Multiple vulnerabilities in Microsoft Excel

Published: 2021-10-12 | Updated: 2021-10-13

Risk	High
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2021-40485 CVE-2021-40472 CVE-2021-40471 CVE-2021-40473 CVE-2021-40474 CVE-2021-40479
CWE-ID	CWE-94 CWE-200 CWE-416
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #5 is available.
Vulnerable software Subscribe	Microsoft SharePoint Server Server applications / Application servers Microsoft Office Web Apps Server Server applications / Application servers Microsoft Office Client/Desktop applications / Office applications Microsoft Excel Client/Desktop applications / Office applications Office Online Server Server applications / Other server solutions
Vendor	Microsoft

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Code Injection

EUVDB-ID: #VU57262

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-40485

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Microsoft Excel. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft SharePoint Server: 2013

Microsoft Office: 2019 - 2019 for Mac

Office Online Server : 2016

Microsoft Excel: 2013 - 2016

Fixed software versions

CPE2.3

cpe:2.3:a:microsoft:microsoft_sharepoint_server:2013:*:*:*:*:*:*:*

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40485

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Information disclosure

EUVDB-ID: #VU57267

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-40472

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Microsoft Excel. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 2013 - 2019

Office Online Server : 2016

Microsoft Excel: 2013 - 2016

Microsoft Office Web Apps Server: 2013 Service Pack 1

Fixed software versions

CPE2.3

cpe:2.3:a:microsoft:microsoft_office:2019:*:*:*:*:*:*:*

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40472

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Code Injection

EUVDB-ID: #VU57266

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-40471

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Microsoft Excel. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 2013 - 2019

Fixed software versions

CPE2.3

cpe:2.3:a:microsoft:microsoft_office:2019:*:*:*:*:*:*:*

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40471

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Code Injection

EUVDB-ID: #VU57265

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-40473

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Microsoft Excel. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 2013 - 2019

Fixed software versions

CPE2.3

cpe:2.3:a:microsoft:microsoft_office:2019:*:*:*:*:*:*:*

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40473

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Use-after-free

EUVDB-ID: #VU57264

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-40474

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when parsing Microsoft Excel files. A remote attacker can create a specially crafted Microsoft Excel file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 2019 - 2019 for Mac

Office Online Server : 2016

Microsoft Excel: 2013 - 2016

Microsoft Office Web Apps Server: 2013 Service Pack 1

Fixed software versions

CPE2.3

cpe:2.3:a:microsoft:microsoft_office:2019:*:*:*:*:*:*:*

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40474

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Code Injection

EUVDB-ID: #VU57263

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-40479

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Microsoft Excel. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 2013 - 2019

Fixed software versions

CPE2.3

cpe:2.3:a:microsoft:microsoft_office:2019:*:*:*:*:*:*:*

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40479

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?