The final second Tuesday of the month is here, and this month, it brings much more than just patches from Microsoft and Adobe. Take a break from your holiday preparations and join us we review the details of the latest security patches.

CVE-2021-44228: Log4Shell (Log4j)

Unless you have been hiding under a rock with your eyes closed and your fingers in your ears, you have heard of a 0-day exploit in the Java logging library known as Apache Log4j. The vulnerability could allow remote code execution on affected applications and servers by logging a certain string. Of course, the biggest issue is just how large the list of affected application is. No one has a good answer other than “a whole lot,” as this library is nearly ubiquitous. Here’s how an infection flow might look:

Affected products are still being identified and range from web services like Apache Struts to games like Minecraft to banking and financial applications. If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability. Trend Micro has published this blog, which details the bug and provides IOCs and guidance to detect attacks. So far, we’re seeing active exploits dropping Mirai variants and Kinsing coin miners on affected servers. Check with all the vendors in your enterprise to see if they are impacted and what patches are available. We’ve also released a tool you can use to scan your enterprise for affected systems. You can access it at https://log4j-tester.trendmicro.com/.

Apple Patches for December 2021

While Apple doesn’t release on a second Tuesday cycle, they did release significant patches yesterday that shouldn’t be ignored. New updates are available for iOS and iPad OS, macOS Monterey, macOS Big Sur, tvOS, and watchOS. There’s also a security update for Catalina. While none of the bugs patched are listed as being under active attack, several of these vulnerabilities were reportedly used during the last Tianfu Cup. Exploits demonstrated at this contest have received a lot of attention in the past, and this bunch will likely receive the same amount of scrutiny from researchers and attackers alike. 

Adobe Patches for December 2021

For December, Adobe released 11 patches addressing 60 CVEs in Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager, and Premiere Rush. At total of 31 of these bugs were reported by ZDI vulnerability researcher Mat Powell. The most severe of these updates impacts Adobe Experience Manager. This patch fixes eight different bugs, including one rated as CVSS 9.8 and several stored cross-site scripting (XSS) issues. The update for Premiere Rush fixes 16 bugs, many of which are rated Critical. However, there are no CVSS scores listed on this one. Considering many of the bugs result in arbitrary code execution, treat them as you would any other high-scoring vuln.

The patch for Premiere Pro fixes only five CVEs, but one of those is a Critical-rated Out-of-Bounds (OOB) write that could allow arbitrary code execution. The specific flaw exists within the parsing of 3GP files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. The update for After Effects covers 10 CVEs, include two that could allow code execution. Most of the update fixes privilege escalation bugs. The Dimension patch also fixes three Critical-rated code execution bugs to along with a few privilege escalations.

The patch for Adobe Audition fixes three Moderate bugs, while the Lightroom fix addresses a single privilege escalation. The patch for Media Encoder fixes five bugs, two of which are rated Critical and could allow remote code execution. Similarly, the patch for Prelude includes a fix for one Critical code execution bug to go along with an Important LPE. The update for Connect addresses a single CSRF bug. The patch for Photoshop fixes two Critical and one Important-rated bug. The Critical bugs could allow code execution if you open a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Google Chrome Patches for December 2021

Google is another vendor that doesn’t follow the patch Tuesday release cycle but still managed to release a significant update yesterday. The Chrome Stable channel has been updated to 96.0.4664.110, and the patch includes five security fixes. One of these bugs, CVE-2021-4102, a use-after-free bug in V8, is listed as having exploits in the wild. Three other High severity and one Critical severity bugs are also addressed. Tis the season to be shopping online. Make sure your browser is up to date as you do so. These bugs are not included in the Edge (Chromium-based) updates discussed below. If you’re interested in other V8 bugs, check out this series of blogs recently published by ZDI vulnerability researcher Hossein Lotfi.

Microsoft Patches for December 2021

For December, Microsoft released patches today for 67 new CVEs in Microsoft Windows and Windows Components, ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack. This is in addition to the 16 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the December total to 83 CVEs.

This brings the total number of CVEs patched by Microsoft this year to 887 – a 29% decrease from 2020. This excludes the CVEs consumed from Chrome for the Edge (Chromium-based) browser. Based on recent reports, the Microsoft bug bounty program received approximately the same number of vulnerability reports. It’s unclear if Microsoft is combining multiple submissions into a single CVE or if there is a significant back log of patches just waiting to be released. It could lead to a rough 2022 for patching. At least there are no Exchange Server patches to worry about over the holidays.  

