CYBERSECURITY PADAWAN

December’s Patch Tuesday comes with numerous security fixes and improvements, including two actively exploited zero-day vulnerabilities. The list features spoofing, denial of service, remote code execution, elevation of privilege, and information disclosure vulnerabilities. Additionally, Microsoft identified and addressed six zero-day vulnerabilities, along with the Windows AppX Installer flaw. On the vendor side, a fix became available for the Apache Log4Shell vulnerability, a severe flaw that affects LDAP, Java-running servers.

Patch Tuesday December Highlights

The Patch Tuesday 2021 roundup features 67 fixes for issues with severity scores ranging from Important to Critical. To mention a few, Microsoft pushes out fixes for the Bot Framework SDK RCE Vulnerability, SharePoint Server Spoofing Vulnerability, PowerShell Spoofing Vulnerability, Hyper-V Denial of Service flaw, Visual Code Studio WSL Extension RCE flaw, DirectX Graphics Kernel File DoS vulnerability, SymCrypt DoS Vulnerability, etc.

Naturally, the ‘weight’ of December’s Patch Tuesday was Microsoft’s resolution for the above-mentioned zero-day vulnerabilities. More specifically, CVE-2021-43240 (NTFS Set Short Name Elevation of Privilege), CVE-2021-41333 (Windows Print Spooler Elevation of Privilege), CVE-2021-43880 (Windows Mobile Device Management Elevation Privilege of Privilege), CVE-2021-43883 (Windows Installer Elevation of Privilege), CVE-2021-43893 (Windows Encrypting Files System Elevation of Privilege), and, of course, the actively exploited CVE-2021-43890 (Windows AppX Installer Spoofing). Additional details can be found in the upcoming section.

CVE-2021-43890 -Windows AppX Installer Spoofing vulnerability

The recently discovered Win AppX Installer Spoofing vulnerability receives an official Microsoft fix on the 14th of December. One interesting aspect about CVE-2021-43890 is its ‘appetite’ for low-level (i.e., user) privileges. Despite most threat actors gunning for EPs (Elevation of Privileges), Win Appx Installer Spoofing goes for the low-hanging fruits in order to compromise a machine. In essence, a threat actor can leverage the Windows Appx framework to trick the users into installing malicious, OS-signed applications on the machine. Combining social engineering and ‘repackaging’, the threat actor can easily convince the user via email or other comm channels that the application about to be downloaded is necessary and safe.

Exploiting the AppX Installer is clever in its own way since the UWP interface for signing and installing UWP apps does not require admin class privileges. Emotet, BazarLoader, and TrickBot operators seem to have a penchant for AppX, leveraging the flaw to compromise hosts via forge Adobe PDF components. Once installed, the malicious PDF software makes its move against the OS itself by self-calling other UWP software installations – instead of doing all the ‘heavy lifting, the package rubber-stamps additional app deployments, each of them having a very specific function. Workarounds are available, but we highly recommend you download and deploy the security patch carrying this fix.

CVE-2021-43240 – NTFS Set Short Name Elevation of Privilege

A local-type vulnerability that would, theoretically, allow a threat actor to gain elevated privileges by exploiting a security flaw found in the NTFS Set Short Name. There are no indications of the vulnerability being actively exploited. Tech details are scarce, but it would appear that the flaw is related to the way security restrictions are addressed in the NTFS Set Short Name.

CVE-2021-41333 – Windows Print Spooler Elevation of Privilege

A newly identified Win Spooler vulnerability that can be leveraged to gain elevated rights. The flaw was marked as ‘fixed’. A security patch carrying the changes is available for download and deployment.

CVE-2021-43880 – Windows Mobile Device Management Elevation Privilege of Privilege

A flaw within Windows’ MDM input service may allow a threat actor to trigger a DoS. The issue was marked as resolved.

CVE-2021-43883 – Windows Installer Elevation of Privilege

A vulnerability discovered in Microsoft Windows’ Installer component may allow an attacker to obtain elevated privileges. Microsoft’s Security Advisor noted that this attack can only be carried out remotely, meaning that the attacker must be authenticated to elicit the response.

