Report Name: Microsoft Patch Tuesday, November 2022
Generated: 2022-11-24 15:18:33

Product Name	Prevalence	U	C	H	M	L	Comment
Kerberos	1			1	2		Kerberos
AMD Processor	0.9				1		Processor
Windows Win32k	0.9				2		Windows kernel-mode driver
.NET Framework	0.8				1		.NET Framework
BitLocker	0.8			1			A full volume encryption feature included with Microsoft Windows versions starting with Windows Vista
Microsoft DWM Core Library	0.8				1		Windows component
Microsoft Edge	0.8		1	2	12		Web browser
Microsoft Exchange	0.8				4		Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft
Microsoft Windows Sysmon	0.8				1		Windows component
OpenSSL	0.8		1	1			A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
RPC	0.8				1		Remote Procedure Call Runtime
Windows Advanced Local Procedure Call (ALPC)	0.8				3		Windows component
Windows Bind Filter Driver	0.8				1		Windows component
Windows CNG Key Isolation Service	0.8		1				Windows component
Windows Digital Media Receiver	0.8				1		Windows component
Windows Extensible File Allocation Table	0.8				1		Windows component
Windows GDI	0.8				1		Windows component
Windows Graphics Component	0.8			1			Windows component
Windows Group Policy	0.8				2		Windows component
Windows HTTP.sys	0.8				1		Windows component
Windows Human Interface Device	0.8				1		Windows component
Windows Mark of the Web	0.8		2				Windows component
Windows Network Address Translation (NAT)	0.8			1			Windows component
Windows Overlay Filter	0.8				2		Windows component
Windows Point-to-Point Tunneling Protocol	0.8			3	2		Windows component
Windows Print Spooler	0.8		1				Windows component
Windows Resilient File System (ReFS)	0.8				1		Windows component
Windows Scripting Languages	0.8	1		1			Windows component
Windows Subsystem for Linux (WSL2) Kernel	0.8				1		Windows component
Windows Win32 Kernel Subsystem	0.8				1		Windows component
Microsoft SharePoint	0.7			1	1		Microsoft SharePoint
Microsoft Excel	0.6			2	2		MS Office product
Microsoft Office Graphics	0.6			1			Microsoft Office Graphics
Microsoft Word	0.6			1	2		MS Office product
Windows Hyper-V	0.6				1		Hardware virtualization component of the client editions of Windows NT
Azure CycleCloud	0.5				1		Azure CycleCloud
Microsoft Business Central	0.5				1		Microsoft Business Central
Microsoft ODBC Driver	0.5			2			Microsoft ODBC Driver
Network Policy Server (NPS) RADIUS Protocol	0.5				2		Network Policy Server (NPS) RADIUS Protocol
Azure	0.4			1			Azure
Git	0.4				1		Git
Azure RTOS	0.3				1		Azure RTOS is a small, fast, reliable, and easy-to-use real-time operating system (RTOS) for connecting deeply embedded IoT devices
Visual Studio	0.3				1		Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0	1	1	12	2		Remote Code Execution
Code Injection	0.97			1			Code Injection
Security Feature Bypass	0.9		2	3	1		Security Feature Bypass
Denial of Service	0.7			3	4		Denial of Service
Memory Corruption	0.6		1		10		Memory Corruption
Elevation of Privilege	0.5		2		24		Elevation of Privilege
Information Disclosure	0.4				10		Information Disclosure
Spoofing	0.4				3		Spoofing
Unknown Vulnerability Type	0				2		Unknown Vulnerability Type

Urgent (1)

1. Remote Code Execution - Windows Scripting Languages (CVE-2022-41128) - Urgent [856]

Description: Windows Scripting Languages Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41118.

qualys: CVE-2022-41128 | Windows Scripting Languages Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8 / 10. This vulnerability affects the JScript9 scripting language, which is part of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41118 and CVE-2022-41128 are RCE vulnerabilities affecting the JScript9 and Chakra scripting languages. CVE-2022-41128 has a CVSSv3 score of 8.8 and only impacts the JScript9 scripting language. It has been exploited in the wild and successful exploitation requires a user with an affected version of Windows to visit a malicious, attacker controlled server. CVE-2022-41118 on the other hand, has a CVSSv3 score of 7.5 and has not been observed to be exploited. In the case of CVE-2022-41118, an attacker would need to convince a user to connect to a malicious server hosting a specially crafted website as well as win a race condition. Despite these barriers for exploitation, Microsoft still rated CVE-2022-41118 as “Exploitation More Likely.”

rapid7: CVE-2022-41128, a Critical RCE affecting the JScript9 scripting language (Microsoft’s legacy JavaScript dialect, used by their Internet Explorer browser).

zdi: CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability. This bug in JScript is also listed as being exploited in the wild. An attack would need to lure a user to either a specially crafted website or server share. In doing so, they would get their code to execute on an affected system at the level of the logged-on user. Microsoft provides no insight into how widespread this may be but considering it’s a browse-and-own type of scenario, I expect this will be a popular bug to include in exploit kits.

Critical (6)

2. Security Feature Bypass - Windows Mark of the Web (CVE-2022-41049) - Critical [782]

Description: Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41091.

tenable: CVE-2022-41049 and CVE-2022-41091 are security feature bypass vulnerabilities affecting Windows Mark of the Web (MoTW). MoTW is a security feature used to tag files downloaded from the internet and prevent them from performing certain actions. Files flagged with MoTW would be opened in Protected View in Microsoft Office — prompting users with a security warning banner asking them to confirm the document is trusted by selecting Enable content. A malicious actor could craft a file that could bypass MoTW “resulting in a limited loss of integrity and availability of security features such as Protected View.”

tenable: CVE-2022-41049 on the other hand has not been exploited in the wild, but is rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. Both CVEs were given CVSSv3 scores of 5.4 and require user interaction — an attacker would need to entice a victim into opening the crafted file.

