE-2021-43209) - High [443]

Description: 3D Viewer Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-43208.

qualys: CVE-2021-43208 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-43209 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. CVE-2021-41371 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. Adobe Patch Tuesday – October 2021

tenable: CVE-2021-43208 and CVE-2021-43209 are RCE vulnerabilities found in 3D Viewer, a 3D object viewer and augmented reality application for Windows. According to Microsoft, these vulnerabilities have both been publicly disclosed and are attributed to Mat Powell of Trend Micro Zero Day Initiative. While no additional details are available at this time, Microsoft’s advisory does note that affected customers should receive updates automatically from the Microsoft Store. Customers that have automatic updates disabled will have to take action in order to receive this update.

10. Remote Code Execution - Microsoft Virtual Machine Bus (CVE-2021-26443) - High [437]

Description: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability

qualys: CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability. The vulnerability exists when a VM Guest fails to handle communication on a VMBus Channel. An authenticated user can exploit this vulnerability by sending a specially crafted communication on the VMBus Channel from the Guest to the Host, allowing the attacker to execute arbitrary code on the Host.

zdi: CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability. This patch addresses a guest-to-host escape through the virtual machine bus (VMBus). A user on a guest VM can send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution on the underlying host. With a CVSS of 9.0, this is one of the more severe vulnerabilities fixed this month. Based on the CVE number, this has been known to Microsoft for a few months.

11. Remote Code Execution - Microsoft Excel (CVE-2021-40442) - High [424]

Description: Microsoft Excel Remote Code Execution Vulnerability

12. Remote Code Execution - Microsoft Word (CVE-2021-42296) - High [424]

Description: Microsoft Word Remote Code Execution Vulnerability

13. Denial of Service - Windows Kernel (CVE-2021-41356) - High [420]

Description: Windows Denial of Service Vulnerability

14. Remote Code Execution - Microsoft Dynamics 365 (CVE-2021-42316) - High [418]

Description: Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

qualys: CVE-2021-42316 – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability. This vulnerability is a Remote Code Execution bug in on-prem Microsoft Dynamics 365 setups. There are very few public details regarding this vulnerability.

15. Security Feature Bypass - Windows Hello (CVE-2021-42288) - High [414]

Description: Windows Hello Security Feature Bypass Vulnerability

Medium (36)

16. Remote Code Execution - Microsoft Access (CVE-2021-41368) - Medium [397]

Description: Microsoft Access Remote Code Execution Vulnerability

17. Memory Corruption - OpenSSL (CVE-2021-3711) - Medium [381]

Description: In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

qualys: CVE-2021-3711 – OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow. This is a Buffer Overflow vulnerability in OpenSSL software which is embedded in Microsoft Visual Studio. The vulnerability was introduced due to a miscalculation in the buffer size in OpenSSL’s SM2 function. An attacker can exploit this vulnerability to crash the application and potentially execute arbitrary code with the user’s permission to run the application.

18. Elevation of Privilege - Active Directory (CVE-2021-42278) - Medium [379]

Description: Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42282, CVE-2021-42287, CVE-2021-42291.

19. Elevation of Privilege - Active Directory (CVE-2021-42282) - Medium [379]

Description: Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42287, CVE-2021-42291.

20. Elevation of Privilege - Windows Kernel (CVE-2021-42285) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability

21. Elevation of Privilege - Active Directory (CVE-2021-42287) - Medium [379]

Description: Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.

22. Elevation of Privilege - Active Directory (CVE-2021-42291) - Medium [379]

Description: Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42287.

23. Elevation of Privilege - Windows NTFS (CVE-2021-42283) - Medium [374]

Description: NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41367, CVE-2021-41370.

24. Elevation of Privilege - CredSSP (CVE-2021-41366) - Medium [360]

Description: Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability

25. Elevation of Privilege - Windows NTFS (CVE-2021-41367) - Medium [360]

Description: NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41370, CVE-2021-42283.

26. Elevation of Privilege - Windows NTFS (CVE-2021-41370) - Medium [360]

Description: NTFS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-41367, CVE-2021-42283.

