IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - Nov 2021 | Foundation IT

Written by Dan Robinson | Nov 15, 2021 11:50:03 AM

Last week Microsoft released its security updates for November 2021, which has fixes for 55 vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Daniel Robinson has provided our FIT score and tips.

Out of the 55 patches; 6 are classed as critical and 49 as important. There were also 6 Zero-Day vulnerabilities. 

Zero-day vulnerabilities discovered this month:

Actively exploited vulnerabilities:-

  • CVE-2021-42292 - Microsoft Excel Security Feature Bypass Vulnerability.
  • CVE-2021-42321 - Microsoft Exchange Server Remote Code Execution Vulnerability.

Publicly disclosed vulnerabilities that are not known to be exploited:-

  • CVE-2021-38631 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability.
  • CVE-2021-41371 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability.
  • CVE-2021-43208 - 3D Viewer Remote Code Execution Vulnerability.
  • CVE-2021-43209 - 3D Viewer Remote Code Execution Vulnerability.

Other companies who have released security updates this week:

  • Adobe's November security updates were released for various applications.
  • Android's November security updates were released last week.
  • Cisco released security updates for numerous products this month, including a hard-coded password and SSH key vulnerability.
  • SAP released its November 2021 security updates.

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.

 

Category

CVE IDs

CVE Title 

Severity

FIT Score & Tip

3D Viewer

2

CVE-2021-43209 CVE-2021-43208

3D Viewer Remote Code Execution Vulnerability

Important

4/5 - This is a Microsoft Store App, which should automatically be updated. You can check the package version in PowerShell, by using: Get-AppxPackage -Name Microsoft.Microsoft3DViewer

Azure

1

CVE-2021-41373

FSLogix Information Disclosure Vulnerability

Important

4/5 - If you are using FSLogix, then this is highly recommended to mitigate against this vulnerability. The Microsoft link on the CVE has been causing problems with redirects, so the fix can be obtained here: https://docs.microsoft.com/en-us/fslogix/whats-new

Azure RTOS

6

CVE-2021-42303 CVE-2021-42302 CVE-2021-42301 CVE-2021-42323 CVE-2021-26444 CVE-2021-42304 

Azure RTOS Elevation of Privilege Vulnerability

Azure RTOS Information Disclosure Vulnerability

Important

4/5 - If you are using RTOS, then you have to recompile your project with updated USBX source code if the project uses host audio/video/CDC-ECM/PIMA, or device storage class to mitigate this vulnerability. In addition, if your USB device driver uses vendor request (registered by ux_device_stack_microsoft_extension_register) you need to update your code to perform memory boundary check. If you are not using vendor requests, (i.e. you don’t register the callback function) you don’t need to update your code.

Azure Sphere

4

CVE-2021-41374 CVE-2021-41376 CVE-2021-42300 CVE-2021-41375

Azure Sphere Information Disclosure Vulnerability

Azure Sphere Tampering Vulnerability

Important

4/5 - Azure Sphere will automatically update itself when it is connected to the Internet, you can run: azsphere device show-deployment-status to show you the update status.

Microsoft Dynamics

1

CVE-2021-42316

Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

Critical

5/5 - If you use Dynamics 365 On-Prem, then this will be a priority for you. Download links are available from the Microsoft CVE link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42316

Microsoft Edge (Chromium-based) in IE Mode

1

CVE-2021-41351

Microsoft Edge (Chrome based) Spoofing on IE Mode

Important

3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Microsoft Exchange Server

3

CVE-2021-42305 CVE-2021-41349 CVE-2021-42321

Microsoft Exchange Server Spoofing Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability

Important

4/5 - This vulnerability is for on-premise Microsoft Exchange Servers, if you have one of these you should get this applied ASAP.

Microsoft Office Access

1

CVE-2021-41368

Microsoft Access Remote Code Execution Vulnerability

Important

3/5 - Updates have been released for all versions of Access which are currently within support.