3. Remote Code Execution - OpenSSL (CVE-2022-3602) - Critical [691]

Description: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

MS PT Extended: CVE-2022-3602 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 65 new vulnerabilities (aka flaws) in the November 2022 update, including ten (10) vulnerabilities classified as Critical as they allow Denial of Service (DoS), Elevation of Privilege (EoP), and Remote Code Execution (RCE). This month’s Patch Tuesday included a Microsoft Defense in Depth Update (ADV220003) and addressed six (6) known exploited zero-day vulnerabilities. Earlier this month, on November 2, 2022, Microsoft also released two (2) advisories for OpenSSL 3.x for Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service (CVE-2022-3602, CVE-2022-3786). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution(RCE), Security Feature Bypass, and Spoofing.

qualys: CVE-2022-3602, CVE-2022-3786 | OpenSSL: X.509 Certificate Verification Buffer Overrun The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and is known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. For more information and guidance see Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602).Products Affected: Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service

qualys: Qualys Threat Protection High-Rated Advisories Published between October 13, - November 9, 2022, Most Recent First Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)Google Patches Zero-day vulnerability in Chrome Browser (CVE-2022-3723)Google Chrome Releases New Version to Address Multiple VulnerabilitiesOracle Releases 370 Security Patches for Various Oracle Products in October 2022 Patch TuesdayApache Commons Arbitrary Code Execution Vulnerability (Text4Shell) (CVE-2022-42889)

4. Security Feature Bypass - Windows Mark of the Web (CVE-2022-41091) - Critical [644]

Description: Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41049.

qualys: CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 score of 5.4 / 10. This vulnerability affects the JScript9 scripting language, which is part of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact LOW for Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41049 and CVE-2022-41091 are security feature bypass vulnerabilities affecting Windows Mark of the Web (MoTW). MoTW is a security feature used to tag files downloaded from the internet and prevent them from performing certain actions. Files flagged with MoTW would be opened in Protected View in Microsoft Office — prompting users with a security warning banner asking them to confirm the document is trusted by selecting Enable content. A malicious actor could craft a file that could bypass MoTW “resulting in a limited loss of integrity and availability of security features such as Protected View.”

tenable: CVE-2022-41091 has been exploited in the wild and for which exploit code is publicly available. Though it was not credited to any researcher in particular, researchers at HP observed the Magniber ransomware group exploiting this vulnerability in the wild.

rapid7: The fourth zero-day, CVE-2022-41091, was previously disclosed and widely reported on in October. It is a Security Feature Bypass of “Windows Mark of the Web” – a mechanism meant to flag files that have come from an untrusted source.

zdi: CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability. If you follow Will Dormann on Twitter, you probably have already read quite a bit about these types of bugs. Mark of the Web (MoW) is meant to be applied to files downloaded from the Internet. These files should be treated differently and receive security warning dialogs when accessing them. This vulnerability is also listed as being under active attack, but again, Microsoft provides no information on how widespread these attacks may be.

5. Memory Corruption - Microsoft Edge (CVE-2022-3723) - Critical [637]

Description: Chromium: CVE-2022-3723 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild.

MS PT Extended: CVE-2022-3723 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

qualys: Qualys Threat Protection High-Rated Advisories Published between October 13, - November 9, 2022, Most Recent First Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)Google Patches Zero-day vulnerability in Chrome Browser (CVE-2022-3723)Google Chrome Releases New Version to Address Multiple VulnerabilitiesOracle Releases 370 Security Patches for Various Oracle Products in October 2022 Patch TuesdayApache Commons Arbitrary Code Execution Vulnerability (Text4Shell) (CVE-2022-42889)

6. Elevation of Privilege - Windows CNG Key Isolation Service (CVE-2022-41125) - Critical [604]

Description: Windows CNG Key Isolation Service Elevation of Privilege Vulnerability.

qualys: CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8 / 10. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Windows Next-generation Cryptography (CNG)Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41125 is an EoP vulnerability in the Windows Cryptography Next Generation (CNG) Key Isolation Service used for Windows cryptographic support and operations. With a CVSSv3 score of 7.8, successful exploitation would allow an attacker to gain SYSTEM privileges. While no additional details were provided in the advisory, this vulnerability has reportedly been exploited in the wild and is one of four CVEs in this month's Patch Tuesday release to have been flagged as “exploitation detected” according to Microsoft.

rapid7: CVE-2022-41125 is also an Important privilege escalation vulnerability, affecting the Windows Next-generation Cryptography (CNG) Key Isolation service.

zdi: CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability. The final bug listed under active attack for November is this privilege escalation in the “Cryptography Application Programming Interface - Next Generation” (CNG) Key Isolation Service. An attacker can abuse this bug to run their code at SYSTEM. They would need to be authenticated, which is why bugs like these are often paired with some form of remote code execution exploit. As with all the other in-the-wild exploits, there’s no indication of how widely this is being used, but it’s likely somewhat targeted at this point. Still, test and deploy the updates quickly.

7. Elevation of Privilege - Windows Print Spooler (CVE-2022-41073) - Critical [604]

Description: Windows Print Spooler Elevation of Privilege Vulnerability.

qualys: CVE-2022-41073 | Windows Print Spooler Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8 / 10. This vulnerability affects the JScript9 scripting language, which is part of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41073 is an EoP vulnerability affecting the Windows Print Spooler service. The vulnerability carries a CVSSv3 score of 7.8 and discovery was credited to Microsoft Threat Intelligence Center. This flaw has been exploited in the wild, according to Microsoft, and could allow a low privileged user to gain SYSTEM level privileges.

rapid7: CVE-2022-41073 is the latest in a storied history of vulnerabilities affecting the Windows Print Spooler, allowing privilege escalation and considered Important.

zdi: CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability. The legacy of PrintNightmare continues as threat actors continue to mine the vast attack surface that is the Windows Print Spooler. While we’ve seen plenty of other patches since PrintNightmare, this one is listed as being in the wild. While not specifically called out, disabling the print spooler should be an effective workaround. Of course, that breaks printing, but if you’re in a situation where patching isn’t feasible, it is an option.

