This Tuesday, Microsoft released patches for 64 vulnerabilities, including the two zero-day NotProxyShell vulnerabilities discovered early in October that were not patched in the October patch cycle. Of the 64 vulnerabilities fixed, six were zero-days, 11 were rated critical and 53 important.
Microsoft’s November Patch Tuesday was highly anticipated because of the risk from the two zero-day NotProxyShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) that the security community expected to be patched in the October patch cycle.
The November Patch Tuesday is also important because of a higher-than-usual number of zero-day bugs being addressed. The Windows maker has fixed six zero-day vulnerabilities. Overall, the patch load is as expected for November, though the total number of vulnerabilities addressed in 2022 crossed that of 2021 (1,200), making the year Microsoft’s “second busiest ever for patches,” Dustin Childs of Trend Micro’s Zero Day Initiative noted.
The breakdown of the November patch load is as follows:
- 26 Elevation of Privilege Vulnerabilities (EoP)
- 15 Remote Code Execution (RCE)
- 8 Information Disclosure
- 6 Denial of Service (DoS)
- 4 Security Feature Bypass (SFB)
- 3 Spoofing
Bharat Jogi, director of vulnerability and threat research at Qualys, told Spiceworks, “As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds, etc.). It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organizations have left unpatched.”
Let us take a look at the six zero-day vulnerabilities, i.e., those which are being actively exploited in the wild:
CVE-2022-41040 and CVE-2022-41082 | NotProxyShell
Speaking with Spiceworks, Mike Walters, VP of Vulnerability and Threat Research at Action1, referred to the two NotProxyShell flaws residing in Exchange Server as “heavily exploited.”
CVE-2022-41040 (CVSS: 8.8) is a server-side request forgery issue that enables privilege escalation, while CVE-2022-41082 (CVSS: 6.3) is an RCE bug. “At long last, Microsoft released patches for the ‘ProxyNotShell’ vulnerabilities that are being actively exploited by Chinese threat actors,” Spurti Preetham Gurram, Senior Product Manager at Automox, told Spiceworks.
“The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid exchange servers where temporary mitigation has not been applied.”
After NotProxyShell came to light last month, Walters told Spiceworks that attackers are exploiting the zero-day combination to deploy web shells on compromised servers to exfiltrate data and move laterally to other systems on the compromised network.
Walters added, “It took Microsoft more than two months to provide the patch, even though the company admitted that ProxyNotShell actively exploited the vulnerabilities in targeted attacks against at least 10 large organizations.”
For more information, refer to our detailed story on NotProxyShell vulnerabilities.
CVE-2022-41091
CVE-2022-41091 is an SFB bug that bypasses the Windows Mark of the Web (MotW) security feature. Although its CVSS score is just 5.4, it is a zero-day vulnerability existing in most versions of Windows (10, 11, and Server 2016-2022) since July 2022 that is actively being exploited.
“MotW is an important security feature that provides some protection and warning to end users downloading files from untrusted sources. Windows adds MotW flags to documents and executables that are downloaded from an untrusted source. This flag alerts Windows, Office, web browsers, and other applications that the file is not trusted and displays warnings to end users trying to open the files,” explained Peter Pflaster, technical product marketing manager at Automox.
“Attackers exploiting the zero-day could coerce users to open files from malicious websites, phishing emails, etc., and host specially crafted files that can bypass the security feature that alerts users to potentially malicious files. Multiple outlets have reported that the vulnerability was discovered and reported in July 2022 but has remained unpatched until now. Since the vulnerability is being actively exploited, we recommend patching within 24 hours.”
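The MotW flag Pflaster describes is, on NTFS, a small alternate data stream named Zone.Identifier attached to the downloaded file. The following PowerShell script is an added example (not code from the article or from Automox) that audits a folder and reports which files carry the mark and which do not, which is the first thing a defender wants to know when checking whether downloaded files are reaching users without the warning. The folder path is an assumption; the ZoneId values (3 = Internet, 4 = Restricted Sites) are the standard Windows security-zone numbers.

```powershell
# Added example: audit Mark of the Web (Zone.Identifier ADS) on downloaded files.
# Not from the article. $DownloadDir is an assumed path; change it to the folder to audit.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads"
)

function Get-MotWStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream reports an error when the stream is absent, so probe quietly first.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $Path; HasMotW = $false; ZoneId = $null; ReferrerUrl = $null }
    }

    # The stream is a short INI-style block: [ZoneTransfer], ZoneId=3, optional ReferrerUrl/HostUrl.
    $zone = $null
    $ref  = $null
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if     ($line -match '^ZoneId=(\d+)')      { $zone = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.+)$') { $ref  = $Matches[1] }
    }
    [pscustomobject]@{ File = $Path; HasMotW = $true; ZoneId = $zone; ReferrerUrl = $ref }
}

$report = Get-ChildItem -LiteralPath $DownloadDir -File -Recurse |
    ForEach-Object { Get-MotWStatus -Path $_.FullName }

# Files without MotW never trigger the SmartScreen / Protected View warnings the quote
# describes, so they are the ones to review when a bypass is suspected.
"Files in $DownloadDir without Mark of the Web:"
$report | Where-Object { -not $_.HasMotW } | Format-Table File -AutoSize

# Zone breakdown (3 = Internet, 4 = Restricted Sites) as a sanity check that the
# browser and mail client are applying the mark at all.
"Zone breakdown for marked files:"
$report | Where-Object { $_.HasMotW } | Group-Object ZoneId | Select-Object Name, Count
```

Run it as `.\Audit-MotW.ps1 -DownloadDir C:\Users\alice\Downloads`. Note that files extracted by archivers that do not propagate the stream, or copied to a FAT/exFAT volume, legitimately lose the mark, so an empty Zone.Identifier is a lead, not proof of the bypass.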
CVE-2022-41073
CVE-2022-41073 scored 7.8 on the CVSS scale and has a low attack complexity but remains important to patch. It is a zero-day RCE bug, and is included in the list of the infamous PrintNightmare vulnerabilities since it resides in the Windows Print Spooler service.
“Microsoft continues to patch minions of the PrintNightmare vulnerability. This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop,” Walters said.
Pflaster explained to Spiceworks that “Attackers with local access to a vulnerable device, typically gained through social engineering, credential stuffing, or other password-related attacks, can execute a simple attack to elevate to SYSTEM privileges. Once attackers obtain SYSTEM privileges, they have essentially free rein to establish persistence, move laterally to other more valuable targets, or view and exfiltrate valuable or sensitive data.”
CVE-2022-41073 affects the Windows Print Spooler service in all Windows versions starting from Windows 7 and Windows Server 2008 R2. Walters added that, like other PrintNightmare bugs, CVE-2022-41073 could also be mitigated by disabling the print spooler service.
“But then you will not be able to print anything from your system. Accordingly, it is better to install the latest patch from Microsoft, and then wait for next month and yet another new fix for PrintNightmare!” Walters said, poking at the prevalence of PrintNightmare over the years.
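The interim mitigation Walters mentions, disabling the Print Spooler, is a one-line change but, as he notes, it breaks printing, so in practice it is applied only to hosts that do not need the service. The script below is an added example (not from the article or from Action1) that reports the spooler's state on the local host and, only when run with `-Apply`, stops and disables it unless the host is on a hypothetical allow-list of print servers. The `$PrintHosts` list and the host name in it are assumptions.

```powershell
# Added example: report and optionally apply the "disable Print Spooler" mitigation.
# Not from the article. $PrintHosts is a hypothetical allow-list of machines that must keep printing.
param(
    [string[]]$PrintHosts = @('PRINTSRV01'),   # assumed names; hosts that need the spooler
    [switch]$Apply                              # without -Apply the script only reports
)

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Status     = $svc.Status          # Running / Stopped
        StartType  = $svc.StartType       # Automatic / Manual / Disabled
        NeedsPrint = ($PrintHosts -contains $env:COMPUTERNAME)
    }
}

function Disable-Spooler {
    # Stop the service now and keep it from starting again at boot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
}

$state = Get-SpoolerState
if ($null -eq $state) { "Spooler service not present on this host."; return }

$state | Format-List

if ($state.NeedsPrint) {
    "$($state.Computer) is on the print allow-list: leave Spooler running and rely on the patch."
}
elseif ($state.Status -ne 'Stopped' -or $state.StartType -ne 'Disabled') {
    if ($Apply) {
        Disable-Spooler
        "Spooler stopped and disabled on $($state.Computer)."
    } else {
        "Spooler is $($state.Status)/$($state.StartType); re-run with -Apply to stop and disable it."
    }
}
else {
    "Spooler already stopped and disabled on $($state.Computer)."
}
```

Run it without arguments first to see the current state; `.\Set-SpoolerMitigation.ps1 -Apply` makes the change and requires an elevated prompt. Disabling the service is a stopgap: once the November patch is installed, the service can be re-enabled on hosts that need it with `Set-Service -Name Spooler -StartupType Automatic`.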
Automox recommended admins patch CVE-2022-41128 within 24 hours since it is being actively exploited.
CVE-2022-41125
CVE-2022-41125 has a relatively low CVSS score of 7.8 with a low attack complexity. But the EoP flaw, which resides in Windows Cryptography Next Generation (CNG), is under active exploitation, thus making the application of the patch imperative to securing systems.
Gina Geisel, product marketing manager at Automox, told Spiceworks, “With a long list of Windows 10 and 11 impacted (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability [CVE-2022-41125] exposes industry-leading versions of Windows and could have wide-ranging impacts.”
“With low privileges required and a local attack vector, this vulnerability does not necessitate any user interaction. Instead, an attacker would have to gain execution privileges on the victim’s device and run a specially crafted application to elevate privileges to exploit this vulnerability.”
CVE-2022-41128
Found in the JScript9 scripting language, CVE-2022-41128 scored 8.8 on the CVSS severity index. The issue affects all Windows versions, including older ones.
Walters explained that CVE-2022-41128 “has low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website.”
Other zero-day and critical vulnerabilities from November Patch Tuesday
All zero-day (first six) and critical vulnerabilities from the November Patch Tuesday are listed below by their CVSS score.
| Vulnerability | Exists In | CVSS Score | Type | Exploitation |
|---|---|---|---|---|
| CVE-2022-41040 | Microsoft Exchange Server | 8.8 | EoP | Exploitation Detected |
| CVE-2022-41082 | Microsoft Exchange Server | 8.8 | RCE | Exploitation Detected |
| CVE-2022-41128 | Windows Scripting Languages | 8.8 | RCE | Exploitation Detected |
| CVE-2022-41125 | Windows CNG Key Isolation Service | 7.8 | EoP | Exploitation Detected |
| CVE-2022-41073 | Windows Print Spooler | 7.8 | EoP | Exploitation Detected |
| CVE-2022-41091 | Windows Mark of the Web | 5.4 | SFB | Exploitation Detected |
| (CVE ID missing in source) | Microsoft Exchange Server | 8.8 | EoP | More Likely |
| CVE-2022-37966 | Windows Kerberos RC4-HMAC | 8.1 | EoP | More Likely |
| (CVE ID missing in source) | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely |
| CVE-2022-41088 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely |
| (CVE ID missing in source) | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely |
| CVE-2022-41118 | Windows Scripting Languages | 7.8 | RCE | More Likely |
| (CVE ID missing in source) | Windows Kerberos | 7.2 | EoP | More Likely |
| CVE-2022-38015 | Windows Hyper-V | 6.5 | DoS | Less Likely |
“Six actively exploited zero days in one cycle is an unusually high number – 12 critical in all [including a previously disclosed one in Azure CLI by GitHub],” Gareth Lindahl-Wise, chief security advisor at Tiberium, told Spiceworks.
“Initial compromise, remote code execution and privilege execution are all unlikely to be on a CISO’s Christmas list. From a prevention perspective – identify, prioritise, and patch. You should also ensure that your Detection and Response capabilities are geared towards these specific CVEs and general tactics.”
The November Patch Tuesday also follows Microsoft’s advisory for the two high-rated OpenSSL vulnerabilities patched earlier in November through the release of OpenSSL version 3.0.7, and patches for three other previously disclosed bugs discovered by GitHub and AMD.