Report Name: Microsoft Patch Tuesday, October 2022
Generated: 2022-10-28 01:36:04

Product Name	Prevalence	U	C	H	M	L	Comment
Active Directory	0.9			1	2		Active Directory is a directory service developed by Microsoft for Windows domain networks
Windows Kernel	0.9				9		Windows Kernel
Windows NTLM	0.9				1		A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity
Windows TCP/IP Driver	0.9			1			A kernel mode driver
Windows Win32k	0.9				2		Windows kernel-mode driver
Connected User Experiences and Telemetry	0.8				1		Windows component
Microsoft DWM Core Library	0.8				1		Windows component
Microsoft Edge	0.8			2	14	2	Web browser
Microsoft Exchange	0.8	2					Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft
Microsoft Local Security Authority Server	0.8				1		LSASS, the Windows Local Security Authority Server process, handles Windows security mechanisms
Microsoft Windows	0.8				1		Windows component
Windows ALPC	0.8				1		Windows component
Windows CD-ROM File System Driver	0.8			1			Windows component
Windows COM+ Event System Service	0.8		1				Windows component
Windows Client Server Run-time Subsystem (CSRSS)	0.8				2		Windows component
Windows CryptoAPI	0.8				1		Windows component
Windows DHCP Client	0.8				2		Windows component
Windows DWM Core Library	0.8				1		Windows component
Windows Distributed File System (DFS)	0.8				1		Windows component
Windows Event Logging Service	0.8				1		Windows component
Windows GDI	0.8			1			Windows component
Windows Graphics Component	0.8			1	2		Windows component
Windows Group Policy	0.8				1		Windows component
Windows Group Policy Preference Client	0.8				3		Windows component
Windows Kernel Memory	0.8				1		Windows component
Windows Local Security Authority (LSA)	0.8				1		Windows component
Windows Local Session Manager (LSM)	0.8			2			Windows component
Windows Mixed Reality Developer Tools	0.8				1		Windows component
Windows Point-to-Point Tunneling Protocol	0.8			7	1		Windows component
Windows Portable Device Enumerator Service	0.8			1			Windows component
Windows Print Spooler	0.8				1		Windows component
Windows Secure Channel	0.8			1			Windows component
Windows Security Support Provider Interface	0.8				1		Windows component
Windows Server Remotely Accessible Registry Keys	0.8			1			Windows component
Windows Server Service	0.8				1		Windows component
Windows Storage	0.8				1		Windows component
Windows USB Serial Driver	0.8				1		Windows component
Windows WLAN Service	0.8				1		Windows component
Windows Workstation Service	0.8				1		Windows component
Microsoft SharePoint	0.7			4			Microsoft SharePoint
Microsoft Office	0.6			1	2		Microsoft Office
Microsoft Office Graphics	0.6			1			Microsoft Office Graphics
Microsoft Word	0.6			1			MS Office product
Windows Hyper-V	0.6				1		Hardware virtualization component of the client editions of Windows NT
Azure Arc-enabled Kubernetes cluster Connect	0.5				1		Azure Arc-enabled Kubernetes cluster Connect
Internet Key Exchange (IKE) Protocol	0.5				1		Internet Key Exchange (IKE) Protocol
Microsoft Endpoint Configuration Manager	0.5				1		Microsoft Endpoint Configuration Manager
Microsoft ODBC Driver	0.5			1			Microsoft ODBC Driver
Microsoft WDAC OLE DB provider for SQL Server	0.5			2			Microsoft WDAC OLE DB provider for SQL Server
NuGet Client	0.5				1		NuGet Client
Service Fabric Explorer	0.5				1		Service Fabric Explorer
StorSimple 8000 Series	0.5				1		StorSimple 8000 Series
Web Account Manager	0.5				1		Web Account Manager
Visual Studio Code	0.3				3		Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0	1		20	2		Remote Code Execution
Security Feature Bypass	0.9			2	4		Security Feature Bypass
Denial of Service	0.7			4	4		Denial of Service
Memory Corruption	0.6				9		Memory Corruption
Elevation of Privilege	0.5	1	1	1	37		Elevation of Privilege
Information Disclosure	0.4			1	10		Information Disclosure
Spoofing	0.4			1	5		Spoofing
Unknown Vulnerability Type	0					2	Unknown Vulnerability Type

Urgent (2)

1. Remote Code Execution - Microsoft Exchange (CVE-2022-41082) - Urgent [948]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability.

MS PT Extended: CVE-2022-41082 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

qualys: Microsoft Exchange “ProxyNotShell” Zero-Days Not Yet Addressed (QID 50122) Unfortunately, Microsoft has not released security updates to address ProxyNotShell which includes two actively exploited zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082. Released: October 2022 Exchange Server Security Updates provides the following update: NOTE   The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready. Ankit Malhotra, Manager, Signature Engineering suggests, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation.”

qualys: Qualys Threat Protection High-Rated Advisories Published between September 14 – October 12, 2022, Most Recent First Microsoft Patch Tuesday, October 2022 Edition: 84 Vulnerabilities patched including 12 Microsoft Edge (Chromium-Based), 2 Zero-days, and 13 Rated as CriticalZimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)FortiGate and FortiProxy Authentication Bypass Vulnerability on Administrative Interface (HTTP/HTTPS) (CVE-2022-40684)Microsoft Exchange Server Zero-day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) (ProxyNotShell)Sophos Firewall Remote Code Execution Vulnerability (CVE-2022-3236)Zoho ManageEngine PAM360, Access Manager Plus, and Password Manager Pro Remote Code Execution Vulnerability (CVE-2022-35405)Trend Micro Patches Multiple Vulnerabilities in Apex One (On-Premise) Including One Zero-day (CVE-2022-40139)Cisco Patched Multiple Vulnerabilities in Multiple Products including NVIDIA Data Plane Development KitApple Patches Multiple Vulnerabilities in macOS Big Sur and macOS Monterey including One Zero-day (CVE-2022-32894)Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday, September 2022 Edition

qualys: Hans-Juergen Kreutzer says: October 13, 2022 at 12:29 AM What is the QID for October 2022 “Exchange Server Security Updates “ Reply to Hans-Juergen 1 Debra M. Fezza Reed says: October 17, 2022 at 1:27 PM ProxyNotShell which includes two actively exploited zero-day vulnerabilities is being tracked in Qualys as QID 50122 (CVE-2022-41040 and CVE-2022-41082). Reply to Debra 1

tenable: Note: Microsoft has not included patches for the two zero-day vulnerabilities in Microsoft Exchange, CVE-2022-41040 and CVE-2022-41082, that were disclosed on September 28 in this release.

rapid7: Top of mind for many this month is whether Microsoft would patch the two Exchange Server zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. This whack-a-mole approach seems likely to continue until a proper patch addressing the root causes is available; unfortunately, it doesn’t look like that will be happening today. Thankfully, the impact should be more limited than 2021’s ProxyShell and ProxyLogon vulnerabilities due to attackers needing to be authenticated to the server for successful exploitation. Reports are also surfacing about an additional zero-day distinct from these being used in ransomware attacks; however, these have not yet been substantiated.

