November 2022 Patch Tuesday
Microsoft has a very important lineup for Patch Tuesday this November. Not only have they responded to the ProxyNotShell pair of zero-day vulnerabilities, but they have resolved four additional zero-day vulnerabilities for a total of six zero-day vulnerabilities to pay attention to this month.
Microsoft has resolved or re-released a total of 81 CVEs this month:
- 65 of the CVEs are newly resolved.
- 16 have been updated this month, but were previously released.
- 10 of 81 CVEs are rated as Critical.
Zero-day Vulnerabilities
Microsoft resolved a pair of zero-day vulnerabilities in Microsoft Exchange Server. Dubbed ProxyNotShell, CVE-2022-41040 (EP) and CVE-2022-41082 (RCE) were first raised to public awareness on Sept 29, 2022.
Microsoft provided mitigations for the vulnerabilities, including disabling remote PowerShell access for non-admins and URL Rewrite rules. The mitigations underwent several iterations initially but stabilized a couple weeks later.
With the November 8, 2022, Patch Tuesday release, Microsoft has updated the customer guidance in the MSRC to recommend customers running on-prem Microsoft Exchange Server update their affected systems immediately.
Microsoft has resolved an Elevation of Privilege vulnerability in Windows CNG Key Isolation Service (CVE-2022-41125) that affects Windows 8.1 and Server 2012 and later editions of the Windows OS. The CVE is rated as Important, but has been detected in attacks in the wild. The privilege escalation could allow an attacker to gain SYSTEM privileges on the affected target.
Microsoft has also resolved an Elevation of Privilege vulnerability in Windows Print Spooler (CVE-2022-41073) that affects all Windows OS versions. The CVE is rated as Important, but has been detected in attacks in the wild. The privilege escalation could allow an attacker to gain SYSTEM privileges on the affected target.
Since PrintNightmare (CVE-2021-1675) was discovered in June 2021, the interactions with Windows Print Spooler have undergone many changes. Many organizations were impacted by the PrintNightmare print spooler updates and have since taken extra efforts to ensure inclusion of business critical applications that have been impacted by print spooler updates in their pilot groups.
As always, keep an eye on testing those applications this month, proactively reach out to those pilot group users and do some quick validation that the OS update this month does not cause any disruptions. Due to multiple zero-day vulnerabilities in the OS updates this month, any delays to rollout will expose organizations to prolonged risk.
Microsoft has resolved a Security Feature Bypass vulnerability in Windows Mark of the Web (CVE-2022-41091) that affects Windows 8.1 and Server 2012 and later editions of the Windows OS. The CVE is rated as Important, but has been detected in attacks in the wild and has been publicly disclosed. If exploited, an attacker could impact integrity and availability of security features, such as Protected View in Microsoft Office.
Several of this month’s exploited vulnerabilities are only rated as Important, but this CVE in particular is a good example of why a risk-based vulnerability management approach is essential to understand real world risks.
CVE-2022-41091 only received a CVSSv3.1 base score of 5.4. By itself, this vulnerability may not seem very threatening, but attackers have found something valuable enough to take the time to build an exploit and use it in the wild. Consider this vulnerability specifically as one step in a process to gain control of a system.
This CVE would allow an attacker to cause a security feature like Microsoft Office Protected View to potentially become unusable. If they can target another CVE that requires a user to open the email to remotely execute code, as an example, then the executed code could exploit a CVE that allows the attacker to gain SYSTEM privileges on the system.
This vulnerability is an example of attack chaining and makes less severe CVEs much more dangerous as they are combined in a three or four CVE combination attack.
Microsoft has resolved a Remote Code Execution vulnerability in Windows Scripting Languages (CVE-2022-41128) that affects all Windows OS versions. The CVE is rated as Critical and has been detected in attacks in the wild. The vulnerability specifically impacts the JScript9 language.
While the attacker needs to host a malicious server and convince users to access that content, social engineering is a well-honed skill amongst effective threat actors, so it is really just a number's game to convince someone to click.
Take this recent example: The US employee base is currently undergoing open enrollment of healthcare benefits for 2023. This seasonal activity means we are all being bombarded with documentation and actions we need to perform. In the past week, my team of product managers have observed three distinctly different health benefits related phishing attempts from DocuSign with links to click on.
I'm happy to report those attempts were foiled by attentive employees, but imagine someone who is more in a panic about their benefits. It could be quite easy to click before asking why the document was from the wrong healthcare provider. “User interaction required” often makes an exploit easier to take advantage of for threat actors, since they can manipulate a person fairly easily.
Microsoft has resolved a spoofing vulnerability in Microsoft Endpoint Configuration Manager (CVE-2022-37972). The vulnerability affects all supported versions of MECM, but the update is only available for supported build versions 2103 to 2207.
Microsoft noted that customers using builds prior to 2103 should upgrade to a supported version. In the CVE article, Microsoft was not clear on exactly what the spoofing vulnerability would allow an attacker to bypass or fake, but if you drill down into KB 15498768, it appears the attacker could bypass an action to disable the “Allow connection fallback to NTLM” in client push installation properties under specific conditions.
The CVE is not actively being exploited, but Proof-of-Concept code has been publicly disclosed – so much of the effort to exploit this vulnerability has already been handed to a general audience. The CVE is rated as Important, but has a CVSS v3.1 base score of 9.8.
Risk-based prioritization recommendations for November 2022 Patch Tuesday:
Risk-based prioritization is essential to effectively prioritize and respond to the numerous threats we face from a cybersecurity perspective on a daily basis. Applying a risk-based approach to this month's CVE lineup, we can prioritize three actions you can take to resolve the majority of the risks to your environment:
- Update on-prem Exchange Server (Resolve known exploited CVEs CVE-2022-41040 and CVE-2022-41082)
- Update all Windows OS versions (Resolve known exploited CVEs CVE-2022-41125, CVE-2022-41073, CVE-2022-41091, and CVE-2022-41128)
- Apply KB 15498768 for Microsoft Endpoint Configuration Manger (Resolve publicly disclosed CVE CVE-2022-37972)