CVE-2021-27055: Microsoft Visio Security Feature Bypass Vulnerability

Overview

Severity: High (CVSS 7)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Security Feature Bypass
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2021-Mar
Released: 2021-03-09
EPSS Score: 1.16% (percentile: 78.6%)

FAQ

Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.

What is the attack vector for this vulnerability?
Initially, an Administrator would need to set a Group Policy in a specific way. Then, an attacker would need to modify a macro-enabled template that ships with Excel. Finally, the attacker needs to convince a target to run that malicious file on a system affected by that Policy.

Detection & Weaponization (1 source)

Maturity: Detection

  • YARA rules: SIGNATURE_BASE_EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts

Affected Products (10)

Microsoft Office

  • Microsoft Visio 2013 Service Pack 1 (32-bit editions)
  • Microsoft Visio 2013 Service Pack 1 (64-bit editions)
  • Microsoft Visio 2016 (32-bit edition)
  • Microsoft Visio 2016 (64-bit edition)
  • Microsoft Visio 2010 Service Pack 2 (32-bit editions)
  • Microsoft Visio 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Office 2019 for 64-bit editions

Security Updates (6)

Acknowledgments

Luke Papandrea, Microsoft Corporation

Revision History

  • 2021-03-09: Information published.