2. Elevation of Privilege - Microsoft Exchange (CVE-2022-41040) - Urgent [847]

Description: Microsoft Exchange Server Elevation of Privilege Vulnerability.

MS PT Extended: CVE-2022-41040 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

qualys: Microsoft Exchange “ProxyNotShell” Zero-Days Not Yet Addressed (QID 50122) Unfortunately, Microsoft has not released security updates to address ProxyNotShell which includes two actively exploited zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082. Released: October 2022 Exchange Server Security Updates provides the following update: NOTE   The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready. Ankit Malhotra, Manager, Signature Engineering suggests, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation.”

qualys: Qualys Threat Protection High-Rated Advisories Published between September 14 – October 12, 2022, Most Recent First Microsoft Patch Tuesday, October 2022 Edition: 84 Vulnerabilities patched including 12 Microsoft Edge (Chromium-Based), 2 Zero-days, and 13 Rated as CriticalZimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)FortiGate and FortiProxy Authentication Bypass Vulnerability on Administrative Interface (HTTP/HTTPS) (CVE-2022-40684)Microsoft Exchange Server Zero-day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) (ProxyNotShell)Sophos Firewall Remote Code Execution Vulnerability (CVE-2022-3236)Zoho ManageEngine PAM360, Access Manager Plus, and Password Manager Pro Remote Code Execution Vulnerability (CVE-2022-35405)Trend Micro Patches Multiple Vulnerabilities in Apex One (On-Premise) Including One Zero-day (CVE-2022-40139)Cisco Patched Multiple Vulnerabilities in Multiple Products including NVIDIA Data Plane Development KitApple Patches Multiple Vulnerabilities in macOS Big Sur and macOS Monterey including One Zero-day (CVE-2022-32894)Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday, September 2022 Edition

qualys: Try It for Free! Sign up now for a no-cost trial of Qualys Custom Assessment and Remediation Customers can perform the provided mitigation steps by creating a PowerShell script and executing the script on vulnerable assets. IMPORTANT: Scripts tend to change over time. Referring back to a portion of our quote from Ankit Malhotra at the top of this blog, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times.” Please refer to the Qualys GitHub Tuesday Patch link to ensure the most current version of a given Patch Tuesday script is in use.

qualys: Hans-Juergen Kreutzer says: October 13, 2022 at 12:29 AM What is the QID for October 2022 “Exchange Server Security Updates “ Reply to Hans-Juergen 1 Debra M. Fezza Reed says: October 17, 2022 at 1:27 PM ProxyNotShell which includes two actively exploited zero-day vulnerabilities is being tracked in Qualys as QID 50122 (CVE-2022-41040 and CVE-2022-41082). Reply to Debra 1

tenable: Note: Microsoft has not included patches for the two zero-day vulnerabilities in Microsoft Exchange, CVE-2022-41040 and CVE-2022-41082, that were disclosed on September 28 in this release.

rapid7: Top of mind for many this month is whether Microsoft would patch the two Exchange Server zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. This whack-a-mole approach seems likely to continue until a proper patch addressing the root causes is available; unfortunately, it doesn’t look like that will be happening today. Thankfully, the impact should be more limited than 2021’s ProxyShell and ProxyLogon vulnerabilities due to attackers needing to be authenticated to the server for successful exploitation. Reports are also surfacing about an additional zero-day distinct from these being used in ransomware attacks; however, these have not yet been substantiated.

Critical (1)

3. Elevation of Privilege - Windows COM+ Event System Service (CVE-2022-41033) - Critical [604]

Description: Windows COM+ Event System Service Elevation of Privilege Vulnerability.

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-41033*, CVE-2022-41043). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing (CVE-2022-41035) ranked Moderate. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

qualys: CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. Classified as Critical, this issue affects an unknown function of the component COM+ Event System Service. The impact of exploitation is loss of confidentiality, integrity, and availability. Microsoft has not disclosed how the vulnerability is being exploited or if it is being exploited in targeted or more widespread attacks. They only say that the attack complexity is low and that it requires no user interaction for the attacker to be able to achieve SYSTEM privileges. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Patch Installation should be considered Critical. Saeed Abbasi, Manager, Vulnerability Signatures adds, “This patch fixes a security vulnerability that Microsoft stated is under active attack. However, it is not clear how severe these attacks are. Due to the nature of this vulnerability, a privilege escalation that often engages some social engineering (e.g. requiring the user to open a malicious attachment), history shows that it potentially needs to be chained with a code execution bug to exploit.” Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41033 is an EoP vulnerability in the Windows COM+ Event System Service, which enables system event notifications for COM+ component services. It received a CVSSv3 score of 7.8. An authenticated attacker could exploit this vulnerability to elevate privileges on a vulnerable system and gain SYSTEM privileges.

rapid7: Microsoft did address two other zero-day vulnerabilities with today’s patches. CVE-2022-41033, an Elevation of Privilege vulnerability affecting the COM+ Event System Service in all supported versions of Windows, has been seen exploited in the wild. CVE-2022-41043 is an Information Disclosure vulnerability affecting Office for Mac that was publicly disclosed but not (yet) seen exploited in the wild.

zdi: CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability. This patch fixes a bug that Microsoft lists as being used in active attacks, although they specify how broad these attacks may be. Since this is a privilege escalation bug, it is likely paired with other code execution exploits designed to take over a system. These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during “Cyber Security Awareness Month”, people tend to click everything, so test and deploy this fix quickly.

High (29)

4. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-38000) - High [554]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38047, CVE-2022-41081.

5. Remote Code Execution - Microsoft Edge (CVE-2022-3195) - High [475]

Description: Chromium: CVE-2022-3195 Out of bounds write in Storage. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3195 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

6. Remote Code Execution - Windows CD-ROM File System Driver (CVE-2022-38044) - High [462]

Description: Windows CD-ROM File System Driver Remote Code Execution Vulnerability.

7. Remote Code Execution - Windows GDI (CVE-2022-33635) - High [462]

Description: Windows GDI+ Remote Code Execution Vulnerability.

8. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-22035) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081.

9. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-24504) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22035, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081.

10. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-30198) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22035, CVE-2022-24504, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081.

11. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-33634) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081.

12. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-38047) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-41081.

13. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-41081) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047.

14. Security Feature Bypass - Active Directory (CVE-2022-37978) - High [460]

Description: Windows Active Directory Certificate Services Security Feature Bypass.

15. Remote Code Execution - Microsoft SharePoint (CVE-2022-38053) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41036, CVE-2022-41037, CVE-2022-41038.

tenable: CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 are RCE vulnerabilities in Microsoft SharePoint Server that all received a CVSSv3 score of 8.8. All except CVE-2022-41037 were rated “Exploitation More Likely,” and CVE-2022-41038 is the only one that has a critical rating. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.

16. Remote Code Execution - Microsoft SharePoint (CVE-2022-41036) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41037, CVE-2022-41038.

tenable: CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 are RCE vulnerabilities in Microsoft SharePoint Server that all received a CVSSv3 score of 8.8. All except CVE-2022-41037 were rated “Exploitation More Likely,” and CVE-2022-41038 is the only one that has a critical rating. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.

