IT teams knocked for six by a newly disclosed Log4j bug were forced to tackle a new patch load from Microsoft released yesterday, containing 67 new flaws including six zero-days.
The monthly Patch Tuesday release from the computing giant couldn’t have come at a worse time for sysadmins already struggling to find and patch the Apache logging utility instances across their environments.
“Efforts to identify, mitigate, or remediate the Apache Log4j vulnerability continue. In this case it is leaving a lot of teams frustrated, not knowing exactly what they need to do,” argued Ivanti VP of product management, Chris Goettl.
“Apache Log4j is a development library, so you cannot just patch a specific JAR file and call it a day. It falls to your development team or the vendors whose products you may be using.”
He singled out zero-day bug CVE-2021-43890, a spoofing vulnerability in Windows AppX Installer, as the most important for organizations to fix this month. The flaw has apparently been exploited in the wild alongside malware from the Emotet/Trickbot/BazarLoader family.
The five other zero-days have yet to be exploited, but as they’ve been made public, the clock will be ticking.
They can be found in the Encrypting File System (CVE-2021-43893), Windows Installer (CVE-2021-43883), Windows Mobile Device Management (CVE-2021-43880), Windows Print Spooler (CVE-2021-41333) and NTFS Set Short Name (CVE-2021-43240).
“The disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS and Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month,” said Goettl.
Kev Breen, director of cyber threat research at Immersive Labs, called out CVE-2021-43215, an iSNS Server Memory Corruption vulnerability which can lead to remote code execution and has a CVSS score of 9.8.
However, the good news is that not all organizations run iSNS by default.
“It is a client-server protocol that allows clients to query an iSNS database. To exploit this vulnerability, an attacker only needs to be able to send a specially crafted request to the target server to gain code execution,” said Breen.
“As this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organization’s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective – which is another reason attackers would choose this kind of target.