On 9 November 2021, Microsoft released updates to address 55 vulnerabilities, two of which are currently being exploited. We recommend applying the latest updates as soon as possible.
- Microsoft’s November 2021 Patch Tuesday updates include six vulnerabilities classified as Critical, as well as four that were publicly disclosed, and two actively abused flaws.
- The two actively abused flaws are:
  - CVE-2021-42321 – an issue with improper validation of cmdlet arguments in Exchange Server versions 2013, 2016, and 2019. The vulnerability requires an authenticated user role on the Exchange Server in order to exploit it. Microsoft reported that it is currently being used in “limited targeted attacks”. The issue only affects on-premises instances of Exchange Server, including servers used by customers in Exchange Hybrid mode. CVSS 3.1 score: 8.8.
  - CVE-2021-42292 – a Security Feature Bypass vulnerability in Excel. Code execution does involve user interaction via specially-crafted files, but does not require prior authentication. The updates for Office 2019 for Mac and Office LTSC for Mac 2021 are not immediately available but are expected to be released shortly. CVSS 3.1 score: 7.8.
- The current updates also fix four flaws that were publicly disclosed:
  - Two vulnerabilities in 3D Viewer, both rated with a CVSS 3.1 score of 7.8. They are tracked as CVE-2021-43208 and CVE-2021-43209; both require user interaction and no prior authentication for exploitation.
  - Two Information Disclosure vulnerabilities in Remote Desktop Protocol (RDP), tracked as CVE-2021-38631 and CVE-2021-41371. Both are noted as low severity and are rated with a CVSS 3.1 score of 4.4.
- The vulnerabilities that were labelled as Critical are:
  - CVE-2021-26443, a Virtual Machine Bus (VMBus) vulnerability due to a VM guest failing to properly handle communication on a VMBus channel. Successful exploitation requires authentication and a specially-crafted communication on the VMBus channel from the guest VM to the host. CVSS 3.1 score: 9.
  - CVE-2021-3711, a bug in the implementation of the SM2 decryption code, reported in the third-party component OpenSSL. CVSS 3.1 score: 9.8.
  - CVE-2021-38666, a vulnerability in Remote Desktop Client (RDC) that could allow someone with control of a Remote Desktop Server to trigger remote code execution (RCE) on the vulnerable RDP client machine. Exploitation requires a victim to connect to the malicious server with the vulnerable RDC. CVSS 3.1 score: 8.8.
  - CVE-2021-42279, a memory corruption vulnerability in the Chakra Scripting Engine that requires user interaction but no privileges to exploit. CVSS 3.1 score: 4.2.
  - CVE-2021-42298, an RCE vulnerability in Defender that can be triggered with user interaction. Microsoft marked the exploitation likelihood as “more likely”. CVSS 3.1 score: 7.8.
  - CVE-2021-42316, a vulnerability in Microsoft Dynamics 365 (on-premises) that requires user interaction and low privileges to perform RCE. CVSS 3.1 score: 8.7.
- We recommend expediting updates for the noted Microsoft flaws, since publicly disclosed and actively exploited vulnerabilities make vulnerable systems more likely to be targeted.
- In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.