17. Remote Code Execution - Microsoft SharePoint (CVE-2022-41037) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41036, CVE-2022-41038.

tenable: CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 are RCE vulnerabilities in Microsoft SharePoint Server that all received a CVSSv3 score of 8.8. All except CVE-2022-41037 were rated “Exploitation More Likely,” and CVE-2022-41038 is the only one that has a critical rating. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.

18. Remote Code Execution - Microsoft SharePoint (CVE-2022-41038) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41036, CVE-2022-41037.

qualys: CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. The attacker must be authenticated to the target site, with permission to use Manage Lists within SharePoint. NOTE: Customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013. Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 are RCE vulnerabilities in Microsoft SharePoint Server that all received a CVSSv3 score of 8.8. All except CVE-2022-41037 were rated “Exploitation More Likely,” and CVE-2022-41038 is the only one that has a critical rating. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.

rapid7: Nine CVEs categorized as Remote Code Execution (RCE) with Critical severity were also patched today – seven of them affect the Point-to-Point Tunneling Protocol, and like those fixed last month, require an attacker to win a race condition to exploit them. CVE-2022-38048 affects all supported versions of Office, and CVE-2022-41038 could allow an attacker authenticated to SharePoint to execute arbitrary code on the server, provided the account has “Manage List” permissions.

19. Elevation of Privilege - Windows Graphics Component (CVE-2022-38051) - High [452]

Description: Windows Graphics Component Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37997.

20. Spoofing - Microsoft Edge (CVE-2022-41035) - High [432]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability.

MS PT Extended: CVE-2022-41035 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-41033*, CVE-2022-41043). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing (CVE-2022-41035) ranked Moderate. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

qualys: Microsoft Edge | Last But Not Least Earlier in October 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including CVE-2022-41035. The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see Security Update Guide Supports CVEs Assigned by Industry Partners.

qualys: CVE-2022-41035 | Microsoft Edge (Chromium-based) Spoofing Vulnerability This vulnerability has a CVSSv3.1 score of 8.3/10. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. Per Microsoft severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn’t allow for this type of nuance. Severity: Moderate Exploitability Assessment: Exploitation Less Likely

21. Remote Code Execution - Microsoft Office (CVE-2022-38048) - High [424]

Description: Microsoft Office Remote Code Execution Vulnerability.

qualys: CVE-2022-38048 | Microsoft Office Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. When a particular vulnerability allows an attacker to execute “arbitrary code”, it typically means that the bad guy can run any command on the target system the attacker chooses. Source For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. The impact of exploitation is loss of confidentiality, integrity, and availability. NOTE: Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Exploitability Assessment: Exploitation More Likely

rapid7: Nine CVEs categorized as Remote Code Execution (RCE) with Critical severity were also patched today – seven of them affect the Point-to-Point Tunneling Protocol, and like those fixed last month, require an attacker to win a race condition to exploit them. CVE-2022-38048 affects all supported versions of Office, and CVE-2022-41038 could allow an attacker authenticated to SharePoint to execute arbitrary code on the server, provided the account has “Manage List” permissions.

zdi: CVE-2022-38048 – Microsoft Office Remote Code Execution Vulnerability. This bug was reported to the ZDI by the researcher known as “hades_kito” and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction – typically opening a file. An exception to that is when the Preview Pane is an attack vector, however, Microsoft states that isn’t the case here. Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a UAF that could lead to passing an arbitrary pointer to a free call which makes further memory corruption possible.

22. Remote Code Execution - Microsoft Office Graphics (CVE-2022-38049) - High [424]

Description: Microsoft Office Graphics Remote Code Execution Vulnerability.

23. Remote Code Execution - Microsoft Word (CVE-2022-41031) - High [424]

Description: Microsoft Word Remote Code Execution Vulnerability.

24. Denial of Service - Windows TCP/IP Driver (CVE-2022-33645) - High [420]

Description: Windows TCP/IP Driver Denial of Service Vulnerability.

qualys: CVE-2022-33645 | Windows TCP/IP Driver Denial of Service (DoS) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. Exploitability Assessment: Exploitation Less Likely GitHub Link for CVE-2022-33645 Script

qualys: Write-Host "IPV6 has been disabled as part of workaround implementation. CVE-2022-33645 is now mitigated,"

qualys: CVE-2022-33645 | Windows TCP/IP Driver Denial of Service (DoS) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. Policy Compliance Control IDs (CIDs): 4842 Status of the ‘Internet Protocol version 6 (IPv6) components’ setting Exploitability Assessment: Exploitation Less Likely

25. Information Disclosure - Windows Server Remotely Accessible Registry Keys (CVE-2022-38033) - High [418]

Description: Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability.

26. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-38040) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability.

27. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2022-37982) - High [418]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38031.

28. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2022-38031) - High [418]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-37982.

29. Security Feature Bypass - Windows Portable Device Enumerator Service (CVE-2022-38032) - High [414]

Description: Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability.

30. Denial of Service - Windows Local Session Manager (LSM) (CVE-2022-37973) - High [401]

Description: Windows Local Session Manager (LSM) Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-37998.

31. Denial of Service - Windows Local Session Manager (LSM) (CVE-2022-37998) - High [401]

Description: Windows Local Session Manager (LSM) Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-37973.

32. Denial of Service - Windows Secure Channel (CVE-2022-38041) - High [401]

Description: Windows Secure Channel Denial of Service Vulnerability.

Medium (71)

33. Memory Corruption - Microsoft Edge (CVE-2022-3196) - Medium [394]

Description: Chromium: CVE-2022-3196 Use after free in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3196 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

34. Memory Corruption - Microsoft Edge (CVE-2022-3197) - Medium [394]

Description: Chromium: CVE-2022-3197 Use after free in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3197 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

35. Memory Corruption - Microsoft Edge (CVE-2022-3198) - Medium [394]

Description: Chromium: CVE-2022-3198 Use after free in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3198 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

36. Memory Corruption - Microsoft Edge (CVE-2022-3199) - Medium [394]

Description: Chromium: CVE-2022-3199 Use after free in Frames. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3199 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

37. Memory Corruption - Microsoft Edge (CVE-2022-3200) - Medium [394]

Description: Chromium: CVE-2022-3200 Heap buffer overflow in Internals. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3200 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

38. Elevation of Privilege - Active Directory (CVE-2022-37976) - Medium [393]

Description: Active Directory Certificate Services Elevation of Privilege Vulnerability.

qualys: CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. A malicious DCOM client could coerce a DCOM server to authenticate to it through the Active Directory Certificate Service (ADCS) and use the credential to launch a cross-protocol attack. An attacker who successfully exploited this vulnerability could gain domain administrator privileges. Exploitability Assessment: Exploitation Less Likely

qualys: CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. Exploitability Assessment: Exploitation Less Likely GitHub Link for CVE-2022-37976 Script

qualys: Write-Host "ADCS found running. LegacyAuthenticationLevel is set to 5. Mitigation for CVE-2022-37976 has been applied as per MSRC guidelines. "

qualys: CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. Policy Compliance Control IDs (CIDs): 4079 Status of the ‘Active Directory Certificate Service’  14916 Status of Windows Services  24842 Status of the ‘LegacyAuthenticationLevel’ setting Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-37976 is an EoP vulnerability affecting Active Directory Certificate Services. According to the advisory, a malicious Distributed Component Object Model (DCOM) client could be used to entice a DCOM server to authenticate to the client, allowing an attacker to perform a cross-protocol attack and gain domain administrator privileges. While Microsoft rates this as “Exploitation Less Likely,” ransomware groups often seek out vulnerabilities and misconfigurations in Active Directory to leverage for spreading malicious payloads across an organization's network. As highlighted in Tenable’s Ransomware Ecosystem report, Active Directory plays a pivotal role in ransomware attacks.

