Microsoft Patch Tuesday November 2022: Exchange ProxyNotShell RCE, JScript9, MoTW, OpenSSL, Edge, CNG, Print Spooler

Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between the October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report.
Alternative video link (for Russia): https://vk.com/video-149273431_456239107
The most important news of this Patch Tuesday was the release of patches for ProxyNotShell Remote Code Execution – Microsoft Exchange (CVE-2022-41040, CVE-2022-41082), mentioned in the previous episode. These vulnerabilities became public on September 28, and updates for them did not appear until November 8. Microsoft could have acted more quickly. But it’s good that the problem with these actively exploited vulnerabilities is finally solved.
But besides ProxyNotShell, this November Patch Tuesday had a lot of interesting vulnerabilities. Let’s take a look.
$ cat comments_links.txt
Qualys|November 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/11/08/november-2022-patch-tuesday
ZDI|THE NOVEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/11/8/the-november-2022-security-update-review
$ python3.8 process_classify_ms_products.py # Automated classifier for Microsoft products
$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "November" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2022
MS PT Month: November
MS PT Date: 2022-11-08
MS PT CVEs found: 66
Ext MS PT Date from: 2022-10-12
Ext MS PT Date to: 2022-11-07
Ext MS PT CVEs found: 17
ALL MS PT CVEs: 83
...
All vulnerabilities: 82
Urgent: 1
Critical: 6
High: 19
Medium: 56
Low: 0
Let’s start with vulnerabilities for which there is an exploit or signs of exploitation in the wild.
- Remote Code Execution – Windows Scripting Languages (CVE-2022-41128). Critical RCE affecting the JScript9 scripting language (Microsoft’s legacy JavaScript dialect, used by their Internet Explorer browser). It has been exploited in the wild and successful exploitation requires a user with an affected version of Windows to visit a malicious, attacker controlled server. In doing so, the attackers would get their code to execute on an affected system at the level of the logged-on user. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit).
- Security Feature Bypass – Windows Mark of the Web (CVE-2022-41049, CVE-2022-41091). MoTW is a security feature used to tag files downloaded from the internet and prevent them from performing certain actions. Files flagged with MoTW would be opened in Protected View in Microsoft Office — prompting users with a security warning banner asking them to confirm the document is trusted by selecting Enable content. A malicious actor could craft a file that could bypass MoTW “resulting in a limited loss of integrity and availability of security features such as Protected View.” The existence of a public exploit for CVE-2022-41049 is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB and Microsoft websites.
- Remote Code Execution – OpenSSL (CVE-2022-3602). The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and is known to be affected: Azure SDK for C++, vcpkg, Microsoft Azure Kubernetes Service. The existence of a public exploit is mentioned on Vulners website.
- Memory Corruption – Microsoft Edge (CVE-2022-3723). This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Exploitation in the wild is mentioned on Vulners (cisa_kev object) and AttackerKB websites.
- Elevation of Privilege – Windows CNG Key Isolation Service (CVE-2022-41125). An attacker can abuse this bug to run their code with SYSTEM privileges. They would need to be authenticated, which is why bugs like these are often paired with some form of remote code execution exploit. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB and Microsoft websites.
- Elevation of Privilege – Windows Print Spooler (CVE-2022-41073). The legacy of PrintNightmare continues as threat actors continue to mine the vast attack surface that is the Windows Print Spooler. While we’ve seen plenty of other patches since PrintNightmare, this one is listed as being in the wild. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB and Microsoft websites.
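The Mark of the Web item above describes MoTW as a tag on downloaded files that makes Office open them in Protected View. On NTFS that tag is an alternate data stream named Zone.Identifier containing a small INI-style block (ZoneId, ReferrerUrl, HostUrl), and a defender checking whether downloaded files actually carry the tag needs to read and interpret it. The script below is an added example, not code from the original post or from the Vulristics project: it parses a Zone.Identifier stream, decides whether the zone would trigger Protected View, and audits a directory for files that lack a qualifying tag. The sample stream is constructed, the `example.test` URLs are placeholders, and treating zone 4 (Restricted sites) the same as zone 3 (Internet) for Protected View is an assumption of this example.

```python
"""Audit files for Windows Mark of the Web (MoTW).

Added example, not part of the original post or the Vulristics project.
MoTW lives in the "Zone.Identifier" alternate data stream of a file:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.test/
    HostUrl=https://example.test/file.docx

The stream can only be read on Windows/NTFS; the parser is portable.
"""
import os
import sys
from typing import Optional

# URLMON URL security zones
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text: str) -> dict:
    """Parse Zone.Identifier stream contents into a dict.

    Malformed or missing ZoneId yields zone_id=None, so a file with a
    damaged stream is reported as untagged rather than crashing the audit.
    """
    result = {"zone_id": None, "zone_name": None,
              "referrer_url": None, "host_url": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            try:
                result["zone_id"] = int(value)
            except ValueError:
                result["zone_id"] = None
            result["zone_name"] = ZONE_NAMES.get(result["zone_id"])
        elif key == "referrerurl":
            result["referrer_url"] = value
        elif key == "hosturl":
            result["host_url"] = value
    return result


def needs_protected_view(zone_id: Optional[int]) -> bool:
    """Assumption of this example: Internet (3) and Restricted (4) trigger Protected View."""
    return zone_id in (3, 4)


def read_motw(path: str) -> Optional[dict]:
    """Read a file's Zone.Identifier stream (Windows only); None if absent."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + STREAM_SUFFIX, encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no stream, or volume without ADS support
        return None


def audit_directory(directory: str) -> list:
    """Return (path, zone_id) for files whose tag would NOT trigger Protected View."""
    findings = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            info = read_motw(path)
            zone = info["zone_id"] if info else None
            if not needs_protected_view(zone):
                findings.append((path, zone))
    return findings


# Constructed sample stream, as a browser writes it for an Internet download
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/downloads/\r\n"
    "HostUrl=https://example.test/downloads/report.docx\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "-> Protected View:", needs_protected_view(info["zone_id"]))
    for path, zone in audit_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: zone={zone} (no Protected View)")
```

Run it on a Windows download folder to list files that would open without Protected View; on other platforms the stream cannot be read and every file is reported as untagged, which is the point of the MoTW bypass bugs above: a file that reaches the user without a usable ZoneId gets no warning banner at all.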
Now let’s look at vulnerabilities for which there are no public exploits or signs of exploitation in the wild, but the descriptions of which are interesting enough to pay attention to.
- Elevation of Privilege – Kerberos (CVE-2022-37966). Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. Vulnerability Exploitability Assessment: Exploitation More Likely. Also pay attention to Elevation of Privilege – Kerberos (CVE-2022-37967).
- Elevation of Privilege – Microsoft Exchange (CVE-2022-41080). The technical details are unknown, and an exploit is not publicly available. Applying the patch eliminates this problem.
- Elevation of Privilege – Netlogon RPC (CVE-2022-38023). Exploitability Assessment: Exploitation More Likely.
Full Vulristics report: ms_patch_tuesday_november2022
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I post first.