Still No Patch For Exchange “ProxyNotShell” Vulnerabilities as Microsoft Patches Critical Vulnerabilities

Automox Experts Weigh in on October 2022 Patch Tuesday Release

October Patch Tuesday has come and gone with the recent Microsoft Exchange zero-days “ProxyNotShell” still unpatched, leaving some administrators in a scary situation heading into Halloween. If you’re running an on-prem Exchange Server, even if it’s part of a hybrid deployment, you need to apply Microsoft’s recommended mitigation ASAP.

Outside of Exchange, the world still spins. Microsoft patched 14 critical vulnerabilities and one actively exploited vulnerability (out of 81 total this month) across multiple widely adopted products that you’ll want to patch right away.

Nearly everyone running Windows desktops/laptops and Server needs to patch CVE-2022-41033, an actively exploited vulnerability in the COM+ Event System Service that allows elevation of privileges to SYSTEM with a simple attack when a threat actor has access to vulnerable endpoints.

If you’re using Azure Arc Connect to manage on-prem infrastructure and Azure in tandem, there is a CVSS 10/10 remote code execution (RCE) vulnerability that you’ll want to patch as soon as possible (less than 72 hours) if auto-updates are disabled.

There are also several critical and important vulnerabilities in Microsoft SharePoint that allow an authenticated attacker with access to Manage Lists to execute code remotely within SharePoint. Organizations also using Microsoft Office should prioritize CVE-2022-38048, a critical vulnerability that can be exploited by socially engineering users to open a malicious Office file on vulnerable versions to run code arbitrarily on their system.

Finally, there’s an important vulnerability in Windows Print Spooler that allows attackers to elevate to SYSTEM privileges when exploited, and is more likely to be targeted by threat actors.

CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability – IMPORTANT

CVE-2022-41033 is a CVSSv3.1 7.8/10 vulnerability in Windows COM+ Event System Service present on nearly all builds of Windows 7-11 and Server 2008-2022. This vulnerability allows for an attacker with local access to the machine to elevate to SYSTEM privileges with a relatively simple exploit. Since the vulnerability is being exploited, and the flaw exists on nearly every operating system build, we recommend patching it within 24 hours. – Peter Pflaster

CVE-2022-38048 – Microsoft Office Remote Code Execution Vulnerability – CRITICAL

CVE-2022-38048 is a critical vulnerability identified in Microsoft Office scoring a CVSS 7.8. This vulnerability is present in most builds of Microsoft Office, including Microsoft 365 Apps installed locally. This vulnerability can lead to remote code execution (RCE). An attacker exploiting this vulnerability could take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights. The vulnerability is less likely to be exploited, according to Microsoft. However, the attack complexity is low and present in a very commonly used Microsoft productivity product, making this a suitable candidate for attackers to target. Patching critical vulnerabilities is an important first step to maintaining a safe and secure infrastructure. – Jay Goodman

CVE-2022-37989 and 37987 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerabilities – IMPORTANT

CVE-2022-37989 and 37987 are two “important” vulnerabilities in Microsoft Client Server Run-Time Subsystem (CSRSS) scoring a CVSS 7.8 each. CSRSS is a component in the Microsoft NT family of operating systems, versions 3.1 and later, that provides the user mode side of the Win32 subsystem. These vulnerabilities allow attackers to elevate their privilege level, giving them the ability to run arbitrary or malicious code at that higher level, increasing the effectiveness or reach of the attack. – Jay Goodman

CVE-2022-38028 – Windows Print Spooler Elevation of Privilege Vulnerability – IMPORTANT

CVE-2022-38028 is much like previous Print Spooler CVEs as a low-privilege and low-complexity vulnerability that requires no user interaction. To exploit the Windows Print Spooler Elevation of Privilege Vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application to gain system privileges. Examples of these attacker privileges include installing programs, modifying, changing and deleting data, creating new accounts with full user rights, and moving laterally around networks.

This vulnerability can be exposed across a wide range of Windows devices:

  • Windows 10 (32-bit and x64-based Systems) including versions 1607, 1809, 20H2, 21H1, and 21H2

  • Windows 10 (ARM64-based Systems) including versions 1809, 20H2, 21H1, 21H2

  • Windows 11 (x64-based and ARM64-based Systems) including version 22H2

  • Windows 8.1 (32-bit and x64-based Systems)

  • Windows RT 8.1

  • Windows Server 2012, 2012 R2, 2016, 2019, and 2022 (including Server Core installation)

As security flaws in the Windows Print Spooler component are constantly being discovered, we see attackers continuing to focus their time trying to actively exploit this vulnerability in the wild. If you haven’t already done so, your Windows Print Spooler should be patched within the next 72 hours, as this has been an ongoing issue. – Gina Geisel

CVE-2022-37968 – Azure Arc Connect Elevation of Privilege Vulnerability – CRITICAL

Azure Arc Connect is a tool that enables Azure, Microsoft’s cloud offering, to manage Kubernetes clusters and on-prem infrastructure as if they were deployed within Azure. Organizations with a multi or hybrid-cloud approach may utilize Azure Arc Connect to manage services outside of Azure within a single pane of glass.

CVE-2022-37968 is a critical, CVSSv3.1 score 10/10 elevation of privilege vulnerability within Azure Arc Connect. Attackers that know the external DNS endpoint for the cluster can utilize a simple, unauthenticated attack over the network to elevate to administrator privileges – a particularly dangerous combination within a tool that organizations use to manage cloud resources and data.

A successful elevation of privilege could lead to various malicious activities such as remote code execution, denial of service, or data theft.

If you use Azure Arc Connect, Kubernetes clusters connected to the vulnerable Arc could also be affected. We recommend patching within 72 hours due to the exploit's simplicity and the potential risk and impact of a vulnerable cloud management tool. – Peter Pflaster

CVE-2022-41038 – Microsoft SharePoint Server Remote Code Execution Vulnerability – CRITICAL

SharePoint is a widely used enterprise collaboration tool primarily used for storage and document management, though many organizations run highly custom instances. CVE-2022-41038 is a critical, CVSSv3.1 8.8/10 remote code execution (RCE) vulnerability found in SharePoint Enterprise and Foundation 2013 Service Pack 1, SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition. CVE-2022-41036/41037/38053 are also Important, CVSSv3.1 8.8/10 RCE vulnerabilities that affect the above versions of SharePoint.

Attackers with authenticated SharePoint access (gained via phishing or other means) with permission to use Manage Lists within the product can use a simple network-based attack to execute code remotely on vulnerable SharePoint Servers. Attackers may target organizations to distribute ransomware or exfiltrate documents. Microsoft notes that CVE-2022-41038 is more likely to be exploited, so we recommend patching vulnerable systems within 72 hours. – Peter Pflaster