WARNING: MICROSOFT PATCH TUESDAY NOVEMBER 2022 PATCHES 62 VULNERABILITIES (9 CRITICAL, 6 ACTIVELY EXPLOITED)
Number of CVE's per type
- 26 Elevation of Privilege Vulnerabilities
- 15 Remote Code Execution Vulnerabilities
- 8 Information Disclosure Vulnerabilities
- 6 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
Sources
https://msrc.microsoft.com/update-guide/releaseNote/2022-Nov
Risks
This month’s Patch Tuesday includes 9 critical and 6 actively exploited 0-day vulnerabilities.
Description
CVE-2022-41080 - Microsoft Exchange Server Elevation of Privilege Vulnerability
This is a Privilege Escalation vulnerability with a CVSS Base Score of 8.8 affecting Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange Server 2016 Cumulative Update 22, Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft Exchange Server 2019 Cumulative Update 11, Microsoft Exchange Server 2019 Cumulative Update 12.
Technical details to exploit this vulnerability are unknown, but the attack complexity is low and successful exploitation is more likely.
CVE-2022-41128 - Windows Scripting Languages Remote Code Execution Vulnerability
This is an actively exploited 0-day vulnerability affecting the JScript9 scripting language which has a CVSS Base Score of 8.8.
The attack can be initiated remotely: an attacker has to convince a victim to visit a server share or website they host, typically by way of an enticement in an email or chat message.
CVE-2022-41039, CVE-2022-41044 and CVE-2022-41088 - Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerabilities
These three critical Remote Code Execution (RCE) vulnerabilities have a CVSS Base Score of 8.1 and affect the Windows Point-to-Point Tunneling Protocol (PPTP).
An unauthenticated attacker can send a crafted request to a RAS (Remote Access Server), that can lead to remote code execution. These three vulnerabilities are less likely to be exploited, as the attacker must win a complex race condition.
CVE-2022-37967 - Windows Kerberos Elevation of Privilege Vulnerability
This Privilege Escalation vulnerability has a CVSS Base Score of 8.1 and the attack complexity is low.
An attacker can leverage cryptographic protocol vulnerabilities in the Windows Kerberos AES-SHA1 cipher suite to gain control over the service that is allowed for delegation and modify Kerberos PAC (Privileged Attribute Certificate) to elevate their privileges.
CVE-2022-41073 - Windows Print Spooler Elevation of Privilege Vulnerability
The Privilege Escalation vulnerability affects the Windows Print Spooler service and has a CVSS Base Score of 7.8.
This 0-day flaw is being exploited in the wild and allows a low privileged user to gain SYSTEM level privileges.
CVE-2022-41125 - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
This is yet another actively exploited 0-day Privilege Escalation vulnerability with a CVSS Base Score of 7.8 which is known to be exploited in the wild.
The vulnerability affects the Windows Cryptography Next Generation (CNG) Key Isolation Service used for Windows cryptographic support and operations. Successful exploitation allows an attacker to gain SYSTEM privileges.
CVE-2022-41091 - Windows Mark of the Web Security Feature Bypass Vulnerability
The vulnerability is a 0-day that is being actively exploited in the wild.
By crafting a malicious file, an attacker can evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, such as Protected View in Microsoft Office, which rely on MOTW tagging.
CVE-2022-41040 and CVE-2022-41082 - Microsoft Exchange Server Elevation of Privilege and Microsoft Exchange Server Remote Code Execution Vulnerability
It is worth noting that these two 0-day and actively exploited vulnerabilities, discovered at the end of September 2022, are now patched with this month’s security updates.
Recommended Actions
The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
References
https://blog.talosintelligence.com/microsoft-patch-tuesday-for-november-2022/
https://blog.qualys.com/vulnerabilities-threat-research/2022/11/08/november-2022-patch-tuesday
https://thehackernews.com/2022/11/install-latest-windows-update-asap.html
https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/
https://news.sophos.com/en-us/2022/11/08/microsoft-patches-62-vulnerabilities-including-kerberos-and-mark-of-the-web-and-exchange-sort-of/
https://www.tenable.com/blog/microsofts-november-2022-patch-tuesday-addresses-62-cves-cve-2022-41073