Important Note: The detection check in Recommendation #3 below relies on Application event logging being enabled and retained on the Exchange Servers. If the Application log has been cleared or has wrapped, earlier exploitation attempts will not be visible to that check.

On Tuesday, November 9, 2021, Microsoft released patches for two actively exploited vulnerabilities, CVE-2021-42321 in Microsoft Exchange, and CVE-2021-42292 in Microsoft Excel.

CVE-2021-42321 is a post-authentication remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019. This specifically affects on-premises Microsoft Exchange Server and Exchange servers deployed in a hybrid model. Exchange online customers are not vulnerable.

CVE-2021-42292 is a security feature bypass vulnerability in Microsoft Excel that could lead to local code execution when a user opens a specially crafted Excel file. Updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 were not available at the time of writing.

Microsoft has reported limited exploitation of both vulnerabilities but has not released technical details on how they work or which threat actors or campaigns are exploiting them. Public proof-of-concept exploit code for either vulnerability is not available at this time.

We strongly recommend that customers running vulnerable versions of Microsoft Excel and Microsoft Exchange Server review the recommendations below and apply the latest security patches immediately.

 
Recommendations
This section details the recommendations we suggest to remediate CVE-2021-42321 and CVE-2021-42292 and to provide increased visibility into potential attack activity on Windows systems running Microsoft Exchange Server.
Recommendation #1: Patch Vulnerable Versions of Microsoft Exchange Server to Remediate CVE-2021-42321
Our primary recommendation for remediating CVE-2021-42321 is to patch vulnerable versions of Microsoft Exchange Server.

Microsoft's advisory for CVE-2021-42321 lists the affected versions. Review the table below to determine whether any Exchange servers in your environment are on an outdated version and patch them as soon as possible. Note that the November 2021 security update (KB5007409) is only offered for the two most recent cumulative updates of each product; a server on an older CU must first be upgraded to a supported CU before the security update can be installed.

Product                          Microsoft Security Update Page
Microsoft Exchange Server 2019   Cumulative Update 11: Security Update For Exchange Server 2019 CU11 (KB5007409)
                                 Cumulative Update 10: Security Update For Exchange Server 2019 CU10 (KB5007409)
Microsoft Exchange Server 2016   Cumulative Update 22: Security Update For Exchange Server 2016 CU22 (KB5007409)
                                 Cumulative Update 21: Security Update For Exchange Server 2016 CU21 (KB5007409)

NOTE: Microsoft has not indicated that CVE-2021-42321 impacts Microsoft Exchange Server 2013.
Recommendation #2: Patch Vulnerable Versions of Microsoft Excel to Remediate CVE-2021-42292
Our primary recommendation for remediating CVE-2021-42292 is to patch vulnerable versions of Microsoft Excel.

Microsoft's advisory for CVE-2021-42292 lists the affected versions. Review the table below to determine whether any outdated versions of this software are in use in your environment and apply the patches as soon as possible.

Product                                                 Microsoft Security Update Page
Microsoft Office 2013 Service Pack 1 (32-bit & 64-bit)   https://support.microsoft.com/help/5002035
Microsoft Excel 2013 RT Service Pack 1                   https://support.microsoft.com/help/5002035
Microsoft Excel 2013 Service Pack 1 (64-bit editions)    https://support.microsoft.com/help/5002035
                                                         https://support.microsoft.com/help/5002072
Microsoft Office 2016 (32-bit & 64-bit)                  https://support.microsoft.com/help/4486670
Microsoft Excel 2016 (32-bit & 64-bit)                   https://support.microsoft.com/help/5002056
                                                         https://support.microsoft.com/help/4486670
Microsoft Office LTSC 2021 (32-bit & 64-bit)             https://docs.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
Microsoft 365 Apps for Enterprise (32-bit & 64-bit)      https://docs.microsoft.com/en-us/officeupdates/office365-proplus-security-updates
Microsoft Office 2019 (32-bit & 64-bit)                  https://docs.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
Microsoft Office LTSC for Mac 2021                       Not available from Microsoft at this time
Microsoft Office 2019 for Mac                            Not available from Microsoft at this time
Recommendation #3: Run the Microsoft-Supplied PowerShell Command on All Exchange 2016 and 2019 Servers
Microsoft has provided a PowerShell command in its blog post that can be run directly on Exchange 2016 and 2019 servers to identify possible prior exploitation attempts associated with CVE-2021-42321. It searches the Application event log for Error entries from the "MSExchange Common" source whose message mentions BinaryFormatter.Deserialize.

To run this check, execute the following command on each server:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

Any matching event should be treated as a possible exploitation attempt and investigated further. An empty result is only meaningful if the Application log still covers the period of concern: Get-EventLog reads the whole log, so check the timestamp of the oldest entry to know how far back your visibility extends.
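The following script is an added example, not code from Microsoft's blog post or from this advisory. It runs the same detection across every Exchange 2016 and 2019 server in the organization from a single Exchange Management Shell session, records how far back each server's Application log reaches (the caveat in the Important Note at the top of this page), lists each server's build so it can be compared against the KB5007409 table in Recommendation #1, and saves any matching events for the investigation. It assumes it is run from the Exchange Management Shell (Windows PowerShell 5.1) by an account that can read the remote servers' Application logs; the cmdlets and event fields used are standard, while the summary object layout and the output file name are this script's own choices.

```powershell
# Added example: organization-wide run of the CVE-2021-42321 deserialization
# error check, with log-coverage and build reporting. Not Microsoft's code.
# Assumes the Exchange Management Shell and read access to the remote
# Application logs (the "Remote Event Log Management" firewall rule group
# must be enabled on the target servers for Get-WinEvent -ComputerName).

# Exchange 2016 reports version 15.1 and Exchange 2019 reports 15.2; Exchange
# 2013 (15.0) is not listed as affected, so it is skipped here.
$servers = Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -ge 1 }

$summary = New-Object System.Collections.Generic.List[object]
$allHits = New-Object System.Collections.Generic.List[object]

foreach ($server in $servers) {
    $name = $server.Name

    # The oldest entry in the Application log bounds what this check can see.
    # If the log has wrapped or been cleared since a suspected compromise, an
    # empty result proves nothing about earlier activity.
    $oldest = Get-WinEvent -ComputerName $name -LogName Application -Oldest -MaxEvents 1 `
        -ErrorAction SilentlyContinue

    # Same filter as Microsoft's Get-EventLog one-liner, expressed for
    # Get-WinEvent: Application log, provider "MSExchange Common", Level 2 (Error).
    # The message text is matched client-side because it is not a filterable field.
    $hits = @(Get-WinEvent -ComputerName $name -FilterHashtable @{
                LogName      = 'Application'
                ProviderName = 'MSExchange Common'
                Level        = 2
            } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
            Sort-Object TimeCreated)

    foreach ($h in $hits) {
        $allHits.Add([pscustomobject]@{
            Server      = $name
            TimeCreated = $h.TimeCreated
            EventId     = $h.Id
            Message     = $h.Message
        })
    }

    $coverage = if ($oldest) { $oldest.TimeCreated } else { $null }
    $first    = if ($hits.Count -gt 0) { $hits[0].TimeCreated }  else { $null }
    $last     = if ($hits.Count -gt 0) { $hits[-1].TimeCreated } else { $null }

    $summary.Add([pscustomobject]@{
        Server          = $name
        Build           = $server.AdminDisplayVersion.ToString()  # compare with the KB5007409 table
        LogCoverageFrom = $coverage                                # $null means the log could not be read
        Hits            = $hits.Count
        FirstHit        = $first
        LastHit         = $last
    })
}

$summary | Format-Table -AutoSize

# Keep the raw matching events; any server with Hits > 0 should be treated as
# potentially compromised and handled through incident response, not just patched.
if ($allHits.Count -gt 0) {
    $allHits | Export-Csv -Path .\cve-2021-42321-deserialization-hits.csv -NoTypeInformation
}
```

Read the summary in two passes: a server whose LogCoverageFrom is later than the date you care about has no usable evidence either way and needs other data sources (IIS logs, EDR telemetry), regardless of its Hits count; a server with Hits greater than 0 should be isolated and investigated before it is simply patched, because patching removes the vulnerability but not any persistence an attacker may already have established.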

 
 
 
References
If you have any additional questions, please reach out to you