27. Elevation of Privilege - Windows Fast FAT File System Driver (CVE-2021-41377) - Medium [360]

Description: Windows Fast FAT File System Driver Elevation of Privilege Vulnerability

28. Elevation of Privilege - CShell (CVE-2021-42286) - Medium [360]

Description: Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability

29. Denial of Service - Windows Hyper-V (CVE-2021-42274) - Medium [350]

Description: Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability

30. Denial of Service - Windows Hyper-V (CVE-2021-42284) - Medium [350]

Description: Windows Hyper-V Denial of Service Vulnerability

31. Elevation of Privilege - Windows Desktop Bridge (CVE-2021-36957) - Medium [341]

Description: Windows Desktop Bridge Elevation of Privilege Vulnerability

32. Elevation of Privilege - Windows Installer (CVE-2021-41379) - Medium [333]

Description: Windows Installer Elevation of Privilege Vulnerability

33. Elevation of Privilege - Diagnostics Hub Standard Collector (CVE-2021-42277) - Medium [333]

Description: Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability

34. Information Disclosure - Windows Remote Desktop Client (CVE-2021-38665) - Medium [327]

Description: Remote Desktop Protocol Client Information Disclosure Vulnerability

35. Spoofing - Microsoft Exchange (CVE-2021-41349) - Medium [327]

Description: Microsoft Exchange Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-42305.

36. Spoofing - Microsoft Exchange (CVE-2021-42305) - Medium [327]

Description: Microsoft Exchange Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-41349.

37. Elevation of Privilege - Windows Feedback Hub (CVE-2021-42280) - Medium [314]

Description: Windows Feedback Hub Elevation of Privilege Vulnerability

38. Information Disclosure - FSLogix (CVE-2021-41373) - Medium [313]

Description: FSLogix Information Disclosure Vulnerability

39. Memory Corruption - Chakra (CVE-2021-42279) - Medium [289]

Description: Chakra Scripting Engine Memory Corruption Vulnerability

qualys: CVE-2021-42279 – Chakra Scripting Engine Memory Corruption Vulnerability. The Buffer Overflow vulnerability is because of a boundary error issue in Chakra Scripting Engine, which allows remote attackers to execute arbitrary code by initiating the memory corruption.

40. Information Disclosure - Windows Remote Desktop Protocol (CVE-2021-38631) - Medium [286]

Description: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41371.

qualys: CVE-2021-43208 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-43209 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. CVE-2021-41371 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. Adobe Patch Tuesday – October 2021

tenable: Microsoft also provided two other patches for Windows Remote Desktop Protocol (RDP) this month which could be used in a related scenario. If an attacker is able to take control of an account with RDP server administrator privileges, they could exploit CVE-2021-41371 or CVE-2021-38631 to read Windows RDP client passwords. Both CVE-2021-41371 and CVE-2021-38631 were publicly disclosed, according to Microsoft.

41. Spoofing - Microsoft Edge (CVE-2021-41351) - Medium [286]

Description: Microsoft Edge (Chrome based) Spoofing on IE Mode

42. Information Disclosure - Windows Remote Desktop Protocol (CVE-2021-41371) - Medium [286]

Description: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-38631.

qualys: CVE-2021-43208 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-43209 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. CVE-2021-41371 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. Adobe Patch Tuesday – October 2021

tenable: Microsoft also provided two other patches for Windows Remote Desktop Protocol (RDP) this month which could be used in a related scenario. If an attacker is able to take control of an account with RDP server administrator privileges, they could exploit CVE-2021-41371 or CVE-2021-38631 to read Windows RDP client passwords. Both CVE-2021-41371 and CVE-2021-38631 were publicly disclosed, according to Microsoft.

43. Elevation of Privilege - Power BI (CVE-2021-41372) - Medium [266]

Description: Power BI Report Server Spoofing Vulnerability. A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim. Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI templates files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim access one of the HTML files present in the malicious Power BI template uploaded. The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitize file uploads.

44. Elevation of Privilege - Visual Studio Code (CVE-2021-42322) - Medium [266]

Description: Visual Studio Code Elevation of Privilege Vulnerability

45. Elevation of Privilege - Azure RTOS (CVE-2021-42302) - Medium [252]

Description: Azure RTOS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42303, CVE-2021-42304.

46. Elevation of Privilege - Azure RTOS (CVE-2021-42303) - Medium [252]

Description: Azure RTOS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42302, CVE-2021-42304.

47. Elevation of Privilege - Azure RTOS (CVE-2021-42304) - Medium [252]

Description: Azure RTOS Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42302, CVE-2021-42303.

48. Information Disclosure - Azure Sphere (CVE-2021-41374) - Medium [251]

Description: Azure Sphere Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41375, CVE-2021-41376.

49. Elevation of Privilege - Visual Studio (CVE-2021-42319) - Medium [225]

Description: Visual Studio Elevation of Privilege Vulnerability

50. Tampering - Azure Sphere (CVE-2021-42300) - Medium [217]

Description: Azure Sphere Tampering Vulnerability

51. Information Disclosure - Azure Sphere (CVE-2021-41375) - Medium [210]

Description: Azure Sphere Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41374, CVE-2021-41376.

