www.belgium.be Logo of the federal government

WARNING: MICROSOFT PATCH TUESDAY October 2022 PATCHES 84 VULNERABILITIES (13 CRITICAL, 71 IMPORTANT)

Reference: 
Advisory #2022-032
Version: 
1.0
Type: 
Several types, ranging from information disclosure to remote code execution and privilege escalation.
CVE/CVSS: 

Microsoft patched 84 CVEs in its October 2022 Patch Tuesday release, 13 rated as critical and 71 rated as important.

Number of CVE's per type

  •     Remote Code Execution: 20
  •     Elevation of Privileges: 39
  •     Denial of Service: 8
  •     Spoofing: 4
  •     Information Disclosure: 11
  •     Security Feature Bypass: 2

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct

Risks

This month’s Patch Tuesday includes 13 critical and 71 important vulnerabilities for a wide range of Microsoft products, affecting Microsoft Software, Server, and Workstations.

Microsoft fixed 2 zero-day vulnerabilities:

        Actively exploited: CVE-2022-41033 - Windows COM+ Event System Service Elevation of Privilege
        Publicly disclosed: CVE-2022-41043 - Microsoft Office Information Disclosure Vulnerability

Microsoft did not patch the 2 ProxyNotShell vulnerabilities (CVE-2022-41040, CVE-2022-41080) who are actively exploitd in the wild.

The Windows' point-to-point protocol has 7 critical remote code execution vulnerabilities (CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081).

Organizations should prioritize exposed PPTP VPN servers or apply addition security controls to limit public access.

Microsoft Office and Microsoft Word have 3 critical remote code execution vulnerabilities(CVE-2022-38048, CVE-2022-38049, CVE-2022-41031.

Products from the Microsoft Office suite are popular targets for threat actors.Office documents are often weaponized and used as a lure in a spear phishing campaign. Awareness training can help organisations to lower the risk of this threat.

The Centre for Cyber security Belgium recommends system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

CVE-2022-41033 - Windows COM+ Event System Service elevation of privilege vulnerability

CVE-2022-41033 is a privilege escalation vulnerability in the Windows COM+ Event System Service.
The Windows COM+ Event System Service enables system event notifications for COM+ component services.

The vulnerability received a CVSSv3 score of 7.8 and is easy to exploit. An authenticated attacker could exploit this vulnerability to gain system-level privileges.

Remark: this 0-day vulnerability is exploited in the wild.

CVE-2022-37968 - Azure Arc-enabled Kubernetes cluster connect elevation of privilege vulnerability

CVE-2022-37968 is a privilege escalation vulnerability in Microsoft’s Azure Arc, affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters.

The vulnerability received the highest possible rating CVSS score 10. An unauthenticated attacker could exploit this vulnerability to gain administrative privileges on a Kubernetes cluster.

Remark: Organisations that do not have the auto-upgrade possibility enabled must act to manually upgrade Azure Arc-enabled Kubernetes clusters.

CVE-2022-37976 - Active Directory Certificate Services elevation of privilege vulnerability

CVE-2022-37976 is a privilege escalation vulnerability in the Active Directory Certificate Services.

an attacker could perform a cross-protocol attack to gain domain administrator privileges.

The active directory is an attractive target for threat actors to spread malicious payloads across the entire organization's network.
 

Recommended Actions

The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

References

https://www.theregister.com/2022/10/11/october_patch_tuesday/
https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2022-patch-tuesday-fixes-zero-day-used-in-attacks-84-flaws/