Automox Experts Weigh in on November 2021 Patch Tuesday Release

Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.

November 2021 Overview

General Overview

November brings the start of the holiday season in the United States, anchored by the celebration of Thanksgiving on the fourth Thursday of the month. It also is the beginning of the holiday shopping season with Black Friday the following day, and "Cyber Monday" three days later.

While each of us may have individual reasons to be thankful this month, from a security perspective, the 55 vulnerabilities reported by Microsoft are another good reason. November's total vulnerabilities represent a 27% reduction from the monthly average so far this year. There were 6 critical vulnerabilities reported, and while this is double October’s total of 3, it nonetheless represents a 30% reduction off the monthly average of critical vulnerabilities for 2021.

In addition, there were two vulnerabilities that were publicly exploited. Both are identified as “high rated” vulnerabilities, impacting Microsoft Excel and Microsoft Exchange Server.

November’s vulnerability count of 55 is tied for the third lowest month of 2021, furthering the downward trend of monthly Microsoft vulnerabilities that began mid-year. And when it comes to exploited vulnerabilities, we have much to be thankful for as Microsoft has not reported more than 2 in any month since June.

And as your SecOps and ITOps teams wind down for much-needed time off this month, don't forget that cyber criminals don't take vacations. In fact, bad actors specifically target companies and government agencies during the holidays because of reduced security staff and that often, “no one is minding the store.”

To understand these potential threats during the holidays, please read an advisory from The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). They include the precautions and mitigation steps that public and private sector organizations can take to reduce their risk, specifically leading up to holidays and weekends.

While Automox typically recommends that all critical and exploited vulnerabilities are patched within a 72-hour window, we advise extra vigilance this month and through the rest of the year. We recommend that all critical and exploited vulnerabilities are patched immediately to reduce exposure leading into the holiday season.

Adobe Overview

Adobe’s Patch Tuesday looks quite a bit smaller, after a significant out-of-band release that covered 14 products on October 26. Adobe patched just three products today: Creative Cloud, InCopy, and RoboHelp Server. All of the patches issued by Adobe today are Priority 3, indicating that the vulnerabilities are for a product that has not historically been targeted by attackers.

However, the patches issued for InCopy (macOS and Windows are affected) and RoboHelp Server (Windows is affected) each include remediation for critical vulnerabilities that allow arbitrary code execution. Adobe Creative Cloud’s Desktop application for macOS is also vulnerable to an important vulnerability that leads to application denial-of-service. If you use these products, we recommend patching.

Critical Vulnerability Breakdown

Aleks Haugom - CVE-2021-26443 - Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability - Critical

CVE-2021-26443 is a critical remote code execution vulnerability impacting Microsoft Virtual Machine Bus (VMBus). This low complexity attack requires an authenticated threat actor to send a specially crafted packet via the VMBus to a host. A successful attack requires no user interaction and allows the attacker to execute arbitrary code in the host operating system. Impacted systems include Windows 10, 11, and Windows Server 2019, 2022, 2004. Threat actors can use the exploit for several nefarious activities such as denial of service (DoS) attacks on any virtual machine that shares the same host, access to personal information stored on impacted VMs, and more. Although Microsoft has classified exploitation as less likely, Automox recommends patching this vulnerability within 24 hours (before EOD November 10, 2021).

Maarten Buis - CVE-2021-3711 - OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow - Critical

CVE-2021-3711 is a critical buffer overflow vulnerability in OpenSSL, a widely used software library for applications that secures network communications. A bug in the implementation of the SM2 decryption code allows for a miscalculation of the buffer size in the OpenSSL’s SM2 decryption function. Because of this, up to 62 arbitrary bytes can be written outside the buffer. The vulnerability has been classified as critical because a remote attacker could use this flaw to change application behavior or cause the application to crash without user interaction or escalated privileges. An attacker successfully exploiting this vulnerability can have a high impact on data availability and data integrity.

Gina Geisel - CVE-2021-38666 - Remote Desktop Client Remote Code Execution Vulnerability - Critical

CVE-2021-38666 is a critical remote code execution vulnerability that impacts the Microsoft Remote Desktop Client. With a low attack complexity, an attacker with control of a remote desktop server could trigger a remote code execution (RCE) on the remote desktop protocol (RDP) client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it, for example, via social engineering, DNS poisoning, or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect. Due to the prevalence of Remote Desktop Clients in Microsoft Windows, Automox recommends prioritization in applying this patch.

Jay Goodman - CVE-2021-42279 - Chakra Scripting Engine Memory Corruption Vulnerability - Critical

CVE-2020-42279  is a critical memory corruption vulnerability identified in the Chakra Scripting Engine. This vulnerability exploits how the scripting engine handles objects in memory and can lead to remote code execution. The Chakra Scripting Engine is widely used in Microsoft Edge. Remote code execution vulnerabilities are particularly sensitive given that they enable attackers to directly run malicious code on the exploited systems. It is highly recommended that IT administrators remediate this vulnerability within 72 hours to minimize exposure to threat actors.

