Microsoft Issues Out-of-Band Informational Advisory for Zero-Day in MSHTML (CVE-2021-40444)
UPDATE 09-14: Microsoft have published patches for this vulnerability as part of Patch Tuesday. For more information, please visit our blog.
On September 7, Microsoft published an out-of-band informational advisory for a critical zero-day vulnerability in its MSHTML rendering engine, also known as Trident. Identified as CVE-2021-40444, the flaw has reportedly been exploited in the wild in limited, targeted attacks.
Microsoft says that attackers are exploiting this vulnerability using Microsoft Office documents that contain a malicious ActiveX control. Therefore, an attacker would need to use social engineering tactics to convince their target to open the malicious document file. Successful exploitation would grant an attacker remote code execution. Microsoft notes that this would primarily impact those Windows users that have more user rights, such as administrators.
At this time, there are no patches available, hence the advisory is informational in nature. However, Microsoft has provided some mitigation instructions, which require disabling ActiveX controls on individual systems. To aid customers, Tenable has released an audit script to help verify whether or not these mitigations have been applied.
When patches become available, we will update this post with more information.
Any idea when a plugin will be available from Tenable?
- Cyberusty (Connect Contributor)
Running a search with the CVE filter (CVE-2021-40444) for this vulnerability does not yet yield a detection plugin; none has been published to date.
- snarang (Product Team)
Hi @Kieran McAuliffe and @Russel Vorce,
As I mentioned in the post, there are no patches available yet for this zero-day vulnerability. Microsoft provided this advisory as an informational one, which included mitigation guidance. We've created the audit script to help identify assets that have not applied the mitigations. Once patches are available and plugins have been developed, we'll provide an update in this post.
- snarang (Product Team)
Hello again @Kieran McAuliffe and @Russel Vorce,
I just wanted to let you know that Microsoft have released patches as of this morning. Our teams are hard at work to produce plugins, so they should be available within the next 24 hours. For more information on today's Patch Tuesday release, check out our blog.
- Anonymous
How do I use the audit script in Tenable.sc? I can't add that format; it gives me an error. Thanks!
I needed to copy and paste the text from GitHub into Notepad++ and re-save it.
- Anonymous
To use any audit out of the public GitHub repo, there are two options:
1) Clone the repo (https://github.com/tenable/audit_files) locally, and update whenever any new files are posted
2) Go to the specific audit file (https://github.com/tenable/audit_files/blob/master/cve-2021-40444/cve-2021-40444.audit), click the 'Raw' button, and copy that text into an editor, and save the file with a .audit extension.
My systems are showing this (#153124) plugin. However on the MSRC link from the plugin page (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444), it says that patches are available. Specifically for Server 2016, KB5005573. We have that installed on applicable systems and the finding is still showing after the patch is installed (remediation scans are not removing it). Does the plugin need to be updated? Plugins last downloaded this morning (9/23).
- bperez2 (Connect Contributor)
I am having the same issue with servers and workstations.
I ran a test on a workstation that did not have the September patch installed. I performed a scan and the Nessus results came back with:
153214 Security Updates for Microsoft Internet Explorer OOB (Sept 2021)
153381 KB5005565: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (September 2021)
I installed KB5005665 and performed the scan and results still show 153214.
The funny thing is that I performed the scan on another workstation that has the September patch (KB5005665) installed, and on that device it does not show. I do not understand.
Plugins updated 9/23/2021 10:10 am.
- snarang (Product Team)
Hi @Henry Belk @Bernardo Perez,
Thanks for commenting and letting us know about these issues you've encountered. I've flagged this with some members of my team to investigate. Once I have something more to share with you, I'll post another comment on this thread. Thanks for your patience.
- snarang (Product Team)
Hi @Henry Belk and @Bernardo Perez,
Plugin 153214 has since been deprecated so this should hopefully no longer be an issue for you. Please let us know if you're still encountering any issues with the Security Updates.
Regards,
Satnam
We ran a scan on our systems in September when this happened, and this vulnerability showed (CVE-2021-40444). Coincidentally, at the same time we had submitted the vulnerability scan to a client as proof of us scanning our assets. They recently asked if we've remedied this. Upon digging in, I see the plugin has been deprecated and we no longer see the Internet Explorer OOB vulnerability in the scan results (since the beginning of October). I am unsure how to respond to the client on how it was remedied. Because the plugin was deprecated, does that mean there's no longer a threat? I found the link https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 and looked at the "Security Updates" table. The servers that were reporting to have this vulnerability already have the patches installed as of Sept 16, 2021: KB5005573 (Win 2016) and KB5005568 (Win 2019). Does this mean Nessus was just late in the game in finding out the severity (if any) of a vulnerability and/or whether or not you had such and such patch installed, you're OK?
- snarang (Product Team)
Hi @Dan B,
Thanks for reaching out to us about this. Regarding the deprecated plugin, it was originally released out-of-band after the initial advisory and was designed to check for the presence of the suggested workaround until patches became available. Once the patches became available and our plugins were released, we deprecated the plugin to prevent false positives on systems that already contained the patches but not the workaround. Therefore, as long as the KBs you identified have been installed, those systems are not considered to be vulnerable to CVE-2021-40444. I hope this clarifies the confusion. Please let me know if you have any other questions.
Thanks,
Satnam
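The two questions that run through this thread are "has the ActiveX workaround from the advisory been applied?" (what the original post's audit file checks) and "is a host that has the September update but not the workaround still vulnerable?" (answered above: no, the patch alone is sufficient). The PowerShell below is an added example, not Tenable's audit file and not Microsoft's guidance, that answers both for the local host. The registry keys and values are the ones Microsoft's advisory workaround sets (URLACTION 1001 and 1004, "download signed/unsigned ActiveX controls", set to 3 = Disable in zones 0 to 3 under the Policies hive). The KB list is an assumption lifted from this thread; for a real check, use the KB for your OS build from the MSRC "Security Updates" table instead.

```powershell
# Added example, not part of the original thread or of Tenable's cve-2021-40444.audit.
# Reports whether the advisory's ActiveX workaround is in place and whether one of
# the September 2021 cumulative updates named in this thread is installed.

$workaroundZones  = 0..3                 # Local Machine, Intranet, Trusted, Internet
$workaroundValues = @('1001', '1004')    # URLACTION: download signed / unsigned ActiveX controls
$disabled         = 3                    # URLACTION value meaning "Disable"

# Assumption: KBs as quoted in this thread (Win10 2004/20H2/21H1, Server 2019, Server 2016).
# Replace with the KB for your build from the MSRC Security Updates table.
$kbsFromThread = @('KB5005565', 'KB5005568', 'KB5005573')

function Test-ActiveXWorkaround {
    # True only if every zone has both URLACTION values present and set to Disable.
    foreach ($zone in $workaroundZones) {
        $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        if (-not (Test-Path $key)) { return $false }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $workaroundValues) {
            if ($props.$name -ne $disabled) { return $false }
        }
    }
    return $true
}

function Get-InstalledSeptemberPatch {
    # Returns the first matching KB, or $null. Get-HotFix reads Win32_QuickFixEngineering,
    # which lists cumulative updates as HotFixID values such as KB5005565.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $kbsFromThread) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

$workaround = Test-ActiveXWorkaround
$patch      = Get-InstalledSeptemberPatch

# Mirrors the thread's conclusion: a patched host is not vulnerable whether or not
# the workaround is present; an unpatched host is covered only by the workaround.
[PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    WorkaroundApplied = $workaround
    PatchInstalled    = if ($patch) { $patch } else { 'none of the listed KBs' }
    Status            = if ($patch) { 'Patched' } elseif ($workaround) { 'Workaround only' } else { 'Vulnerable' }
}
```

Run it in an elevated PowerShell session so the Policies hive and the hotfix inventory are readable. A "Workaround only" result is what the deprecated plugin 153214 was effectively reporting on; a "Patched" host with no workaround is the case that produced the false positives described above, and is the expected end state once the September update is on.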