This month, Microsoft has fixed 85 vulnerabilities, including 15 criticals (1 with the highest CVSS = 10.0) and 1 zero-day. Let’s briefly review them.
CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability
This patch fixes a bug that Microsoft lists as being used in active attacks, but they didn’t provide any further details. As this is a privilege escalation bug, it is most likely paired with a code execution exploit to take over a system. I would expect the involvement of some form of social engineering (opening a malicious attachment or website). Test and deploy ASAP.
CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
This vulnerability could allow an attacker who knows the randomly generated external DNS endpoint of an Azure Arc-enabled Kubernetes cluster to exploit it from the internet, elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster. The vulnerability is in Azure Arc, but it could also impact the Kubernetes cluster and any Azure Stack Edge connected to the vulnerable Azure Arc. This bug got the rare CVSS 10 rating, the highest severity rating. If you’re running Azure Arc-enabled Kubernetes clusters, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.
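The version check and upgrade just described, as an added PowerShell example (not from the original post or from Microsoft). It assumes the Azure CLI with the connectedk8s extension is installed and logged in; the `Update-ArcK8sAgents` function name and the resource group and cluster names are placeholders.

```powershell
# Added example, not from the original post: report the Arc agent version on an
# Azure Arc-enabled Kubernetes cluster, then either enable agent auto-upgrade or
# trigger a manual upgrade. Assumes Azure CLI + connectedk8s extension, logged in.
# Resource group and cluster names are placeholders.

function Update-ArcK8sAgents {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$ClusterName,
        [switch]$ManualUpgrade   # upgrade now instead of relying on auto-upgrade
    )

    # Current agent version as reported by the connectedk8s resource
    $before = az connectedk8s show --resource-group $ResourceGroup --name $ClusterName -o json |
        ConvertFrom-Json
    Write-Host ("{0}: agent version {1}" -f $ClusterName, $before.agentVersion)

    if ($ManualUpgrade) {
        # Upgrades the agents running in the cluster to the latest release
        az connectedk8s upgrade --resource-group $ResourceGroup --name $ClusterName | Out-Null
    } else {
        # Lets the agents follow new releases automatically
        az connectedk8s update --resource-group $ResourceGroup --name $ClusterName --auto-upgrade true |
            Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "az connectedk8s command failed for $ClusterName" }

    # Re-read so the result of a manual upgrade is visible
    $after = az connectedk8s show --resource-group $ResourceGroup --name $ClusterName -o json |
        ConvertFrom-Json
    Write-Host ("{0}: agent version now {1}" -f $ClusterName, $after.agentVersion)
}

# Placeholder names; replace with your own
Update-ArcK8sAgents -ResourceGroup 'RESOURCE_GROUP' -ClusterName 'CLUSTER_NAME' -ManualUpgrade
```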
CVE-2022-37976 – Active Directory Certificate Services Elevation of Privilege Vulnerability
A malicious DCOM client could coerce a DCOM server to authenticate to it through Active Directory Certificate Services (ADCS) and use that credential to launch a cross-protocol attack. An attacker who successfully exploited this vulnerability could gain domain administrator privileges. A system is vulnerable only if Active Directory Certificate Services is running in the domain, which is quite a common configuration.
The mitigation for this vulnerability is to change the Legacy Authentication Level from the default value “2” (Connect) to “5” (Packet Integrity), but my recommendation is still to install the patch. You can change it here:
dcomcnfg.exe -> Computer -> My Computer (Properties) -> Default Properties -> Default Authentication Level
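The same mitigation applied from an elevated PowerShell session, as an added example (not from the original post or from Microsoft). It assumes that the dcomcnfg.exe setting above maps to the documented registry value `HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel`, and that an absent value means the built-in default of 2 (Connect); the function names are mine.

```powershell
# Added example, not from the original post: audit and, if needed, raise the
# machine-wide DCOM default authentication level that dcomcnfg.exe edits.
# Assumption: the GUI setting maps to the documented registry value
#   HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel (REG_DWORD)
#   1 None, 2 Connect (default), 3 Call, 4 Packet, 5 Packet Integrity, 6 Packet Privacy
# Run from an elevated PowerShell session.

$Key    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$Name   = 'LegacyAuthenticationLevel'
$Levels = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
             4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Get-DcomDefaultAuthLevel {
    # Assumption: if the value is absent, COM uses its built-in default (2 = Connect)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 2 }
    return [int]$item.$Name
}

function Set-DcomDefaultAuthLevel {
    param([Parameter(Mandatory)][ValidateRange(1, 6)][int]$Level)
    # Creates the value if it does not exist; new DCOM connections pick it up
    Set-ItemProperty -Path $Key -Name $Name -Value $Level -Type DWord
}

$Target  = 5   # Packet Integrity, the level recommended above
$Current = Get-DcomDefaultAuthLevel
Write-Host ("Current default authentication level: {0} ({1})" -f $Current, $Levels[$Current])

if ($Current -lt $Target) {
    Set-DcomDefaultAuthLevel -Level $Target
    $After = Get-DcomDefaultAuthLevel
    Write-Host ("Raised to: {0} ({1})" -f $After, $Levels[$After])
} else {
    Write-Host 'Already at or above Packet Integrity; nothing to change.'
}
```

Because this is a machine-wide default for DCOM applications that do not set their own security, test DCOM-dependent applications before rolling it out.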
CVE-2022-41038, CVE-2022-41036, CVE-2022-41037, CVE-2022-38053 – Microsoft SharePoint Server Remote Code Execution Vulnerability
Here we have a combo of 4 vulnerabilities in SharePoint. All of them have CVSS 8.8, but only the first one is marked as Critical. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint server. These bugs have been found in all supported SharePoint versions.
CVE-2022-30198, CVE-2022-24504, CVE-2022-33634, CVE-2022-22035, CVE-2022-38047, CVE-2022-38000, CVE-2022-41081 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Then we have an even bigger combo: 7 bugs in the PPTP protocol. We observed a similar situation in past months, so if you are using VPN connections based on the Point-to-Point Tunneling Protocol, please consider patching soon.
CVE-2022-38049, CVE-2022-38048, CVE-2022-41031 – Microsoft Office Graphics, Microsoft Office, Microsoft Word Remote Code Execution Vulnerability
Next come 3 Office vulnerabilities, which are rarely rated as Critical (here 7.8). The rating likely results from the lack of warning dialogs when opening a specially crafted file. Either way, the underlying issue is a use-after-free (UAF) that could lead to passing an arbitrary pointer to a free call, which makes further memory corruption possible.
CVE-2022-37979 – Windows Hyper-V Elevation of Privilege Vulnerability
This bug could allow a Hyper-V guest to affect the functionality of the Hyper-V host. An attacker in a nested Hyper-V environment could gain Level 1 Hyper-V Windows Root OS privileges. Successful exploitation requires the attacker to win a race condition. The attack complexity is high, but this one is still rated as Critical.
CVE-2022-34689 – Windows CryptoAPI Spoofing Vulnerability
An attacker could manipulate an existing public X.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate.
Summary
Below you can see the most important CVEs released by Microsoft for October 2022 (zero-days, criticals, and those with CVSS of at least 8.0). Besides the vulnerabilities already mentioned, you can also find some info about bugs in e.g. the ODBC driver, the WDAC OLE DB provider for SQL, the Server service, LSA, and CSRSS. The last one might be quite interesting, because it could be similar to CVE-2022-22047 (July 2022), an earlier bug that saw some in-the-wild exploitation.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 7+ Server 2008 R2+ |
CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | Critical (10.0) | Network | Low | None | None | Unproven | Azure Arc |
CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | Server 2008+ |
CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1 SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008 R2+ |
CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008 R2+ |
CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | PoC | Windows 7+ Server 2008 R2+ |
CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-38049 | Microsoft Office Graphics Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | Office 2019, Office LTSC 2021, Office 365 |
CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | Office 2013+, Office LTSC 2021, Office 365 Office 2019 (Mac), Office LTSC 2021 (Mac) |
CVE-2022-41031 | Microsoft Word Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | Office LTSC 2021, Office 365 Office 2019 (Mac), Office LTSC 2021 (Mac) |
CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical (7.8) | Local | High | Low | None | Unproven | Windows 10+ Server 2016+ |
CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | Critical (7.5) | Network | Low | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-38040 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1 SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
CVE-2022-41037 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1 SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1 SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
CVE-2022-37982 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-38031 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-38045 | Server Service Remote Protocol Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 8.1+ Server 2012+ |
CVE-2022-38016 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 10+ Server 2019+ |
CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Unproven | Windows 7+ Server 2008+ |