39. Denial of Service - Microsoft Local Security Authority Server (CVE-2022-37977) - Medium [387]

Description: Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability.

40. Elevation of Privilege - Windows Kernel (CVE-2022-37988) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

41. Elevation of Privilege - Windows Kernel (CVE-2022-37990) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

42. Elevation of Privilege - Windows Kernel (CVE-2022-37991) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

43. Elevation of Privilege - Windows Kernel (CVE-2022-37995) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

44. Elevation of Privilege - Windows Kernel (CVE-2022-38003) - Medium [379]

Description: Windows Resilient File System Elevation of Privilege.

45. Elevation of Privilege - Windows Kernel (CVE-2022-38037) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38038, CVE-2022-38039.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

46. Elevation of Privilege - Windows Kernel (CVE-2022-38038) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38039.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

47. Elevation of Privilege - Windows Kernel (CVE-2022-38039) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

48. Elevation of Privilege - Windows Win32k (CVE-2022-37986) - Medium [379]

Description: Windows Win32k Elevation of Privilege Vulnerability.

49. Elevation of Privilege - Windows Win32k (CVE-2022-38050) - Medium [379]

Description: Win32k Elevation of Privilege Vulnerability.

50. Spoofing - Microsoft Endpoint Configuration Manager (CVE-2022-37972) - Medium [375]

Description: Microsoft Endpoint Configuration Manager Spoofing Vulnerability.

MS PT Extended: CVE-2022-37972 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

51. Denial of Service - Windows Point-to-Point Tunneling Protocol (CVE-2022-37965) - Medium [374]

Description: Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability.

52. Elevation of Privilege - Windows Local Security Authority (LSA) (CVE-2022-38016) - Medium [374]

Description: Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability.

53. Elevation of Privilege - Windows Server Service (CVE-2022-38045) - Medium [374]

Description: Windows Server Service Elevation of Privilege Vulnerability

54. Remote Code Execution - Visual Studio Code (CVE-2022-41034) - Medium [367]

Description: Visual Studio Code Remote Code Execution Vulnerability.

55. Elevation of Privilege - Active Directory (CVE-2022-38042) - Medium [366]

Description: Active Directory Domain Services Elevation of Privilege Vulnerability.

56. Elevation of Privilege - Microsoft DWM Core Library (CVE-2022-37983) - Medium [360]

Description: Microsoft DWM Core Library Elevation of Privilege Vulnerability.

57. Elevation of Privilege - Windows Client Server Run-time Subsystem (CSRSS) (CVE-2022-37987) - Medium [360]

Description: Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37989.

zdi: CVE-2022-37987/CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability. These bugs were reported by ZDI Sr. Vulnerability Researcher Simon Zuckerbraun and pertain to the behavior of the CSRSS process when it searches for dependencies. CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation. This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location. We’ll publish additional details about these bugs on our blog in the future.

58. Elevation of Privilege - Windows Client Server Run-time Subsystem (CSRSS) (CVE-2022-37989) - Medium [360]

Description: Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37987.

zdi: CVE-2022-37987/CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability. These bugs were reported by ZDI Sr. Vulnerability Researcher Simon Zuckerbraun and pertain to the behavior of the CSRSS process when it searches for dependencies. CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation. This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location. We’ll publish additional details about these bugs on our blog in the future.

59. Elevation of Privilege - Windows DHCP Client (CVE-2022-37980) - Medium [360]

Description: Windows DHCP Client Elevation of Privilege Vulnerability.

60. Elevation of Privilege - Windows DWM Core Library (CVE-2022-37970) - Medium [360]

Description: Windows DWM Core Library Elevation of Privilege Vulnerability.

61. Elevation of Privilege - Windows Graphics Component (CVE-2022-37997) - Medium [360]

Description: Windows Graphics Component Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-38051.

62. Elevation of Privilege - Windows Group Policy (CVE-2022-37975) - Medium [360]

Description: Windows Group Policy Elevation of Privilege Vulnerability.

63. Elevation of Privilege - Windows Group Policy Preference Client (CVE-2022-37993) - Medium [360]

Description: Windows Group Policy Preference Client Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37994, CVE-2022-37999.

64. Elevation of Privilege - Windows Group Policy Preference Client (CVE-2022-37994) - Medium [360]

Description: Windows Group Policy Preference Client Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37993, CVE-2022-37999.

65. Elevation of Privilege - Windows Group Policy Preference Client (CVE-2022-37999) - Medium [360]

Description: Windows Group Policy Preference Client Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37993, CVE-2022-37994.

66. Elevation of Privilege - Windows Print Spooler (CVE-2022-38028) - Medium [360]

Description: Windows Print Spooler Elevation of Privilege Vulnerability.

tenable: CVE-2022-38028 is an EoP vulnerability in Windows Print Spooler components that received a CVSSv3 score of 7.8 and was rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. Exploitation would allow an attacker to gain SYSTEM privileges. The flaw was disclosed to Microsoft by the National Security Agency. This marks the third EoP vulnerability in Windows Print Spooler credited to the NSA this year, following CVE-2022-29104 and CVE-2022-30138 in May.

67. Elevation of Privilege - Windows WLAN Service (CVE-2022-37984) - Medium [360]

Description: Windows WLAN Service Elevation of Privilege Vulnerability.

68. Remote Code Execution - Microsoft Edge (CVE-2022-3373) - Medium [354]

Description: Chromium: CVE-2022-3373 Out of bounds write in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3373 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

69. Denial of Service - Windows Event Logging Service (CVE-2022-37981) - Medium [347]

Description: Windows Event Logging Service Denial of Service Vulnerability.

70. Elevation of Privilege - Connected User Experiences and Telemetry (CVE-2022-38021) - Medium [347]

Description: Connected User Experiences and Telemetry Elevation of Privilege Vulnerability.

71. Elevation of Privilege - Microsoft Windows (CVE-2022-37971) - Medium [347]

Description: Microsoft Windows Defender Elevation of Privilege Vulnerability.

72. Elevation of Privilege - Windows ALPC (CVE-2022-38029) - Medium [347]

Description: Windows ALPC Elevation of Privilege Vulnerability.

73. Elevation of Privilege - Windows Storage (CVE-2022-38027) - Medium [347]

Description: Windows Storage Elevation of Privilege Vulnerability.

74. Spoofing - Windows NTLM (CVE-2022-35770) - Medium [345]

Description: Windows NTLM Spoofing Vulnerability.

75. Denial of Service - Internet Key Exchange (IKE) Protocol (CVE-2022-38036) - Medium [344]

Description: Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability.