High (19)

8. Remote Code Execution - Windows Graphics Component (CVE-2022-41052) - High [462]

Description: Windows Graphics Component Remote Code Execution Vulnerability.

9. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-41039) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41044, CVE-2022-41088.

10. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-41044) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41039, CVE-2022-41088.

qualys: CVE-2022-41044 | Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Less Likely

11. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-41088) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41039, CVE-2022-41044.

qualys: CVE-2022-41088 | Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Successful exploitation of this vulnerability requires an attacker to win a race condition. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Less Likely

12. Remote Code Execution - Windows Scripting Languages (CVE-2022-41118) - High [462]

Description: Windows Scripting Languages Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41128.

qualys: CVE-2022-41118 | Windows Scripting Languages Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5 / 10. This vulnerability impacts both the JScript9 and Chakra scripting languages, which are both parts of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-41118 and CVE-2022-41128 are RCE vulnerabilities affecting the JScript9 and Chakra scripting languages. CVE-2022-41128 has a CVSSv3 score of 8.8 and only impacts the JScript9 scripting language. It has been exploited in the wild and successful exploitation requires a user with an affected version of Windows to visit a malicious, attacker controlled server. CVE-2022-41118 on the other hand, has a CVSSv3 score of 7.5 and has not been observed to be exploited. In the case of CVE-2022-41118, an attacker would need to convince a user to connect to a malicious server hosting a specially crafted website as well as win a race condition. Despite these barriers for exploitation, Microsoft still rated CVE-2022-41118 as “Exploitation More Likely.”

13. Remote Code Execution - Microsoft SharePoint (CVE-2022-41062) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability.

rapid7: Exchange Server admins are not the only ones on the hook this month: SharePoint Server is affected by CVE-2022-41062, an Important RCE that could allow an attacker who has Site Member privileges to execute code remotely on the server. CVE-2022-41122, a Spoofing vulnerability that Microsoft rates as “Exploitation more likely” than not, was actually addressed in September’s SharePoint patches but not included in their Security Update Guide at the time.

14. Security Feature Bypass - Microsoft Edge (CVE-2022-3656) - High [455]

Description: Chromium: CVE-2022-3656 Insufficient data validation in File System. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3656 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

15. Denial of Service - Kerberos (CVE-2022-41053) - High [439]

Description: Windows Kerberos Denial of Service Vulnerability.

16. Security Feature Bypass - Microsoft Edge (CVE-2022-3661) - High [428]

Description: Chromium: CVE-2022-3661 Insufficient data validation in Extensions. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3661 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

17. Remote Code Execution - Microsoft Excel (CVE-2022-41063) - High [424]

Description: Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41106.

18. Remote Code Execution - Microsoft Excel (CVE-2022-41106) - High [424]

Description: Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41063.

19. Remote Code Execution - Microsoft Office Graphics (CVE-2022-41107) - High [424]

Description: Microsoft Office Graphics Remote Code Execution Vulnerability.

20. Remote Code Execution - Microsoft Word (CVE-2022-41061) - High [424]

Description: Microsoft Word Remote Code Execution Vulnerability.

21. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-41047) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41048.

22. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-41048) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41047.

23. Code Injection - Azure (CVE-2022-39327) - High [407]

Description: Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a a mitigation for the vulnerability.

24. Denial of Service - OpenSSL (CVE-2022-3786) - High [401]

Description: {'ms_cve_data_all': 'OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3786 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 65 new vulnerabilities (aka flaws) in the November 2022 update, including ten (10) vulnerabilities classified as Critical as they allow Denial of Service (DoS), Elevation of Privilege (EoP), and Remote Code Execution (RCE). This month’s Patch Tuesday included a Microsoft Defense in Depth Update (ADV220003) and addressed six (6) known exploited zero-day vulnerabilities. Earlier this month, on November 2, 2022, Microsoft also released two (2) advisories for OpenSSL 3.x for Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service (CVE-2022-3602, CVE-2022-3786). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution(RCE), Security Feature Bypass, and Spoofing.

qualys: CVE-2022-3602, CVE-2022-3786 | OpenSSL: X.509 Certificate Verification Buffer Overrun The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and is known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. For more information and guidance see Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602).Products Affected: Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service

qualys: Qualys Threat Protection High-Rated Advisories Published between October 13, - November 9, 2022, Most Recent First Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)Google Patches Zero-day vulnerability in Chrome Browser (CVE-2022-3723)Google Chrome Releases New Version to Address Multiple VulnerabilitiesOracle Releases 370 Security Patches for Various Oracle Products in October 2022 Patch TuesdayApache Commons Arbitrary Code Execution Vulnerability (Text4Shell) (CVE-2022-42889)

25. Denial of Service - Windows Network Address Translation (NAT) (CVE-2022-41058) - High [401]

Description: Windows Network Address Translation (NAT) Denial of Service Vulnerability.

26. Security Feature Bypass - BitLocker (CVE-2022-41099) - High [401]

Description: BitLocker Security Feature Bypass Vulnerability.

Medium (56)

27. Elevation of Privilege - Kerberos (CVE-2022-37966) - Medium [398]

Description: Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.

qualys: CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. For more information, please see How to manage the Kerberos Protocol changes related to CVE-2022-37966.Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation More Likely

28. Memory Corruption - Microsoft Edge (CVE-2022-3445) - Medium [394]

Description: Chromium: CVE-2022-3445 Use after free in Skia. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3445 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

29. Memory Corruption - Microsoft Edge (CVE-2022-3446) - Medium [394]

Description: Chromium: CVE-2022-3446 Heap buffer overflow in WebSQL. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3446 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

30. Memory Corruption - Microsoft Edge (CVE-2022-3448) - Medium [394]

Description: Chromium: CVE-2022-3448 Use after free in Permissions API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3448 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

31. Memory Corruption - Microsoft Edge (CVE-2022-3449) - Medium [394]

Description: Chromium: CVE-2022-3449 Use after free in Safe Browsing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3449 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

32. Memory Corruption - Microsoft Edge (CVE-2022-3450) - Medium [394]

Description: Chromium: CVE-2022-3450 Use after free in Peer Connection. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3450 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

