Microsoft Patch Tuesday – October 2022

This month, Microsoft has fixed 85 vulnerabilities, including 15 rated Critical (one of them with the highest possible CVSS score of 10.0) and 1 zero-day. Let’s briefly review them.

CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability

This patch fixes a bug that Microsoft lists as being used in active attacks, but they didn’t provide any further details. As this is a privilege escalation bug, it is most likely paired with other code execution exploits to take over a system. I would expect the involvement of some form of social engineering (opening a malicious attachment or website). Test and deploy ASAP.

CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability

This vulnerability could allow an attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster to exploit it from the internet, elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster. The vulnerability is in Azure Arc but could also impact the Kubernetes cluster and Azure Stack Edge connected to the vulnerable Azure Arc deployment. This bug got the rare CVSS 10.0 rating, the highest possible severity. If you’re running these types of clusters, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.

CVE-2022-37976 – Active Directory Certificate Services Elevation of Privilege Vulnerability

A malicious DCOM client could coerce a DCOM server to authenticate to it through Active Directory Certificate Services (ADCS) and use the credential to launch a cross-protocol attack. An attacker who successfully exploited this vulnerability could gain domain administrator privileges. A system is vulnerable only if Active Directory Certificate Services is running on the domain, which is quite a common configuration.

The mitigation for this vulnerability is to change the Legacy Authentication Level from the default value “2” (Connect) to “5” (Packet Integrity), but my recommendation is still to install the patch. You can change the setting here:

dcomcnfg.exe -> Computer -> My Computer (Properties) -> Default Properties -> Default Authentication Level
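For anyone who needs to audit this setting across a fleet rather than clicking through dcomcnfg, here is an added PowerShell example (not from the original post). It reads the HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel DWORD that the dcomcnfg dialog writes, treats an absent value as the built-in default of 2 (Connect), and only changes anything when run with -Remediate from an elevated shell.

```powershell
# Audit (and optionally raise) the DCOM Default Authentication Level that the
# CVE-2022-37976 mitigation refers to. Added example, not from the original post.
# Assumption: the dcomcnfg "Default Authentication Level" is backed by the
# HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel DWORD; when the value
# is absent, the built-in default (2 = Connect) is in effect.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Minimum acceptable level; 5 = Packet Integrity, as the post recommends
    [ValidateRange(1, 6)]
    [int]$MinimumLevel = 5,
    # Report-only by default; pass -Remediate to raise the level
    [switch]$Remediate
)

$olePath    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$valueName  = 'LegacyAuthenticationLevel'
$levelNames = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}

# Read the current value; a missing value means the default (Connect) applies
$current  = (Get-ItemProperty -Path $olePath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$explicit = $null -ne $current
if (-not $explicit) { $current = 2 }
$label = if ($levelNames.ContainsKey($current)) { $levelNames[$current] } else { 'Unknown' }

Write-Host ("Default Authentication Level: {0} ({1}){2}" -f $current, $label,
    $(if ($explicit) { '' } else { ' [not set; built-in default]' }))

if ($current -ge $MinimumLevel) {
    Write-Host "OK: level meets the minimum of $MinimumLevel ($($levelNames[$MinimumLevel]))."
    return
}

Write-Warning "Level $current is below the recommended $MinimumLevel ($($levelNames[$MinimumLevel]))."

if ($Remediate -and $PSCmdlet.ShouldProcess("$olePath\$valueName", "Set to $MinimumLevel")) {
    # Requires an elevated shell; affects new DCOM connections on this host
    Set-ItemProperty -Path $olePath -Name $valueName -Value $MinimumLevel -Type DWord
    Write-Host "Set $valueName to $MinimumLevel. Validate DCOM-dependent applications afterwards."
}
```

Raising the level can break legacy DCOM clients that only negotiate Connect-level authentication, so run it in report-only mode first and test with -Remediate -WhatIf before changing production hosts.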

CVE-2022-41038, CVE-2022-41036, CVE-2022-41037, CVE-2022-38053 – Microsoft SharePoint Server Remote Code Execution Vulnerability

Here we have a combo of 4 vulnerabilities in SharePoint. All of them have CVSS 8.8, but only the first one is marked as Critical. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. These bugs affect all supported SharePoint versions.

CVE-2022-30198, CVE-2022-24504, CVE-2022-33634, CVE-2022-22035, CVE-2022-38047, CVE-2022-38000, CVE-2022-41081 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

Then we have an even bigger combo: 7 bugs in the Point-to-Point Tunneling Protocol (PPTP). We observed a similar situation in past months, so if you are using VPN connections based on PPTP, please consider patching soon.

CVE-2022-38049, CVE-2022-38048, CVE-2022-41031 – Microsoft Office Graphics, Microsoft Office, Microsoft Word Remote Code Execution Vulnerability

Next we come to 3 Office vulnerabilities, which are rarely rated as Critical at this score (7.8). Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a use-after-free (UAF) that could lead to passing an arbitrary pointer to a free call, which makes further memory corruption possible.

CVE-2022-37979 – Windows Hyper-V Elevation of Privilege Vulnerability

This bug could allow a Hyper-V guest to affect the functionality of the Hyper-V host. An attacker in a nested Hyper-V environment would gain Level 1 Hyper-V Windows Root OS privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition. The attack complexity is high, but this one is still rated as Critical.

CVE-2022-34689 – Windows CryptoAPI Spoofing Vulnerability

An attacker could manipulate an existing public X.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate.

Summary

Below you can see the most important CVEs released by Microsoft for October 2022 (zero-days, criticals, and those with CVSS at least 8.0). Besides the vulnerabilities already mentioned, you can also find some info about bugs in e.g. the ODBC driver, the WDAC OLE DB provider for SQL Server, the Server service, LSA, and CSRSS. The last one might be quite interesting because it might be similar to CVE-2022-22047 (July 2022), an earlier bug for which we saw some in-the-wild exploitation.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 7+, Server 2008 R2+ |
| CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | Critical (10.0) | Network | Low | None | None | Unproven | Azure Arc |
| CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | Server 2008+ |
| CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008 R2+ |
| CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008 R2+ |
| CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | PoC | Windows 7+, Server 2008 R2+ |
| CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-38049 | Microsoft Office Graphics Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | Office 2019, Office LTSC 2021, Office 365 |
| CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | Office 2013+, Office LTSC 2021, Office 365, Office 2019 (Mac), Office LTSC 2021 (Mac) |
| CVE-2022-41031 | Microsoft Word Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | Office LTSC 2021, Office 365, Office 2019 (Mac), Office LTSC 2021 (Mac) |
| CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical (7.8) | Local | High | Low | None | Unproven | Windows 10+, Server 2016+ |
| CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | Critical (7.5) | Network | Low | None | None | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-38040 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| CVE-2022-41037 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| CVE-2022-37982 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-38031 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-38045 | Server Service Remote Protocol Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 8.1+, Server 2012+ |
| CVE-2022-38016 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 10+, Server 2019+ |
| CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Unproven | Windows 7+, Server 2008+ |