Low (4)

52. Information Disclosure - Azure Sphere (CVE-2021-41376) - Low [183]

Description: Azure Sphere Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-41374, CVE-2021-41375.

53. Information Disclosure - Azure RTOS (CVE-2021-26444) - Low [178]

Description: Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-42301, CVE-2021-42323.

54. Information Disclosure - Azure RTOS (CVE-2021-42301) - Low [178]

Description: Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-26444, CVE-2021-42323.

55. Information Disclosure - Azure RTOS (CVE-2021-42323) - Low [178]

Description: Azure RTOS Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-26444, CVE-2021-42301.

Exploitation in the wild detected (2)

Security Feature Bypass (1)

• Microsoft Excel (CVE-2021-42292)

qualys: CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability. The vulnerability in Microsoft Excel can be exploited using a Specially Crafted File, allowing an attacker to execute code. The vulnerability affects both Windows and macOS versions; a patch for the latter has not yet been released.

tenable: CVE-2021-42292 is a security feature bypass zero-day in Microsoft Excel that received a 7.8 CVSSv3 score and has been exploited in the wild. Discovery of this flaw is credited to the Microsoft Threat Intelligence Center (MSTIC) but no further information on the vulnerability or the detected exploitations has been published at this time. Microsoft specifically notes that the Preview Pane is not an attack vector for this vulnerability, which means the victim would need to open a malicious Excel document for exploitation to occur. Microsoft notes that patches for Office for Mac are still in progress.

zdi: CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability. This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel. This is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature. It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users. They must wait for a future update to be protected. It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as “proof of concept”.

Remote Code Execution (1)

• Microsoft Exchange (CVE-2021-42321)

qualys: CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability. This is an actively exploited vulnerability that affects Microsoft Exchange Server 2019 and Microsoft Exchange Server 2016. This is a post-authentication vulnerability that allows code execution. Microsoft has additional details in a public blog post.

tenable: CVE-2021-42321 is a RCE vulnerability in Microsoft Exchange Server. The flaw exists due to the improper validation of command-let (cmdlet) arguments. To exploit this vulnerability, an attacker would need to be authenticated to a vulnerable Exchange Server. Microsoft says they are aware of “limited targeted attacks” using this vulnerability in the wild. Additionally, this appears to be the same vulnerability in Exchange Server that was exploited at the Tianfu Cup, a Chinese cybersecurity contest.

zdi: CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability. This Exchange bug is listed by Microsoft as currently under active attack; however, authentication is listed as a requirement. As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible. Microsoft has also published this blog to aid Exchange administrators with their patch deployment.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (53)

Remote Code Execution (12)

• Microsoft COM (CVE-2021-42275)
• Windows Remote Desktop Client (CVE-2021-38666)

qualys: CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability. This vulnerability in Remote Desktop Clients can be exploited by an attacker who controls a Remote Desktop Server. The attacker can trick a user into connecting to the compromised/malicious Desktop Server, resulting in remote code execution.

tenable: CVE-2021-38666 is a RCE vulnerability in the Remote Desktop Client that received a CVSSv3 score of 8.8. The vulnerability can be exploited when a victim machine connects to an attacker-controlled Remote Desktop server, allowing the attacker to execute arbitrary code on the victim's machine. While no public exploit appears to exist at this time, Microsoft has designated this flaw as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

zdi: CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability. While not as severe as a bug in the RDP Server, this bug in the RDP client is still worth prioritizing. If an attacker can lure a user to connect to a malicious RCP server, they could execute code on the connecting RDP client system. Again, this doesn’t reach the level of the Bluekeep bugs, but definitely something to watch.

• Media Foundation (CVE-2021-42276)
• Microsoft Defender (CVE-2021-42298)

qualys: CVE-2021-42298 – Microsoft Defender Remote Code Execution Vulnerability. This vulnerability in Microsoft Defender can be exploited using Maliciously crafted files. The remote code execution vulnerability will be triggered when the malicious file is opened by a user or scanned automatically via an outdated version of Microsoft Defender

• Windows NTFS (CVE-2021-41378)
• 3D Viewer (CVE-2021-43208, CVE-2021-43209)

qualys: CVE-2021-43208 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-43209 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. CVE-2021-41371 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. Adobe Patch Tuesday – October 2021

tenable: CVE-2021-43208 and CVE-2021-43209 are RCE vulnerabilities found in 3D Viewer, a 3D object viewer and augmented reality application for Windows. According to Microsoft, these vulnerabilities have both been publicly disclosed and are attributed to Mat Powell of Trend Micro Zero Day Initiative. While no additional details are available at this time, Microsoft’s advisory does note that affected customers should receive updates automatically from the Microsoft Store. Customers that have automatic updates disabled will have to take action in order to receive this update.

