Post-Patch Tuesday Roundup: September 2021
Welcome to the October Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Apple, VMware and the other major vendors.
As we rush towards the end of the year, this month’s patches include some notable changes from previous releases, so let’s get stuck in.
Notable in October’s Patch Tuesday from Microsoft is the inclusion of the first batch of Windows 11 patches. Continuing the practice of building on previous operating systems rather than a ground-up redesign, the full launch of Windows 11 on the 5th October inevitably brings with it a round of security patches and bug fixes just a week later.
More than 70 CVEs have been addressed in the release, of which 3 are rated as Critical and one is being actively exploited in the wild. The remainder, while less critical, cover an array of OS and application-level bugs including Hyper-V, Office, SharePoint, scripting engines and even WLAN autoconfig.
Microsoft have released few details on CVE-2021-40449 other than it being an Elevation of Privilege vulnerability in Win32k, but it was reported by researchers as a zero-day seen being actively used in malware and bypassing a previously fixed vulnerability dating to 2016. The vulnerability doesn’t warrant a Critical rating though, with a CVSS score of 7.8.
More interesting is a Critical vulnerability in the Open Management Infrastructure (OMI) component of Azure, whereby a port listening for OMI can be exploited with a crafted HTTPS connection. This could allow remote code execution, giving the attacker access to the system. Microsoft have provided some guidance on checking for exposure in their article on the vulnerability: CVE-2021-38647
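One way to check a Linux host for the exposure described above is to look for OMI listeners bound to a non-loopback address. This is an added example, not Microsoft's guidance or code from the original post; it assumes `ss -H -ltnp` output, assumes the OMI daemons appear as `omiserver` or `omiengine`, and runs on a constructed sample.

```python
import ipaddress
import re

# Assumption: OMI's daemons show up under these process names in `ss` output.
OMI_PROCESS_NAMES = {"omiserver", "omiengine"}

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 15 0.0.0.0:5986 0.0.0.0:* users:(("omiengine",pid=1432,fd=9))
LISTEN 0 15 127.0.0.1:1270 0.0.0.0:* users:(("omiengine",pid=1432,fd=10))
LISTEN 0 15 [::]:5986 [::]:* users:(("omiengine",pid=1432,fd=11))
"""


def is_loopback(host):
    """True only when the bind address is provably loopback."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or unparseable: treat as reachable so it is reviewed


def find_exposed_omi(ss_output):
    """Return (bind_address, port, process) for OMI listeners off loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        # The last column looks like users:(("name",pid=N,fd=N),...)
        names = set(re.findall(r'\("([^"]+)"', fields[-1]))
        omi = sorted(names & OMI_PROCESS_NAMES)
        if not omi:
            continue
        host, _, port = fields[3].rpartition(":")
        if not is_loopback(host):
            findings.append((host, int(port), omi[0]))
    return findings


if __name__ == "__main__":
    for host, port, proc in find_exposed_omi(SAMPLE_SS_OUTPUT):
        print(f"OMI listener reachable off-host: {proc} on {host}:{port}")
```

On a real host, feed the function the output of `ss -H -ltnp` run as root so the process column is populated; an empty result only means no OMI listener is exposed, not that the installed OMI package is patched.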
Similarly, Exchange is the target for CVE-2021-26427, also a remote code execution bug that enables the attacker to make OS-level changes on the Exchange server. Notably, this one requires the attacker to be on the same network as the server (it can’t be triggered across the open Internet), meaning a prior compromise of the network must have been achieved, but the triviality of the attack itself and the ability to completely take over the target server make it Critical. Exchange admins will want to patch this promptly to reduce the overall attack surface of the network.
Another high-scoring vulnerability is CVE-2021-36970, yet another print spooler-related bug, with an Exploitability Assessment of “more likely”. Details are once again scant but the ongoing issues around printing are causing researchers and attackers alike to focus their efforts on finding bugs and building exploits for this ageing OS component. The advice is once again to assess and patch promptly.
Apple released iOS 15 late in September and, similar to Microsoft with Windows 11, promptly dropped a patch (15.0.2) just a few days later. This patch addressed a zero-day bug being actively exploited, making it important for iPhone fleet managers to issue the update without delay. Personal users will also want to ensure auto-update is turned on and the patch is installed.
VMware released a critical update to vCenter Server fixing multiple vulnerabilities, including CVE-2021-22005, a critical file upload vulnerability with a CVSS score of 9.8. vCenter servers tend to be isolated inside the network, often in their own management network if possible, and this attack requires access to port 443 on the vCenter server. As such, it requires pre-existing access to the network from a previous exploit or misconfiguration, but simply uploading a specially crafted file to the server is enough to trigger the exploit.
The full advisory details many more bugs fixed by this update, and platform admins will wish to get it deployed promptly to address these.