Microsoft Patch Tuesday – November 2022

This month, Microsoft has published fixes for 69 vulnerabilities, 5 of which come from third-party components integrated into Microsoft products. We have patches for 6 zero-days (!), 9 criticals, and 2 highs. Let's briefly review them.

CVE-2022-41040 / CVE-2022-41082 – Microsoft Exchange Server Elevation of Privilege Vulnerability / Remote Code Execution Vulnerability

These patches address the recent Exchange bugs that are currently being exploited in the wild. Microsoft has released several different mitigation recommendations, but the best advice is to test and deploy the update as soon as possible. Besides these 2 zero-days, Microsoft also released patches for 4 other Exchange vulnerabilities (2 EoP + 2 spoofing): CVE-2022-41080, CVE-2022-41123, CVE-2022-41078, CVE-2022-41079.

CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability

This bug in JScript is also exploited in the wild. A user needs to open a specially crafted website or server share, after which remote code execution is possible with the privileges of the logged-on user. It is likely to be popular in phishing campaigns, so consider patching ASAP. It's worth mentioning that there is another similar bug, CVE-2022-41118, also rated Critical.

CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

An attacker can use this bug to elevate privileges to SYSTEM. It requires the attacker to already be authenticated on the machine, so most probably this bug will be paired with some form of remote code execution exploit. As this is another zero-day, test and deploy the update quickly.

CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability

PrintNightmare is back! Since then we have seen a lot of fixes for the Print Spooler, but this one is actively exploited in the wild. Disabling the Print Spooler service on hosts that do not need it (domain controllers in particular) is a sufficient workaround, but of course you should still patch ASAP.

CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability

There was quite a lot of noise about this vulnerability recently on Twitter (Will Dormann). Mark of the Web is a flag applied to files downloaded from the Internet, which lets Windows treat them in a special way, e.g. by showing a security warning (and opening Office documents in Protected View) when they are accessed. A bypass means a downloaded file is opened as if it were local. This one is also under active attack, so you know what is best to do. There is also another similar bug, CVE-2022-41049, but that one is not exploited, yet.
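To make the mechanism concrete, here is an added PowerShell example (not code from the original post) that shows where the Mark of the Web actually lives: the Zone.Identifier alternate data stream on NTFS. It creates a constructed demo file in $env:TEMP, reads its zone, tags it the way a browser does for an Internet download (ZoneId=3), lists the streams, and then removes the mark with Unblock-File. The demo file name is an assumption.

```powershell
# Added example (not from the original post): inspect, set and remove the Mark of the Web.
# MotW is stored in the Zone.Identifier alternate data stream, so this only works on NTFS.

function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # ZoneId 3 = Internet, 4 = Restricted sites. No stream at all means "no MotW",
    # which is exactly what a bypass like CVE-2022-41091 achieves for a downloaded file.
    try {
        $raw = (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop) -join "`n"
    } catch {
        return $null
    }
    if ($raw -match 'ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Set-MotwInternet {
    param([Parameter(Mandatory)][string]$Path)
    # Same minimal content a browser writes for an Internet download.
    $ads = "[ZoneTransfer]`r`nZoneId=3`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $ads -NoNewline
}

function Test-MotwPresent {
    param([Parameter(Mandatory)][string]$Path)
    # True when the file would get the security warning / Protected View treatment.
    $zone = Get-MotwZoneId -Path $Path
    return ($null -ne $zone -and $zone -ge 3)
}

# Constructed demo (the file name is an assumption; $env:TEMP is normally on NTFS).
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $demo -Value 'hello'

"Fresh file has MotW: $(Test-MotwPresent $demo)"
Set-MotwInternet -Path $demo
"After tagging, zone: $(Get-MotwZoneId $demo); has MotW: $(Test-MotwPresent $demo)"

# Both the main data stream and the Zone.Identifier stream are now visible.
Get-Item -LiteralPath $demo -Stream * | Select-Object Stream, Length

# What a user does when clicking "Unblock" in file properties.
Unblock-File -LiteralPath $demo
"After Unblock-File, has MotW: $(Test-MotwPresent $demo)"

Remove-Item -LiteralPath $demo
```

Run it in any PowerShell session; no elevation is needed. Test-MotwPresent is the check worth reusing in an investigation: a file that arrived from the Internet but has no Zone.Identifier stream (for example one extracted from an archive or mounted image) will not trigger the usual warnings.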

CVE-2022-37966 – Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability

An unauthenticated attacker could leverage cryptographic protocol weaknesses in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. An attacker who successfully exploited this vulnerability could gain administrator privileges. After installing this update, a new registry value is available for the Kerberos protocol: HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc\DefaultDomainSupportedEncTypes, with a default value of 0x27. If you notice an error with event ID 42 from Kdcsvc in the System log, you might need to reset your KRBTGT password (more info in KB5021131).

CVE-2022-41039, CVE-2022-41044, CVE-2022-41088 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

As in previous months, there are multiple bugs in the PPTP protocol. If you are using VPN connections based on the Point-to-Point Tunnelling Protocol, please consider patching soon.
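The Print Spooler workaround above and the PPTP question ("are we even using it?") both come down to checking which exposed services a host still runs. The following added PowerShell example (not code from the original post) reports the Print Spooler state, whether the host is a domain controller, whether a PPTP control-channel listener (TCP 1723) is open, and which configured VPN profiles use the PPTP tunnel type, and provides a function to disable the spooler where it is not needed. The function names are my own.

```powershell
# Added example (not from the original post): exposure check for Print Spooler and PPTP.
# Read-only except Disable-Spooler, which needs an elevated shell.

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return $role -ge 4
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    return "$($svc.Status)/$($svc.StartType)"
}

function Disable-Spooler {
    # Workaround for CVE-2022-41073 on hosts that do not print (notably domain controllers).
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
}

function Test-PptpListener {
    # The PPTP control channel is TCP/1723; RRAS opens it when PPTP is enabled server-side.
    $conn = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    return [bool]$conn
}

function Get-PptpVpnConnection {
    # Client-side: per-user and all-user VPN profiles whose tunnel type is PPTP.
    $all = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
           @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    return $all | Where-Object { $_.TunnelType -eq 'Pptp' }
}

function Get-ServiceExposureReport {
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = Test-IsDomainController
        Spooler            = Get-SpoolerState
        PptpListener       = Test-PptpListener
        PptpVpnProfiles    = @(Get-PptpVpnConnection | ForEach-Object Name)
    }
}

$report = Get-ServiceExposureReport
$report

# Spooler running on a DC is the case worth acting on right away.
if ($report.IsDomainController -and $report.Spooler -like 'Running*') {
    Write-Warning 'Print Spooler is running on a domain controller; consider Disable-Spooler.'
}
```

A non-empty PptpVpnProfiles list or a true PptpListener is the signal that the PPTP patches are relevant to this machine; the Get-VpnConnection cmdlet is available on client and server SKUs from Windows 8.1 / Server 2012 R2 onwards.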

CVE-2022-37967 – Windows Kerberos Elevation of Privilege Vulnerability

An authenticated attacker could leverage cryptographic protocol weaknesses in Windows Kerberos. If the attacker gains control of a service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges. An attacker who successfully exploited this vulnerability could gain administrator privileges. Installing the patch is not enough! To fully mitigate the issue for all devices, once all domain controllers are updated you must move to Audit mode by setting the registry value HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc\KrbtgtFullPacSignature to 2. Then identify tickets that either are missing PAC signatures or have PAC signatures that fail validation, using the event log entries generated in Audit mode. Once all audit events have been resolved and no longer appear, move your domains to Enforcement mode by setting the KrbtgtFullPacSignature registry value to 3 (more info in KB5020805).

CVE-2022-38015 – Windows Hyper-V Denial of Service Vulnerability

This bug could allow a Hyper-V guest to affect the functionality of the Hyper-V host (a guest-to-host denial of service). Although the CVSS score is only 6.5, it's rated as Critical.

CVE-2022-39327 – GitHub: CVE-2022-39327 Improper Control of Generation of Code (‘Code Injection’) in Azure CLI

This bug affects Azure CLI versions older than 2.42.0. To check whether azure-cli is installed and which version you have, run "az version" in PowerShell.
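An added PowerShell example (not code from the original post) that turns the "az version" check into a pass/fail answer: it parses the JSON that az version emits and compares the azure-cli version against 2.42.0. The sample JSON below is constructed to show the shape of the output, not captured from a real host; the function names are my own.

```powershell
# Added example (not from the original post): is the installed Azure CLI older than 2.42.0?

function ConvertFrom-AzVersionJson {
    param(
        [Parameter(Mandatory)][string]$Json,
        [version]$FixedIn = [version]'2.42.0'
    )
    # `az version -o json` returns an object whose "azure-cli" property is the CLI version.
    $info = $Json | ConvertFrom-Json
    $installed = [version]$info.'azure-cli'
    [pscustomobject]@{
        Installed  = $installed
        FixedIn    = $FixedIn
        Vulnerable = ($installed -lt $FixedIn)
    }
}

function Test-AzureCliVersion {
    # Returns $null when az is not on PATH (nothing to patch on this host).
    if (-not (Get-Command az -ErrorAction SilentlyContinue)) { return $null }
    $json = (& az version --output json 2>$null) -join "`n"
    return ConvertFrom-AzVersionJson -Json $json
}

# Constructed sample of the az version output shape (not real output from a specific machine).
$sample = '{ "azure-cli": "2.40.0", "azure-cli-core": "2.40.0", "azure-cli-telemetry": "1.0.8", "extensions": {} }'
ConvertFrom-AzVersionJson -Json $sample

# Live check on the current host.
Test-AzureCliVersion
```

Parsing the JSON rather than eyeballing the text matters because a string comparison would wrongly rank "2.9.1" above "2.42.0"; casting to [version] gets the ordering right. If Vulnerable comes back true, "az upgrade" updates the CLI in place.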

CVE-2022-38023 – Netlogon RPC Elevation of Privilege Vulnerability

This one is marked as Important but also requires some action. An authenticated attacker could leverage cryptographic protocol weaknesses in the Windows Netlogon protocol when RPC Signing is used instead of RPC Sealing. In that case the attacker could gain control of the service and then might be able to modify Netlogon protocol traffic to elevate their privileges. An attacker who successfully exploited this vulnerability could gain administrator privileges. This update protects Windows devices from this bug by default. For third-party clients and third-party domain controllers, the update is in Compatibility mode by default and still allows vulnerable connections from such clients. To enable Enforcement mode, the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal needs to be changed (more info in KB5021130).
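The three Kerberos/Netlogon items above (CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023) each leave a domain controller in a "patched but not yet hardened" state that is controlled by a registry value. The following added PowerShell example (not code from the original post, to be run in an elevated shell on a domain controller) reads all three values, decodes them into the modes described in the corresponding KBs, looks for the Kdcsvc event 42 that signals a KRBTGT reset is needed, and provides setters for the Audit/Enforcement transitions. The default values used when a value is absent (0x27, 1 and 1) are the ones documented for the November 2022 update; the event provider name match and the function names are my assumptions.

```powershell
# Added example (not from the original post): hardening state of a DC after the
# November 2022 Kerberos (KB5021131, KB5020805) and Netlogon (KB5021130) updates.

$KdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegDword {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the update's default applies
    return [int]$item.$Name
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    # Bit layout of msDS-SupportedEncryptionTypes; 0x20 (AES256 session key) is the bit
    # introduced by this update. 0x27 therefore decodes to DES, RC4 and AES256-SK.
    $bits = [ordered]@{
        0x01 = 'DES-CBC-CRC'; 0x02 = 'DES-CBC-MD5'; 0x04 = 'RC4-HMAC'
        0x08 = 'AES128-CTS-HMAC-SHA1-96'; 0x10 = 'AES256-CTS-HMAC-SHA1-96'
        0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'
    }
    return @($bits.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $bits[$_] })
}

function Get-PacSignatureMode {
    param([int]$Value)
    switch ($Value) {
        0 { 'Disabled (vulnerable)' }
        1 { 'Deployment (signatures added, not validated; default)' }
        2 { 'Audit' }
        3 { 'Enforcement' }
        default { "Unknown ($Value)" }
    }
}

function Get-RequireSealMode {
    param([int]$Value)
    switch ($Value) {
        0 { 'Disabled (vulnerable)' }
        1 { 'Compatibility (default)' }
        2 { 'Enforcement' }
        default { "Unknown ($Value)" }
    }
}

function Test-KrbtgtResetNeeded {
    # Event 42 from the KDC in the System log: krbtgt lacks strong (AES) keys, reset the password.
    # Provider name match is an assumption; it covers both display forms of the KDC source.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 42 } -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -match 'Kerberos-Key-Distribution-Center|Kdcsvc' } |
          Select-Object -First 1
    return [bool]$ev
}

function Get-KdcHardeningState {
    $enc  = Get-RegDword $KdcKey 'DefaultDomainSupportedEncTypes'; if ($null -eq $enc)  { $enc  = 0x27 }
    $pac  = Get-RegDword $KdcKey 'KrbtgtFullPacSignature';         if ($null -eq $pac)  { $pac  = 1 }
    $seal = Get-RegDword $NetlogonKey 'RequireSeal';               if ($null -eq $seal) { $seal = 1 }
    $encNames = (ConvertFrom-EncTypeMask $enc) -join ', '
    [pscustomobject]@{
        DefaultDomainSupportedEncTypes = ('0x{0:X2} ({1})' -f $enc, $encNames)
        KrbtgtFullPacSignature         = Get-PacSignatureMode $pac
        NetlogonRequireSeal            = Get-RequireSealMode $seal
        KrbtgtResetNeeded              = Test-KrbtgtResetNeeded
    }
}

function Set-KrbtgtPacSignatureMode {
    # Audit (2) first, Enforcement (3) only after the audit events stop appearing (KB5020805).
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Enforcement')][string]$Mode)
    $value = if ($Mode -eq 'Audit') { 2 } else { 3 }
    Set-ItemProperty -Path $KdcKey -Name 'KrbtgtFullPacSignature' -Value $value -Type DWord
}

function Enable-NetlogonSealEnforcement {
    # Rejects RPC-signed (unsealed) Netlogon channels from third-party clients/DCs (KB5021130).
    Set-ItemProperty -Path $NetlogonKey -Name 'RequireSeal' -Value 2 -Type DWord
}

Get-KdcHardeningState
```

Run Get-KdcHardeningState on every DC: the values are per-server, not replicated, so one DC left in Deployment or Compatibility mode keeps the domain exploitable. Only move to Set-KrbtgtPacSignatureMode -Mode Enforcement and Enable-NetlogonSealEnforcement after the audit period described above has gone quiet.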

Summary

Below you can see the most important CVEs released by Microsoft for November 2022 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already discussed, you can also find some info about bugs in e.g. the ODBC driver, SharePoint, and OpenSSL.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-41040 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical (8.8) | Network | Low | Low | None | Exploited | Exchange Server 2013+ |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Exploited | Exchange Server 2013+ |
| CVE-2022-41128 | Windows Scripting Languages Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | None | Required | Exploited | Windows 7+, Server 2008 R2+ |
| CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 8.1+, Server 2012+ |
| CVE-2022-41073 | Windows Print Spooler Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 7+, Server 2008+ |
| CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important (5.4) | Network | Low | None | Required | Exploited | Windows 10+, Server 2016+ |
| CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | Exchange Server 2013+ |
| CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Server 2008+ |
| CVE-2022-41039 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008 R2+ |
| CVE-2022-41088 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 8.1+, Server 2012+ |
| CVE-2022-41044 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008, Server 2008 R2 |
| CVE-2022-41118 | Windows Scripting Languages Remote Code Execution Vulnerability | Critical (7.8) | Network | High | None | Required | Unproven | Windows 7+, Server 2008 R2+ |
| CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability | Critical (7.2) | Network | Low | High | None | Unproven | Server 2008+ |
| CVE-2022-38015 | Windows Hyper-V Denial of Service Vulnerability | Critical (6.5) | Local | Low | Low | None | Unproven | Windows 10+, Server 2016+ |
| CVE-2022-3602 | OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun | High (7.5) | | | | | Unproven | Azure SDK for C++, vcpkg, Microsoft Azure Kubernetes Service |
| CVE-2022-3786 | OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun | High (7.5) | | | | | Unproven | Azure SDK for C++, vcpkg, Microsoft Azure Kubernetes Service |
| CVE-2022-39327 | GitHub: CVE-2022-39327 Improper Control of Generation of Code ('Code Injection') in Azure CLI | Critical | | | | | Unproven | Azure CLI before 2.42.0 |
| CVE-2022-41047 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-41048 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-41062 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Server 2008+ |
| CVE-2022-41078 | Microsoft Exchange Server Spoofing Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange Server 2013+ |
| CVE-2022-41079 | Microsoft Exchange Server Spoofing Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange Server 2013+ |
