Microsoft’s monthly patch release includes fixes for a number of critical vulnerabilities including a Remote Code Execution (RCE) in Microsoft Exchange which was disclosed to Microsoft by the US National Security Agency (NSA).
Further Remote Code Execution (RCE) vulnerabilities were identified in:
- Microsoft DNS servers (CVE-2021-40469) which are often co-located services with Active Directory Domain Controllers.
- Microsoft Word (CVE-2021-40486) which would run when a user opens a malicious document.
- Microsoft Hyper-V (CVE-2021-38672 and CVE-2021-40461), which could impact the operation of multiple virtual machines running on the affected host.
- Microsoft SharePoint (CVE-2021-40487 and CVE-2021-41344), which may impact the confidentiality, integrity and availability of your data.
These vulnerabilities could be chained with others identified and patched this month, such as the Elevation of Privilege (EoP) vulnerability in Win32k (CVE-2021-40449), which is already being exploited in the wild, or CVE-2021-41338, which allows Windows AppContainer firewall rules to be bypassed.
A remote attacker may be able to exploit vulnerabilities in Microsoft products to execute arbitrary code. Once an attacker has gained a foothold, they could then elevate their permissions on the device from a local user account to that of an administrator or service account.
Security updates have been released for the following products:
- .NET Core & Visual Studio
- Active Directory Federation Services
- Console Window Host
- Microsoft DWM Core Library
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Intune
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Windows Codecs Library
- Rich Text Edit Control
- Role: DNS Server
- Role: Windows Active Directory Server
- Role: Windows AD FS Server
- Role: Windows Hyper-V
- System Center
- Visual Studio
- Windows AppContainer
- Windows AppX Deployment Service
- Windows Bind Filter Driver
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Desktop Bridge
- Windows DirectX
- Windows Event Tracing
- Windows exFAT File System
- Windows Fastfat Driver
- Windows Installer
- Windows Kernel
- Windows MSHTML Platform
- Windows Nearby Sharing
- Windows Network Address Translation (NAT)
- Windows Print Spooler Components
- Windows Remote Procedure Call Runtime
- Windows Storage Spaces Controller
- Windows TCP/IP
- Windows Text Shaping
- Windows Win32K
Containment, Mitigations & Remediation
Advice is to patch systems as soon as possible. A number of these patches remediate vulnerabilities that are exploitable remotely from the network or could be leveraged via social engineering attacks such as phishing.
While automated patching, to reduce administrative overhead, is advisable, some of this month's patches have known issues and may need manual intervention. Check the known-issues section at the bottom of the Microsoft Resource Centre's release notes for October 2021 for details.
Most notably, with regards to the Exchange Server patches: if the update is run manually (as some servers in DMZs may need to be updated in this way) from a normal, non-elevated prompt, as opposed to being run as Administrator, the files are updated, but not correctly.
Moreover, the installer produces no error message or any other indication that the patch did not apply correctly, so the installed Exchange build should be verified after every manual install rather than assumed from the absence of errors.
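The following PowerShell script is an added example, not part of the original advisory or of Microsoft's own tooling, showing how an administrator would guard against this failure mode on a manually patched Exchange server: refuse to run without an elevated token, install the .msp through msiexec, and then verify the result by checking the version of ExSetup.exe rather than trusting the silent installer. The .msp path and the expected ExSetup.exe version are parameters you supply; the expected version must be taken from Microsoft's published Exchange build numbers for the specific Security Update being installed.

```powershell
# Added example (not from the original advisory): install an Exchange Server
# Security Update (.msp) from an elevated session and verify it really applied.
# Assumptions: $MspPath and $ExpectedExSetupVersion are supplied by the operator;
# the expected version comes from Microsoft's Exchange build numbers page for the
# SU in question. $env:ExchangeInstallPath is set by Exchange Setup on the server.
param(
    [Parameter(Mandatory)] [string]  $MspPath,
    [Parameter(Mandatory)] [version] $ExpectedExSetupVersion
)

# 1. Refuse to continue from a non-elevated prompt. Running the .msp under a
#    standard user token is exactly the case in which files are updated
#    incorrectly without any error being reported.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Start an elevated (Run as administrator) PowerShell session before installing the Exchange SU.'
}

if (-not (Test-Path -LiteralPath $MspPath)) {
    throw "Update package not found: $MspPath"
}

# 2. Install silently via msiexec and wait for completion, logging verbosely so
#    the log can be kept as evidence of what the installer did.
$log  = Join-Path $env:TEMP ('ExchangeSU-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$args = @('/update', "`"$MspPath`"", '/quiet', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required; anything else failed.
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec exited with code $($proc.ExitCode); see $log"
}

# 3. Verify rather than trust: the file version of ExSetup.exe reflects the
#    installed Exchange build, so compare it with the version Microsoft
#    publishes for this SU. A silent, error-free run is not proof of success.
$exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
if (-not (Test-Path -LiteralPath $exsetup)) {
    throw "ExSetup.exe not found under ExchangeInstallPath ($env:ExchangeInstallPath)."
}
$actual = [version] (Get-Item -LiteralPath $exsetup).VersionInfo.FileVersion

if ($actual -lt $ExpectedExSetupVersion) {
    throw ("ExSetup.exe reports build {0}, expected at least {1}. " -f $actual, $ExpectedExSetupVersion) +
          'The update did not apply correctly; re-run it from an elevated prompt.'
}

Write-Output "Exchange build $actual meets the expected SU level ($ExpectedExSetupVersion)."
if ($proc.ExitCode -eq 3010) {
    Write-Warning 'A reboot is required to complete the update.'
}
```

Run it as, for example, `.\Install-ExchangeSU.ps1 -MspPath 'C:\Patches\Exchange-SU.msp' -ExpectedExSetupVersion 15.2.986.9` (the version shown here is a placeholder, not a value from this advisory). The version check is the important part: it is the only signal that distinguishes a correctly applied update from the silently broken install the advisory describes, and it is also a quick way to audit a fleet of Exchange servers after a patch window.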
Indicators of Compromise
Kaspersky has seen these domains used by a Remote Access Trojan that exploits CVE-2021-40449.
MITRE ATT&CK Techniques
- T1068 – Exploitation for Privilege Escalation
- T1548 – Abuse Elevation Control Mechanism
- T1133 – External Remote Services
- T1203 – Exploitation for Client Execution
- T1059 – Command and Scripting Interpreter