76. Spoofing - Windows CryptoAPI (CVE-2022-34689) - Medium [340]

Description: Windows CryptoAPI Spoofing Vulnerability.

qualys: CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. An attacker could manipulate an existing public x.509 certificate to spoof their identify and perform actions such as authentication or code signing as the targeted certificate. The technical details are unknown, and an exploit is not publicly available. The impact is known to affect integrity. Exploitability Assessment: Exploitation More Likely

77. Security Feature Bypass - Microsoft Edge (CVE-2022-3308) - Medium [333]

Description: Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3308 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

78. Security Feature Bypass - Microsoft Edge (CVE-2022-3310) - Medium [333]

Description: Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3310 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

79. Security Feature Bypass - Microsoft Edge (CVE-2022-3316) - Medium [333]

Description: Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3316 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

80. Security Feature Bypass - Microsoft Edge (CVE-2022-3317) - Medium [333]

Description: Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3317 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

81. Elevation of Privilege - Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968) - Medium [331]

Description: Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability.

qualys: CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 10/10. Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability. Customers using Azure Stack Edge must update to the 2209 release (software version 2.2.2088.5593). Release notes for the 2209 release of Azure Stack Edge can be found here: Azure Stack Edge 2209 release notes. Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-37968 is an EoP vulnerability in Microsoft’s Azure Arc, affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. With a CVSSv3 score of 10, the highest possible rating, an unauthenticated attacker could exploit this vulnerability in order to gain administrative privileges for a Kubernetes cluster. While updates have been released, users that do not have auto-upgrade enabled must take action to manually upgrade Azure Arc-enabled Kubernetes clusters. Microsoft’s security advisory provides additional information and steps to upgrade and how to check your current version. In July, Tenable disclosed a vulnerability in Azure Arc wherein passwords were being logged in plaintext. You can read more about the disclosure on the Tenable Techblog.

rapid7: Maxing out the CVSS base score with a 10.0 this month is CVE-2022-37968, an Elevation of Privilege vulnerability in the Azure Arc-enabled Kubernetes cluster Connect component. It’s unclear why Microsoft has assigned such a high score, given that an attacker would need to know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster (arguably making the Attack Complexity “High”). That said, if this condition is met then an unauthenticated user could become a cluster admin and potentially gain control over the Kubernetes cluster. Users of Azure Arc and Azure Stack Edge should check whether auto-updates are turned on, and if not, upgrade manually as soon as possible.

zdi: CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability. This vulnerability could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. Azure Stack Edge devices may also be impacted by this bug. To exploit this remotely, the attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. Still, this bug receives the rare CVSS 10 rating – the highest severity rating the system allows. If you’re running these types of containers, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.

82. Information Disclosure - Windows Mixed Reality Developer Tools (CVE-2022-37974) - Medium [327]

Description: Windows Mixed Reality Developer Tools Information Disclosure Vulnerability.

83. Elevation of Privilege - Windows Hyper-V (CVE-2022-37979) - Medium [322]

Description: Windows Hyper-V Elevation of Privilege Vulnerability.

84. Information Disclosure - Windows DHCP Client (CVE-2022-38026) - Medium [313]

Description: Windows DHCP Client Information Disclosure Vulnerability.

85. Information Disclosure - Windows Distributed File System (DFS) (CVE-2022-38025) - Medium [313]

Description: Windows Distributed File System (DFS) Information Disclosure Vulnerability.

86. Information Disclosure - Windows Graphics Component (CVE-2022-37985) - Medium [313]

Description: Windows Graphics Component Information Disclosure Vulnerability.

87. Information Disclosure - Windows Kernel Memory (CVE-2022-37996) - Medium [313]

Description: Windows Kernel Memory Information Disclosure Vulnerability.

88. Information Disclosure - Windows Security Support Provider Interface (CVE-2022-38043) - Medium [313]

Description: Windows Security Support Provider Interface Information Disclosure Vulnerability.

89. Elevation of Privilege - Windows Kernel (CVE-2022-38022) - Medium [312]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039.

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

90. Elevation of Privilege - Windows Workstation Service (CVE-2022-38034) - Medium [306]

Description: Windows Workstation Service Elevation of Privilege Vulnerability.

91. Elevation of Privilege - NuGet Client (CVE-2022-41032) - Medium [304]

Description: NuGet Client Elevation of Privilege Vulnerability.

92. Elevation of Privilege - StorSimple 8000 Series (CVE-2022-38017) - Medium [290]

Description: StorSimple 8000 Series Elevation of Privilege Vulnerability.

93. Spoofing - Microsoft Office (CVE-2022-38001) - Medium [289]

Description: Microsoft Office Spoofing Vulnerability.

94. Information Disclosure - Windows USB Serial Driver (CVE-2022-38030) - Medium [286]

Description: Windows USB Serial Driver Information Disclosure Vulnerability.

95. Memory Corruption - Microsoft Edge (CVE-2022-3304) - Medium [272]

Description: Chromium: CVE-2022-3304 Use after free in CSS. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3304 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

96. Memory Corruption - Microsoft Edge (CVE-2022-3307) - Medium [272]

Description: Chromium: CVE-2022-3307 Use after free in Media. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3307 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

97. Memory Corruption - Microsoft Edge (CVE-2022-3311) - Medium [272]

Description: Chromium: CVE-2022-3311 Use after free in Import. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3311 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

98. Memory Corruption - Microsoft Edge (CVE-2022-3370) - Medium [272]

Description: Chromium: CVE-2022-3370 Use after free in Custom Elements. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3370 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

99. Elevation of Privilege - Visual Studio Code (CVE-2022-41083) - Medium [266]

Description: Visual Studio Code Elevation of Privilege Vulnerability.

100. Information Disclosure - Web Account Manager (CVE-2022-38046) - Medium [256]

Description: Web Account Manager Information Disclosure Vulnerability.

101. Spoofing - Service Fabric Explorer (CVE-2022-35829) - Medium [256]

Description: Service Fabric Explorer Spoofing Vulnerability.

102. Information Disclosure - Microsoft Office (CVE-2022-41043) - Medium [235]

Description: Microsoft Office Information Disclosure Vulnerability.

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-41033*, CVE-2022-41043). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing (CVE-2022-41035) ranked Moderate. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

qualys: CVE-2022-41043| Microsoft Office Information Disclosure Vulnerability This vulnerability has a CVSSv3.1 score of 3.3/10. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is user tokens and other potentially sensitive information. The impact of exploitation is loss of confidentiality. This vulnerability demands that the victim is doing some kind of user interaction. As of the time of publishing, neither technical details nor an exploit is publicly available. Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-41043 is an information disclosure vulnerability affecting Microsoft Office for Mac. While exploitation requires local access to the host, this was the only publicly disclosed vulnerability patched this month. It is credited to Cody Thomas with SpecterOps.

rapid7: Microsoft did address two other zero-day vulnerabilities with today’s patches. CVE-2022-41033, an Elevation of Privilege vulnerability affecting the COM+ Event System Service in all supported versions of Windows, has been seen exploited in the wild. CVE-2022-41043 is an Information Disclosure vulnerability affecting Office for Mac that was publicly disclosed but not (yet) seen exploited in the wild.

103. Information Disclosure - Visual Studio Code (CVE-2022-41042) - Medium [232]

Description: Visual Studio Code Information Disclosure Vulnerability.