CVE-2021-43893 – Windows Encrypting Files System Elevation of Privilege

Leveraging a flaw in the Operating System’s EF component, a threat actor can remotely gain elevated privileges. Microsoft issued a fix for this issue.

In case you’ve missed it….

Although not as ‘invigorating’ as Patch Tuesday December, October and November do have their merits. Here’s a quick roundup of what happened in the last couple of months.

Patch Tuesday October 2021 Highlights

During October’s patch batch, Microsoft released fixes for 71 vulnerabilities, including four zero-day flaws. To name a few, we have an information disclosure patch for Windows Server 2019, a Windows Server 2022 Remote Code Execution vulnerability, Win32k Elevation of Privilege vulnerability, Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution vulnerability, and others. Concerning zero-days, Microsoft announced fixes for CVE-2021-41335 (Windows Kernel Elevation of Privilege Vulnerability), CVE-2021-40449 (Win32K Use-after-free Elevation of Privilege Escalation vulnerability), CVE-2021-41338 (Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability), and CVE-2021-40469 (Windows DNS Server Remote Code Execution Vulnerability).

CVE-2021-41335 – Windows Kernel Elevation of Privilege Vulnerability

A vulnerability in the Win kernel allows the attacker to bypass standard security controls in order to obtain elevated privileges.

CVE-2021-40449 – Win32K Use-after-free Elevation of Privilege Escalation vulnerability

A threat actor may leverage a use-after-free flaw hidden in one of the Win32k driver’s functions (i.e., NtGdiResetDC) to trigger a kernel module leak. This behavior allows the threat actor to obtain elevated privileges.

CVE-2021-41338 – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

A vulnerability that allows a threat actor to bypass security controls by leveraging a code block inside the AppContainer Firewall Rules component.

CVE-2021-40469 – Windows DNS Server Remote Code Execution Vulnerability

By leveraging a Win DNS Server Misconfig, an attacker can trigger arbitrary code execution on the victim’s machine.

Patch Tuesday November 2021

In November, Microsoft released 55 fixes for known vulnerabilities, including one zero-day flaw. Counting off, we have fixes for the Microsoft Exchange Server RCE vulnerability, Microsoft Excel Security Feature Bypass vulnerability, 3D Viewer RCE vulnerability, Windows Remote Desktop Protocol (RDP) Information Disclosure vulnerability, and many more. In addition, Microsoft has released security fixes Azure, Windows Defender, Microsoft Office, and Microsoft Edge.

CVE-2021-42292 – Microsoft Excel Security Feature Bypass vulnerability

An attacker can trigger arbitrary code execution by tricking the user into opening a forged excel document.

CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability

A flaw in Exchange’s Server may allow a threat actor to run malicious code on the victim’s machine.

Additional Cybersecurity Advice

Here’s a quick list of some of my favorite patching/cybersecurity advice.

  • Regular patching/updating. I recommend you download and install critical patches as soon as they become available. If you’re managing a large infrastructure, go with an automated patch deployment tool. Heimdal™ Patch & Asset Management is a fully automatic patch and update deployment tool that allows you to push & test 3rd party, Windows, and proprietary patches.
  • Forged documents. Refrain from opening Excel or Word documents received from untrusted sources.
  • Complementary cybersecurity products. Most highlighted vulnerabilities can be mitigated with the aid of complementary cybersec products – next-gen AV, ransomware encryption protection, and advanced firewalls.

Additional Resources:

Conclusion

December Patch Tuesday has brought us numerous fixes for actively exploited threats. As always, patch ASAP, stay away from dubious links, scan your machines, and train your staff to identify cyber threats.

WSUS vs. SCCM vs. Intune Comparison – Benefits, Ease of Use, and Deployment

Enterprise Patch Management: What It Is and Why You Need It

15+ Experts Explain Why Software Patching is Key for Your Online Security

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP