The November 2021 Security Update Review

November 09, 2021 | Dustin Childs

The second Tuesday of the month is upon us, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for November 2021

For November, Adobe released only three patches correcting four CVEs in Creative Cloud Desktop, InCopy, and RoboHelp. The patch for Creative Cloud fixes a single Important-rated denial-of-service (DoS) bug. The InCopy patch fixes two bugs, including a Critical-rated code execution. The release for RoboHelp Server is listed as a security hotfix rather than a security patch, but it’s not clear why there’s a difference in the nomenclature. Either way, a Critical-rated arbitrary code execution bug is being fixed, so if you still use RoboHelp, apply this hotfix.

If this seems especially light, Adobe did release fixes for more than 80 CVEs in late October for critical code execution flaws, privilege escalation, denial-of-service, and memory leaks across multiple products. None of these fixes were listed as under active attack, so it’s unclear why Adobe released so many patches out of band.

None of the patches released today by Adobe are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for November 2021

For November, Microsoft released patches today for 55 new CVEs in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.

Historically speaking, 55 patches in November is a relatively low number. Last year, there were more than double this number of CVEs fixed. Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors. It seems odd that Microsoft would be releasing fewer patches after seeing nothing but increases across the industry for years.

Of the CVEs patched today, six are rated Critical and 49 are rated as Important in severity. Four of these bugs came through the ZDI program. Four of these bugs are listed as publicly known and two are listed as under active exploit at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the two bugs listed as under active attack:

- CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Exchange bug is listed by Microsoft as currently under active attack; however, authentication is listed as a requirement. As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible. Microsoft has also published this blog to aid Exchange administrators with their patch deployment.

- CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability
This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel. This is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature. It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users. They must wait for a future update to be protected. It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as “proof of concept”.

- CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
This patch addresses a guest-to-host escape through the virtual machine bus (VMBus). A user on a guest VM can send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution on the underlying host. With a CVSS of 9.0, this is one of the more severe vulnerabilities fixed this month. Based on the CVE number, this has been known to Microsoft for a few months.

- CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability
While not as severe as a bug in the RDP server, this bug in the RDP client is still worth prioritizing. If an attacker can lure a user to connect to a malicious RDP server, they could execute code on the connecting RDP client system. Again, this doesn’t reach the level of the BlueKeep bugs, but it is definitely something to watch.

Here’s the full list of CVEs released by Microsoft for November 2021:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | Yes | SFB
CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | Yes | RCE
CVE-2021-43208 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE
CVE-2021-43209 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE
CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info
CVE-2021-41371 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info
CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | RCE
CVE-2021-42298 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2021-42316 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.7 | No | No | RCE
CVE-2021-26443 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE
CVE-2021-3711 | OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow | Critical | 9.8 | No | No | RCE
CVE-2021-38666 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2021-42278 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP
CVE-2021-42282 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP
CVE-2021-42287 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP
CVE-2021-42291 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP
CVE-2021-42302 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP
CVE-2021-42303 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP
CVE-2021-42304 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP
CVE-2021-26444 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | Info
CVE-2021-42301 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | Info
CVE-2021-42323 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | Info
CVE-2021-41374 | Azure Sphere Information Disclosure Vulnerability | Important | 6.7 | No | No | Info
CVE-2021-41375 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | Info
CVE-2021-41376 | Azure Sphere Information Disclosure Vulnerability | Important | 2.3 | No | No | Info
CVE-2021-42300 | Azure Sphere Tampering Vulnerability | Important | 6 | No | No | Tampering
CVE-2021-41366 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-42277 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP
CVE-2021-41373 | FSLogix Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2021-41368 | Microsoft Access Remote Code Execution Vulnerability | Important | 6.1 | No | No | RCE
CVE-2021-42275 | Microsoft COM for Windows Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2021-41351 | Microsoft Edge (Chrome based) Spoofing on IE Mode | Important | 4.3 | No | No | Spoofing
CVE-2021-40442 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-41349 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing
CVE-2021-42305 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing
CVE-2021-42276 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-42296 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2021-41367 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-41370 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-42283 | NTFS Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2021-41372 | Power BI Report Server Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing
CVE-2021-38665 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 7.4 | No | No | Info
CVE-2021-42322 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-42319 | Visual Studio Elevation of Privilege Vulnerability | Important | 4.7 | No | No | EoP
CVE-2021-42286 | Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-41356 | Windows Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2021-36957 | Windows Desktop Bridge Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-41377 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-42280 | Windows Feedback Hub Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP
CVE-2021-42288 | Windows Hello Security Feature Bypass Vulnerability | Important | 5.7 | No | No | SFB
CVE-2021-42284 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | DoS
CVE-2021-42274 | Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability | Important | 6.8 | No | No | DoS
CVE-2021-41379 | Windows Installer Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP
CVE-2021-42285 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2021-41378 | Windows NTFS Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE

Looking at the remaining Critical-rated patches for November, the entries for Chakra and Dynamics (On-Prem) stand out. The Chakra patch fixes a bug that could allow an attacker to execute their own code on affected systems, usually in a browse-and-own or open-and-own scenario. Microsoft doesn’t make it clear how the code execution on Dynamics would occur, but considering the types of infrastructure and supply chains managed by Dynamics, this Critical-rated bug should be taken seriously. The patch for Defender should be of concern for those disconnected from the Internet, but others will likely not need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. You should still verify the version and manually apply the update if needed. Finally, Microsoft is releasing its update of an OpenSSL patch from August. This is a good reminder that if you ship open-source code, you should always check to ensure you’re shipping the latest, most secure version.
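One way to do the Defender verification step above from an elevated PowerShell prompt, as an added example that is not part of the original post: it reads the current engine and platform versions, compares the engine against a version you supply, and triggers a definition update when the engine is behind. The $RequiredEngine value is a placeholder, not a number from this post; take the fixed engine version from Microsoft's advisory for CVE-2021-42298.

```powershell
# Added example (not from the ZDI post). Checks the Defender engine version
# and forces a definition update if it is older than the required version.
# $RequiredEngine is a PLACEHOLDER: replace it with the engine version listed
# in Microsoft's advisory for CVE-2021-42298 before relying on the result.
$RequiredEngine = [version]'0.0.0.0'

function Get-DefenderEngineState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Engine        = [version]$s.AMEngineVersion
        Platform      = [version]$s.AMProductVersion
        Signatures    = $s.AntivirusSignatureVersion
        LastSigUpdate = $s.AntivirusSignatureLastUpdated
    }
}

$before = Get-DefenderEngineState
Write-Host ("Engine {0}  Platform {1}  Signatures {2} (updated {3})" -f
    $before.Engine, $before.Platform, $before.Signatures, $before.LastSigUpdate)

if ($before.Engine -lt $RequiredEngine) {
    Write-Host "Engine is behind $RequiredEngine; requesting a definition update..."
    # The engine ships inside the definition package, so a signature update
    # also refreshes it on an Internet-connected host. Air-gapped hosts need
    # the package applied manually from an internal update source instead.
    Update-MpSignature -ErrorAction Stop

    $after = Get-DefenderEngineState
    if ($after.Engine -lt $RequiredEngine) {
        Write-Warning "Engine still $($after.Engine); apply the update package manually."
    } else {
        Write-Host "Engine now $($after.Engine); OK."
    }
} else {
    Write-Host "Engine meets the required version; no action needed."
}
```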

Moving on to the other code execution bugs, two can be found in the 3D Viewer. These were reported by ZDI’s Mat Powell, but Microsoft failed to meet our disclosure timeline. That’s why these are listed as publicly known as we published some details about these bugs back in June and July. The other code execution bugs mostly reside in one of the Office components. In these cases, opening a specially crafted file could lead to code execution. The final code exec bug resides in NTFS, but it’s not clear from Microsoft how this could work. They list no user interaction required, while also listing the vector as local. This removes the open-and-own scenario as well as the browse-to-a-remote-folder vector. This bug came through the THEORI team, who had quite the showing at the recent Pwn2Own Austin. Hopefully, they will release additional details in the near future.

There are 20 elevation of privilege (EoP) bugs patched in this release, with the most severe impacting NTFS, Active Directory Domain Services, and Azure RTOS. The NTFS bugs are confusing as they list no user interaction needed while still being a local vector with low privileges required. Those are the same ratings as the NTFS RCE bug, so it’s not clear how these are different. The patches for ADDS also should not be ignored, as bugs here could make lateral movement within an enterprise easier. It’s also not clear how many people are using Azure RTOS, but they have a tough road ahead of them. They can’t just apply a patch. Instead, they will need to recompile their project with updated USBX source code, then redeploy the new code. Failure to do so could result in an EoP if an attacker plugged in a malicious USB device. The remaining EoP patches fix more traditional issues where an attacker is required to log on to a system and run their own code to take advantage of an affected component.

There are some heavy-hitting information disclosure bugs being patched this month. First up are three patches for Azure RTOS that could lead to info disclosure, although Microsoft does not state what type of information could be disclosed. Again, a recompile and redeploy is required to stop a malicious USB attack. More disturbingly, there are two publicly known info disclosure bugs in RDP that could allow read access to Windows RDP client passwords by RDP administrators. That could be a game-changer for insider threats since we all know users would NEVER reuse a password – at least that’s what they swear to me (and this time, they mean it).

There’s also an info disclosure bug being fixed in FSLogix. This bug could allow an attacker to disclose user data redirected to the profile or Office container via FSLogix Cloud cache, which includes user profile settings and files. Surprisingly, only one of the 10 info disclosure bugs results in a leak consisting of unspecified memory contents.

Three info disclosure bugs impact Azure Sphere devices, but these devices should receive updates automatically if they are connected to the internet. There’s also a tampering bug being fixed in Azure Sphere, but again, provided you are connected to the internet, there’s no action to take.

Looking at patches for denial-of-service (DoS) bugs, the most important is the one impacting Windows – not a subcomponent – Windows. A remote attacker with no permissions could create a DoS on all supported Windows versions (including Windows 11). It’s not clear if this would result in a system hang or a reboot, but either way, do not bypass this impactful DoS. The other two DoS bugs impact Hyper-V, and one of those requires GRE to be enabled.

Besides the Excel bug already mentioned, there’s only one other Security Feature Bypass (SFB) being fixed in November. This impacts Windows Hello on Windows 10 and Server 2019 systems. No details are provided, but just by the component and impact, it seems there’s a way to access affected systems without using a PIN, facial recognition, or fingerprint. If you use this feature for authentication, you may want to disable it until you are sure all affected systems are patched.

Finally, the November release contains fixes for four spoofing bugs, including one for Exchange that must be obvious when you look for it as eight different researchers are all acknowledged by Microsoft for reporting it. Of course, they provide no info on what sort of spoofing is being fixed by this patch, the other Exchange spoofing bug, or by the Edge (Chrome-based) spoofing bug while on IE Mode. Microsoft does state the fix for the Power BI Report Server addresses a Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability with the template file.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV90001.

Looking Ahead

The next Patch Tuesday falls on December 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!