Exclusive December Patch Tuesday Commentary from Ivanti
December 2021’s Patch Tuesday comes on the heels of the Apache Log4j zero-day vulnerability (CVE-2021-44228), so expect a lot of attention to be focused on vendors scrambling to resolve Log4j-related issues.
That said, don’t lose sight of additional Patch updates from Microsoft. There are a total of 67 unique vulnerabilities resolved by Microsoft so far in December, plus four re-releases. Of the 71 total CVEs resolved this month, seven are rated as Critical, six have been identified as publicly disclosed and there is an additional zero day to note (CVE-2021-43890).
Efforts to identify, mitigate, or remediate the Apache Log4j vulnerability continue. In this case it is leaving a lot of teams frustrated, not knowing exactly what they need to do. Apache Log4j is a development library, so you cannot just patch a specific Jar file and call it a day. It falls to your development team or the vendors whose products you may be using.
The library is a popular messaging component used by many e-commerce sites and applications which is very easy to exploit, giving the attacker total control of the server. From there the attacker may install a cryptominer, make the system part of a botnet, and use it as a foothold to gain access to sensitive data and exfiltrate.
As far as how organizations should be looking to resolve this vulnerability, that is a bit more tricky. Normally an organization would rely on code scanners to identify the vulnerable code component or library. In this case, code scanners are still racing to catch up and properly detect the vulnerable library. For products already released to the market an organization would rely on its network vulnerability scanning to identify vulnerable software, but those scanners are having trouble consistently detecting the vulnerability as they have to try and send a properly formed message and monitor the logs for results, which may not consistently show up. The best guidance is to continue to rely on your DevSecOps processes and vulnerability scanning, and supplement this with more direct action as there will likely be gaps for some time in detection. There are a few sources gathering lists of KB articles, security advisories, and mitigation guidance by vendors. Your organization should be assessing the vendors in your environment and determining if they have provided guidance and take those actions immediately. This could be more immediate mitigation by finding the vulnerable jar file and removing the code class, changing configuration to disable the vulnerable logging capabilities, or by applying an update from that vendor that updates the Log4j version to 2.15. If you do not find guidance from your vendors, either that they have mitigation or updates available, you should reach out to them to ensure you are not exposed as it may take some time before normal methods of detection are able to provide visibility once again.
Now, on to the December Patch Tuesday release! Microsoft released updates for the Windows OS, Microsoft Office, Edge (Chromium), and a variety of developer tools this month. The most critical item to worry about is App Installer. This is a utility for side loading Windows 10 apps and is available on the App Store. Windows AppX Installer currently contains a spoofing vulnerability (CVE-2021-43890) that can allow the attacker to execute code. It has been publicly disclosed and also detected in exploits using specially crafted packages that include malware from the Emotet/Trickbot/Bazaloader family.
There are five additional CVEs that have been publicly disclosed this month all of which are Elevation of Privilege vulnerabilities and all included in the operating system updates for this month. Those vulnerable components are Encrypting File System (EFS) (CVE-2021-43893), Windows Installer (CVE-2021-43883), Windows Mobile Device Management (CVE-2021-43880), Windows Print Spooler (CVE-2021-41333), and NTFS Set Short Name (CVE-2021-43240). The disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS and Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month.