Microsoft patches actively exploited MSHTML zero-day RCE (CVE-2021-40444)

On September 2021 Patch Tuesday, Microsoft has fixed 66 CVE-numbered vulnerabilities in a wide variety of its solutions. Of these, the most crucial to address is CVE-2021-40444, the remote code execution MSHTML vulnerability actively exploited by attackers via malicious MS Office documents.

CVE-2021-40444 fix

“After this bug was discovered and became public knowledge on September 7, security researchers and analysts began swapping proof-of-concept examples of how an attacker might leverage the exploit,” noted SophosLabs Principal Researcher Andrew Brandt.

“Several people have not only crafted functional proof-of-concept (PoC) exploits, but a few have created and published ‘builder’ tools that anyone can use to weaponize an Office document. The original version of the exploit used Microsoft Word .docx documents, but we’ve already spotted some versions that use .rtf file extensions.”

Satnam Narang, staff research engineer at Tenable, says that there have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware, but that there are no indications that this has happened yet.

Nevertheless, implementing the offered updates should be a priority.

Other vulnerabilities of note

Dustin Childs, with Trend Micro’s Zero Day Initiative, singled out CVE-2021-36965 and CVE-2021-38647 as worthy of note.

CVE-2021-36965 is an RCE in the Windows WLAN AutoConfig Service that could be exploited by network-adjacent attackers.

“This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly,” he noted.

CVE-2021-38647 is an RCE bug in the Open Management Infrastructure (OMI), and could be triggered by an attacker by sending a specially crafted message to an affected system.

There is also CVE-2021-36968, a Windows DNS Elevation of Privilege vulnerability that is publicly known, though not actively exploited (and exploitation is, according to Microsoft, less likely).

“Microsoft also patched three elevation of privilege vulnerabilities in Windows Print Spooler (CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447),” Narang told Help Net Security.

“Researchers continue to discover ways to exploit Print Spooler, and we expect continued research in this area. Only one (CVE-2021-38671) of the three vulnerabilities is rated as exploitation more likely. Organizations should also prioritize patching these flaws as they are extremely valuable to attackers in post-exploitation scenarios.”

Three EOP flaws in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) should also be patched as soon as possible.

“As this driver exists on all currently supported versions of Windows, it’s a particular area of concern,” noted Brandt. “The company considers these bugs to be more easily exploitable, on average, though they haven’t seen evidence of such activity yet.”

UPDATE (September 16, 2021, 04:10 a.m. PT):

Researchers with cloud security have shared more details about CVE-2021-38647, the RCE bug in the Open Management Infrastructure (OMI) – a software agent embedded in many popular Azure services – as well as three more EoP vulnerabilities in OMI (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) patched by Microsoft on Tuesday.

Collectively dubbed “OMIGOD,” it is estimated that the vulnerabilities affect thousands of Azure customers (using Linux VMs) and millions of endpoints.

Azure users should manually patch OMI in their environment, the researchers advised, and also warned that Microsoft has yet to provide patched OMI versions when Azure customers are enabling new services (and spinning up new Linux VMs).

UPDATE (September 17, 2021, 02:52 a.m. PT):

Microsoft has published additional guidance for fixing OMI vulnerabilities within Azure VM management extensions.

Don't miss