Background
On Tuesday, November 9, 2021, Microsoft released patches for two actively exploited vulnerabilities: CVE-2021-42321 in Microsoft Exchange and CVE-2021-42292 in Microsoft Excel.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
| --- | --- | --- | --- | --- |
| CVE-2021-42292 | 7.8 | High | Bypass & Incorrect Authorization | Microsoft Excel Security Feature Bypass Vulnerability |
| CVE-2021-42321 | 8.8 | High | Remote Code Execution | Microsoft Exchange Server Remote Code Execution |
Analysis
CVE-2021-42292
CVE-2021-42292 is a security bypass vulnerability in Microsoft Excel that could lead to local code execution via a specially crafted Excel file. Updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are currently not available.
CVE-2021-42321
CVE-2021-42321 is a post-authentication remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019. This specifically affects on-premises Microsoft Exchange Server and Exchange servers deployed in a hybrid model. Exchange Online customers are not vulnerable.
Solutions and Recommendations
Microsoft has reported limited exploitation of these two vulnerabilities and has not released technical details regarding how these vulnerabilities work or which threat actors or campaigns are exploiting them.
Microsoft has provided a PowerShell query in their blog on the Exchange security updates (see References) that can be run directly on Exchange 2016 and 2019 servers to identify potential prior exploitation activity associated with CVE-2021-42321.
Microsoft has indicated in their advisories for CVE-2021-42321 and CVE-2021-42292 (see References) that specific versions are affected by these vulnerabilities.
Arctic Wolf recommends reviewing both advisories to determine if you are running any outdated versions of this software in your environment and patching as soon as possible.
References
- Microsoft CVE-2021-42321 Advisory
- Microsoft CVE-2021-42292 Advisory
- November 9, 2021, Security Updates for Microsoft Exchange
- Microsoft Blog on Exchange Security Updates