Microsoft patches spoofing vulnerability exploited by Emotet (CVE-2021-43890)

It’s the final Patch Tuesday of 2021 and Microsoft has delivered fixes for 67 vulnerabilities, including a spoofing vulnerability (CVE-2021-43890) actively exploited to deliver Emotet/Trickbot/Bazaloader malware family.


Vulnerabilities of note in this patch batch

Of the 67 CVE-numbered flaws, CVE-2021-43890 – a Windows AppX Installer spoofing vulnerability – will, understandably, be a patching priority.

“CVE-2021-43890 allows an attacker to create a malicious package file and then modify it to look like a legitimate application, and has been used to deliver Emotet malware, which made a comeback this year. The patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop attackers from sending links or attachments to these files,” noted Kevin Breen, Director of Cyber Threat Research, Immersive Labs.

He also considers CVE-2021-43905, an unauthenticated RCE vulnerability in the Microsoft Office app, important to patch quickly, as it has a high CVSS score of 9.6 and Microsoft considers its exploitation to be “more likely”.

“Very little is given away in the advisory to identify what the immediate risk is – it simply states the affected product as ‘Office App’. This can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available – especially when security teams are already tied down with other critical patching,” he added.

Dustin Childs, with Trend Micro’s Zero Day Initiative, advises users who have disabled automatic Microsoft Store updates to update the app manually.

He also singled out CVE-2021-43215, an iSNS Server RCE vulnerability, as worthy of note.

This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server.

“If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. If you have a SAN, prioritize testing and deploying this patch,” he advised.

To exploit this vulnerability, an attacker must simply send a specially crafted request to the target server.

“As this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organization’s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective – which is another reason attackers would choose this kind of target,” Breen noted.

“This one is critical to patch quickly if you operate iSNS services – but remember that this is not a default component, so check this before you bump it up the list.”

Then we have CVE-2021-43883, an elevation of privilege vulnerability in Windows Installer.

“This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation of privilege vulnerability in Windows Installer that was reportedly fixed in November. However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month,” Satnam Narang, Staff Research Engineer at Tenable, told Help Net Security.

“CVE-2021-43883 affects both server and desktop versions of Windows and allows a local user to escalate their privileges, and this kind of vulnerability is highly sought after by attackers looking to move laterally across a network. After gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz. Almost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware,” Breen added.

Don't miss