Patches Released for Actively Exploited Vulnerabilities in Microsoft Exchange and Microsoft Excel – CVE-2021-42321 & CVE-2021-42292

Background

On Tuesday, November 9, 2021, Microsoft released patches for two actively exploited vulnerabilities, CVE-2021-42321 in Microsoft Exchange, and CVE-2021-42292 in Microsoft Excel.

Analysis

CVE-2021- 42292

CVE-2021-42292 is a security bypass vulnerability in Microsoft Excel that could lead to local code execution via a specially crafted Excel file. Updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are currently not available.

CVE-2021- 42321

CVE-2021-42321 is a post-authentication remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019. This specifically affects on-premises Microsoft Exchange Server and Exchange servers deployed in a hybrid model. Exchange online customers are not vulnerable.

Solutions and Recommendations

Microsoft has reported limited exploitation of these two vulnerabilities and has not released technical details regarding how these vulnerabilities work or which threat actors or campaigns are exploiting them.

Microsoft has provided a PowerShell query in their blog here that can be run directly on Exchange 2016 and 2019 Servers to identify potential prior exploitation activity associated with CVE-2021-42321.

Microsoft has indicated in their advisory on the CVE-2021-42321 here  and on the CVE-2021-42292 here that specific versions are affected by this vulnerability.

Arctic Wolf recommends reviewing both advisories to determine if you are running any outdated versions of this software in your environment and patch as soon as possible.

References

• Microsoft CVE-2021-42321 Advisory
• Microsoft CVE-2021-42292 Advisory
• November 9, 2021, Security Updates for Microsoft Exchange
• Microsoft Blog on Exchange Security Updates

Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.