Microsoft Office Excel

2

CVE-2021-40442 CVE-2021-42292 

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Security Feature Bypass Vulnerability

Important

3/5 - Updates have been released for all versions of Excel which are currently within support.

Microsoft Office Word

1

CVE-2021-42296

Microsoft Word Remote Code Execution Vulnerability

Important

3/5 - This update is available for long term support Office and also for the 365 apps. Updates for Office are typically delivered via the Office client.

Microsoft Windows

1

CVE-2021-41356

Windows Denial of Service Vulnerability

Important

3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Microsoft Windows Codecs Library

1

CVE-2021-42276

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Important

3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Power BI

1

CVE-2021-41372

Power BI Report Server Spoofing Vulnerability

Important

3/5 - This is for the Power BI Report Server which is an on-premise application for Power Bi Premium licencing.

Role: Windows Hyper-V

2

CVE-2021-42284 CVE-2021-42274

Windows Hyper-V Denial of Service Vulnerability

Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability

Important

3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. This update is more critical if you utilise Hyper-V

Visual Studio

1

CVE-2021-3711

OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow

Critical

 

4/5 - The update for Visual Studio is available from the Visual Studio portal. As this is flagged as critical, I would ensure this gets applied ASAP.

Visual Studio

1

CVE-2021-42319

Visual Studio Elevation of Privilege Vulnerability

Important

4/5 - Although not flagged as critical, this vulnerability is mitigated in the same update which resolves the above.

Visual Studio Code

1

CVE-2021-42322

Visual Studio Code Elevation of Privilege Vulnerability

Important

3/5 - Not to be confused with the above, this update is for Visual Studio Code and can be downloaded from a separate link: https://code.visualstudio.com/Download

Windows Active Directory

4

CVE-2021-42278 CVE-2021-42291 CVE-2021-42287 CVE-2021-42282 

Active Directory Domain Services Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported server operating systems.

Windows COM

1

CVE-2021-42275

Microsoft COM for Windows Remote Code Execution Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported server operating systems.

Windows Core Shell

1

CVE-2021-42286

Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for Windows 10 operating systems.

Windows Cred SSProvider Protocol

1

CVE-2021-41366

Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows Defender

1

CVE-2021-42298

Microsoft Defender Remote Code Execution Vulnerability

Critical

4/5 - This will be delivered automatically via Windows Update. Alternatively, it can be checked within the Windows Security App and the version can then be checked.

Windows Desktop Bridge

1

CVE-2021-36957

Windows Desktop Bridge Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows Diagnostic Hub

1

CVE-2021-42277

Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows Fastfat Driver

1

CVE-2021-41377

Windows Fast FAT File System Driver Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows Feedback Hub

1

CVE-2021-42280

Windows Feedback Hub Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows Hello

1

CVE-2021-42288

Windows Hello Security Feature Bypass Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for Windows 10 based operating systems.

Windows Installer

1

CVE-2021-41379

Windows Installer Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows Kernel

1

CVE-2021-42285

Windows Kernel Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows NTFS

4

CVE-2021-42283 CVE-2021-41370 CVE-2021-41378 CVE-2021-41367

NTFS Elevation of Privilege Vulnerability

Windows NTFS Remote Code Execution Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems, Windows 10 and 11 based including server.

Windows RDP

1

CVE-2021-38666

Remote Desktop Client Remote Code Execution Vulnerability

Critical

5/5 - Flagged as critical, This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows RDP

3

CVE-2021-38665 CVE-2021-38631  CVE-2021-41371

Remote Desktop Protocol Client Information Disclosure Vulnerability

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Important

4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems.

Windows Scripting

1

CVE-2021-42279

Chakra Scripting Engine Memory Corruption Vulnerability

Critical

5/5 - Flagged as critical, This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems, Windows 10 and 11 based including server.

Windows Virtual Machine Bus

1

CVE-2021-26443

Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability

Critical

5/5 - Flagged as critical, This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems, Windows 10 and 11 based including server.

 

Hope this table with helpful!