September’s Patch Tuesday landed late on Tuesday night UK time, as ever (quelle surprise). For those still rubbing their eyes and reaching for coffee before they start plugging various holes in widely used software (you do do that, right?), here are some highlights and patch priorities.
(Microsoft patched 66 new CVEs: three rated Critical, 62 rated Important. Adobe released 15 patches covering 59 CVEs, including 13 Critical bugs in Adobe Acrobat alone. Apple and Google’s Chrome team also patched vulnerabilities that have been actively attacked. Red Hat meanwhile today pushed out an important fix for a vulnerability in the Cyrus IMAP server, which provides access to personal mail, system-wide bulletin boards, news feeds, calendars and contacts through the IMAP, JMAP, NNTP, CalDAV and CardDAV protocols.)
CVE-2021-40444 is a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML (the Internet Explorer rendering engine, which Office documents can embed) and is being exploited more widely as proofs of concept circulate. As Christopher Hass, director of information security and research at Automox, notes, while initial attacks in the wild exploited this vulnerability by using specially-crafted Microsoft Office documents, “it was later discovered that rich text documents could be used to deliver malicious payloads as well. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document or a rich text file that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Due to this vulnerability already being used by attackers, and a public proof of concept being available, defenders should patch this vulnerability as soon as possible.”
Other Microsoft patch priorities for September’s Patch Tuesday include CVE-2021-36965, a vulnerability in the Windows WLAN AutoConfig Service that could allow network-adjacent attackers to run their code on affected systems at SYSTEM level. (Dangerous in a coffee shop scenario where multiple people are sharing an unsecured WiFi network. As the Zero Day Initiative notes: “This requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly.”)
CVE-2021-38647 meanwhile carries the highest CVSS score (9.8) of the month and should be a real priority. It is an RCE bug in Open Management Infrastructure (OMI), an open source implementation of the DMTF CIM/WBEM management standards, and the OMI project itself shipped a fix in August. As the ZDI points out, the vulnerability “requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system. OMI users should test and deploy this one quickly.”
(Microsoft points out in its advisory that some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986). This configuration, with the HTTP/S listener enabled, could allow remote code execution, although the company adds that “it is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port.” Since those services install OMI on the VM themselves, it is worth checking for the agent rather than assuming it is absent.)
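As an added example (not code from the article, from Microsoft or from the OMI project), here is a POSIX shell check a Linux admin could run on an Azure VM to see whether OMI is listening on the HTTP/S ports and whether the installed package predates the fix. It assumes the package is named `omi`, that 5985 is the plain-HTTP counterpart of the 5986 HTTPS port the advisory mentions, and that 1.6.8-1 is the first fixed upstream release; confirm that version against the vendor advisory before relying on it.

```shell
#!/bin/sh
# Added example: check a Linux host for an exposed and/or unpatched OMI agent (CVE-2021-38647).
# Assumptions not stated in the article: package name "omi", fixed release 1.6.8-1,
# ports 5985 (HTTP) and 5986 (HTTPS) as the OMI HTTP/S listeners.

OMI_FIXED_VERSION="1.6.8-1"   # assumption: first release carrying the fix; verify with the vendor

# Constructed sample `ss -tlnp` output so the check can be exercised offline.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:5986         0.0.0.0:*          users:(("omiengine",pid=1234,fd=7))
LISTEN  0       128     127.0.0.1:5985       0.0.0.0:*          users:(("omiengine",pid=1234,fd=6))
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))'

# omi_exposed_listeners: read `ss -tlnp` output on stdin and print the Local Address:Port
# of every LISTEN socket on 5985/5986 that is bound to something other than loopback.
omi_exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n];
        addr = $4; sub(/:[0-9]+$/, "", addr);
        if ((port == "5985" || port == "5986") && addr !~ /^(127\.|\[::1\]$)/) print $4
    }'
}

# omi_version_vulnerable VERSION: succeed (exit 0) when VERSION sorts below OMI_FIXED_VERSION.
# "1.6.8-1" and "1.6.8.1" are normalised to dotted numeric fields before comparing.
omi_version_vulnerable() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$OMI_FIXED_VERSION" | tr '-' '.')
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | tr -cd '0-9'); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i" | tr -cd '0-9'); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal to the fixed version: not vulnerable
}

# installed_omi_version: print the installed omi package version (deb or rpm), or fail if absent.
installed_omi_version() {
    dpkg-query -W -f='${Version}' omi 2>/dev/null && return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null && return 0
    return 1
}

# Run against the constructed sample first, then against this host where the tools exist.
echo "sample: exposed OMI listeners:"
printf '%s\n' "$SAMPLE_SS" | omi_exposed_listeners
if command -v ss >/dev/null 2>&1; then
    echo "this host: exposed OMI listeners (empty means none):"
    ss -tlnp 2>/dev/null | omi_exposed_listeners
fi
installed=$(installed_omi_version || true)
if [ -n "$installed" ]; then
    if omi_version_vulnerable "$installed"; then
        echo "omi $installed is below $OMI_FIXED_VERSION: patch now"
    else
        echo "omi $installed is at or above $OMI_FIXED_VERSION"
    fi
else
    echo "no omi package found via dpkg/rpm (check /opt/omi if the agent was installed by an extension)"
fi
```

Against the constructed sample the listener check reports only `0.0.0.0:5986`: the loopback-bound 5985 socket is not reachable from the network, and sshd is ignored. On a real VM an empty listener list does not mean the host is safe, only that the remote HTTP/S path is closed; the package version still needs to be at the fixed release.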