Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery

December’s Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities.

Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications.

The patch came as part of the computing giant’s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities. The patches cover the waterfront of Microsoft’s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.

Seven of the bugs addressed are rated critical, six were previously disclosed as zero-days and 60 are considered “important.”


The update brings the total number of CVEs patched by Microsoft this year to 887, which is down 29 percent in volume from a very busy 2020.

Zero-Day Exploited in Wild

The zero-day (CVE-2021-43890) is an important-rated spoofing vulnerability in the Windows AppX Installer, which is a utility for side-loading Windows 10 apps, available on the App Store.

Kevin Breen, director of cyber-threat research at Immersive Labs, explained that the bug “allows an attacker to create a malicious package file and then modify it to look like a legitimate application, and has been used to deliver Emotet malware, which made a comeback this year.”

Breen warned, “the patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop attackers from sending links or attachments to these files.”

Prior to its fix today, the bug was seen in multiple attacks associated with Emotet, TrickBot and Bazaloader, according to Satnam Narang, staff research engineer at Tenable.

“To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack,” he explained via email. “Once exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim’s account has administrative privileges on the system.”

If patching isn’t an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.

Other Publicly Known Microsoft Vulnerabilities

It’s worth noting that Microsoft also patched CVE-2021-43883, a privilege-escalation vulnerability in Windows Installer, for which there’s been an exploit circulating, and, reportedly, active targeting by attackers – even though Microsoft said it has seen no exploitation.

“This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation-of-privilege vulnerability in Windows Installer that was reportedly fixed in November,” Narang said. “However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.”

Breen noted that this kind of vulnerability is highly sought after by attackers looking to move laterally across a network.

“After gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz,” he said. “Almost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware.”

Four other bugs were listed as “publicly known” but not exploited, all rated important and allowing privilege escalation:

The update does not address CVE-2021-24084, an unpatched Windows security vulnerability disclosed in late November, which could allow information disclosure and local privilege escalation (LPE).

Critical-Rated Microsoft Security Bugs for December

  1. CVE-2021-43215 in iSNS Server

The first critical bug to cover, CVE-2021-43215, allows remote code execution (RCE) on the Internet Storage Name Service (iSNS) server, which enables automated discovery and management of iSCSI devices on a TCP/IP storage network. It rates 9.8 out of 10 on the vulnerability-severity scale.

The bug can be exploited if an attacker sends a specially crafted request to an affected server, according to Microsoft’s advisory.

“In other words, if you’re running a storage-area network (SAN) in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually,” said Trend Micro Zero Day Initiative researcher Dustin Childs, in a Tuesday blog. “If you have a SAN, prioritize testing and deploying this patch.”

Breen concurred that it’s critical to patch quickly if an organization operates iSNS services.

“Remember that this is not a default component, so check this before you bump it up the list,” he said via email. However, “as this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organization’s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective – which is another reason attackers would choose this kind of target.”

  2. CVE-2021-43907 in Visual Studio Code WSL Extension

Another 9.8-out-of-10-rated bug is CVE-2021-43907, an RCE issue in Visual Studio Code WSL Extension that Microsoft said can be exploited by an unauthenticated attacker, with no user interaction. It didn’t provide further details.

“This impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code,” Childs explained. “It allows you to develop in a Linux-based environment, use Linux-specific tool chains and utilities, and run and debug Linux-based applications all from within Windows. This sort of cross-platform functionality is used by many in the DevOps community.”

  3. CVE-2021-43899 in Microsoft 4K Wireless Display Adapter

The third and final 9.8-rated bug is CVE-2021-43899, which also allows RCE on an affected device if the attacker has a foothold on the same network as the Microsoft 4K Wireless Display Adapter. Exploitation is a matter of sending specially crafted packets to the affected device, according to Microsoft.

“Patching this won’t be an easy chore,” Childs said. “To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can [they] use the ‘Update & Security’ section of the app to download the latest firmware to mitigate this bug.”

  4. CVE-2021-43905 in Microsoft Office

Another critical RCE bug (CVE-2021-43905) exists in the Microsoft Office app; it rates 9.6 on the CVSS vulnerability-severity scale, and Microsoft marked it as “exploitation more likely.”

“Very little is given away in the advisory to identify what the immediate risk is – it simply states the affected product as ‘Office App,’” Breen noted. “This can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available – especially when security teams are already tied down with other critical patching.”

However, Aleks Haugom, researcher at Automox, said it should be a priority for patching.

“As a low-complexity vulnerability, an attacker can expect repeated results,” he said in a Tuesday analysis. “Although Microsoft has not disclosed exactly what user interaction is required for the attacker to succeed, they have confirmed that the Preview Pane is not an attack vector. Given that this threat can impact resources beyond the security scope managed by the security authority, immediate remediation actions are advised.”

  5. CVE-2021-42310 in Microsoft Defender for IoT

One of 10 issues found in Defender for IoT, this bug (CVE-2021-42310) allows RCE and rates 8.1 on the CVSS scale.

“A password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate,” explained Childs. “The intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else’s password. Patching these bugs requires a sysadmin to take action on the device itself.”

The other nine bugs in the platform include seven other RCE vulnerabilities, one elevation of privilege vulnerability and one data disclosure vulnerability, all rated “important.”
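The reset flow Childs describes (a signed JSON document, a signing certificate, and an intermediate that is supposed to chain to a root built into the appliance) has one link that is easy to skip: tying the intermediate to the pinned root. The Go program below is an added example written for this article, not code from Microsoft or from Defender for IoT. It mints throwaway certificate chains with the standard library and then verifies a request the hardened way; the `ResetRequest` field names, the `VerifyReset`, `mintChain` and `payloadSignedBy` functions, the common names and the sample payload are all this example's own assumptions. The "incomplete" check inside `Demo` illustrates the failure class in general terms and is not a claim about how the real CVE-2021-42310 flaw works.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ResetRequest: the signed JSON, its signing (leaf) cert and the issuing intermediate (names assumed).
type ResetRequest struct {
	Payload      []byte            // the JSON document being authorised
	Signature    []byte            // ASN.1 ECDSA signature over SHA-256(Payload)
	Signer       *x509.Certificate // leaf certificate that signed Payload
	Intermediate *x509.Certificate // CA that issued Signer
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs a certificate for pub with parentKey; parent == nil means self-signed (a root).
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // never zero
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		// CertSign on every cert keeps this helper short; Go's verifier checks it only on issuers.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// mintChain builds root -> intermediate -> leaf and signs payload with the leaf key; only the root differs
// between the appliance's chain and an attacker's rogue chain, and only the appliance's root is pinned.
func mintChain(rootCN string, payload []byte) (*x509.Certificate, ResetRequest) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue(rootCN, true, &rootKey.PublicKey, nil, rootKey)
	inter := issue("reset-intermediate", true, &interKey.PublicKey, root, rootKey)
	leaf := issue("reset-signer", false, &leafKey.PublicKey, inter, interKey)
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, h[:])
	check(err)
	return root, ResetRequest{Payload: payload, Signature: sig, Signer: leaf, Intermediate: inter}
}

// payloadSignedBy reports whether the JSON was signed by the key in the leaf certificate.
func payloadSignedBy(req ResetRequest) bool {
	pub, ok := req.Signer.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(req.Payload)
	return ok && ecdsa.VerifyASN1(pub, h[:], req.Signature)
}

// VerifyReset is the hardened check: the leaf must chain, through the supplied intermediate,
// to the root pinned in the appliance before the payload signature is even considered.
func VerifyReset(req ResetRequest, pinnedRoot *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	inters.AddCert(req.Intermediate)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := req.Signer.Verify(opts); err != nil {
		return fmt.Errorf("chain does not reach pinned root: %w", err)
	}
	if !payloadSignedBy(req) {
		return fmt.Errorf("payload signature does not verify")
	}
	return nil
}

// Demo runs the hardened check on a legitimate and a rogue request, then shows what an incomplete
// check (intermediate issued the leaf, leaf signed the JSON, but no link to the pinned root) would
// make of the rogue one. The incomplete check is this example's illustration, not the real bug.
func Demo() (legitOK, rogueRejected, rogueSlipsThrough bool) {
	payload := []byte(`{"user":"alice","new_password":"constructed-sample"}`) // constructed input
	pinnedRoot, legit := mintChain("appliance-root", payload)
	_, rogue := mintChain("attacker-root", payload)
	legitOK = VerifyReset(legit, pinnedRoot) == nil
	rogueRejected = VerifyReset(rogue, pinnedRoot) != nil
	rogueSlipsThrough = rogue.Signer.CheckSignatureFrom(rogue.Intermediate) == nil && payloadSignedBy(rogue)
	return
}

func main() {
	fmt.Println(Demo()) // prints: true true true
}
```

The point of the contrast is that a rogue chain is internally consistent: the attacker's intermediate really did issue the attacker's leaf, and that leaf really did sign the JSON, so any check that stops there passes. Only anchoring the chain at the root the appliance trusts (here via `x509.VerifyOptions.Roots`) rejects it, which is also why a fix in this area has to land on the device itself, as Childs notes.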

  6. CVE-2021-43217 in the Windows Encrypting File System (EFS)

This bug (CVE-2021-43217) allows RCE and rates 8.1 on the CVSS scale.

“An attacker could cause a buffer overflow that would lead to unauthenticated non-sandboxed code execution, even if the EFS service isn’t running at the time,” Childs explained. “EFS interfaces can trigger a start of the EFS service if it is not running.”

Jay Goodman, in the Automox posting, noted that it can be chained with the publicly disclosed elevation of privilege vulnerability in EFS and thus presents a special threat.

“While either of these vulnerabilities constitutes an impactful disclosure that needs to be handled quickly, the combination of the two in a near universal service critical to securing and protecting data creates a unique situation,” he said. “Attackers could use the combination of RCE with privilege elevation to quickly deploy, elevate and execute code on a target system with full system rights. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread laterally.”

In other words: This is a critical pair of vulnerabilities to address as soon as possible to minimize organizational risk.

  7. CVE-2021-43233 in Remote Desktop Client

The flaw (CVE-2021-43233) allows RCE and rates 7 on the CVSS scale. It’s listed as “exploitation more likely.”

“This one…would likely require a social engineering or phishing component to be successful,” Breen explained. “A similar vulnerability, CVE-2021-38666, was reported and patched in November. While it was also marked as ‘exploitation more likely,’ thankfully there have been no reports of proof-of-concept code or of it being exploited in the wild, which goes to show how important it is to make your own risk-based approach to prioritizing patches.”

Automox researcher Gina Geisel emphasized the bug’s high complexity for exploitation.

“To exploit this vulnerability, an attacker requires control of a server and then must convince users to connect to it, through social engineering, DNS poisoning or using a man-in-the-middle (MITM) technique, as examples,” she said. “An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.”

Other Microsoft Bugs of Note for December

Childs also flagged CVE-2021-42309, an RCE issue in Microsoft SharePoint Server, as a vulnerability to prioritize. It allows an attacker to bypass the restriction against running arbitrary server-side web controls.

“The vulnerability allows a user to elevate and execute code in the context of the service account,” he explained. “An attacker would need ‘Manage Lists’ permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions.”

He said the issue is similar to the previously patched CVE-2021-28474, except that the unsafe control “is ‘smuggled’ in a property of an allowed control.”

Operating system bugs should be prioritized, researchers added.

“The disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS and Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month,” Chris Goettl, vice president of product management at Ivanti, told Threatpost.
