Microsoft patches actively exploited Exchange, Excel zero-days (CVE-2021-42321, CVE-2021-42292)
It’s a light November 2021 Patch Tuesday from Microsoft: 55 fixed CVEs, of which two are zero-days under active exploitation: CVE-2021-42321, a Microsoft Exchange RCE, and CVE-2021-42292, a Microsoft Excel security feature bypass bug.
Vulnerabilities of note
CVE-2021-42321, the remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019, is due to issues with the validation of command-let (cmdlet) arguments.
“In order to exploit this flaw, an attacker would need to be authenticated, which limits some of the impact. Microsoft says they are aware of ‘limited targeted attacks’ using this vulnerability in the wild,” says Satnam Narang, staff research engineer at Tenable.
In a blog post published by the Exchange Team, the company recommended that the provided updates for Microsoft Exchange be installed immediately. They delineated two possible update paths, and shared a PowerShell query that security teams can use to check whether exploitation of the flaw was attempted on their servers.
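The kind of post-patch check described above, written here as an added example rather than the Exchange Team's own query (which the article does not reproduce): it assumes that an exploitation attempt against CVE-2021-42321 leaves an "MSExchange Common" error event (ID 4999) in the Application log whose message mentions BinaryFormatter.Deserialize, an indicator that should be verified against Microsoft's guidance before being relied on. The function name and parameters are the editor's.

```powershell
# Added example, not code from the article or from the Exchange Team post it cites.
# Assumption: an attempted exploitation of CVE-2021-42321 surfaces as an
# "MSExchange Common" error event (ID 4999) in the Application log whose
# message mentions BinaryFormatter.Deserialize. Confirm this indicator against
# Microsoft's own guidance before treating a match as evidence of attack.
function Find-ExchangeDeserializationErrors {
    [CmdletBinding()]
    param(
        # How far back to look; 30 days covers a typical patch window.
        [int]$Days = 30,
        # Exchange server to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $since = (Get-Date).AddDays(-$Days)

    # Pull only error events from the Exchange source, then filter on the
    # event ID and message fragment that the assumption above describes.
    $events = Get-EventLog -LogName Application `
                           -Source 'MSExchange Common' `
                           -EntryType Error `
                           -After $since `
                           -ComputerName $ComputerName `
                           -ErrorAction SilentlyContinue |
              Where-Object {
                  $_.EventID -eq 4999 -and
                  $_.Message -like '*BinaryFormatter.Deserialize*'
              }

    if (-not $events) {
        Write-Output "No matching events on $ComputerName since $since."
        return
    }

    # Summarise instead of dumping full stack traces: the first message line
    # normally names the failing process and the exception type.
    $events |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run from an elevated Exchange Management Shell on the server.
Find-ExchangeDeserializationErrors -Days 30 | Format-Table -AutoSize
```

A hit shows that a deserialization error was logged, not that the attempt succeeded; the matching events should be correlated with IIS and Exchange HTTP proxy logs for the same time window.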
The in-the-wild exploitation of CVE-2021-42292, the Microsoft Excel security feature bypass zero-day, was apparently discovered by Microsoft’s Security Threat Intelligence Center (MSTIC).
“This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel. This is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature,” noted Dustin Childs, with Trend Micro’s Zero Day Initiative.
“It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users.”
Other vulnerabilities worth singling out include:
- CVE-2021-38666, a Remote Desktop Client RCE vulnerability that could be exploited by attackers able to trick users into connecting to a malicious RDP server
- CVE-2021-42298, a Microsoft Defender RCE hole that will be plugged automatically on internet-connected systems when they receive the malware definition updates and the update for the Microsoft Malware Protection Engine
- CVE-2021-26443, an RCE affecting Microsoft Virtual Machine Bus (VMBus) that may allow a guest-to-host escape. “A user on a guest VM can send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution on the underlying host,” Childs explained.