VERT Threat Alert: December 2021 Patch Tuesday Analysis


Today’s VERT Alert addresses Microsoft’s December 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-978 on Wednesday, December 15th.

In-The-Wild & Disclosed CVEs

CVE-2021-43890

Up first this month is a vulnerability in the Windows AppX Installer that could allow spoofing. This vulnerability has been actively used in the spread of Emotet malware.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

CVE-2021-41333

CVE-2021-41333 is yet another print spooler vulnerability. All versions of Windows from Server 2008 through to Server 2022 are impacted by this vulnerability.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2021-43880

This is a Windows 11 only vulnerability that would allow an attacker who successfully exploited the vulnerability to delete files. They would not have additional access to view or modify files.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2021-43883

A vulnerability in the Windows Installer on all versions of Windows from Server 2008 through to Server 2022 could allow for elevation of privilege.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2021-43240

A vulnerability in NTFS Set Short Name could allow elevation of privilege. Short name refers to the 8dot3 naming convention. This vulnerability impacts Windows 10 and Windows 11 and related server platforms.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2021-43893

The final vulnerability on this list this month is an elevation of privilege vulnerability in Windows Encrypting File System (EFS).

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While the historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs per tag. Vulnerabilities are also colour coded to aid in identifying key issues.

  • Traditional Software
  • Mobile Software
  • Cloud or Cloud Adjacent
  • Vulnerabilities that are being exploited or that have been disclosed will be bold
Tag (CVE Count): CVEs
Visual Studio Code – WSL Extension (1): CVE-2021-43907
Microsoft Edge (Chromium-based) (16): CVE-2021-4052, CVE-2021-4053, CVE-2021-4054, CVE-2021-4055, CVE-2021-4056, CVE-2021-4057, CVE-2021-4058, CVE-2021-4059, CVE-2021-4061, CVE-2021-4062, CVE-2021-4063, CVE-2021-4064, CVE-2021-4065, CVE-2021-4066, CVE-2021-4067, CVE-2021-4068
Microsoft Devices (1): CVE-2021-43899
Windows Media (1): CVE-2021-40441
Microsoft Local Security Authority Server (lsasrv) (1): CVE-2021-43216
Remote Desktop Client (1): CVE-2021-43233
Windows Common Log File System Driver (3): CVE-2021-43224, CVE-2021-43226, CVE-2021-43207
Windows Storage Spaces Controller (1): CVE-2021-43227
Windows DirectX (1): CVE-2021-43219
Azure Bot Framework SDK (1): CVE-2021-43225
Microsoft Defender for IoT (10): CVE-2021-42310, CVE-2021-42311, CVE-2021-42312, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43888, CVE-2021-43889, CVE-2021-41365
Microsoft Office SharePoint (4): CVE-2021-42294, CVE-2021-42309, CVE-2021-42320, CVE-2021-43242
Microsoft Windows Codecs Library (6): CVE-2021-40452, CVE-2021-40453, CVE-2021-43214, CVE-2021-43243, CVE-2021-43248, CVE-2021-41360
Visual Studio Code (2): CVE-2021-43891, CVE-2021-43908
ASP.NET Core & Visual Studio (1): CVE-2021-43877
Windows SymCrypt (1): CVE-2021-43228
Microsoft Office Excel (1): CVE-2021-43256
Windows Event Tracing (1): CVE-2021-43232
Windows Kernel (1): CVE-2021-43244
Windows Remote Access Connection Manager (2): CVE-2021-43223, CVE-2021-43238
Microsoft Office (3): CVE-2021-43875, CVE-2021-42295, CVE-2021-43905
Microsoft PowerShell (1): CVE-2021-43896
Apps (1): CVE-2021-43890
Office Developer Platform (1): CVE-2021-43255
BizTalk ESB Toolkit (1): CVE-2021-43892
Microsoft Message Queuing (2): CVE-2021-43222, CVE-2021-43236
Windows Digital TV Tuner (1): CVE-2021-43245
Windows TCP/IP (1): CVE-2021-43247
Windows Update Stack (2): CVE-2021-43237, CVE-2021-43239
Windows Encrypting File System (EFS) (2): CVE-2021-43217, CVE-2021-43893
Microsoft Office Access (1): CVE-2021-42293
Windows Print Spooler Components (1): CVE-2021-41333
Role: Windows Hyper-V (1): CVE-2021-43246
Windows Mobile Device Management (1): CVE-2021-43880
Windows Storage (1): CVE-2021-43235
Windows Installer (1): CVE-2021-43883
Internet Storage Name Service (1): CVE-2021-43215
Role: Windows Fax Service (1): CVE-2021-43234
Windows NTFS (4): CVE-2021-43229, CVE-2021-43230, CVE-2021-43231, CVE-2021-43240

Other Information

There were no new advisories included with the December Security Guidance.

We should, however, reference the log4j vulnerability (CVE-2021-44228) that is getting a lot of attention. CISA has compiled detailed guidance around these vulnerabilities. On Saturday, December 11, Tripwire released ASPL-977 out-of-band for IP360, which included an authenticated test for the vulnerability. The latest information on Tripwire’s products regarding Log4j2 can be found at tripwire.com/log4j.

In ASPL-978, Tripwire will include additional coverage for CVE-2021-44228. This coverage will include tests for vulnerable versions of IBM WebSphere, Apache Tomcat, VMware vCenter, and Elasticsearch. It will also include improvements to our authenticated tests. We are also actively exploring additional detection methods that can be utilized.
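As an added example of the kind of authenticated check described above (illustrative code, not Tripwire's ASPL-977/978 tests): it opens a jar/war/ear, reads the log4j-core version from its Maven metadata, checks whether the JndiLookup class is present, and recurses into nested archives. It assumes 2.15.0 as the fix version for CVE-2021-44228 and runs against a constructed sample WAR rather than a real deployment.

```python
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = (2, 15, 0)  # first release fixing CVE-2021-44228 at the time of this alert

def is_vulnerable_version(v, fixed_in=FIXED_IN):
    """CVE-2021-44228 affects Log4j 2 from 2.0-beta9 up to, but not including, the fix."""
    # '2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' sorts as (2, 0, 0)
    parts = tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0])) + (0, 0, 0)
    return (2, 0, 0) <= parts[:3] < fixed_in

def scan_archive(data, path=""):
    """Inspect a jar/war/ear (recursing into nested archives) for log4j-core findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:  # Maven metadata carries the precise log4j-core version
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            status = ("unknown-version" if version is None        # class present, no metadata
                      else "patched" if not is_vulnerable_version(version)
                      else "vulnerable" if has_jndi
                      else "jndi-lookup-removed")                 # interim mitigation applied
            findings.append({"path": path, "version": version, "status": status})
        for n in names:  # fat jars and WEB-INF/lib bundles hide log4j-core one level down
            if n.lower().endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(scan_archive(zf.read(n), f"{path}!/{n}"))
    return findings

def build_sample_war():
    """Constructed input (not a real artifact): a WAR bundling a log4j-core 2.14.1 jar."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "app.war"):
        print(finding)  # {'path': 'app.war!/WEB-INF/lib/log4j-core-2.14.1.jar', 'version': '2.14.1', 'status': 'vulnerable'}
```

On a real host the same function is pointed at the jars under an application server's lib directories; a "jndi-lookup-removed" status records that the interim class-removal mitigation, rather than an upgrade, is in place.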