33. Memory Corruption - Microsoft Edge (CVE-2022-3652) - Medium [394]

Description: Chromium: CVE-2022-3652 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3652 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

34. Memory Corruption - Microsoft Edge (CVE-2022-3653) - Medium [394]

Description: Chromium: CVE-2022-3653 Heap buffer overflow in Vulkan. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3653 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

35. Memory Corruption - Microsoft Edge (CVE-2022-3654) - Medium [394]

Description: Chromium: CVE-2022-3654 Use after free in Layout. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3654 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

36. Memory Corruption - Microsoft Edge (CVE-2022-3655) - Medium [394]

Description: Chromium: CVE-2022-3655 Heap buffer overflow in Media Galleries. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3655 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

37. Memory Corruption - Microsoft Edge (CVE-2022-3657) - Medium [394]

Description: Chromium: CVE-2022-3657 Use after free in Extensions. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3657 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

38. Elevation of Privilege - Kerberos (CVE-2022-37967) - Medium [385]

Description: Windows Kerberos Elevation of Privilege Vulnerability.

qualys: CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 7.2 / 10. Exploitability Assessment: Exploitation More Likely

qualys: Take Action > KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 To help protect your environment and prevent outages, we recommend that you take the following steps:  UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.MOVE your Windows domain controllers to Audit mode by using the Registry Key setting section.MONITOR events filed during Audit mode to secure your environment.ENABLE Enforcement mode to address CVE-2022-37967 in your environment. NOTE: Step 1 of installing updates released on or after November 8, 2022, will not address the security issues in CVE-2022-37967 for Windows devices by default. To fully mitigate the security issue for all devices, you must move to Audit mode (described in Step 2) followed by Enforcement Mode (described in Step 4) as soon as possible on all Windows domain controllers. 

qualys: Leverage Custom Assessment and Remediation for CVE-2022-37967 Kerberos EOP Vuln to Execute Step #2: Enable Audit Mode:

qualys: Write-Output "Audit mode has been enabled for CVE-2022-37967 mitigation. Value '2' has been configured for KrbtgtFullPacSignature"

qualys: Leverage Custom Assessment and Remediation for CVE-2022-37967 Kerberos EOP Vuln to Execute Step #4: Enable Enforcement Mode:

qualys: Write-Output "Enforcement mode has been enabled for CVE-2022-37967 mitigation. Value '3' has been configured for KrbtgtFullPacSignature"

qualys: CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 7.2 / 10. Policy Compliance Control IDs (CIDs): 25167 Status of the 'KrbtgtFullPacSignature' setting for the Kerberos As per KB5020805, this mitigation should be applied after the patch  NOTE: To help protect your environment and prevent outages, we have outlined the Qualys recommended remediation steps above and provided Qualys Custom Assessment and Remediation (CAR) supporting scripts. Exploitability Assessment: Exploitation More Likely

39. Elevation of Privilege - Windows Win32k (CVE-2022-41092) - Medium [379]

Description: Windows Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41109.

40. Elevation of Privilege - Windows Win32k (CVE-2022-41109) - Medium [379]

Description: Windows Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41092.

41. Security Feature Bypass - Microsoft Excel (CVE-2022-41104) - Medium [377]

Description: Microsoft Excel Security Feature Bypass Vulnerability.

42. Denial of Service - Windows Point-to-Point Tunneling Protocol (CVE-2022-41090) - Medium [374]

Description: Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-41116.

43. Denial of Service - Windows Point-to-Point Tunneling Protocol (CVE-2022-41116) - Medium [374]

Description: Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-41090.

44. Elevation of Privilege - Microsoft Exchange (CVE-2022-41080) - Medium [374]

Description: Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41123.

qualys: CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8 / 10. The technical details are unknown, and an exploit is not publicly available. Applying a patch is able to eliminate this problem. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. Exploitability Assessment: Exploitation More Likely

rapid7: The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed. CVE-2022-41040 is a “Critical” elevation of privilege vulnerability, and CVE-2022-41082 is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Both vulnerabilities have been exploited in the wild. Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and CVE-2022-41080 is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.

45. Remote Code Execution - Azure RTOS (CVE-2022-41051) - Medium [367]

Description: Azure RTOS GUIX Studio Remote Code Execution Vulnerability.

46. Remote Code Execution - Visual Studio (CVE-2022-41119) - Medium [367]

Description: Visual Studio Remote Code Execution Vulnerability.

47. Elevation of Privilege - Microsoft DWM Core Library (CVE-2022-41096) - Medium [360]

Description: Microsoft DWM Core Library Elevation of Privilege Vulnerability.

48. Elevation of Privilege - Microsoft Exchange (CVE-2022-41123) - Medium [360]

Description: Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41080.

49. Elevation of Privilege - Microsoft Windows Sysmon (CVE-2022-41120) - Medium [360]

Description: Microsoft Windows Sysmon Elevation of Privilege Vulnerability.

50. Elevation of Privilege - RPC (CVE-2022-38023) - Medium [360]

Description: Netlogon RPC Elevation of Privilege Vulnerability.

qualys: CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Exploitability Assessment: Exploitation More Likely Note: This update protects Windows devices from CVE-2022-38023 by default.  For third-party clients and third-party domain controllers, the update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.

qualys: Leverage Custom Assessment and Remediation for CVE-2022-38023 - Netlogon RPC EOP Vuln to Enable Enforcement Mode:

qualys: Write-Output "Enforcement mode has been enabled for CVE-2022-38023 mitigation for third-party clients and third-party domain controllers. Value '2' has been configured for RequireSeal"

qualys: CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Policy Compliance Control IDs (CIDs): 25168 Status of the 'RequireSeal' setting for the Netlogon Remote Protocol As per KB5021130, this mitigation should be applied after the patch  NOTE: To help protect your environment and prevent outages, we have outlined the Qualys recommended remediation steps above and provided Qualys Custom Assessment and Remediation (CAR) supporting scripts. Exploitability Assessment: Exploitation More Likely

51. Elevation of Privilege - Windows Advanced Local Procedure Call (ALPC) (CVE-2022-41045) - Medium [360]

Description: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41093, CVE-2022-41100.

