
November Patch Tuesday: Microsoft finally fixes the two ProxyNotShell flaws and four other zero-days

On Tuesday, Microsoft released patches for 64 vulnerabilities, including the two zero-day ProxyNotShell vulnerabilities disclosed in early October that were not fixed during the October patch cycle. Of the 64 patched vulnerabilities, six were zero-days, 11 were rated critical, and 53 were rated important.

Microsoft’s November Patch Tuesday was highly anticipated because of the risk posed by the two zero-day ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082), which the security community had expected to be fixed in the October patch cycle.

November’s Patch Tuesday is also significant for the higher than usual number of zero-day bugs being addressed: the Windows maker has patched six zero-day vulnerabilities. Overall, the patch load is as expected for November, although the total number of vulnerabilities patched in 2022 has already exceeded that of 2021 (1,200), making 2022 Microsoft’s “second busiest year for patches,” as Dustin Childs of Trend Micro’s Zero Day Initiative noted.

The November patch load distribution is as follows:

  • 26 Elevation of Privilege (EoP)
  • 15 Remote Code Execution (RCE)
  • 8 Information Disclosure
  • 6 Denial of Service (DoS)
  • 4 Security Feature Bypass (SFB)
  • 3 Spoofing

Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, told Spiceworks, “As the holiday season approaches, security teams need to be on high alert and increasingly more vigilant, as attackers usually increase their activity during this period (e.g. Log4j, SolarWinds, etc.). It is likely that we will see bad actors attempt to take advantage of leaked vulnerabilities and vulnerabilities that organizations have not patched.”

Let’s take a look at the six zero-day vulnerabilities, i.e. those that are actively exploited in the wild:

CVE-2022-41040 and CVE-2022-41082 | ProxyNotShell

Speaking to Spiceworks, Mike Walters, vice president of vulnerability and threat research at Action1, called the two ProxyNotShell flaws residing in Exchange Server “heavily exploited”.

CVE-2022-41040 (CVSS: 8.8) is a server-side request forgery issue that allows elevation of privilege, while CVE-2022-41082 (CVSS: 6.3) is an RCE bug. “Finally, Microsoft has released patches for ‘ProxyNotShell’ vulnerabilities that are being actively exploited by Chinese threat actors,” Spurti Preetham Gurram, senior product manager at Automox, told Spiceworks.

“The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend patching within 24 hours if you have vulnerable on-premises or hybrid Exchange servers where the temporary mitigation has not been applied.”

After ProxyNotShell was exposed last month, Walters told Spiceworks that attackers were exploiting the pair of zero-days to deploy web shells on compromised servers, exfiltrate data and move laterally to other systems on the compromised network.

Walters added, “It took Microsoft over two months to deliver the patch, even though the company admitted that the ProxyNotShell vulnerabilities were being actively exploited in targeted attacks against at least 10 large organizations.”

For more information, see our detailed story about the ProxyNotShell vulnerabilities.


CVE-2022-41091

CVE-2022-41091 is an SFB bug that bypasses the Windows Mark of the Web (MotW) security feature. Although its CVSS score is only 5.4, it is a zero-day that has been known since July 2022, exists in most versions of Windows (10, 11 and Server 2016 through 2022), and is actively exploited.

“MotW is an important security feature that provides some protection and warning to end users who download files from untrusted sources. Windows adds MotW flags to documents and executables downloaded from an untrusted source. This indicator alerts Windows, Office, web browsers and other applications that the file is untrustworthy and displays warnings to end users trying to open the files,” explained Peter Pflaster, technical product marketing manager at Automox.

“Attackers exploiting the zero-day could coerce users into opening files from malicious websites, phishing emails, etc., and host specially crafted files that can bypass the security feature that alerts users to potentially malicious files. Multiple outlets reported that the vulnerability was discovered and reported in July 2022 but had not been patched until now. Since the vulnerability is being actively exploited, we recommend patching within 24 hours.”
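As an added illustration of the MotW mechanism Pflaster describes (example code, not from the article, Automox or Microsoft): on NTFS the mark is stored in an alternate data stream named Zone.Identifier, and the script below reads that stream to report which recently downloaded files carry an Internet-zone mark and which do not. It assumes PowerShell on Windows and the default Downloads folder; the function name Get-MotWStatus is my own.

```powershell
# Added example: audit Mark of the Web (MotW) on downloaded files.
# Windows stores MotW in an NTFS alternate data stream called "Zone.Identifier".
# Its ZoneId value follows the URL security zones: 3 = Internet, 4 = Restricted.
# Warnings from Office, SmartScreen etc. are keyed off that zone, so a file that
# came from the web but lacks the stream (or has a lower zone) will open silently.
function Get-MotWStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Reading a stream that does not exist throws; treat that as "no mark".
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) {
        return [pscustomobject]@{ File = $Path; HasMotW = $false; ZoneId = $null; HostUrl = $null }
    }

    # Typical content:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://...
    #   HostUrl=https://...
    $zoneId = $null; $hostUrl = $null
    foreach ($line in $zone) {
        if     ($line -match '^ZoneId=(\d+)\s*$') { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$')    { $hostUrl = $Matches[1] }
    }
    [pscustomobject]@{ File = $Path; HasMotW = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
}

# Report files written in the last 7 days that would NOT trigger a MotW warning:
# either no Zone.Identifier stream at all, or a zone below Internet (3).
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -File -Recurse |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object { Get-MotWStatus -Path $_.FullName } |
    Where-Object { -not $_.HasMotW -or ($_.ZoneId -ne $null -and $_.ZoneId -lt 3) } |
    Format-Table File, HasMotW, ZoneId, HostUrl -AutoSize
```

Files that arrive inside archives or on non-NTFS volumes legitimately lack the stream, so the report is a triage list rather than proof of a bypass.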

CVE-2022-41073

CVE-2022-41073 scores 7.8 on the CVSS scale and has low attack complexity, and it is still important to fix. It is a zero-day RCE bug that joins the list of infamous PrintNightmare vulnerabilities, since it resides in the Windows Print Spooler service.

“Microsoft continues to patch offshoots of the PrintNightmare vulnerability. This vulnerability has a local vector through which an attacker can gain SYSTEM rights on the target server or desktop,” Walters said.

Pflaster explained to Spiceworks that “Attackers with local access to a vulnerable device, typically obtained through social engineering, credential stuffing, or other password-related attacks, can execute a simple attack to elevate to SYSTEM privileges. Once attackers gain SYSTEM privileges, they are essentially free to establish persistence, move laterally to other more valuable targets, or view and exfiltrate valuable or sensitive data.”

CVE-2022-41073 affects the Windows Print Spooler service in all versions of Windows starting with Windows 7 and Windows Server 2008 R2. Walters added that, like other PrintNightmare bugs, CVE-2022-41073 could also be mitigated by disabling the Print Spooler service.

“But then you won’t be able to print anything from your system. So it’s best to install Microsoft’s latest patch, then wait until next month for yet another new PrintNightmare patch!” Walters said, pointing to how persistent PrintNightmare has been over the years.

Automox recommended patching CVE-2022-41128 within 24 hours, as it is actively exploited.


CVE-2022-41125

CVE-2022-41125 has a relatively low CVSS score of 7.8 with low attack complexity. But the EoP flaw, which resides in Windows Cryptography Next Generation (CNG), is being actively exploited, making application of the patch imperative to secure systems.

Gina Geisel, product marketing manager at Automox, told Spiceworks: “With a long list of impacted Windows 10 and 11 versions (in addition to Windows 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022 and 2022 Azure), this vulnerability [CVE-2022-41125] exposes cutting-edge versions of Windows and could have far-reaching impacts.

“With low privilege requirements and a local attack vector, this vulnerability requires no user interaction. Instead, an attacker would need to obtain execute privileges on the victim’s device and run an application specially crafted to elevate privileges in order to exploit this vulnerability.”

CVE-2022-41128

Found in the JScript9 scripting language, CVE-2022-41128 scores 8.8 on the CVSS severity scale. The problem affects all versions of Windows, including older ones.

Walters explained that CVE-2022-41128 “has low complexity, uses the network vector, and requires no privileges, but it does require user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website.”

Other zero-day and critical vulnerabilities from November Patch Tuesday

All zero-day (the first six) and critical vulnerabilities from the November Patch Tuesday are listed below, ordered by CVSS score, with Microsoft’s exploitability assessment in the last column.

Vulnerability    Exists in                                   CVSS  Type  Exploitation
CVE-2022-41040   Microsoft Exchange Server                   8.8   EoP   Exploit detected
CVE-2022-41082   Microsoft Exchange Server                   8.8   RCE   Exploit detected
CVE-2022-41128   Windows Scripting Languages                 8.8   RCE   Exploit detected
CVE-2022-41125   Windows CNG Key Isolation Service           7.8   EoP   Exploit detected
CVE-2022-41073   Windows Print Spooler                       7.8   EoP   Exploit detected
CVE-2022-41091   Windows Mark of the Web                     5.4   SFB   Exploit detected
CVE-2022-41080   Microsoft Exchange Server                   8.8   EoP   More likely
CVE-2022-37966   Windows Kerberos RC4-HMAC                   8.1   EoP   More likely
CVE-2022-41039   Windows Point-to-Point Tunneling Protocol   8.1   RCE   Less likely
CVE-2022-41088   Windows Point-to-Point Tunneling Protocol   8.1   RCE   Less likely
CVE-2022-41044   Windows Point-to-Point Tunneling Protocol   8.1   RCE   Less likely
CVE-2022-41118   Windows Scripting Languages                 7.8   RCE   More likely
CVE-2022-37967   Windows Kerberos                            7.2   EoP   More likely
CVE-2022-38015   Windows Hyper-V                             6.5   DoS   Less likely

“Six actively exploited zero-days in a cycle is an unusually high number – 12 in all [including a previously disclosed one in Azure CLI by GitHub],” Tiberium Chief Security Advisor Gareth Lindahl-Wise told Spiceworks.

“Initial compromise, remote code execution, and privilege escalation are unlikely to make the CISO’s Christmas list. From a prevention perspective – identify, prioritize, and remediate. Ensure that your detection and response capabilities are geared towards these specific CVEs and the general tactics.”

The November Patch Tuesday also follows Microsoft’s advisory on the two high-severity OpenSSL vulnerabilities fixed earlier in November with the release of OpenSSL 3.0.7, and includes fixes for three other previously disclosed bugs discovered by GitHub and AMD.