• Microsoft Virtual Machine Bus (CVE-2021-26443)

qualys: CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability. The vulnerability exists when a VM Guest fails to handle communication on a VMBus Channel. An authenticated user can exploit this vulnerability by sending a specially crafted communication on the VMBus Channel from the Guest to the Host, allowing the attacker to execute arbitrary code on the Host.

zdi: CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability. This patch addresses a guest-to-host escape through the virtual machine bus (VMBus). A user on a guest VM can send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution on the underlying host. With a CVSS of 9.0, this is one of the more severe vulnerabilities fixed this month. Based on the CVE number, this has been known to Microsoft for a few months.

• Microsoft Excel (CVE-2021-40442)
• Microsoft Word (CVE-2021-42296)
• Microsoft Dynamics 365 (CVE-2021-42316)

qualys: CVE-2021-42316 – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability. This vulnerability is a Remote Code Execution bug in on-prem Microsoft Dynamics 365 setups. There are very few public details regarding this vulnerability.

• Microsoft Access (CVE-2021-41368)

Denial of Service (3)

• Windows Kernel (CVE-2021-41356)
• Windows Hyper-V (CVE-2021-42274, CVE-2021-42284)

Security Feature Bypass (1)

• Windows Hello (CVE-2021-42288)

Memory Corruption (2)

• OpenSSL (CVE-2021-3711)

qualys: CVE-2021-3711 – OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow. This is a Buffer Overflow vulnerability in OpenSSL software which is embedded in Microsoft Visual Studio. The vulnerability was introduced due to a miscalculation in the buffer size in OpenSSL’s SM2 function. An attacker can exploit this vulnerability to crash the application and potentially execute arbitrary code with the user’s permission to run the application.

• Chakra (CVE-2021-42279)

qualys: CVE-2021-42279 – Chakra Scripting Engine Memory Corruption Vulnerability. The Buffer Overflow vulnerability is because of a boundary error issue in Chakra Scripting Engine, which allows remote attackers to execute arbitrary code by initiating the memory corruption.

Elevation of Privilege (21)

• Active Directory (CVE-2021-42278, CVE-2021-42282, CVE-2021-42287, CVE-2021-42291)
• Windows Kernel (CVE-2021-42285)
• Windows NTFS (CVE-2021-41367, CVE-2021-41370, CVE-2021-42283)
• CShell (CVE-2021-42286)
• CredSSP (CVE-2021-41366)
• Windows Fast FAT File System Driver (CVE-2021-41377)
• Windows Desktop Bridge (CVE-2021-36957)
• Diagnostics Hub Standard Collector (CVE-2021-42277)
• Windows Installer (CVE-2021-41379)
• Windows Feedback Hub (CVE-2021-42280)
• Power BI (CVE-2021-41372)
• Visual Studio Code (CVE-2021-42322)
• Azure RTOS (CVE-2021-42302, CVE-2021-42303, CVE-2021-42304)
• Visual Studio (CVE-2021-42319)

Information Disclosure (10)

• Windows Remote Desktop Client (CVE-2021-38665)
• FSLogix (CVE-2021-41373)
• Windows Remote Desktop Protocol (CVE-2021-38631, CVE-2021-41371)

qualys: CVE-2021-43208 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-43209 – 3D Viewer Remote Code Execution Vulnerability. CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. CVE-2021-41371 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. Adobe Patch Tuesday – October 2021

tenable: Microsoft also provided two other patches for Windows Remote Desktop Protocol (RDP) this month which could be used in a related scenario. If an attacker is able to take control of an account with RDP server administrator privileges, they could exploit CVE-2021-41371 or CVE-2021-38631 to read Windows RDP client passwords. Both CVE-2021-41371 and CVE-2021-38631 were publicly disclosed, according to Microsoft.

• Azure Sphere (CVE-2021-41374, CVE-2021-41375, CVE-2021-41376)
• Azure RTOS (CVE-2021-26444, CVE-2021-42301, CVE-2021-42323)

Spoofing (3)

• Microsoft Exchange (CVE-2021-41349, CVE-2021-42305)
• Microsoft Edge (CVE-2021-41351)

Tampering (1)

• Azure Sphere (CVE-2021-42300)