November Patch Tuesday has arrived and, fortunately, it brings a patch for the pair of Microsoft Exchange zero-days known as “ProxyNotShell.” Microsoft also fixed a new, critical elevation of privilege vulnerability in Exchange Server.
November Patch Tuesday means admins have their work cut out for them
So clearly, this month’s release will keep administrators busy. Microsoft fixed six actively exploited vulnerabilities, the most included in a single Patch Tuesday release in over a year. In total, 66 vulnerabilities were patched this month, ten of them rated critical; the six actively exploited flaws span both the critical and important ratings.
One of the actively exploited zero-days is an elevation of privilege vulnerability in the much-maligned Windows Print Spooler. Most versions of Windows and Windows Server are affected, so we recommend patching within 24 hours.
Another is an elevation of privilege flaw in the Windows Cryptography Next Generation (CNG) Key Isolation service, which improperly handles memory.
A third zero-day is an important flaw that lets threat actors bypass the Windows Mark of the Web (MotW) security feature, which is meant to warn end users when they download or open a file from an untrusted source. This will likely be an attractive target for social engineering campaigns, so we recommend patching within 24 hours.
ProxyNotShell – CVE-2022-41040 and CVE-2022-41082 – CRITICAL
At long last, Microsoft has released patches for the “ProxyNotShell” vulnerabilities, which are being actively exploited and have been attributed to Chinese threat actors. The pair consists of an elevation of privilege flaw, CVE-2022-41040 (a server-side request forgery), chained with a remote code execution flaw, CVE-2022-41082; both have been exposed and exploited since late September. We recommend applying the patches within 24 hours on vulnerable on-premises or hybrid Exchange servers, prioritizing those where the temporary URL Rewrite mitigation has not been applied. – Preetham Gurram
CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability – IMPORTANT
CVE-2022-41125 is an important elevation of privilege vulnerability caused by the Microsoft Windows Cryptography Next Generation (CNG) Key Isolation service improperly handling memory. The attack vector is local and only low privileges are required; no user interaction is needed. An attacker must first gain the ability to execute code on the victim’s device, then run a specially crafted application to elevate privileges.
A long list of Windows 10 and 11 releases is affected, in addition to Windows 8.1, Windows 7, and Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure Edition, so this vulnerability covers the vast majority of Windows installations and could have wide-ranging impact. Because the update requires a restart, Automox recommends deploying it, which corrects how the CNG Key Isolation Service handles memory, during a window when reboots will not disrupt users. – Gina Geisel
CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability – IMPORTANT
CVE-2022-41091 is an important, actively exploited vulnerability in the Windows Mark of the Web (MotW) security feature. It affects most versions of Windows 10 and 11 and Windows Server 2016 through 2022.
MotW is a security feature that gives end users some protection and warning when they download files from untrusted sources. When a browser, mail client, or other download tool saves a file from the Internet zone, Windows records the origin in an NTFS alternate data stream named Zone.Identifier attached to the file. Windows, Office, web browsers, and other applications check this mark and treat the file as untrusted: SmartScreen screens executables, Office opens documents in Protected View, and the user is warned before the file runs.
Attackers exploiting the zero-day host specially crafted files that arrive without an effective mark, then coerce users into opening them through malicious websites, phishing emails, and similar lures, so the warnings that would normally flag a potentially malicious file never appear.
Multiple outlets have reported that the vulnerability was discovered and reported in July 2022, but it remained unpatched until now. Since the vulnerability is being actively exploited, we recommend patching within 24 hours. – Peter Pflaster
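The Zone.Identifier mechanism described above can be inspected directly from PowerShell. The following is an added example, not code from the original post: it lists every file under a folder, reports the zone recorded in its Zone.Identifier stream, flags files that would open without a SmartScreen or Protected View prompt, and shows how to re-apply an Internet-zone mark. The Downloads folder as the audit target is an assumption.

```powershell
# Added example (not from the original post): audit Mark of the Web on downloaded files.
# MotW lives in an NTFS alternate data stream named Zone.Identifier; a file saved from
# the Internet zone normally carries "ZoneId=3" there. A file without the stream, or with
# a lower zone, opens with no SmartScreen or Protected View prompt.
# Assumption: the files to audit are in the current user's Downloads folder.

$ZoneNames = @{
    '0' = 'Local machine'
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'
    '4' = 'Restricted sites'
}

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # Reading the stream fails when it is absent; treat that as "no mark".
        $lines = @(Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        $zoneId  = $null
        $hostUrl = $null
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d+)')  { $zoneId  = $Matches[1] }
            if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
        }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotW = $lines.Count -gt 0
            ZoneId  = $zoneId
            Zone    = if ($zoneId) { $ZoneNames[$zoneId] } else { 'none' }
            HostUrl = $hostUrl
            # Anything in Downloads that is not marked as Internet would open silently.
            OpensWithoutWarning = ($zoneId -ne '3')
        }
    }
}

function Set-MotwInternet {
    # Writes the same stream a browser writes, so Windows treats the file as an Internet download.
    # Useful for files that arrived by a path that drops the mark (non-NTFS media, some archivers).
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Usage: list everything in Downloads that would open without a warning.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-MotwStatus -Path $downloads |
    Where-Object OpensWithoutWarning |
    Format-Table File, Zone, HostUrl -AutoSize
```

Two caveats worth keeping in mind when reading the output: the mark is an NTFS stream, so files copied through FAT or exFAT media arrive without it regardless of where they originated, and `Unblock-File` is the supported way to remove it (the same effect the “Unblock” checkbox in file properties has). `Get-Item -LiteralPath <file> -Stream *` lists every stream on a file if you want to see what else is attached.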
CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability – IMPORTANT
CVE-2022-41073 is an important, actively exploited vulnerability in the Windows Print Spooler. Most versions of Windows 7 through 11 and Windows Server 2008 through 2022 are affected. An attacker who already has local access to a vulnerable device, typically gained through social engineering, credential stuffing, or other password-related attacks, can run a relatively simple exploit to elevate to SYSTEM privileges. With SYSTEM, the attacker has essentially free rein to establish persistence, move laterally to more valuable targets, or view and exfiltrate sensitive data.
Since the vulnerability is being actively exploited, and a broad range of operating system versions are affected, we recommend patching within 24 hours. – Peter Pflaster
CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability – CRITICAL
CVE-2022-41128 is a critical, actively exploited vulnerability in the JScript9 scripting engine that ships with Windows. All supported versions of Windows are affected, including older releases.
To exploit it, an attacker must entice a user on an affected device to visit a malicious website or server hosting crafted content that the JScript9 engine processes; the attacker then gains remote code execution in that user’s context. The vulnerability scores CVSS 8.8 and is rated critical. Because it is being actively exploited, Automox recommends patching within 24 hours. – Preetham Gurram
CVE-2022-41080 – Microsoft Exchange Server Elevation of Privilege Vulnerability – CRITICAL
Microsoft released a fix for an elevation of privilege vulnerability in Microsoft Exchange Server. Elevation of privilege, also commonly called “privilege escalation,” describes a vulnerability that lets an adversary gain unauthorized access by raising its access and execution permissions on the system.
The vulnerability, CVE-2022-41080, was disclosed by Microsoft and labeled “Exploitation More Likely,” but had not been exploited in the wild at the time of writing. It is particularly concerning given the pair of Exchange zero-days discovered at the end of September. It scores CVSS 8.8, making it a critical vulnerability to address, and Automox recommends patching within 72 hours to minimize unnecessary exposure. – Gina Geisel
CVE-2022-37966 – Windows Kerberos RC4-HMAC Elevation of Privilege – CRITICAL
Like other elevation of privilege vulnerabilities, this one lets an adversary gain unauthorized access to carry out further attacks, but it does not by itself allow remote code execution. It is a cryptographic weakness rather than a memory-safety bug: Microsoft rates the attack vector as network with high attack complexity, and no privileges or user interaction are required. An unauthenticated attacker on the network of an Active Directory environment could abuse weaknesses in the RC4-HMAC-MD5 encryption type (RFC 4757) together with MS-PAC to bypass security features and elevate privileges.
Kerberos is an authentication protocol used to verify the identity of a user or host. Windows Server operating systems use Kerberos for a range of security services. The most common scenarios Kerberos enables are:
Delegated authentication: Kerberos issues a ticket that lets a service act on behalf of its client when connecting to other services.
Single sign-on: Kerberos authentication within a domain gives a user or service access to the resources administrators have permitted without repeated prompts for credentials.
Kerberos in Windows supports several encryption types. RC4-HMAC-MD5 (RFC 4757) uses the RC4 stream cipher with an HMAC-MD5 checksum; it was the primary type in Windows 2000 and XP and remains enabled by default for backward compatibility, even though AES (RFC 3962) has been preferred since Windows Server 2008 and Vista. RC4-HMAC is the weakest type still enabled by default: its key is simply the account’s unsalted NT hash, so an attacker holding a hash can request tickets without knowing the password, and an RC4-encrypted service ticket can be cracked offline far faster than an AES one. Where RC4 is still used for Kerberos tickets in an Active Directory domain, service accounts with weak passwords are exposed to takeover through Kerberoasting.
This vulnerability affects all Windows Server versions from 2012 through Windows Server 2022; Kerberos is also present on all Windows 8 and later client versions. It scores CVSS 8.1, making it a critical vulnerability to address, and Automox recommends patching within 72 hours to minimize unnecessary exposure. – Preetham Gurram
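Before or alongside the patch, it is worth knowing which accounts in the domain can still be issued RC4 tickets. The following is an added example, not code from the original post or from Microsoft: it decodes the msDS-SupportedEncryptionTypes bit mask on every user and computer account, flags accounts that allow RC4 (explicitly or by leaving the attribute unset), and reads the KDC’s DefaultDomainSupportedEncTypes value that Microsoft’s guidance for this CVE (KB5021131) introduces. The account name svc_sql in the remediation comment is a placeholder.

```powershell
# Added example (not from the original post): find Active Directory accounts that still
# allow RC4-HMAC-MD5 for Kerberos, and read the KDC's default encryption types.
# Requires the ActiveDirectory module (RSAT) and read access to the directory; the KDC
# registry check must run on a domain controller.
# msDS-SupportedEncryptionTypes is a bit mask: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5,
# 0x4 RC4-HMAC, 0x8 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96,
# 0x20 AES session keys (the "AES-SK" bit in KB5021131's 0x27 default).
Import-Module ActiveDirectory

$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x1
    DES_CBC_MD5 = 0x2
    RC4_HMAC    = 0x4
    AES128      = 0x8
    AES256      = 0x10
    AES_SK      = 0x20
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    # Null or 0 has historically meant the KDC falls back to RC4 for that account's tickets;
    # KB5021131 recommends setting an explicit AES value instead of relying on the default.
    if (-not $Mask) { return 'not set (RC4 by default)' }
    ($EncTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }) -join ','
}

function Get-Rc4KerberosExposure {
    $props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
    # Users with an SPN are the classic Kerberoasting targets, but report every account.
    $accounts  = @(Get-ADUser -Filter * -Properties $props)
    $accounts += @(Get-ADComputer -Filter * -Properties $props)
    foreach ($a in $accounts) {
        $mask      = [int]$a.'msDS-SupportedEncryptionTypes'
        $allowsRc4 = (-not $mask) -or (($mask -band $EncTypeBits.RC4_HMAC) -ne 0)
        $hasAes    = ($mask -band ($EncTypeBits.AES128 -bor $EncTypeBits.AES256)) -ne 0
        [pscustomobject]@{
            Account   = $a.SamAccountName
            Kind      = $a.ObjectClass
            HasSPN    = [bool]$a.servicePrincipalName
            EncTypes  = ConvertFrom-EncTypeMask $mask
            AllowsRC4 = $allowsRc4
            AESOnly   = $hasAes -and -not $allowsRc4
        }
    }
}

function Get-KdcDefaultEncTypes {
    # On a DC, KB5021131 adds DefaultDomainSupportedEncTypes; when the value is absent the
    # KDC behaves as if it were 0x27 (DES, RC4 and AES session keys).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
    $item = Get-ItemProperty -Path $key -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue
    $val  = if ($null -ne $item) { [int]$item.DefaultDomainSupportedEncTypes } else { 0x27 }
    [pscustomobject]@{
        Mask      = ('0x{0:X}' -f $val)
        EncTypes  = ConvertFrom-EncTypeMask $val
        IsDefault = ($null -eq $item)
    }
}

# Usage: service accounts that can still be issued RC4 tickets are the Kerberoasting exposure.
Get-Rc4KerberosExposure | Where-Object { $_.HasSPN -and $_.AllowsRC4 } | Format-Table -AutoSize
Get-KdcDefaultEncTypes

# Remediation for one account (svc_sql is a placeholder), only after confirming the service
# supports AES and that the account's password was changed after AES was enabled in the
# domain: AES keys are derived at password change, so an account with an older password has
# no AES keys and would stop authenticating.
# Set-ADUser -Identity svc_sql -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }   # AES128+AES256
```

To confirm whether RC4 is actually in use rather than merely allowed, correlate the output with Security event 4769 on the domain controllers: a Ticket Encryption Type of 0x17 is RC4-HMAC, while 0x12 and 0x11 are AES256 and AES128. Accounts that appear in the audit above but never show 0x17 tickets can be moved to AES-only with little risk; those that do need the service owner involved first.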