Eric Feldman - CVE-2021-42298- Microsoft Defender Remote Code Execution Vulnerability - Critical

CVE-2021-42298 is a remote code execution vulnerability that affects Microsoft Defender, an embedded antivirus solution in every Microsoft Windows operating system release since Microsoft Vista. Microsoft has advised that devices that have Microsoft Defender disabled are not vulnerable as these systems are not in an exploitable state. Microsoft additionally noted that vulnerability scanners may still falsely flag as they are looking for specific binaries and version numbers on devices, and Microsoft Defender files are still on disk even when disabled. As Microsoft typically releases an update for the Microsoft Malware Protection Engine used by Microsoft Defender once a month, or as needed to protect against new threats, Microsoft advises that no immediate action is required to install an update. Customers should however, verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft anti-malware products, and that the Microsoft Malware Protection Engine version is 1.1.18700.3 or later.

Jay Goodman - CVE-2021-42316 - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability - Critical

CVE-2020-42316 is a critical memory corruption vulnerability identified in Microsoft Dynamics 365. This vulnerability can lead to remote code execution. Microsoft Dynamics 365 is a resource planning and CRM tool from Microsoft and this vulnerability is present in the 9.0 and 9.1 versions of their on-premise option. Remote code execution vulnerabilities are particularly sensitive given that they enable attackers to directly run malicious code on the exploited systems. It is highly recommended that IT administrators remediate this vulnerability within 72 hours to minimize exposure to threat actors, especially in a tool with access to sensitive customer and business data like a CRM solution.

Jessica Onorati - CVE-2021-42292 - Microsoft Excel Security Feature Bypass Vulnerability - High and Exploited

CVE-2021-42292 is a security feature bypass vulnerability that exists in Microsoft Office software. While public details on the nature of the vulnerability are undisclosed at this time, Microsoft has published this as being exploited in the wild. Affected versions of excel should be patched with some urgency.

Eric Feldman - CVE-2021-42321 - Microsoft Exchange Server Remote Code Execution Vulnerability - High and Exploited

CVE-2021-42321 is a Remote Code Execution Vulnerability that impacts Microsoft Exchange Server 2013, 2016 and 2019. This is a post-authentication vulnerability that affects on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Note that Exchange Online customers are already protected and do not need to take any action. A post-authentication vulnerability is one where a behavior can only be exercised by an authenticated user. As Microsoft is aware of limited targeted attacks in the wild from exploiting this vulnerability, Automox recommends installing this update immediately to protect your environment.

Peter Pflaster - CVE-2021-38631 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability - High and Publicly Disclosed

CVE-2021-41371 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability - High and Publicly Disclosed

CVE-2021-38631 and CVE-2021-41371 are both important, publicly-disclosed information disclosure vulnerabilities in the Windows Remote Desktop Protocol (RDP). RDP enables remote access to Windows machines over an internal network or via the internet, based on how it is configured.

Threat actors with administrative privileges can exploit these vulnerabilities with a low complexity attack locally (with a login session on the vulnerable system). If successful, the attacker would gain read access to Windows RDP client passwords. Exposed systems include Windows 7+ (including Windows 11), as well as Windows Server 2004+ (including Server 2022).

Although exploitation is classified as “less likely” by Microsoft, it is highly recommended that organizations patch these vulnerabilities immediately due to the prevalence of RDP and popularity as an attack vector, often used for intrusion into a network, reconnaissance, lateral movement within a network, and command and control (C2) communication.

Nick Colyer - CVE-2021-42319 - Visual Studio Elevation of Privilege Vulnerability - High and Publicly Disclosed

CVE-2021-42319 is an important privilege elevation vulnerability affecting Microsoft Visual Studio across multiple releases of 2017 and 2019 editions. Exploitation of the vulnerability is considered to be limited currently and exposure would be relegated to developer systems where privileges are limited as a default security posture. This vulnerability can be remediated by updating to build 15.9.41 and may require a system restart after installation.

Chad McNaughton - CVE-2021-43208 - 3D Viewer Remote Code Execution Vulnerability - High and Publicly Disclosed

CVE-2021-43209 - 3D Viewer Remote Code Execution Vulnerability - High and Publicly Disclosed

CVE-2021-43208 & CVE-2021-43209 are Remote Code Execution vulnerabilities for Microsoft 3D Viewer that can affect elevation of privileges. An actor exploiting these vulnerabilities would be able to elevate their privileges within the system, enabling them to execute the remote code of their choice. The app in question is a 3D object viewer and Augmented Reality application originally included with Windows 10. 3D Viewer is no longer included in the operating system as of Windows 11, but is still available for download from the Microsoft Store.

Both CVEs have been publicly disclosed, however, have not yet been publicly exploited. Updates will automatically deploy through the Microsoft Store for those with auto updates, though users can also get the update manually from Microsoft. To note: app package versions 7.2107.7012.0 and later contain this update. Because these vulnerabilities are categorized as having a low attack complexity but require user interaction, they’ve been given an “important” severity score, and should be patched as soon as possible.

About Automox Automated Patch Management

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.