Low (2)

104. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-3313) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-3313 Incorrect security UI in Full Screen. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3313 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

105. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-3315) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-3315 Type confusion in Blink. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3315 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

Exploitation in the wild detected (3)

Remote Code Execution (1)

• Microsoft Exchange (CVE-2022-41082)

MS PT Extended: CVE-2022-41082 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

qualys: Microsoft Exchange “ProxyNotShell” Zero-Days Not Yet Addressed (QID 50122) Unfortunately, Microsoft has not released security updates to address ProxyNotShell which includes two actively exploited zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082. Released: October 2022 Exchange Server Security Updates provides the following update: NOTE   The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready. Ankit Malhotra, Manager, Signature Engineering suggests, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation.”

qualys: Qualys Threat Protection High-Rated Advisories Published between September 14 – October 12, 2022, Most Recent First Microsoft Patch Tuesday, October 2022 Edition: 84 Vulnerabilities patched including 12 Microsoft Edge (Chromium-Based), 2 Zero-days, and 13 Rated as CriticalZimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)FortiGate and FortiProxy Authentication Bypass Vulnerability on Administrative Interface (HTTP/HTTPS) (CVE-2022-40684)Microsoft Exchange Server Zero-day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) (ProxyNotShell)Sophos Firewall Remote Code Execution Vulnerability (CVE-2022-3236)Zoho ManageEngine PAM360, Access Manager Plus, and Password Manager Pro Remote Code Execution Vulnerability (CVE-2022-35405)Trend Micro Patches Multiple Vulnerabilities in Apex One (On-Premise) Including One Zero-day (CVE-2022-40139)Cisco Patched Multiple Vulnerabilities in Multiple Products including NVIDIA Data Plane Development KitApple Patches Multiple Vulnerabilities in macOS Big Sur and macOS Monterey including One Zero-day (CVE-2022-32894)Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday, September 2022 Edition

qualys: Hans-Juergen Kreutzer says: October 13, 2022 at 12:29 AM What is the QID for October 2022 “Exchange Server Security Updates “ Reply to Hans-Juergen 1 Debra M. Fezza Reed says: October 17, 2022 at 1:27 PM ProxyNotShell which includes two actively exploited zero-day vulnerabilities is being tracked in Qualys as QID 50122 (CVE-2022-41040 and CVE-2022-41082). Reply to Debra 1

tenable: Note: Microsoft has not included patches for the two zero-day vulnerabilities in Microsoft Exchange, CVE-2022-41040 and CVE-2022-41082, that were disclosed on September 28 in this release.

rapid7: Top of mind for many this month is whether Microsoft would patch the two Exchange Server zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. This whack-a-mole approach seems likely to continue until a proper patch addressing the root causes is available; unfortunately, it doesn’t look like that will be happening today. Thankfully, the impact should be more limited than 2021’s ProxyShell and ProxyLogon vulnerabilities due to attackers needing to be authenticated to the server for successful exploitation. Reports are also surfacing about an additional zero-day distinct from these being used in ransomware attacks; however, these have not yet been substantiated.

Elevation of Privilege (2)

• Microsoft Exchange (CVE-2022-41040)

MS PT Extended: CVE-2022-41040 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

qualys: Microsoft Exchange “ProxyNotShell” Zero-Days Not Yet Addressed (QID 50122) Unfortunately, Microsoft has not released security updates to address ProxyNotShell which includes two actively exploited zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082. Released: October 2022 Exchange Server Security Updates provides the following update: NOTE   The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready. Ankit Malhotra, Manager, Signature Engineering suggests, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation.”

qualys: Qualys Threat Protection High-Rated Advisories Published between September 14 – October 12, 2022, Most Recent First Microsoft Patch Tuesday, October 2022 Edition: 84 Vulnerabilities patched including 12 Microsoft Edge (Chromium-Based), 2 Zero-days, and 13 Rated as CriticalZimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)FortiGate and FortiProxy Authentication Bypass Vulnerability on Administrative Interface (HTTP/HTTPS) (CVE-2022-40684)Microsoft Exchange Server Zero-day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) (ProxyNotShell)Sophos Firewall Remote Code Execution Vulnerability (CVE-2022-3236)Zoho ManageEngine PAM360, Access Manager Plus, and Password Manager Pro Remote Code Execution Vulnerability (CVE-2022-35405)Trend Micro Patches Multiple Vulnerabilities in Apex One (On-Premise) Including One Zero-day (CVE-2022-40139)Cisco Patched Multiple Vulnerabilities in Multiple Products including NVIDIA Data Plane Development KitApple Patches Multiple Vulnerabilities in macOS Big Sur and macOS Monterey including One Zero-day (CVE-2022-32894)Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday, September 2022 Edition

qualys: Try It for Free! Sign up now for a no-cost trial of Qualys Custom Assessment and Remediation Customers can perform the provided mitigation steps by creating a PowerShell script and executing the script on vulnerable assets. IMPORTANT: Scripts tend to change over time. Referring back to a portion of our quote from Ankit Malhotra at the top of this blog, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times.” Please refer to the Qualys GitHub Tuesday Patch link to ensure the most current version of a given Patch Tuesday script is in use.

qualys: Hans-Juergen Kreutzer says: October 13, 2022 at 12:29 AM What is the QID for October 2022 “Exchange Server Security Updates “ Reply to Hans-Juergen 1 Debra M. Fezza Reed says: October 17, 2022 at 1:27 PM ProxyNotShell which includes two actively exploited zero-day vulnerabilities is being tracked in Qualys as QID 50122 (CVE-2022-41040 and CVE-2022-41082). Reply to Debra 1

tenable: Note: Microsoft has not included patches for the two zero-day vulnerabilities in Microsoft Exchange, CVE-2022-41040 and CVE-2022-41082, that were disclosed on September 28 in this release.

rapid7: Top of mind for many this month is whether Microsoft would patch the two Exchange Server zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. This whack-a-mole approach seems likely to continue until a proper patch addressing the root causes is available; unfortunately, it doesn’t look like that will be happening today. Thankfully, the impact should be more limited than 2021’s ProxyShell and ProxyLogon vulnerabilities due to attackers needing to be authenticated to the server for successful exploitation. Reports are also surfacing about an additional zero-day distinct from these being used in ransomware attacks; however, these have not yet been substantiated.

