Patch Tuesday November 2021
Microsoft – https://msrc.microsoft.com/update-guide/vulnerability
Microsoft has released its November 2021 Patch Tuesday advisory. Six vulnerabilities are classified as critical, and two additional vulnerabilities have been detected as exploited in the wild. Three vulnerabilities are rated “Exploitation More Likely”, which implies that these products are frequently targeted and will draw attention from threat actors.
Critical Vulnerabilities
- CVE-2021-42316 – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
- CVE-2021-3711 – OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow
- CVE-2021-42298 – Microsoft Defender Remote Code Execution Vulnerability
- CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability
- CVE-2021-42279 – Chakra Scripting Engine Memory Corruption Vulnerability
- CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
Exploitation detected by Microsoft – Patch first
- CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292
  - The attack vector is not disclosed but Microsoft has confirmed that it is NOT the Preview Pane.
- CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
  - The attacker must be authenticated to exploit.
No exploitation detected, but rated “Exploitation More Likely”
- CVE-2021-42298 – Microsoft Defender Remote Code Execution Vulnerability
- CVE-2021-41356 – Windows Denial of Service Vulnerability
- CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability
SAP – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864
SAP has released its patching notification for November 2021, which includes two new vulnerabilities that impact its ABAP Platform and SAP Commerce products. Both are missing-authorization-check vulnerabilities and should be patched as soon as possible.
Critical Vulnerabilities
- CVE-2021-40501 – Missing Authorization check in ABAP Platform Kernel
  - https://launchpad.support.sap.com/#/notes/3099776
  - SAP ABAP Platform Kernel, Versions – 7.77, 7.81, 7.85, 7.86
- CVE-2021-40502 – Missing Authorization check in SAP Commerce
  - https://launchpad.support.sap.com/#/notes/3110328
  - SAP Commerce, Versions – 2105.3, 2011.13, 2005.18, 1905.34
Cisco – https://tools.cisco.com/security/center/publicationListing.x
Cisco disclosed a couple of critical vulnerabilities earlier in the month that should be reviewed and addressed by network operations. The first involves hard-coded SSH keys that allow an unauthenticated attacker to log in as root. The second would allow command injection and configuration modification. Both should be patched immediately.
- CVE-2021-40119 – Cisco Policy Suite Static SSH Keys Vulnerability
  - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cps-static-key-JmS92hNv
  - A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user.
- CVE-2021-34795, CVE-2021-40112, CVE-2021-40113 – Cisco Catalyst PON Series Switches Optical Network Terminal Vulnerabilities
  - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catpon-multivulns-CE3DSYGr
  - Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions:
    - Log in with a default credential if the Telnet protocol is enabled
    - Perform command injection
    - Modify the configuration
Adobe – https://helpx.adobe.com/security.html/security/security-bulletin.ug.html
Adobe has released two critical patches for Adobe InCopy and RoboHelp Server. Both vulnerabilities allow for arbitrary code execution and should be prioritized for remediation.
- RoboHelp APSB21-87
  - https://helpx.adobe.com/security/products/robohelp-server/apsb21-87.html
  - Arbitrary code execution in RoboHelp RHS2020.0.1 and earlier versions
- InCopy APSB21-110
  - https://helpx.adobe.com/security/products/incopy/apsb21-110.html
  - Arbitrary code execution in InCopy 16.4 and earlier versions
Citrix – https://support.citrix.com/article/CTX330728
Citrix released a critical patch to address an unauthenticated denial of service on ADC and Gateway devices. The updated versions that remediate this issue are listed below.
- CVE-2021-22955 – Citrix ADC & Citrix Gateway Unauthenticated denial of service
  - Pre-conditions: Appliance must be configured as a VPN (Gateway) or AAA virtual server
Remediated Versions:
- Citrix ADC and Citrix Gateway 13.1-4.43 and later releases of 13.1
- Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1
- Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1
- Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS