Microsoft released its monthly security update Tuesday 14th September 2021, disclosing 66 vulnerabilities across its suite of products.
This Patch Tuesday, the breakdown of vulnerabilities includes 3 “critical” ratings, 1 “moderate”, with the remaining labelled as “important”. Also in this month’s Patch Tuesday, 1 zero-day was mentioned:
CVE-2021-40444 – Microsoft MSHTML Remote Code Execution (RCE) Vulnerability
One notable vulnerability with a “critical” rating relates to the Open Management Infrastructure (OMI) Remote Code Execution vulnerability and is the most severe CVE on the September list.
According to Lansweeper.com, the vulnerability poses a risk to Azure products like Configuration Management. The products expose a HTTP/s port for interacting with OMI and this exposure allows malicious actors to perform RCE attacks without authentication by specially crafting malicious messages via HTTPS to port 5986.
As reported by zdnet.com, the products affected by these vulnerabilities are Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.
A full list of Microsoft’s September 2021 Patches, their CVE’s severities, scores, exploits, and disclosure can be found here: SANS Internet Storm Centre