• Windows COM+ Event System Service (CVE-2022-41033)

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-41033*, CVE-2022-41043). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing (CVE-2022-41035) ranked Moderate. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

qualys: CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. Classified as Critical, this issue affects an unknown function of the component COM+ Event System Service. The impact of exploitation is loss of confidentiality, integrity, and availability. Microsoft has not disclosed how the vulnerability is being exploited or if it is being exploited in targeted or more widespread attacks. They only say that the attack complexity is low and that it requires no user interaction for the attacker to be able to achieve SYSTEM privileges. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Patch Installation should be considered Critical. Saeed Abbasi, Manager, Vulnerability Signatures adds, “This patch fixes a security vulnerability that Microsoft stated is under active attack. However, it is not clear how severe these attacks are. Due to the nature of this vulnerability, a privilege escalation that often engages some social engineering (e.g. requiring the user to open a malicious attachment), history shows that it potentially needs to be chained with a code execution bug to exploit.” Exploitability Assessment: Exploitation Detected

tenable: CVE-2022-41033 is an EoP vulnerability in the Windows COM+ Event System Service, which enables system event notifications for COM+ component services. It received a CVSSv3 score of 7.8. An authenticated attacker could exploit this vulnerability to elevate privileges on a vulnerable system and gain SYSTEM privileges.

rapid7: Microsoft did address two other zero-day vulnerabilities with today’s patches. CVE-2022-41033, an Elevation of Privilege vulnerability affecting the COM+ Event System Service in all supported versions of Windows, has been seen exploited in the wild. CVE-2022-41043 is an Information Disclosure vulnerability affecting Office for Mac that was publicly disclosed but not (yet) seen exploited in the wild.

zdi: CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability. This patch fixes a bug that Microsoft lists as being used in active attacks, although they specify how broad these attacks may be. Since this is a privilege escalation bug, it is likely paired with other code execution exploits designed to take over a system. These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during “Cyber Security Awareness Month”, people tend to click everything, so test and deploy this fix quickly.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (102)

Remote Code Execution (22)

• Windows Point-to-Point Tunneling Protocol (CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081)
• Microsoft Edge (CVE-2022-3195, CVE-2022-3373)

MS PT Extended: CVE-2022-3195 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3373 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

• Windows CD-ROM File System Driver (CVE-2022-38044)
• Windows GDI (CVE-2022-33635)
• Microsoft SharePoint (CVE-2022-38053, CVE-2022-41036, CVE-2022-41037, CVE-2022-41038)

qualys: CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. The attacker must be authenticated to the target site, with permission to use Manage Lists within SharePoint. NOTE: Customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013. Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 are RCE vulnerabilities in Microsoft SharePoint Server that all received a CVSSv3 score of 8.8. All except CVE-2022-41037 were rated “Exploitation More Likely,” and CVE-2022-41038 is the only one that has a critical rating. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.

rapid7: Nine CVEs categorized as Remote Code Execution (RCE) with Critical severity were also patched today – seven of them affect the Point-to-Point Tunneling Protocol, and like those fixed last month, require an attacker to win a race condition to exploit them. CVE-2022-38048 affects all supported versions of Office, and CVE-2022-41038 could allow an attacker authenticated to SharePoint to execute arbitrary code on the server, provided the account has “Manage List” permissions.

• Microsoft Office (CVE-2022-38048)

qualys: CVE-2022-38048 | Microsoft Office Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. When a particular vulnerability allows an attacker to execute “arbitrary code”, it typically means that the bad guy can run any command on the target system the attacker chooses. Source For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. The impact of exploitation is loss of confidentiality, integrity, and availability. NOTE: Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Exploitability Assessment: Exploitation More Likely

rapid7: Nine CVEs categorized as Remote Code Execution (RCE) with Critical severity were also patched today – seven of them affect the Point-to-Point Tunneling Protocol, and like those fixed last month, require an attacker to win a race condition to exploit them. CVE-2022-38048 affects all supported versions of Office, and CVE-2022-41038 could allow an attacker authenticated to SharePoint to execute arbitrary code on the server, provided the account has “Manage List” permissions.

zdi: CVE-2022-38048 – Microsoft Office Remote Code Execution Vulnerability. This bug was reported to the ZDI by the researcher known as “hades_kito” and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction – typically opening a file. An exception to that is when the Preview Pane is an attack vector, however, Microsoft states that isn’t the case here. Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a UAF that could lead to passing an arbitrary pointer to a free call which makes further memory corruption possible.

• Microsoft Office Graphics (CVE-2022-38049)
• Microsoft Word (CVE-2022-41031)
• Microsoft ODBC Driver (CVE-2022-38040)
• Microsoft WDAC OLE DB provider for SQL Server (CVE-2022-37982, CVE-2022-38031)
• Visual Studio Code (CVE-2022-41034)

Security Feature Bypass (6)

• Active Directory (CVE-2022-37978)
• Windows Portable Device Enumerator Service (CVE-2022-38032)
• Microsoft Edge (CVE-2022-3308, CVE-2022-3310, CVE-2022-3316, CVE-2022-3317)

MS PT Extended: CVE-2022-3316 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3310 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3308 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3317 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

Elevation of Privilege (38)

• Windows Graphics Component (CVE-2022-37997, CVE-2022-38051)
• Active Directory (CVE-2022-37976, CVE-2022-38042)

qualys: CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. A malicious DCOM client could coerce a DCOM server to authenticate to it through the Active Directory Certificate Service (ADCS) and use the credential to launch a cross-protocol attack. An attacker who successfully exploited this vulnerability could gain domain administrator privileges. Exploitability Assessment: Exploitation Less Likely

qualys: CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. Exploitability Assessment: Exploitation Less Likely GitHub Link for CVE-2022-37976 Script

qualys: Write-Host "ADCS found running. LegacyAuthenticationLevel is set to 5. Mitigation for CVE-2022-37976 has been applied as per MSRC guidelines. "

qualys: CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. Policy Compliance Control IDs (CIDs): 4079 Status of the ‘Active Directory Certificate Service’  14916 Status of Windows Services  24842 Status of the ‘LegacyAuthenticationLevel’ setting Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-37976 is an EoP vulnerability affecting Active Directory Certificate Services. According to the advisory, a malicious Distributed Component Object Model (DCOM) client could be used to entice a DCOM server to authenticate to the client, allowing an attacker to perform a cross-protocol attack and gain domain administrator privileges. While Microsoft rates this as “Exploitation Less Likely,” ransomware groups often seek out vulnerabilities and misconfigurations in Active Directory to leverage for spreading malicious payloads across an organization's network. As highlighted in Tenable’s Ransomware Ecosystem report, Active Directory plays a pivotal role in ransomware attacks.

• Windows Kernel (CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38003, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039)

tenable: CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

• Windows Win32k (CVE-2022-37986, CVE-2022-38050)
• Windows Local Security Authority (LSA) (CVE-2022-38016)
• Windows Server Service (CVE-2022-38045)
• Microsoft DWM Core Library (CVE-2022-37983)
• Windows Client Server Run-time Subsystem (CSRSS) (CVE-2022-37987, CVE-2022-37989)

zdi: CVE-2022-37987/CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability. These bugs were reported by ZDI Sr. Vulnerability Researcher Simon Zuckerbraun and pertain to the behavior of the CSRSS process when it searches for dependencies. CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation. This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location. We’ll publish additional details about these bugs on our blog in the future.

• Windows DHCP Client (CVE-2022-37980)
• Windows DWM Core Library (CVE-2022-37970)
• Windows Group Policy (CVE-2022-37975)
• Windows Group Policy Preference Client (CVE-2022-37993, CVE-2022-37994, CVE-2022-37999)
• Windows Print Spooler (CVE-2022-38028)

tenable: CVE-2022-38028 is an EoP vulnerability in Windows Print Spooler components that received a CVSSv3 score of 7.8 and was rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. Exploitation would allow an attacker to gain SYSTEM privileges. The flaw was disclosed to Microsoft by the National Security Agency. This marks the third EoP vulnerability in Windows Print Spooler credited to the NSA this year, following CVE-2022-29104 and CVE-2022-30138 in May.