Of the CVEs patched today, seven are rated Critical and 60 are rated as Important in severity. A total of 10 of these bugs came through the ZDI program. Five of these bugs are listed as publicly known, and one is listed as being publicly exploited at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the 0-day that was patched:

-       CVE-2021-43890 - Windows AppX Installer Spoofing Vulnerability
Emotet is like that holiday guest that just won’t take a hint and leave. This patch fixes a bug in the AppX installer that affects Windows. Microsoft states they have seen the bug used in malware in the Emotet/Trickbot/Bazaloader family. An attacker would need to craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. It seems and code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system. This malware family has been going for some time now. It seems like it will be around for a bit longer.

-       CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server. If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. This bug is one of three CVSS 9.8 bugs fixed this month. If you have a SAN, prioritize testing and deploying this patch. 

-       CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
This update fixes a vulnerability that could allow an unauthenticated attacker to execute their code on an affected device. The attacker would need to be on the same network as the Microsoft 4K Display Adapter. If they are, they could send specially crafted packets to the affected device. Patching this won’t be an easy chore. To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can the use the “Update & Security” section of the app to download the latest firmware to mitigate this bug. This is the second CVSS 9.8 bug being patched this month.

-       CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability
This is the final CVSS 9.8 vulnerability being patched this month. The impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. It allows you to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. That sort of cross-platform functionality is used by many in the DevOps community. This patch fixes a remote code execution bug in the extension, but Microsoft doesn’t specify exactly how that code execution could occur. They do list it as unauthenticated and requires no user interaction, so if you use this extension, get this update tested and deployed quickly.

-       CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug reported through the ZDI program. The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474. However, in this case, the unsafe control is “smuggled” in a property of an allowed control.

Here’s the full list of CVEs released by Microsoft for December 2021:

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the release, the 10 patches – one Critical and nine Important – for the Microsoft Defender for IOT stand out. Several of these were reported to the ZDI program by an anonymous researcher. One of the more severe bugs exists in the password reset mechanism. A password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate. The intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else’s password. Patching these bugs requires a sysadmin to take action on the device itself. Automatic updates are available here.

Moving on to the other Critical-rated bugs, there’s another RDP bug, but this one is in the client instead of the server. There’s a bug in the Microsoft Office app that could allow unauthenticated remote code execution, but it’s not clear how since Microsoft lists user interaction is required. You will likely be automatically updated through the Microsoft Store, but if you have disabled automatic store updates, you’ll need to update manually through the store. The final Critical-rated bug affects the Windows Encrypting File System (EFS). An attacker could cause a buffer overflow that would leading to unauthenticated non-sandboxed code execution, even if the EFS service isn’t running at the time. EFS interfaces can trigger a start of the EFS service if it is not running.

Of the remaining remote code execution bugs, only a few stand out. A few are in the HEVC Video Extensions and equate to either open-and-own or browse-and-own bugs. Similar to the Office app, the update will be delivered through the Windows Store. If you have disabled Store updates or are in a disconnected environment, you’ll need to use either the Microsoft Store for Business or the Microsoft Store for Education. The same goes for the Web Media Extensions. There are a few RCE bugs in Office applications, but those get updates through the normal methods. Same goes for the Windows Fax service, which is a nice reminder that faxes are a thing that some people still use.

There are 21 patches addressing Elevation of Privilege (EoP) bugs, including all five publicly known vulnerabilities. As always, Microsoft does not give any indication on what information about these bugs is public or where the disclosure was made. For the most part, these bugs require an attacker to log on to an affected system and run a specially crafted application to elevate privileges. A couple of other notable EoP bugs were reported to the ZDI by Abdelhamid Naceri. The first occurs in Windows Remote Access and the second occurs in the Windows Update Assistant. By creating a directory junction, an attacker can abuse Windows Update Assistant to change the DACL on an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

The December release includes fixes for 10 information disclosure bugs. For nine of these bugs, the vulnerabilities result in leaks consisting of unspecified memory contents. However, for the info disclosure bug in Microsoft Defender for IoT, an attacker could disclose device security information, which includes things like the security score, any outdated operating systems, and malware infections.

There are three denial-of-service (DoS)-related patches fixing bugs in Hyper-V, SymCrypt, and the DirectX Graphics component. No additional details are provided by Microsoft regarding these bugs.

This month’s release is rounded out by seven patches for spoofing bugs. Of note, the fix for the Microsoft Office Trust Center requires multiple patches to completely address the bug. On the upside, they can be installed in any order. The other spoofing bugs exist in SharePoint and PowerShell, but no additional details are available.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on January 11, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!