52. Elevation of Privilege - Windows Advanced Local Procedure Call (ALPC) (CVE-2022-41093) - Medium [360]

Description: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41045, CVE-2022-41100.

53. Elevation of Privilege - Windows Advanced Local Procedure Call (ALPC) (CVE-2022-41100) - Medium [360]

Description: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41045, CVE-2022-41093.

54. Elevation of Privilege - Windows Digital Media Receiver (CVE-2022-41095) - Medium [360]

Description: Windows Digital Media Receiver Elevation of Privilege Vulnerability.

55. Elevation of Privilege - Windows Extensible File Allocation Table (CVE-2022-41050) - Medium [360]

Description: Windows Extensible File Allocation Table Elevation of Privilege Vulnerability.

56. Elevation of Privilege - Windows Group Policy (CVE-2022-37992) - Medium [360]

Description: Windows Group Policy Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41086.

57. Elevation of Privilege - Windows HTTP.sys (CVE-2022-41057) - Medium [360]

Description: Windows HTTP.sys Elevation of Privilege Vulnerability.

58. Elevation of Privilege - Windows Overlay Filter (CVE-2022-41101) - Medium [360]

Description: Windows Overlay Filter Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41102.

59. Elevation of Privilege - Windows Overlay Filter (CVE-2022-41102) - Medium [360]

Description: Windows Overlay Filter Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41101.

60. Elevation of Privilege - Windows Resilient File System (ReFS) (CVE-2022-41054) - Medium [360]

Description: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability.

61. Elevation of Privilege - Windows Win32 Kernel Subsystem (CVE-2022-41113) - Medium [360]

Description: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability.

62. Denial of Service - Windows Hyper-V (CVE-2022-38015) - Medium [350]

Description: Windows Hyper-V Denial of Service Vulnerability.

63. Elevation of Privilege - Windows Bind Filter Driver (CVE-2022-41114) - Medium [347]

Description: Windows Bind Filter Driver Elevation of Privilege Vulnerability.

64. Elevation of Privilege - Windows Subsystem for Linux (WSL2) Kernel (CVE-2022-38014) - Medium [347]

Description: Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability.

65. Denial of Service - Network Policy Server (NPS) RADIUS Protocol (CVE-2022-41056) - Medium [344]

Description: Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability.

66. Spoofing - Microsoft Exchange (CVE-2022-41078) - Medium [340]

Description: Microsoft Exchange Server Spoofing Vulnerability. This CVE ID is unique from CVE-2022-41079.

67. Spoofing - Microsoft Exchange (CVE-2022-41079) - Medium [340]

Description: Microsoft Exchange Server Spoofing Vulnerability. This CVE ID is unique from CVE-2022-41078.

68. Elevation of Privilege - Windows Group Policy (CVE-2022-41086) - Medium [333]

Description: Windows Group Policy Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37992.

69. Information Disclosure - AMD Processor (CVE-2022-23824) - Medium [332]

Description: {'ms_cve_data_all': 'AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions', 'nvd_cve_data_all': 'IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.', 'combined_cve_data_all': ''}

70. Information Disclosure - .NET Framework (CVE-2022-41064) - Medium [313]

Description: .NET Framework Information Disclosure Vulnerability.

71. Information Disclosure - Windows GDI (CVE-2022-41098) - Medium [313]

Description: Windows GDI+ Information Disclosure Vulnerability.

72. Information Disclosure - Windows Human Interface Device (CVE-2022-41055) - Medium [313]

Description: Windows Human Interface Device Information Disclosure Vulnerability.

73. Spoofing - Microsoft SharePoint (CVE-2022-41122) - Medium [308]

Description: Microsoft SharePoint Server Spoofing Vulnerability.

rapid7: Exchange Server admins are not the only ones on the hook this month: SharePoint Server is affected by CVE-2022-41062, an Important RCE that could allow an attacker who has Site Member privileges to execute code remotely on the server. CVE-2022-41122, a Spoofing vulnerability that Microsoft rates as “Exploitation more likely” than not, was actually addressed in September’s SharePoint patches but not included in their Security Update Guide at the time.

74. Elevation of Privilege - Azure CycleCloud (CVE-2022-41085) - Medium [304]

Description: Azure CycleCloud Elevation of Privilege Vulnerability.

75. Information Disclosure - Microsoft Excel (CVE-2022-41105) - Medium [275]

Description: Microsoft Excel Information Disclosure Vulnerability.

76. Information Disclosure - Microsoft Word (CVE-2022-41060) - Medium [275]

Description: Microsoft Word Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-41103.

77. Information Disclosure - Microsoft Word (CVE-2022-41103) - Medium [275]

Description: Microsoft Word Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-41060.

78. Information Disclosure - Network Policy Server (NPS) RADIUS Protocol (CVE-2022-41097) - Medium [270]

Description: Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability.

79. Information Disclosure - Git (CVE-2022-39253) - Medium [237]

Description: Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

80. Information Disclosure - Microsoft Business Central (CVE-2022-41066) - Medium [229]

Description: Microsoft Business Central Information Disclosure Vulnerability.

81. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-3447) - Medium [205]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-3447 Inappropriate implementation in Custom Tabs. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': 'Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 106.0.5249.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 106.0.5249.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3447 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

82. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-3660) - Medium [205]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-3660 Inappropriate implementation in Full screen mode. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Full screen mode in Google Chrome on Android prior to 107.0.5304.62 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3660 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

Low (0)

Exploitation in the wild detected (6)

Remote Code Execution (1)

• Windows Scripting Languages (CVE-2022-41128)

qualys: CVE-2022-41128 | Windows Scripting Languages Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8 / 10. This vulnerability affects the JScript9 scripting language, which is part of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41118 and CVE-2022-41128 are RCE vulnerabilities affecting the JScript9 and Chakra scripting languages. CVE-2022-41128 has a CVSSv3 score of 8.8 and only impacts the JScript9 scripting language. It has been exploited in the wild and successful exploitation requires a user with an affected version of Windows to visit a malicious, attacker controlled server. CVE-2022-41118 on the other hand, has a CVSSv3 score of 7.5 and has not been observed to be exploited. In the case of CVE-2022-41118, an attacker would need to convince a user to connect to a malicious server hosting a specially crafted website as well as win a race condition. Despite these barriers for exploitation, Microsoft still rated CVE-2022-41118 as “Exploitation More Likely.”

rapid7: CVE-2022-41128, a Critical RCE affecting the JScript9 scripting language (Microsoft’s legacy JavaScript dialect, used by their Internet Explorer browser).

zdi: CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability. This bug in JScript is also listed as being exploited in the wild. An attack would need to lure a user to either a specially crafted website or server share. In doing so, they would get their code to execute on an affected system at the level of the logged-on user. Microsoft provides no insight into how widespread this may be but considering it’s a browse-and-own type of scenario, I expect this will be a popular bug to include in exploit kits.

Security Feature Bypass (2)

• Windows Mark of the Web (CVE-2022-41049, CVE-2022-41091)

qualys: CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 score of 5.4 / 10. This vulnerability affects the JScript9 scripting language, which is part of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact LOW for Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41049 and CVE-2022-41091 are security feature bypass vulnerabilities affecting Windows Mark of the Web (MoTW). MoTW is a security feature used to tag files downloaded from the internet and prevent them from performing certain actions. Files flagged with MoTW would be opened in Protected View in Microsoft Office — prompting users with a security warning banner asking them to confirm the document is trusted by selecting Enable content. A malicious actor could craft a file that could bypass MoTW “resulting in a limited loss of integrity and availability of security features such as Protected View.”

tenable: CVE-2022-41091 has been exploited in the wild and for which exploit code is publicly available. Though it was not credited to any researcher in particular, researchers at HP observed the Magniber ransomware group exploiting this vulnerability in the wild.

tenable: CVE-2022-41049 on the other hand has not been exploited in the wild, but is rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. Both CVEs were given CVSSv3 scores of 5.4 and require user interaction — an attacker would need to entice a victim into opening the crafted file.

rapid7: The fourth zero-day, CVE-2022-41091, was previously disclosed and widely reported on in October. It is a Security Feature Bypass of “Windows Mark of the Web” – a mechanism meant to flag files that have come from an untrusted source.

zdi: CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability. If you follow Will Dormann on Twitter, you probably have already read quite a bit about these types of bugs. Mark of the Web (MoW) is meant to be applied to files downloaded from the Internet. These files should be treated differently and receive security warning dialogs when accessing them. This vulnerability is also listed as being under active attack, but again, Microsoft provides no information on how widespread these attacks may be.

Memory Corruption (1)

• Microsoft Edge (CVE-2022-3723)

MS PT Extended: CVE-2022-3723 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

qualys: Qualys Threat Protection High-Rated Advisories Published between October 13, - November 9, 2022, Most Recent First Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)Google Patches Zero-day vulnerability in Chrome Browser (CVE-2022-3723)Google Chrome Releases New Version to Address Multiple VulnerabilitiesOracle Releases 370 Security Patches for Various Oracle Products in October 2022 Patch TuesdayApache Commons Arbitrary Code Execution Vulnerability (Text4Shell) (CVE-2022-42889)

Elevation of Privilege (2)

• Windows CNG Key Isolation Service (CVE-2022-41125)

qualys: CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8 / 10. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Windows Next-generation Cryptography (CNG)Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41125 is an EoP vulnerability in the Windows Cryptography Next Generation (CNG) Key Isolation Service used for Windows cryptographic support and operations. With a CVSSv3 score of 7.8, successful exploitation would allow an attacker to gain SYSTEM privileges. While no additional details were provided in the advisory, this vulnerability has reportedly been exploited in the wild and is one of four CVEs in this month's Patch Tuesday release to have been flagged as “exploitation detected” according to Microsoft.

rapid7: CVE-2022-41125 is also an Important privilege escalation vulnerability, affecting the Windows Next-generation Cryptography (CNG) Key Isolation service.

zdi: CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability. The final bug listed under active attack for November is this privilege escalation in the “Cryptography Application Programming Interface - Next Generation” (CNG) Key Isolation Service. An attacker can abuse this bug to run their code at SYSTEM. They would need to be authenticated, which is why bugs like these are often paired with some form of remote code execution exploit. As with all the other in-the-wild exploits, there’s no indication of how widely this is being used, but it’s likely somewhat targeted at this point. Still, test and deploy the updates quickly.

• Windows Print Spooler (CVE-2022-41073)

qualys: CVE-2022-41073 | Windows Print Spooler Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8 / 10. This vulnerability affects the JScript9 scripting language, which is part of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41073 is an EoP vulnerability affecting the Windows Print Spooler service. The vulnerability carries a CVSSv3 score of 7.8 and discovery was credited to Microsoft Threat Intelligence Center. This flaw has been exploited in the wild, according to Microsoft, and could allow a low privileged user to gain SYSTEM level privileges.

rapid7: CVE-2022-41073 is the latest in a storied history of vulnerabilities affecting the Windows Print Spooler, allowing privilege escalation and considered Important.

zdi: CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability. The legacy of PrintNightmare continues as threat actors continue to mine the vast attack surface that is the Windows Print Spooler. While we’ve seen plenty of other patches since PrintNightmare, this one is listed as being in the wild. While not specifically called out, disabling the print spooler should be an effective workaround. Of course, that breaks printing, but if you’re in a situation where patching isn’t feasible, it is an option.