• Windows WLAN Service (CVE-2022-37984)
• Connected User Experiences and Telemetry (CVE-2022-38021)
• Microsoft Windows (CVE-2022-37971)
• Windows ALPC (CVE-2022-38029)
• Windows Storage (CVE-2022-38027)
• Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968)

qualys: CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 10/10. Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability. Customers using Azure Stack Edge must update to the 2209 release (software version 2.2.2088.5593). Release notes for the 2209 release of Azure Stack Edge can be found here: Azure Stack Edge 2209 release notes. Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-37968 is an EoP vulnerability in Microsoft’s Azure Arc, affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. With a CVSSv3 score of 10, the highest possible rating, an unauthenticated attacker could exploit this vulnerability in order to gain administrative privileges for a Kubernetes cluster. While updates have been released, users that do not have auto-upgrade enabled must take action to manually upgrade Azure Arc-enabled Kubernetes clusters. Microsoft’s security advisory provides additional information and steps to upgrade and how to check your current version. In July, Tenable disclosed a vulnerability in Azure Arc wherein passwords were being logged in plaintext. You can read more about the disclosure on the Tenable Techblog.

rapid7: Maxing out the CVSS base score with a 10.0 this month is CVE-2022-37968, an Elevation of Privilege vulnerability in the Azure Arc-enabled Kubernetes cluster Connect component. It’s unclear why Microsoft has assigned such a high score, given that an attacker would need to know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster (arguably making the Attack Complexity “High”). That said, if this condition is met then an unauthenticated user could become a cluster admin and potentially gain control over the Kubernetes cluster. Users of Azure Arc and Azure Stack Edge should check whether auto-updates are turned on, and if not, upgrade manually as soon as possible.

zdi: CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability. This vulnerability could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. Azure Stack Edge devices may also be impacted by this bug. To exploit this remotely, the attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. Still, this bug receives the rare CVSS 10 rating – the highest severity rating the system allows. If you’re running these types of containers, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.

• Windows Hyper-V (CVE-2022-37979)
• Windows Workstation Service (CVE-2022-38034)
• NuGet Client (CVE-2022-41032)
• StorSimple 8000 Series (CVE-2022-38017)
• Visual Studio Code (CVE-2022-41083)

Spoofing (6)

• Microsoft Edge (CVE-2022-41035)

MS PT Extended: CVE-2022-41035 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-41033*, CVE-2022-41043). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing (CVE-2022-41035) ranked Moderate. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

qualys: Microsoft Edge | Last But Not Least Earlier in October 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including CVE-2022-41035. The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see Security Update Guide Supports CVEs Assigned by Industry Partners.

qualys: CVE-2022-41035 | Microsoft Edge (Chromium-based) Spoofing Vulnerability This vulnerability has a CVSSv3.1 score of 8.3/10. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. Per Microsoft severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn’t allow for this type of nuance. Severity: Moderate Exploitability Assessment: Exploitation Less Likely

• Microsoft Endpoint Configuration Manager (CVE-2022-37972)

MS PT Extended: CVE-2022-37972 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

• Windows NTLM (CVE-2022-35770)
• Windows CryptoAPI (CVE-2022-34689)

qualys: CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. An attacker could manipulate an existing public x.509 certificate to spoof their identify and perform actions such as authentication or code signing as the targeted certificate. The technical details are unknown, and an exploit is not publicly available. The impact is known to affect integrity. Exploitability Assessment: Exploitation More Likely

• Microsoft Office (CVE-2022-38001)
• Service Fabric Explorer (CVE-2022-35829)

Denial of Service (8)

• Windows TCP/IP Driver (CVE-2022-33645)

qualys: CVE-2022-33645 | Windows TCP/IP Driver Denial of Service (DoS) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. Exploitability Assessment: Exploitation Less Likely GitHub Link for CVE-2022-33645 Script

qualys: Write-Host "IPV6 has been disabled as part of workaround implementation. CVE-2022-33645 is now mitigated,"

qualys: CVE-2022-33645 | Windows TCP/IP Driver Denial of Service (DoS) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. Policy Compliance Control IDs (CIDs): 4842 Status of the ‘Internet Protocol version 6 (IPv6) components’ setting Exploitability Assessment: Exploitation Less Likely

• Windows Local Session Manager (LSM) (CVE-2022-37973, CVE-2022-37998)
• Windows Secure Channel (CVE-2022-38041)
• Microsoft Local Security Authority Server (CVE-2022-37977)
• Windows Point-to-Point Tunneling Protocol (CVE-2022-37965)
• Windows Event Logging Service (CVE-2022-37981)
• Internet Key Exchange (IKE) Protocol (CVE-2022-38036)

Information Disclosure (11)

• Windows Server Remotely Accessible Registry Keys (CVE-2022-38033)
• Windows Mixed Reality Developer Tools (CVE-2022-37974)
• Windows DHCP Client (CVE-2022-38026)
• Windows Distributed File System (DFS) (CVE-2022-38025)
• Windows Graphics Component (CVE-2022-37985)
• Windows Kernel Memory (CVE-2022-37996)
• Windows Security Support Provider Interface (CVE-2022-38043)
• Windows USB Serial Driver (CVE-2022-38030)
• Web Account Manager (CVE-2022-38046)
• Microsoft Office (CVE-2022-41043)

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-41033*, CVE-2022-41043). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing (CVE-2022-41035) ranked Moderate. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

qualys: CVE-2022-41043| Microsoft Office Information Disclosure Vulnerability This vulnerability has a CVSSv3.1 score of 3.3/10. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is user tokens and other potentially sensitive information. The impact of exploitation is loss of confidentiality. This vulnerability demands that the victim is doing some kind of user interaction. As of the time of publishing, neither technical details nor an exploit is publicly available. Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-41043 is an information disclosure vulnerability affecting Microsoft Office for Mac. While exploitation requires local access to the host, this was the only publicly disclosed vulnerability patched this month. It is credited to Cody Thomas with SpecterOps.

rapid7: Microsoft did address two other zero-day vulnerabilities with today’s patches. CVE-2022-41033, an Elevation of Privilege vulnerability affecting the COM+ Event System Service in all supported versions of Windows, has been seen exploited in the wild. CVE-2022-41043 is an Information Disclosure vulnerability affecting Office for Mac that was publicly disclosed but not (yet) seen exploited in the wild.

• Visual Studio Code (CVE-2022-41042)

Memory Corruption (9)

• Microsoft Edge (CVE-2022-3196, CVE-2022-3197, CVE-2022-3198, CVE-2022-3199, CVE-2022-3200, CVE-2022-3304, CVE-2022-3307, CVE-2022-3311, CVE-2022-3370)

MS PT Extended: CVE-2022-3307 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3198 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3196 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3311 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3200 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3199 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3370 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3197 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3304 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

Unknown Vulnerability Type (2)

• Microsoft Edge (CVE-2022-3313, CVE-2022-3315)

MS PT Extended: CVE-2022-3313 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10

MS PT Extended: CVE-2022-3315 was published before October 2022 Patch Tuesday from 2022-09-14 to 2022-10-10