
WARNING: MICROSOFT PATCH TUESDAY NOVEMBER 2022 PATCHES 62 VULNERABILITIES (9 CRITICAL, 6 ACTIVELY EXPLOITED)

Reference: Advisory #2022-036
Version: 1.0
Affected software: 
.NET Framework
AMD CPU Branch
Azure
Azure Real Time Operating System
Linux Kernel
Microsoft Dynamics
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Network Policy Server (NPS)
Open Source Software
Role: Windows Hyper-V
SysInternals
Visual Studio
Windows Advanced Local Procedure Call
Windows ALPC
Windows Bind Filter Driver
Windows BitLocker
Windows CNG Key Isolation Service
Windows Devices Human Interface
Windows Digital Media
Windows DWM Core Library
Windows Extensible File Allocation
Windows Group Policy Preference Client
Windows HTTP.sys
Windows Kerberos
Windows Mark of the Web (MOTW)
Windows Netlogon
Windows Network Address Translation (NAT)
Windows ODBC Driver
Windows Overlay Filter
Windows Point-to-Point Tunneling Protocol
Windows Print Spooler Components
Windows Resilient File System (ReFS)
Windows Scripting
Windows Win32K
Type: Several types, ranging from information disclosure to remote code execution and privilege escalation.
CVE/CVSS: 

Number of CVEs per type

  • 26 Elevation of Privilege Vulnerabilities
  • 15 Remote Code Execution Vulnerabilities
  • 8 Information Disclosure Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities

 

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2022-Nov

Risks

This month’s Patch Tuesday includes 9 critical and 6 actively exploited 0-day vulnerabilities.

Description

CVE-2022-41080 - Microsoft Exchange Server Elevation of Privilege Vulnerability

This is a Privilege Escalation vulnerability with a CVSS Base Score of 8.8 affecting Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange Server 2016 Cumulative Update 22, Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft Exchange Server 2019 Cumulative Update 11, Microsoft Exchange Server 2019 Cumulative Update 12.

Technical details to exploit this vulnerability are unknown, but the attack complexity is low and successful exploitation is more likely.

CVE-2022-41128 - Windows Scripting Languages Remote Code Execution Vulnerability

This actively exploited 0-day vulnerability affects the JScript9 scripting language and has a CVSS Base Score of 8.8.

The attack can be initiated remotely: an attacker has to convince a victim to visit a server share or website they host, typically by way of an enticement in an email or chat message.

CVE-2022-41039, CVE-2022-41044 and CVE-2022-41088 - Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerabilities

These three critical Remote Code Execution (RCE) vulnerabilities have a CVSS Base Score of 8.1 and affect the Windows Point-to-Point Tunneling Protocol (PPTP).

An unauthenticated attacker can send a crafted request to a RAS (Remote Access Server), which can lead to remote code execution. These three vulnerabilities are less likely to be exploited, as the attacker must win a complex race condition.

CVE-2022-37967 - Windows Kerberos Elevation of Privilege Vulnerability

This Privilege Escalation vulnerability has a CVSS Base Score of 8.1 and the attack complexity is low.

An attacker can leverage cryptographic protocol vulnerabilities in the Windows Kerberos AES-SHA1 cipher suite to gain control over the service that is allowed for delegation and modify the Kerberos PAC (Privilege Attribute Certificate) to elevate their privileges.

CVE-2022-41073 - Windows Print Spooler Elevation of Privilege Vulnerability

This Privilege Escalation vulnerability affects the Windows Print Spooler service and has a CVSS Base Score of 7.8.

This 0-day flaw is being exploited in the wild and allows a low-privileged user to gain SYSTEM-level privileges.

CVE-2022-41125 - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

This is another 0-day Privilege Escalation vulnerability that is known to be exploited in the wild. It has a CVSS Base Score of 7.8.

The vulnerability affects the Windows Cryptography Next Generation (CNG) Key Isolation Service used for Windows cryptographic support and operations. Successful exploitation allows an attacker to gain SYSTEM privileges.

CVE-2022-41091 - Windows Mark of the Web Security Feature Bypass Vulnerability

The vulnerability is a 0-day that is being actively exploited in the wild.

By crafting a malicious file, an attacker can evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, such as Protected View in Microsoft Office, which rely on MOTW tagging.
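The following is an added example, not part of the CCB advisory or of any Microsoft tooling: a small triage helper that flags risky file types arriving without an Internet-zone mark, which is the condition under which MOTW-dependent features such as Protected View do not engage. It assumes the standard NTFS behaviour of storing MOTW in the `Zone.Identifier` alternate data stream as a `[ZoneTransfer]` section with a `ZoneId` value; the function names, the extension list and the sample data are hypothetical and constructed for illustration.

```python
import configparser
import os

# ZoneId values: 0 Local Machine, 1 Local Intranet, 2 Trusted Sites,
# 3 Internet, 4 Restricted Sites. Zones 3 and 4 mark untrusted origin.
# Hypothetical review list of extensions; adjust to local policy.
RISKY_EXT = {".iso", ".zip", ".lnk", ".js", ".docm", ".xlsm", ".exe"}

def parse_zone_id(stream_text):
    """Return the integer ZoneId from Zone.Identifier text, or None."""
    if not stream_text:
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # missing section, missing key or non-numeric value

def read_motw(path):
    """Read the Zone.Identifier stream of a file on NTFS (Windows only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # stream absent, or not an NTFS volume

def needs_review(name, stream_text):
    """True for a risky file type that carries no Internet/Restricted mark."""
    ext = os.path.splitext(name)[1].lower()
    zone = parse_zone_id(stream_text)
    return ext in RISKY_EXT and (zone is None or zone < 3)

# Constructed sample: (file name, Zone.Identifier text or None if absent).
SAMPLES = [
    ("invoice.docm", "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.test/invoice.docm\n"),
    ("report.zip", None),
    ("setup.exe", "[ZoneTransfer]\nZoneId=garbage\n"),
    ("notes.txt", None),
    ("tool.js", "[ZoneTransfer]\nZoneId=1\n"),
]

def unmarked(samples):
    """Names of sample files that should be reviewed."""
    return [name for name, text in samples if needs_review(name, text)]

if __name__ == "__main__":
    for name in unmarked(SAMPLES):
        print("review:", name)
```

Locally created files legitimately have no mark, so a check like this is only meaningful when scoped to directories that receive downloads and mail attachments, with `read_motw` supplying the stream text for each file.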

CVE-2022-41040 and CVE-2022-41082 - Microsoft Exchange Server Elevation of Privilege and Microsoft Exchange Server Remote Code Execution Vulnerabilities

It is worth noting that these two 0-day and actively exploited vulnerabilities, discovered at the end of September 2022, are now patched with this month’s security updates.

Recommended Actions

The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

References

https://blog.talosintelligence.com/microsoft-patch-tuesday-for-november-2022/
https://blog.qualys.com/vulnerabilities-threat-research/2022/11/08/november-2022-patch-tuesday
https://thehackernews.com/2022/11/install-latest-windows-update-asap.html
https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/
https://news.sophos.com/en-us/2022/11/08/microsoft-patches-62-vulnerabilities-including-kerberos-and-mark-of-the-web-and-exchange-sort-of/
https://www.tenable.com/blog/microsofts-november-2022-patch-tuesday-addresses-62-cves-cve-2022-41073