Public exploit exists, but exploitation in the wild is NOT detected (1)

Remote Code Execution (1)

• OpenSSL (CVE-2022-3602)

MS PT Extended: CVE-2022-3602 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 65 new vulnerabilities (aka flaws) in the November 2022 update, including ten (10) vulnerabilities classified as Critical as they allow Denial of Service (DoS), Elevation of Privilege (EoP), and Remote Code Execution (RCE). This month’s Patch Tuesday included a Microsoft Defense in Depth Update (ADV220003) and addressed six (6) known exploited zero-day vulnerabilities. Earlier this month, on November 2, 2022, Microsoft also released two (2) advisories for OpenSSL 3.x for Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service (CVE-2022-3602, CVE-2022-3786). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution(RCE), Security Feature Bypass, and Spoofing.

qualys: CVE-2022-3602, CVE-2022-3786 | OpenSSL: X.509 Certificate Verification Buffer Overrun The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and is known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. For more information and guidance see Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602).Products Affected: Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service

qualys: Qualys Threat Protection High-Rated Advisories Published between October 13, - November 9, 2022, Most Recent First Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)Google Patches Zero-day vulnerability in Chrome Browser (CVE-2022-3723)Google Chrome Releases New Version to Address Multiple VulnerabilitiesOracle Releases 370 Security Patches for Various Oracle Products in October 2022 Patch TuesdayApache Commons Arbitrary Code Execution Vulnerability (Text4Shell) (CVE-2022-42889)

Other Vulnerabilities (75)

Remote Code Execution (14)

• Windows Graphics Component (CVE-2022-41052)
• Windows Point-to-Point Tunneling Protocol (CVE-2022-41039, CVE-2022-41044, CVE-2022-41088)

qualys: CVE-2022-41044 | Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Less Likely

qualys: CVE-2022-41088 | Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Successful exploitation of this vulnerability requires an attacker to win a race condition. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation Less Likely

• Windows Scripting Languages (CVE-2022-41118)

qualys: CVE-2022-41118 | Windows Scripting Languages Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5 / 10. This vulnerability impacts both the JScript9 and Chakra scripting languages, which are both parts of the component Scripting Language. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-41118 and CVE-2022-41128 are RCE vulnerabilities affecting the JScript9 and Chakra scripting languages. CVE-2022-41128 has a CVSSv3 score of 8.8 and only impacts the JScript9 scripting language. It has been exploited in the wild and successful exploitation requires a user with an affected version of Windows to visit a malicious, attacker controlled server. CVE-2022-41118 on the other hand, has a CVSSv3 score of 7.5 and has not been observed to be exploited. In the case of CVE-2022-41118, an attacker would need to convince a user to connect to a malicious server hosting a specially crafted website as well as win a race condition. Despite these barriers for exploitation, Microsoft still rated CVE-2022-41118 as “Exploitation More Likely.”

• Microsoft SharePoint (CVE-2022-41062)

rapid7: Exchange Server admins are not the only ones on the hook this month: SharePoint Server is affected by CVE-2022-41062, an Important RCE that could allow an attacker who has Site Member privileges to execute code remotely on the server. CVE-2022-41122, a Spoofing vulnerability that Microsoft rates as “Exploitation more likely” than not, was actually addressed in September’s SharePoint patches but not included in their Security Update Guide at the time.

• Microsoft Excel (CVE-2022-41063, CVE-2022-41106)
• Microsoft Office Graphics (CVE-2022-41107)
• Microsoft Word (CVE-2022-41061)
• Microsoft ODBC Driver (CVE-2022-41047, CVE-2022-41048)
• Azure RTOS (CVE-2022-41051)
• Visual Studio (CVE-2022-41119)

Security Feature Bypass (4)

• Microsoft Edge (CVE-2022-3656, CVE-2022-3661)

MS PT Extended: CVE-2022-3661 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3656 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

• BitLocker (CVE-2022-41099)
• Microsoft Excel (CVE-2022-41104)

Denial of Service (7)

• Kerberos (CVE-2022-41053)
• OpenSSL (CVE-2022-3786)

MS PT Extended: CVE-2022-3786 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 65 new vulnerabilities (aka flaws) in the November 2022 update, including ten (10) vulnerabilities classified as Critical as they allow Denial of Service (DoS), Elevation of Privilege (EoP), and Remote Code Execution (RCE). This month’s Patch Tuesday included a Microsoft Defense in Depth Update (ADV220003) and addressed six (6) known exploited zero-day vulnerabilities. Earlier this month, on November 2, 2022, Microsoft also released two (2) advisories for OpenSSL 3.x for Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service (CVE-2022-3602, CVE-2022-3786). Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution(RCE), Security Feature Bypass, and Spoofing.

qualys: CVE-2022-3602, CVE-2022-3786 | OpenSSL: X.509 Certificate Verification Buffer Overrun The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and is known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. For more information and guidance see Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602).Products Affected: Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service

qualys: Qualys Threat Protection High-Rated Advisories Published between October 13, - November 9, 2022, Most Recent First Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)Google Patches Zero-day vulnerability in Chrome Browser (CVE-2022-3723)Google Chrome Releases New Version to Address Multiple VulnerabilitiesOracle Releases 370 Security Patches for Various Oracle Products in October 2022 Patch TuesdayApache Commons Arbitrary Code Execution Vulnerability (Text4Shell) (CVE-2022-42889)

• Windows Network Address Translation (NAT) (CVE-2022-41058)
• Windows Point-to-Point Tunneling Protocol (CVE-2022-41090, CVE-2022-41116)
• Windows Hyper-V (CVE-2022-38015)
• Network Policy Server (NPS) RADIUS Protocol (CVE-2022-41056)

Code Injection (1)

• Azure (CVE-2022-39327)

Elevation of Privilege (24)

• Kerberos (CVE-2022-37966, CVE-2022-37967)

qualys: CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. For more information, please see How to manage the Kerberos Protocol changes related to CVE-2022-37966.Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.Extended Security Updates (ESU) Vulnerability Exploitability Assessment: Exploitation More Likely

qualys: CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 7.2 / 10. Exploitability Assessment: Exploitation More Likely

qualys: Take Action > KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 To help protect your environment and prevent outages, we recommend that you take the following steps:  UPDATE your Windows domain controllers with a Windows update released on or after November 8, 2022.MOVE your Windows domain controllers to Audit mode by using the Registry Key setting section.MONITOR events filed during Audit mode to secure your environment.ENABLE Enforcement mode to address CVE-2022-37967 in your environment. NOTE: Step 1 of installing updates released on or after November 8, 2022, will not address the security issues in CVE-2022-37967 for Windows devices by default. To fully mitigate the security issue for all devices, you must move to Audit mode (described in Step 2) followed by Enforcement Mode (described in Step 4) as soon as possible on all Windows domain controllers. 

