Dec. 2021 Patch Tues. – Actively Exploited Microsoft Zero-Day Allows App Spoofing & Malware Delivery!

Dec’s Patch Tues. updates address 6 publicly known bugs & 7 critical security vulnerabilities.

Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, TrickBot & other malware disguised as legitimate applications.

The patch came as part of their Dec. Patch Tues. update, which included a total of 67 fixes for security vulnerabilities.

Range of Portfolio

The patches cover the range of Microsoft’s portfolio, affecting ASP.NET Core & Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office & Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, & the Windows Update Stack.

7 of the bugs addressed are rated critical, 6 were previously disclosed as zero-days & 60 are considered “important.”

The update brings the total number of CVEs patched by Microsoft this year to 887, which is down 29% in volume from a busy 2020.

Zero-Day Exploited in Wild

The zero-day (CVE-2021-43890) is an important-rated spoofing vulnerability in the Windows AppX Installer, which is a utility for side-loading Windows 10 apps, available on the App Store.

Kevin Breen, director of cyber-threat research at Immersive Labs, explained that the bug “allows an attacker to create a malicious package file and then modify it to look like a legitimate application, & has been used to deliver Emotet malware, which made a comeback this year.”

Breen warned, “the patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop attackers from sending links or attachments to these files.”

Multiple Attacks

Prior to its fix today, the bug was seen in multiple attacks associated with Emotet, TrickBot & Bazaloader, says Satnam Narang, Staff Research Engineer at Tenable.

“To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack,” he explained. “Once exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim’s account has administrative privileges on the system.”

If patching is not an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.

Other Known Microsoft Vulnerabilities

Note that Microsoft also patched CVE-2021-43883, a privilege-escalation vulnerability in Windows Installer, for which there’s been an exploit circulating, &, reportedly, active targeting by attackers – even though Microsoft stated it has seen no exploitation.

“This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation-of-privilege vulnerability in Windows Installer that was reportedly fixed in Nov.,” Narang explained. “However, researchers discovered that fix was incomplete, & a proof-of-concept was made public late last month.”

Highly Sought After

Breen noted that this kind of vulnerability is highly sought after by attackers looking to move laterally across a network.

“After gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools & deploy additional malware or tools like Mimikatz,” he outlined.

“Almost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware.”

4 Other Bugs

4 other bugs were listed as “publicly known” but not exploited, all rated important & allowing privilege escalation:

The update does not address CVE-2021-24084, an unpatched Windows security vulnerability disclosed in late Nov., which could allow information disclosure & local privilege escalation (LPE).

Critical-Rated Microsoft Security Bugs for Dec.

  1. CVE-2021-43215 in iSNS Server

The 1st critical bug to cover, CVE-2021-43215, allows remote code-execution (RCE) on the Internet Storage Name Service (iSNS) server, which enables automated discovery & management of iSCSI devices on a TCP/IP storage network. It rates 9.8 out of 10 on the vulnerability-severity scale.

The bug can be exploited if an attacker sends a specially crafted request to an affected server, according to Microsoft’s advisory.

“In other words, if you’re running a storage-area network (SAN) in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually,” stated Trend Micro Zero Day Initiative researcher Dustin Childs, in a Tues. blog. “If you have a SAN, prioritise testing & deploying this patch.”

Breen concurred that it is critical to patch quickly if an organisation operates iSNS services.

Default Component

“Remember that this is not a default component, so check this before you bump it up the list,” he said via email.

However, “as this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organisation’s ability to recover from attacks like ransomware.

These services are also typically trusted from a network perspective – which is another reason attackers would choose this kind of target.”

  2. CVE-2021-43907 in Visual Studio Code WSL Extension

Another 9.8-out-of-10-rated bug is CVE-2021-43907, an RCE issue in Visual Studio Code WSL Extension that Microsoft stated can be exploited by an unauthenticated attacker, with no user interaction. It did not provide further details.

“This impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code,” Childs explained.

“It allows you to develop in a Linux-based environment, use Linux-specific tool chains & utilities, & run & debug Linux-based applications all from within Windows. This sort of cross-platform functionality is used by many in the DevOps community.”

  3. CVE-2021-43899 in Microsoft 4K Wireless Display Adapter

The 3rd & final 9.8 CVSS-rated bug is CVE-2021-43899, which also allows RCE on an affected device if the attacker has a foothold on the same network as the Microsoft 4K Wireless Display Adapter. Exploitation is a matter of sending specially crafted packets to the affected device, according to Microsoft.

“Patching this won’t be an easy chore,” Childs outlined. “To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can they use the ‘Update & Security’ section of the app to download the latest firmware to mitigate this bug.”

  4. CVE-2021-43905 in Microsoft Office

Another critical RCE bug (CVE-2021-43905) exists in the Microsoft Office app; it rates 9.6 on the CVSS vulnerability-severity scale, & Microsoft marked it as “exploitation more likely.”

“Very little is given away in the advisory to identify what the immediate risk is – it simply states the affected product as ‘Office App,’” Breen noted.

“This can make it difficult for security teams to prioritise or put mitigations in place if quick patching is not available – especially when security teams are already tied down with other critical patching.”

However, Aleks Haugom, Researcher at Automox, explained it should be a priority for patching.

“As a low-complexity vulnerability, an attacker can expect repeated results,” he outlined in a Tues. analysis.

“Although Microsoft has not disclosed exactly what user interaction is required for the attacker to succeed, they have confirmed that the Preview Pane is not an attack vector.

Given that this threat can impact resources beyond the security scope managed by the security authority, immediate remediation actions are advised.”

  5. CVE-2021-42310 in Microsoft Defender for IoT

One of 10 issues found in Defender for IoT, this bug (CVE-2021-42310) allows RCE & rates 8.1 on the CVSS scale.

“A password reset request consists of a signed JSON document, a signing certificate, & an intermediate certificate that was used to sign the signing certificate,” explained Childs.

“The intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else’s password. Patching these bugs requires a sysadmin to take action on the device itself.”
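The reset flow Childs describes is an ordinary certificate-chain check, and the defensive requirement is that the intermediate supplied with the request must chain to the root CA built into the appliance rather than being trusted on its own. The Go program below is an added example written for this article, not code from Microsoft or from Defender for IoT. It builds a toy PKI (root, intermediate, signer) and a constructed JSON reset document, then contrasts a hypothetical weak verifier, which only checks that the signer was issued by whatever intermediate arrived with the request, against a strict verifier that requires the chain to terminate at the built-in root before the document signature is even considered. The `ResetRequest` struct, the JSON field names, the `VerifyWeak`/`VerifyStrict` functions and the flaw pattern shown are assumptions for illustration; the page does not say what the actual defect behind CVE-2021-42310 was.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// ResetRequest models the article's description: signed JSON, signing cert, issuing intermediate (field names assumed).
type ResetRequest struct {
	Doc, Sig             []byte
	Signer, Intermediate *x509.Certificate
}

// mkCert issues a certificate for pub signed by parentKey; a nil parent means self-signed.
// A usage that includes KeyUsageCertSign marks the certificate as a CA.
func mkCert(cn string, usage x509.KeyUsage, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildPKI creates a root -> intermediate -> signer chain under a name prefix (constructed test PKI).
func buildPKI(prefix string) (*x509.Certificate, *x509.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader is not expected to fail here
	root := mkCert(prefix+" Root CA", x509.KeyUsageCertSign, rootPub, nil, rootKey)
	interPub, interKey, _ := ed25519.GenerateKey(rand.Reader)
	inter := mkCert(prefix+" Intermediate CA", x509.KeyUsageCertSign, interPub, root, rootKey)
	signerPub, signerKey, _ := ed25519.GenerateKey(rand.Reader)
	signer := mkCert(prefix+" Reset Signer", x509.KeyUsageDigitalSignature, signerPub, inter, interKey)
	return root, inter, signer, signerKey
}

// SignResetRequest signs the constructed JSON document with the signer's private key.
func SignResetRequest(doc map[string]string, signer, inter *x509.Certificate, key ed25519.PrivateKey) ResetRequest {
	raw, _ := json.Marshal(doc)
	return ResetRequest{Doc: raw, Sig: ed25519.Sign(key, raw), Signer: signer, Intermediate: inter}
}

// checkDoc verifies the document signature against the signer's key, then decodes the JSON.
func checkDoc(req ResetRequest) (map[string]string, error) {
	if err := req.Signer.CheckSignature(x509.PureEd25519, req.Doc, req.Sig); err != nil {
		return nil, fmt.Errorf("document signature invalid: %w", err)
	}
	var d map[string]string
	return d, json.Unmarshal(req.Doc, &d)
}

// VerifyWeak is a hypothetical flaw pattern (not the documented cause of CVE-2021-42310): it trusts whatever intermediate arrived with the request.
func VerifyWeak(req ResetRequest) (map[string]string, error) {
	if err := req.Signer.CheckSignatureFrom(req.Intermediate); err != nil {
		return nil, err
	}
	return checkDoc(req)
}

// VerifyStrict requires signer -> intermediate -> built-in root before the document is trusted.
func VerifyStrict(req ResetRequest, builtInRoot *x509.Certificate) (map[string]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(builtInRoot)
	inters.AddCert(req.Intermediate)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := req.Signer.Verify(opts); err != nil {
		return nil, fmt.Errorf("chain does not anchor to the built-in root: %w", err)
	}
	return checkDoc(req)
}

// Demo runs three constructed cases: a genuine request, an attacker-generated chain, and a document altered after signing.
func Demo() map[string]bool {
	root, inter, signer, signerKey := buildPKI("Appliance")
	_, rInter, rSigner, rKey := buildPKI("Rogue") // the rogue root is never installed on the device
	legit := SignResetRequest(map[string]string{"user": "alice", "new_password": "correct-horse"}, signer, inter, signerKey)
	rogue := SignResetRequest(map[string]string{"user": "admin", "new_password": "attacker-chosen"}, rSigner, rInter, rKey)
	tampered := ResetRequest{Doc: []byte(`{"user":"admin","new_password":"x"}`), Sig: legit.Sig, Signer: signer, Intermediate: inter}
	ok := func(_ map[string]string, err error) bool { return err == nil }
	return map[string]bool{
		"legit/weak": ok(VerifyWeak(legit)), "legit/strict": ok(VerifyStrict(legit, root)),
		"rogue/weak": ok(VerifyWeak(rogue)), "rogue/strict": ok(VerifyStrict(rogue, root)),
		"tampered/strict": ok(VerifyStrict(tampered, root)),
	}
}
```

Running `Demo()` shows the genuine request passing both checks, the rogue chain passing only the weak check, and both the rogue chain and the altered document being rejected by the strict check. The design point is ordering: the chain is anchored to the trusted root first, and only a signer that survives that step gets to vouch for the document, so a valid-looking intermediate that the device never trusted cannot authorise a reset.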

The other 9 bugs in the platform include 7 other RCE vulnerabilities, 1 elevation of privilege vulnerability & 1 data disclosure vulnerability, all rated “important.”

  6. CVE-2021-43217 in the Windows Encrypting File System (EFS)

This bug (CVE-2021-43217) allows RCE & rates 8.1 on the CVSS scale.

“An attacker could cause a buffer overflow that would lead to unauthenticated non-sandboxed code execution, even if the EFS service isn’t running at the time,” Childs explained. “EFS interfaces can trigger a start of the EFS service if it is not running.”

Jay Goodman, in the Automox posting, noted that it can be chained with the publicly disclosed elevation of privilege vulnerability in EFS & presents a special threat.

Critical to Securing

“While either of these vulnerabilities constitutes an impactful disclosure that needs to be managed quickly, the combination of the 2 in a near universal service critical to securing & protecting data creates a unique situation,” he said.

“Attacks could use the combination of RCE with privilege elevation to quickly deploy, elevate & execute code on a target system with full system rights. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread laterally.”

This is a critical pair of vulnerabilities to address as soon as possible to minimize organisational risk.

  7. CVE-2021-43233 in Remote Desktop Client

The flaw (CVE-2021-43233) allows RCE & rates 7 on the CVSS scale. It is listed as “exploitation more likely.”

“This one…would likely require a social engineering or phishing component to be successful,” Breen explained.

“A similar vulnerability, CVE-2021-38666, was reported & patched in Nov. While it was also marked as ‘exploitation more likely,’ thankfully there have been no reports of proof-of-concept code or of it being exploited in the wild, which goes to show how important it is to make your own risk-based approach to prioritising patches.”

High Complexity

Automox Researcher Gina Geisel emphasised the bug’s high complexity for exploitation.

“To exploit this vulnerability, an attacker requires control of a server & then must convince users to connect to it, through social engineering, DNS poisoning or using a man-in-the-middle (MITM) technique, as examples,” she explained.

“An attacker could also compromise a legitimate server, host malicious code on it, & wait for the user to connect.”

Other Microsoft Bugs for Dec.

Childs also tagged CVE-2021-42309, an RCE issue in Microsoft SharePoint Server, as a vulnerability to prioritise. It allows an attacker to bypass the restriction against running arbitrary server-side web controls.

“The vulnerability allows a user to elevate & execute code in the context of the service account,” he explained.

“An attacker would need ‘Manage Lists’ permissions on a SharePoint site, but by default, any authorised user can create their own new site where they have full permissions.”

Unsafe Control

He suggested the issue is similar to the previously patched CVE-2021-28474, except that the unsafe control “is ‘smuggled’ in a property of an allowed control.”

Operating system bugs should be prioritised, researchers added.

“The disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS & Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month,” Chris Goettl, VP of Product Management at Ivanti, concluded.