
Exchange zero-day corrected on November Patch Tuesday

Microsoft released a security update to shut down a publicly exploited vulnerability in the beleaguered on-premises messaging platform.

November Patch Tuesday arrived with a relatively light load of fixes from Microsoft, but Exchange admins should prioritize patching an actively exploited zero-day in the on-premises messaging platform.

Microsoft released security updates for 55 bugs this month, six of them rated critical. The release resolved two zero-day vulnerabilities and four flaws designated as publicly disclosed. In addition to Exchange Server, affected product families include the Microsoft 3D Viewer app, Azure, the Chromium-based Microsoft Edge browser, Microsoft Visual Studio and Visual Studio Code, Microsoft Dynamics, Microsoft Office, SQL Server, System Center and the Windows desktop and server operating systems.

Zero-day puts Exchange Server back in the spotlight

While the intense attention Exchange Server drew from attackers has tapered off over the last several months, it flared up again this month with an actively exploited remote code execution vulnerability (CVE-2021-42321) rated important.

On the Common Vulnerability Scoring System (CVSS), the bug has a base score of 8.8 out of 10 and requires the attacker to be authenticated, which likely accounts for the lower-than-critical rating. Authentication is a modest barrier in practice: the on-premises email product remains a tempting enough target for threat actors to do the work of infiltrating an organization's network, obtaining credentials and elevating privileges, and then using a vulnerability of this type to launch the attack.

"What does it take to get to an authenticated role in the Exchange Server? It's more of a matter of how long will it take for an attacker to get to that point?" said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. "A lot of organizations don't have tight enough security to keep an attacker out. If the effort is concerted, then it's only a matter of time."


Microsoft's Exchange team published a blog post to walk administrators through the patching process and flagged a potential installation issue for some organizations.

"We are aware of an issue that Exchange 2013 CU23 customers who use Windows Server Update Services (WSUS) to download Security Updates might see an error with the installation of November SU (error 0x80070643 in the event log, event ID 20). We are working on resolving this issue ASAP," the blog said.
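The WSUS failure the Exchange team describes shows up on the Exchange server itself as a Windows Update client event. The following PowerShell snippet, an added example and not code from the article or from Microsoft, pulls those failures out of the System log so an admin can confirm whether the November SU actually landed. It assumes that installation failures are recorded by the provider Microsoft-Windows-WindowsUpdateClient as event ID 20 in the System log and that the event message text carries the HRESULT (for example 0x80070643) followed by the update title; run it in an elevated PowerShell session on the Exchange 2013 CU23 host.

```powershell
# Added example (not from the article or Microsoft).
# Assumption: Windows Update client logs install failures as event ID 20 from
# provider Microsoft-Windows-WindowsUpdateClient in the System log, with the
# HRESULT and update title in the message text.
$errorCode = '0x80070643'   # code quoted by the Exchange team for the WSUS failure
$since     = (Get-Date).AddDays(-7)

$failures = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 20
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $failures) {
    "No Windows Update installation failures (event ID 20) since $since."
    return
}

foreach ($evt in $failures) {
    # (?s) lets '.' span the line breaks Windows puts in event messages
    $hresult = if ($evt.Message -match '(?s)(0x[0-9A-Fa-f]{8})') { $Matches[1] } else { 'n/a' }
    $title   = if ($evt.Message -match '(?s)0x[0-9A-Fa-f]{8}\s*:\s*(.+?)\s*$') { $Matches[1] } else { $evt.Message }
    [pscustomobject]@{
        Time         = $evt.TimeCreated
        HResult      = $hresult
        Update       = $title
        MatchesWsusSU = ($hresult -eq $errorCode)   # True for the failure the blog post describes
    }
}
```

The MatchesWsusSU column flags the exact code from the blog post; any other HRESULT is still an install failure worth investigating, just not the WSUS-specific one Microsoft acknowledged. If the event is present, re-check the installed Exchange build after applying Microsoft's workaround rather than assuming the SU is in place.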

In addition to the zero-day security update, Microsoft addressed two other Exchange Server flaws. CVE-2021-41349 and CVE-2021-42305 are both spoofing vulnerabilities rated important that affect supported Exchange Server products. Each has a base CVSS score of 6.5, and both require user interaction to exploit.

Microsoft Excel zero-day resolved

The other vulnerability that administrators should resolve quickly is a publicly exploited Microsoft Excel security feature bypass vulnerability (CVE-2021-42292) rated important with a 7.8 CVSS score. Microsoft's notes indicate the preview pane is not an attack vector, so a victim has to open a crafted file rather than merely preview it, which makes triggering the exploit slightly more difficult.

"No authentication is required, but user interaction is required. But how hard is it to phish a user? It's a very low bar to convince a user to do something for you," Goettl said.

The flaw affects both the Windows and Mac versions of Excel, but a patch for affected Mac systems was not ready at the time of publication.

"The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information," Microsoft wrote in the CVE's FAQ section.

Four public disclosures resolved

Microsoft issued security updates for two publicly disclosed Windows Remote Desktop Protocol (RDP) information disclosure vulnerabilities (CVE-2021-38631 and CVE-2021-41371), both rated important. A successful exploit requires both administrative privileges and local network access. Goettl said this is one instance where an insider threat might do more harm than an external one.

"If a rogue admin is able to see a password and use it without anybody knowing that they had access to it, then what could they gain access to? And for how long before something bad happens?" Goettl said.

The other two public disclosures are 3D Viewer remote code execution vulnerabilities (CVE-2021-43208 and CVE-2021-43209), both rated important. The app installs by default on Windows devices and updates automatically through the Microsoft Store, so on devices where Store access is restricted, the fix may not arrive on its own. Microsoft said administrators can run a PowerShell command to check the app package version and confirm it is 7.2107.7012.0 or later. The exploit requires user interaction to succeed.

Other security updates of note from November Patch Tuesday

Administrators will also want to verify Windows systems that use Microsoft Defender for malware protection have the update that resolves a remote code execution vulnerability (CVE-2021-42298) rated critical.

Microsoft Defender is active by default, but some organizations may have disabled it in favor of another protection product. According to Microsoft, this CVE does not affect those systems. Internet-connected devices should automatically install an update to the Microsoft Malware Protection Engine that corrects this issue, but administrators should verify the engine version is 1.1.18700.3 or later.
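Both the 3D Viewer fix and the Malware Protection Engine fix arrive through channels outside the normal Patch Tuesday cumulative update, so the two version checks the article calls for are worth scripting together. The PowerShell below is an added example, not code from the article or from Microsoft, and it assumes the 3D Viewer Store package is named Microsoft.Microsoft3DViewer and that the script runs in an elevated session (the -AllUsers switch needs it). It also handles the case the article calls out where Defender has been replaced by another product, reporting that CVE-2021-42298 does not apply rather than flagging a missing engine update.

```powershell
# Added example (not from the article or Microsoft): verify the two
# auto-updating components the article says admins should confirm.
# Assumptions: 3D Viewer's Appx package name is Microsoft.Microsoft3DViewer;
# run in an elevated PowerShell session on the Windows host being checked.
$minViewer = [version]'7.2107.7012.0'   # fixed 3D Viewer build (CVE-2021-43208/43209), per the article
$minEngine = [version]'1.1.18700.3'     # fixed Malware Protection Engine (CVE-2021-42298), per the article

function Test-MinimumVersion {
    param([string]$Name, [string]$Actual, [version]$Minimum)
    if ([string]::IsNullOrEmpty($Actual)) {
        return "$Name`: not installed (not affected)"
    }
    # Cast to [version] so 7.2107.7012.0 compares numerically, not as a string
    $state = if ([version]$Actual -ge $Minimum) { 'OK' } else { 'NEEDS UPDATE' }
    return "$Name`: $Actual (minimum $Minimum) $state"
}

# 3D Viewer is a Store app; with -AllUsers several copies may be staged, so take the newest
$viewer = Get-AppxPackage -Name Microsoft.Microsoft3DViewer -AllUsers -ErrorAction SilentlyContinue |
          Sort-Object { [version]$_.Version } -Descending |
          Select-Object -First 1
Test-MinimumVersion -Name '3D Viewer' -Actual $viewer.Version -Minimum $minViewer

# Malware Protection Engine only matters when Defender AV is the active product
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.AntivirusEnabled) {
    'Microsoft Defender: disabled or replaced by another product (CVE-2021-42298 not applicable)'
} else {
    Test-MinimumVersion -Name 'Malware Protection Engine' -Actual $mp.AMEngineVersion -Minimum $minEngine
}
```

Run it across a fleet with Invoke-Command or your endpoint management tool and look for NEEDS UPDATE lines; a machine that reports 3D Viewer as not installed but still has the Store package staged for other users will surface through the -AllUsers query rather than being missed.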

A Microsoft Virtual Machine Bus (VMBus) remote code execution vulnerability (CVE-2021-26443), rated critical for affected Windows systems, carries the month's highest CVSS score at 9.0 and does not require user interaction. It is a guest-to-host escape, so it matters most on Hyper-V hosts that run untrusted or exposed guests.

"A remote code execution vulnerability exists when a VM guest fails to properly handle communication on a VMBus channel. To exploit the vulnerability, an authenticated attacker could send a specially crafted communication on the VMBus channel from the guest VM to the Host. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system," Microsoft wrote.