qualys: Leverage Custom Assessment and Remediation for CVE-2022-37967 Kerberos EOP Vuln to Execute Step #2: Enable Audit Mode:

qualys: Write-Output "Audit mode has been enabled for CVE-2022-37967 mitigation. Value '2' has been configured for KrbtgtFullPacSignature"

qualys: Leverage Custom Assessment and Remediation for CVE-2022-37967 Kerberos EOP Vuln to Execute Step #4: Enable Enforcement Mode:

qualys: Write-Output "Enforcement mode has been enabled for CVE-2022-37967 mitigation. Value '3' has been configured for KrbtgtFullPacSignature"

qualys: CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 7.2 / 10. Policy Compliance Control IDs (CIDs): 25167 Status of the 'KrbtgtFullPacSignature' setting for the Kerberos As per KB5020805, this mitigation should be applied after the patch  NOTE: To help protect your environment and prevent outages, we have outlined the Qualys recommended remediation steps above and provided Qualys Custom Assessment and Remediation (CAR) supporting scripts. Exploitability Assessment: Exploitation More Likely

• Windows Win32k (CVE-2022-41092, CVE-2022-41109)
• Microsoft Exchange (CVE-2022-41080, CVE-2022-41123)

qualys: CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8 / 10. The technical details are unknown, and an exploit is not publicly available. Applying a patch is able to eliminate this problem. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched. Potential Impact HIGH for Confidentiality, Integrity, and Availability. A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. Exploitability Assessment: Exploitation More Likely

rapid7: The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed. CVE-2022-41040 is a “Critical” elevation of privilege vulnerability, and CVE-2022-41082 is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Both vulnerabilities have been exploited in the wild. Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and CVE-2022-41080 is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.

• Microsoft DWM Core Library (CVE-2022-41096)
• Microsoft Windows Sysmon (CVE-2022-41120)
• RPC (CVE-2022-38023)

qualys: CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Exploitability Assessment: Exploitation More Likely Note: This update protects Windows devices from CVE-2022-38023 by default.  For third-party clients and third-party domain controllers, the update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.

qualys: Leverage Custom Assessment and Remediation for CVE-2022-38023 - Netlogon RPC EOP Vuln to Enable Enforcement Mode:

qualys: Write-Output "Enforcement mode has been enabled for CVE-2022-38023 mitigation for third-party clients and third-party domain controllers. Value '2' has been configured for RequireSeal"

qualys: CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 8.1 / 10. Policy Compliance Control IDs (CIDs): 25168 Status of the 'RequireSeal' setting for the Netlogon Remote Protocol As per KB5021130, this mitigation should be applied after the patch  NOTE: To help protect your environment and prevent outages, we have outlined the Qualys recommended remediation steps above and provided Qualys Custom Assessment and Remediation (CAR) supporting scripts. Exploitability Assessment: Exploitation More Likely

• Windows Advanced Local Procedure Call (ALPC) (CVE-2022-41045, CVE-2022-41093, CVE-2022-41100)
• Windows Digital Media Receiver (CVE-2022-41095)
• Windows Extensible File Allocation Table (CVE-2022-41050)
• Windows Group Policy (CVE-2022-37992, CVE-2022-41086)
• Windows HTTP.sys (CVE-2022-41057)
• Windows Overlay Filter (CVE-2022-41101, CVE-2022-41102)
• Windows Resilient File System (ReFS) (CVE-2022-41054)
• Windows Win32 Kernel Subsystem (CVE-2022-41113)
• Windows Bind Filter Driver (CVE-2022-41114)
• Windows Subsystem for Linux (WSL2) Kernel (CVE-2022-38014)
• Azure CycleCloud (CVE-2022-41085)

Memory Corruption (10)

• Microsoft Edge (CVE-2022-3445, CVE-2022-3446, CVE-2022-3448, CVE-2022-3449, CVE-2022-3450, CVE-2022-3652, CVE-2022-3653, CVE-2022-3654, CVE-2022-3655, CVE-2022-3657)

MS PT Extended: CVE-2022-3654 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3446 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3655 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3445 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3448 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3449 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3450 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3652 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3657 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3653 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

Spoofing (3)

• Microsoft Exchange (CVE-2022-41078, CVE-2022-41079)
• Microsoft SharePoint (CVE-2022-41122)

rapid7: Exchange Server admins are not the only ones on the hook this month: SharePoint Server is affected by CVE-2022-41062, an Important RCE that could allow an attacker who has Site Member privileges to execute code remotely on the server. CVE-2022-41122, a Spoofing vulnerability that Microsoft rates as “Exploitation more likely” than not, was actually addressed in September’s SharePoint patches but not included in their Security Update Guide at the time.

Information Disclosure (10)

• AMD Processor (CVE-2022-23824)
• .NET Framework (CVE-2022-41064)
• Windows GDI (CVE-2022-41098)
• Windows Human Interface Device (CVE-2022-41055)
• Microsoft Excel (CVE-2022-41105)
• Microsoft Word (CVE-2022-41060, CVE-2022-41103)
• Network Policy Server (NPS) RADIUS Protocol (CVE-2022-41097)
• Git (CVE-2022-39253)
• Microsoft Business Central (CVE-2022-41066)

Unknown Vulnerability Type (2)

• Microsoft Edge (CVE-2022-3447, CVE-2022-3660)

MS PT Extended: CVE-2022-3660 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07

MS PT Extended: CVE-2022-3447 was published before November 2022 Patch Tuesday from 2022-10-12 to 2022-11-07