October Patch Tuesday: Two Zero-day and 15 Critical Vulnerabilities Patched by Microsoft

essidsolutions

On Tuesday, Microsoft rolled out security patches for 85 vulnerabilities, a number not unusual for the company’s October Patch Tuesday. What is unusual, however, is that the company has failed to develop a patch for the two Exchange Server vulnerabilities that came to light earlier this month.

Microsoft is all set to cross last year’s total vulnerability patch count of 1,200 in 2022, with the total number of CVEs addressed until October Patch Tuesday hovering around the 1,100 mark. “If that happens, 2022 would be the second busiest year for Microsoft CVEs,” noted Dustin Childs of Trend Micro’s Zero Day Initiative.

15 of the 85 vulnerabilities addressed in the October Patch Tuesday are rated Critical in severity, 69 Important and one Moderate. For the two unpatched Exchange Server vulnerabilities, dubbed NotProxyShell, Microsoft recommended that admins apply its mitigations while it works on a fix. The company didn’t give a timeline for the NotProxyShell patches, and both vulnerabilities are being actively exploited in the wild.

Ankit Malhotra, manager of Signature Engineering at Qualys, noted in a blog post, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation.”

However, the October patch load takes care of plenty of other serious bugs in Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure/Azure Arc/Azure DevOps, Windows Resilient File System (ReFS), Active Directory Domain Services and Active Directory Certificate Services, Hyper-V, Visual Studio Code, and NuGet Client.


Critical Severity Vulnerability Patches from October Patch Tuesday

CVE-2022-41033

First up is CVE-2022-41033, an elevation of privilege (EoP) vulnerability in the Windows COM+ Event System Service. With a CVSS score of 7.8, CVE-2022-41033 is not rated Critical, but it is a zero-day: it is being actively targeted, and a public exploit is available.

“One of the most serious vulnerabilities fixed this month is the Windows COM+ Event System Service Elevation of Privilege Vulnerability (CVE-2022-41033), even though its CVSS rating is just 7.8,” Mike Walters, VP of Vulnerability and Threat Research at Action1, told Spiceworks.

“The reason is simple: There has been an exploit for this vulnerability for a long time now, and it can be easily combined with an RCE exploit. It is an excellent tool in a hacker’s arsenal for elevating privileges on a Windows system because it enables an attacker who has local access to a machine to gain SYSTEM privileges and do anything they like with that target system.”

“The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs,” Walters added. A successful exploit would require a user on the target machine to open an attachment or visit a malicious website. This explains the low CVSS score.

Besides being a zero-day vulnerability, CVE-2022-41033 should be prioritized because it impacts all versions of Windows starting with Windows 7 and Windows Server 2008. “This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server.”

Walters recommended, “Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it.”


CVE-2022-37968

A cluster connect EoP flaw in Azure Arc-enabled Kubernetes, CVE-2022-37968 has the highest possible CVSS score of 10 among the 85 vulnerabilities fixed on October Patch Tuesday. “It could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. It affects the cluster connect feature of these clusters,” Walters said.

CVE-2022-37968 has a low attack complexity and requires few privileges and no user interaction to exploit. Walters explained, “An adversary who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet.”

“Successful exploitation of this vulnerability allows an unauthenticated user to elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster. If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18 and 1.8.11 and they are available from the internet, upgrade immediately.”

Debra M. Fezza Reed, principal business analyst for vulnerability and threat research engineering at Qualys, pointed out that Azure Stack Edge devices are also vulnerable to CVE-2022-37968 because its users can deploy Kubernetes workloads on their devices via Azure Arc.

CVE-2022-37987/CVE-2022-37989

Also EoP vulnerabilities, CVE-2022-37987 and CVE-2022-37989 each have a CVSS score of 7.8. Both have a low attack complexity and require low privileges and no user interaction to exploit. “Both attacks enable elevation of privileges to SYSTEM,” Walters explained.

“Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability (CVE-2022-37987 and CVE-2022-37989) are both related to the behavior of the CSRSS process when searching for dependencies.”

Microsoft rates exploitation of both as more likely, possibly because the latter is a failed fix for a previously reported vulnerability.

“CVE-2022-37989 is a failed fix for an earlier bug, CVE-2022-22047, which has been seen in the wild; this vulnerability occurs because CSRSS can accept input from untrusted processes,” Walters explained. “The CVE-2022-37987 vulnerability is a new attack that works by tricking CSRSS into downloading dependency information from an unprotected location.”

CVE-2022-41038

CVE-2022-41038 is a remote code execution vulnerability in SharePoint Server. Microsoft’s exploitability assessment rates it as exploitation more likely, provided the threat actor has Manage List permissions.

“In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint Server and escalate to administrative permissions,” Walters further added.

“Microsoft reports that an exploit has likely already been created and is being used by hacker groups, but there is no proof of this yet. Nevertheless, this vulnerability is worth taking seriously if you have a SharePoint Server open to the internet.”

Users/admins can download and apply the cumulative update or the security update to patch CVE-2022-41038, which impacts all versions of SharePoint since SharePoint 2013 Service Pack 1.

Other vulnerability patches that should be prioritized

Besides CVE-2022-41033, Microsoft also patched another zero-day bug, tracked as CVE-2022-41043. It is an information disclosure vulnerability in Microsoft Office. Technical details for CVE-2022-41043 are publicly available, though the vulnerability is not known to be actively exploited.

The table below lists all 15 critical vulnerabilities and the two zero-day ones.

Vulnerability    | Exists In                                | CVSS Score | Type                   | Exploitation
-----------------|------------------------------------------|------------|------------------------|-------------
CVE-2022-37968   | Azure Arc-enabled Kubernetes cluster     | 10         | Connect EoP            | Less Likely
CVE-2022-37976   | Active Directory Certificate Services    | 8.8        | EoP                    | Less Likely
CVE-2022-41038   | Microsoft SharePoint Server              | 8.8        | RCE                    | More Likely
CVE-2022-30198   | Windows Point-to-Point Tunneling Protocol | 8.1        | RCE                    | Less Likely
CVE-2022-24504   | Windows Point-to-Point Tunneling Protocol | 8.1        | RCE                    | Less Likely
CVE-2022-33634   | Windows Point-to-Point Tunneling Protocol | 8.1        | RCE                    | Less Likely
CVE-2022-22035   | Windows Point-to-Point Tunneling Protocol | 8.1        | RCE                    | Less Likely
CVE-2022-38047   | Windows Point-to-Point Tunneling Protocol | 8.1        | RCE                    | Less Likely
CVE-2022-38000   | Windows Point-to-Point Tunneling Protocol | 8.1        | RCE                    | Less Likely
CVE-2022-41081   | Windows Point-to-Point Tunneling Protocol | 8.1        | RCE                    | Less Likely
CVE-2022-38049   | Microsoft Office Graphics                | 7.8        | RCE                    | Less Likely
CVE-2022-38048   | Microsoft Office                         | 7.8        | RCE                    | Less Likely
CVE-2022-41031   | Microsoft Word                           | 7.8        | RCE                    | Less Likely
CVE-2022-37979   | Windows Hyper-V                          | 7.8        | EoP                    | Less Likely
CVE-2022-34689   | Windows CryptoAPI                        | 7.5        | Spoofing               | More Likely
CVE-2022-41033   | Windows COM+ Event System Service        | 7.8        | EoP                    | Detected
CVE-2022-41043   | Microsoft Office                         | 4          | Information Disclosure | Less Likely
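The article's recurring point is that exploitation status, not raw CVSS, should drive patching order (a 7.8 zero-day ahead of an unexploited 10). The following Python script is an added example, not part of the article or of any vendor tooling: it parses the advisory table above, embedded inline in a constructed pipe-separated form, and orders the entries by Microsoft's exploitation rating first and CVSS second. The three-tier ranking (Detected, More Likely, Less Likely) and the tie-breaking rule are this example's own assumptions, not a Microsoft or Qualys scoring scheme.

```python
"""Rank a Patch Tuesday advisory list for patching order (added example).

Rule (an assumption of this example, not a vendor scheme): exploitation
status outranks CVSS, so an actively exploited 7.8 is patched before an
unexploited 10.0. Ties within a status are broken by CVSS (descending),
then by CVE id so the output is deterministic.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed copy of the article's table: 15 Critical + 2 zero-day entries.
ADVISORY_TABLE = """\
CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster     | 10  | Connect EoP            | Less Likely
CVE-2022-37976 | Active Directory Certificate Services    | 8.8 | EoP                    | Less Likely
CVE-2022-41038 | Microsoft SharePoint Server              | 8.8 | RCE                    | More Likely
CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE                    | Less Likely
CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE                    | Less Likely
CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE                    | Less Likely
CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE                    | Less Likely
CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE                    | Less Likely
CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE                    | Less Likely
CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE                    | Less Likely
CVE-2022-38049 | Microsoft Office Graphics                | 7.8 | RCE                    | Less Likely
CVE-2022-38048 | Microsoft Office                         | 7.8 | RCE                    | Less Likely
CVE-2022-41031 | Microsoft Word                           | 7.8 | RCE                    | Less Likely
CVE-2022-37979 | Windows Hyper-V                          | 7.8 | EoP                    | Less Likely
CVE-2022-34689 | Windows CryptoAPI                        | 7.5 | Spoofing               | More Likely
CVE-2022-41033 | Windows COM+ Event System Service        | 7.8 | EoP                    | Detected
CVE-2022-41043 | Microsoft Office                         | 4   | Information Disclosure | Less Likely
"""

# Lower number = patch sooner. Ordering is this example's assumption.
EXPLOITATION_RANK: Dict[str, int] = {"Detected": 0, "More Likely": 1, "Less Likely": 2}


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float
    kind: str
    exploitation: str


def parse_table(text: str) -> List[Advisory]:
    """Parse pipe-separated rows; reject malformed rows instead of guessing."""
    rows: List[Advisory] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 5:
            raise ValueError(f"expected 5 columns, got {len(cols)}: {line!r}")
        cve, product, cvss, kind, exploitation = cols
        if not cve.startswith("CVE-"):
            raise ValueError(f"not a CVE id: {cve!r}")
        if exploitation not in EXPLOITATION_RANK:
            raise ValueError(f"unknown exploitation status: {exploitation!r}")
        score = float(cvss)
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS out of range: {cvss!r}")
        rows.append(Advisory(cve, product, score, kind, exploitation))
    return rows


def prioritize(advisories: List[Advisory]) -> List[Advisory]:
    """Exploitation status first, then CVSS descending, then CVE id."""
    return sorted(advisories, key=lambda a: (EXPLOITATION_RANK[a.exploitation], -a.cvss, a.cve))


def waves(advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Group the ranked list into patch waves keyed by exploitation status."""
    grouped: Dict[str, List[str]] = {status: [] for status in EXPLOITATION_RANK}
    for adv in prioritize(advisories):
        grouped[adv.exploitation].append(adv.cve)
    return grouped


if __name__ == "__main__":
    for status, cves in waves(parse_table(ADVISORY_TABLE)).items():
        print(f"{status}: {', '.join(cves)}")
```

Run as a script, it prints three waves: the Detected zero-day alone at the top, the two "More Likely" entries (SharePoint RCE and CryptoAPI spoofing) next, and the CVSS 10 Azure Arc bug only leading the third wave. Any row with a malformed id, an unexpected status, or an out-of-range score raises rather than being silently ranked.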

Of the 85 vulnerabilities fixed, 39 were EoP bugs, 20 RCE, 11 information disclosure, eight denial of service, five spoofing, and two security feature bypass vulnerabilities.
