On what might seem a relatively calm Patch Tuesday with 55 vulnerabilities being patched, the fact that six of them were rated “Critical” and two of them actively exploited spoils the Zen factor somewhat.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

Exchange Server (again)

CVE-2021-42321: A Microsoft Exchange Server Remote Code Execution (RCE) vulnerability that is known to be exploited in the wild. This vulnerability was disclosed during the Tianfu Cup international cybersecurity contest and requires an authenticated user to run arbitrary code on an on-premise Exchange Server.

Two other Exchange Server vulnerabilities, rated “Important”, are CVE-2021-42305 and CVE-2021-41349. Both are Microsoft Exchange Server spoofing vulnerabilities. Exploitation appears to be easy, since the attack can be initiated remotely and no authentication is needed for successful exploitation. Successful exploitation does, however, require user interaction from the victim.

Excel

CVE-2021-42292: A Microsoft Excel Security Feature Bypass vulnerability that is also being exploited in the wild. Microsoft does not indicate what impact the vulnerability may have, but the CVSS score is 7.8 out of 10, and there are two interesting notes in the Microsoft FAQ about this vulnerability:

  • No, the Preview Pane is not an attack vector.
  • The security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

Remote Desktop Protocol (RDP)

As if RDP wasn’t a big enough problem already, four vulnerabilities have been found in this widely abused protocol. Three of them are Information Disclosure vulnerabilities and one, listed under CVE-2021-38666, is a “Critical” RCE. The attack can be initiated remotely and no form of authentication is needed for a successful exploitation. It does, however, require the victim’s interaction.

3D Viewer

The Microsoft 3D Viewer lets you view 3D models with lighting controls, inspect model data and visualize different shading modes. Two “Important” RCE vulnerabilities in this utility have been patched in this update. They are listed under CVE-2021-43208 and CVE-2021-43209. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately. Application package versions 7.2107.7012.0 and later contain this update.

Microsoft Defender

CVE-2021-42298 is a Microsoft Defender Remote Code Execution vulnerability that is rated “Critical.” Defender is designed to scan every file and runs with some of the highest levels of privilege in the operating system. An attack can be initiated remotely without any form of authentication, but successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Other patches

Patches have been released recently, and not only by Microsoft, so it may be worth checking whether you are running the latest versions of the following.

Siemens has released updates to patch vulnerabilities in the Nucleus RTOS (real-time operating system) versions Nucleus 4 and Nucleus ReadyStart (Nucleus 3). The vulnerabilities CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 have the highest CVSS scores, with 10.0, 9.9 and 9.9 out of 10 respectively.

Citrix has released a security bulletin about Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

Adobe made security updates available for RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud.

Android issued a security bulletin last week, which we discussed in detail here.

Cisco released a security advisory mentioning two “Critical” issues: one concerning static SSH keys in Cisco Policy Suite, and one concerning Cisco Catalyst PON Series Switches Optical Network Terminals.

SAP has its own Patch Day security notes. One of the listed vulnerabilities, CVE-2021-40501, with a CVSS score of 9.6 out of 10, describes a missing authorization check in the ABAP Platform Kernel.

VMware’s security advisory includes a critical update for VMware vCenter Server that addresses multiple security vulnerabilities.

Intel has also released several security advisories containing fixes or workarounds for vulnerabilities identified in Intel products.

If you don’t know where to start, perhaps our post on the CISA directive to reduce the risk of known exploited vulnerabilities will help you on your way.

Update November 17, 2021

Microsoft has released a patch for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 that addresses a possible security feature bypass listed as CVE-2021-42294. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action.

The same patch includes a fix for CVE-2021-40442, a Microsoft Excel Remote Code Execution vulnerability that also affects Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021.

Stay safe, everyone!