The November 2022 Security Update Review

Welcome to the penultimate Patch Tuesday of 2022. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for November 2022

For November, Adobe released no patches at all. They have released as few as one in the past, but this is the first month in the last six years with no fixes whatsoever. Perhaps the U.S. elections played a factor, as Patch Tuesday hasn’t fallen on Election Day since 2016. Whatever the cause, enjoy a month of no Adobe updates.

Microsoft Patches for November 2022

This month, Microsoft released 64 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure and Azure Real Time Operating System; Microsoft Dynamics; Exchange Server; Office and Office Components; Sysinternals; Visual Studio; SharePoint Server; Network Policy Server (NPS); Windows BitLocker; and Linux Kernel and Open Source Software. This is in addition to five CVEs from third parties being integrated into Microsoft products, bringing the total number of fixes to 69. Eight of these CVEs were submitted through the ZDI program.

Of the 64 new patches released today, 11 are rated Critical and 53 are rated Important in severity. This volume is similar to previous November releases. It also pushes Microsoft over the number of fixes they released in 2021 and makes this year their second busiest ever for patches.

One of the new CVEs released this month is listed as publicly known, and six are listed as being exploited in the wild at the time of release (the publicly known one is among them). Those six include the two Exchange bugs that have been under active attack since September. Let’s take a closer look at some of the more interesting updates for this month, starting with those Exchange fixes we’ve been waiting for:

–       CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability
–       CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
These patches address the recent Exchange bugs that are currently being used in active attacks. They were expected last month, but they are finally here (along with several other Exchange fixes). The ZDI purchased these bugs at the beginning of September and reported them to Microsoft at that time; at some point afterward, they were detected in the wild. Microsoft has published several different mitigation recommendations since then, but the best advice is to test and deploy these fixes. Some doubted these patches would ship this month, so it’s good to see them here.

–       CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability
This bug in JScript is also listed as being exploited in the wild. An attacker would need to lure a user to either a specially crafted website or a server share. In doing so, they would get their code to execute on the affected system at the privilege level of the logged-on user. Microsoft provides no insight into how widespread this may be, but considering it’s a browse-and-own scenario, I expect this will be a popular bug to include in exploit kits.

–       CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability
If you follow Will Dormann on Twitter, you have probably already read quite a bit about these types of bugs. Mark of the Web (MoW) is meant to be applied to files downloaded from the Internet. Such files should be treated differently and trigger security warning dialogs when opened; a bypass means a downloaded file is handled as if it were local. This vulnerability is also listed as being under active attack, but again, Microsoft provides no information on how widespread these attacks may be.
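The mark itself is just a small NTFS alternate data stream named Zone.Identifier on the file, and it is worth knowing how to inspect it when checking whether a download was handled correctly. The following is an added example, not code from the original post or from Microsoft: it reads, applies and clears the mark, and sweeps a folder for files that lack it. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the demo file and the Downloads path are constructed for illustration.

```powershell
# Added example, not code from the original post: read, set and remove the Mark of the Web.
# The mark is the "Zone.Identifier" NTFS alternate data stream; ZoneId=3 is the Internet zone,
# which is what SmartScreen, the script hosts and Office Protected View key off.
# Assumes Windows PowerShell 5.1+ on NTFS; the demo file name below is constructed.

function Get-MotwZone {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    # A file with no Zone.Identifier stream carries no mark; Get-Content throws, so report $null.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # stream exists but has no ZoneId line
}

function Set-MotwInternet {
    # Apply the same mark a browser download receives. Handy for building test files to confirm
    # that a handler (Office, wscript, SmartScreen) still prompts as expected after patching.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Find-UnmarkedFiles {
    # Enumerate risky file types under a directory that carry no Internet (3) or Restricted (4) mark.
    # In a folder that should only hold downloads, an unmarked script or executable deserves a look.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Directory,
        [string[]]$Extensions = @('.exe', '.dll', '.js', '.vbs', '.ps1', '.lnk', '.iso', '.zip', '.docm', '.xlsm')
    )
    Get-ChildItem -LiteralPath $Directory -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = Get-MotwZone -Path $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                ZoneId = $zone
                Marked = ($null -ne $zone -and $zone -ge 3)
            }
        }
}

# Demo on a constructed file: a freshly created local file has no mark, marking it yields 3,
# and Unblock-File (the "Unblock" checkbox in the file's Properties dialog) deletes the stream.
$demo = Join-Path $env:TEMP 'motw-demo.js'
Set-Content -LiteralPath $demo -Value 'WScript.Echo("constructed sample")'
"fresh local file: zone = $(Get-MotwZone -Path $demo)"
Set-MotwInternet -Path $demo
"after marking:    zone = $(Get-MotwZone -Path $demo)"
Unblock-File -LiteralPath $demo
"after unblock:    zone = $(Get-MotwZone -Path $demo)"

# Sweep the user's Downloads folder and show only what is unmarked.
Find-UnmarkedFiles -Directory (Join-Path $env:USERPROFILE 'Downloads') | Where-Object { -not $_.Marked }
```

One caveat the stream makes obvious: the mark is per file, so a marked archive or container does not guarantee that whatever is extracted from it is marked as well; that depends on the tool doing the extraction. When you verify a MoW fix, test the file type the user actually opens, not just the download.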

–       CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability
The legacy of PrintNightmare continues as threat actors keep mining the vast attack surface that is the Windows Print Spooler. While we’ve seen plenty of other spooler patches since PrintNightmare, this one is listed as being exploited in the wild. Although not specifically called out in the advisory, disabling the Print Spooler service should be an effective workaround. Of course, that breaks printing on that host, but if you’re in a situation where patching isn’t feasible, it is an option.
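Because the workaround breaks printing, the step a practitioner wants before flipping the switch is a check for whether the host is actually serving printers. The following is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session with the PrintManagement module (Windows 8/Server 2012 or later) and is meant as a stopgap until the CVE-2022-41073 update is deployed.

```powershell
# Added example, not code from the original post: disable the Print Spooler as a stopgap for
# CVE-2022-41073 where the update cannot be deployed yet, refusing by default on hosts that
# share printers. Assumes an elevated session; Get-Printer needs the PrintManagement module.

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Force)   # -Force: disable even if this host shares printers

    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # A host that shares printers is a print server; stopping the spooler takes those queues
    # offline for every client, so make the operator say so explicitly.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    if ($shared.Count -gt 0 -and -not $Force) {
        Write-Warning ("{0} shared printer(s) on this host ({1}); re-run with -Force to disable anyway." -f
            $shared.Count, ($shared.Name -join ', '))
        return
    }

    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        # Disabled (not Manual) so that nothing restarts it on the next print request or reboot.
        Set-Service -Name Spooler -StartupType Disabled
    }
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

function Enable-PrintSpooler {
    # Rollback once the patch is installed.
    [CmdletBinding()]
    param()
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

# Dry run first, then the real thing.
Disable-PrintSpooler -WhatIf
Disable-PrintSpooler
```

For a host that must keep printing locally but should not accept inbound print connections, the Group Policy setting "Allow Print Spooler to accept client connections" (Computer Configuration > Administrative Templates > Printers) set to Disabled is the narrower option, but it does not remove the local attack surface the way stopping the service does.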

–       CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
The final bug listed under active attack for November is this privilege escalation in the Cryptography API: Next Generation (CNG) Key Isolation Service. An attacker can abuse this bug to run their code as SYSTEM. They would need to be authenticated on the system first, which is why bugs like these are often paired with some form of remote code execution exploit. As with all the other in-the-wild exploits, there’s no indication of how widely this is being used, but it’s likely somewhat targeted at this point. Still, test and deploy the updates quickly.

Here’s the full list of CVEs released by Microsoft for November 2022:

CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | Yes | Yes | SFB
CVE-2022-41040 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8.8 | No | Yes | EoP
CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 8.8 | No | Yes | RCE
CVE-2022-41128 | Windows Scripting Languages Remote Code Execution Vulnerability | Critical | 8.8 | No | Yes | RCE
CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP
CVE-2022-41073 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP
CVE-2022-39327 * | GitHub: CVE-2022-39327 Improper Control of Generation of Code (‘Code Injection’) in Azure CLI | Critical | N/A | No | No | RCE
CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP
CVE-2022-38015 | Windows Hyper-V Denial of Service Vulnerability | Critical | 6.5 | No | No | DoS
CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability | Critical | 7.2 | No | No | EoP
CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability | Critical | 8.1 | No | No | EoP
CVE-2022-41039 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-41088 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-41044 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-41118 | Windows Scripting Languages Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE
CVE-2022-3602 * | OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun | High | 7.5 | No | No | RCE
CVE-2022-3786 * | OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun | High | 7.5 | No | No | DoS
CVE-2022-41064 | .NET Framework Information Disclosure Vulnerability | Important | 5.8 | No | No | Info
CVE-2022-23824 * | AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions | Important | Unknown | No | No | Info
CVE-2022-41085 | Azure CycleCloud Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP
CVE-2022-41051 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-41099 | BitLocker Security Feature Bypass Vulnerability | Important | 4.6 | No | No | SFB
CVE-2022-39253 * | GitHub: CVE-2022-39253 Local clone optimization dereferences symbolic links by default | Important | 5.5 | No | No | Info
CVE-2022-41066 | Microsoft Business Central Information Disclosure Vulnerability | Important | 4.4 | No | No | Info
CVE-2022-41096 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41105 | Microsoft Excel Information Disclosure Vulnerability | Important | 7.8 | No | No | Info
CVE-2022-41106 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-41063 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-41104 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB
CVE-2022-41123 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41078 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8.0 | No | No | Spoofing
CVE-2022-41079 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8.0 | No | No | Spoofing
CVE-2022-41047 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-41048 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-41107 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-41062 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-41122 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing
CVE-2022-41120 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41060 | Microsoft Word Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-41103 | Microsoft Word Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-41061 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP
CVE-2022-41056 | Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-41097 | Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2022-41119 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-41100 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41045 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41093 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41114 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2022-41095 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41050 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41098 | Windows GDI+ Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-41052 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-41086 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 6.4 | No | No | EoP
CVE-2022-37992 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41057 | Windows HTTP.sys Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41055 | Windows Human Interface Device Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-41053 | Windows Kerberos Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-41049 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | No | No | SFB
CVE-2022-41058 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-41101 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41102 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41090 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | DoS
CVE-2022-41116 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | DoS
CVE-2022-41054 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-38014 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2022-41113 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41109 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41092 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

There are four additional bugs in Exchange Server receiving fixes this month, and three of those were reported by ZDI Vulnerability Researcher Piotr Bazydło. Most notably, the privilege escalation bug (CVE-2022-41123) is due to Exchange having a hardcoded path to a file on the “D:” drive. If a “D:” drive exists and an attacker places a DLL in the specified folder, Exchange will load that DLL. By default, low-privileged users have write access to the “D:” drive (assuming it exists). Another vector would be a low-privileged attacker inserting an optical disc or attaching an external drive that gets assigned the letter “D:”. Hard to believe a hard-coded path still exists within Exchange, but here we are. The two spoofing bugs (CVE-2022-41078 and CVE-2022-41079) would allow an authenticated attacker to obtain an NTLMv2 challenge and go on to perform NTLM relaying attacks. I have a strong premonition many Exchange administrators have a long weekend in front of them.
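The precondition for the hardcoded-path bug is simple to check on an Exchange host: does a D: volume exist, and can a low-privileged principal create files or folders under its root? The following is an added example, not code from the original post or from Microsoft. It only examines the drive root, since the post does not name the folder Exchange looks for; the list of low-privileged principals it checks is an assumption that covers the defaults for a data volume.

```powershell
# Added example, not code from the original post: test whether the root of a volume (D: by
# default) is writable by low-privileged principals, the precondition the text gives for the
# hard-coded-path DLL load in CVE-2022-41123. Run on the Exchange server itself. The principal
# list is an assumption; extend it for custom groups in your environment.

function Test-DriveRootWritableByLowPriv {
    [CmdletBinding()]
    param([string]$Root = 'D:\')

    # Principals every interactive or domain user falls under.
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    # Rights that let a caller drop a file or directory directly under the root.
    # CreateFiles == WriteData (0x2) and CreateDirectories == AppendData (0x4).
    $writeBits    = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                          [System.Security.AccessControl.FileSystemRights]::CreateDirectories)
    $genericWrite = 0x40000000   # GENERIC_WRITE on ACEs that were never mapped to specific rights
    $genericAll   = 0x10000000   # GENERIC_ALL
    $inheritOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    if (-not (Test-Path -LiteralPath $Root)) {
        return [pscustomobject]@{ Root = $Root; Exists = $false; LowPrivCanWrite = $false; Entries = @() }
    }

    $acl  = Get-Acl -LiteralPath $Root
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        $mask = $ace.FileSystemRights.value__
        if (($mask -band $writeBits) -or ($mask -band $genericWrite) -or ($mask -band $genericAll)) {
            [pscustomobject]@{
                Identity      = $ace.IdentityReference.Value
                Rights        = $ace.FileSystemRights
                # An inherit-only ACE grants nothing on the root itself, only on children.
                AppliesToRoot = (($ace.PropagationFlags -band $inheritOnly) -eq 0)
            }
        }
    }

    [pscustomobject]@{
        Root            = $Root
        Exists          = $true
        LowPrivCanWrite = (@($hits | Where-Object AppliesToRoot).Count -gt 0)
        Entries         = @($hits)
    }
}

# The default ACL on a freshly formatted data volume gives Authenticated Users "Modify" on
# subfolders and files plus CreateDirectories on the root itself, which is enough: the attacker
# creates the expected folder and drops the DLL in it.
Test-DriveRootWritableByLowPriv -Root 'D:\' | Format-List
```

If the report shows LowPrivCanWrite as true, tightening the root ACL is a reasonable interim step until the Exchange update is installed, but remember the second vector the text mentions: a removable or optical drive that lands on D: brings its own, attacker-controlled file system, so the ACL check covers only the first scenario.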

Looking at the remaining Critical-rated fixes, the two privilege escalation bugs in Kerberos stand out. Applying the patch alone isn’t enough: you’ll need to review KB5020805 and KB5021131 to see the changes made and the next steps. Microsoft notes this is a phased rollout of fixes, so look for additional updates that will further change Kerberos behavior as the audit phases give way to enforcement. There’s another patch for Scripting Languages, in this case JScript and Chakra, and this one is not listed as under active attack. There are three Critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP). This seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols. If you rely on PPTP, you should really consider upgrading to something more modern. There’s a Critical-rated denial-of-service (DoS) bug in Hyper-V, which is pretty unusual to see. DoS bugs rarely get the Critical tag, but Microsoft states, “Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host.” I guess a guest-to-host impact is severe enough to earn a Critical rating despite the 6.5 CVSS score. The fix for the Azure CLI was actually released a couple of weeks ago and is only being documented now.

In addition to the fixes we’ve already discussed, there are 11 other patches for remote code execution vulnerabilities, including a memory corruption bug in the Windows Graphics Component reported by ZDI Vulnerability Researcher Hossein Lotfi. There are also multiple RCE bugs in various Office components, including one from ZDI Vulnerability Researchers Mat Powell and Michael DePlante. In these cases, user interaction is required to open the file; the Preview Pane isn’t an exploit vector. There’s an authenticated SharePoint RCE, but a default user already has the permissions needed to take over a SharePoint server with it. The vulnerability in Azure RTOS GUIX Studio would require a user to run specially crafted code, so a level of social engineering would likely be needed to exploit this bug. The final two RCE bugs are in the ODBC driver, and these would require some social engineering to exploit as well: an attacker would need to convince someone to connect to a malicious SQL server via ODBC. If they can do that from an affected system, they could execute code on the client.

A total of 26 bugs in this release are Elevation of Privilege (EoP) bugs, including those already mentioned. The majority of these require an authenticated user to run specially crafted code on an affected system, but a few stand out. The first is the fix for Netlogon, which reads similarly to the aforementioned Kerberos fixes: Microsoft is rolling out the change in phases, and admins should review KB5021130 for the additional steps. The bug in Azure CycleCloud has a brute-force component, which definitely makes exploitation more difficult. Still, if you are using CycleCloud to manage your HPC environments on Azure, ensure you get it updated. The fixes for ALPC note that the bugs could be used to escape a contained execution environment. While certainly not the first bugs to do so, I don’t recall Microsoft documenting this before now. Finally, there’s an EoP in Sysmon, part of the Sysinternals suite. These tools are often used by incident responders, so make sure you have an updated version before heading out to recover a compromised system.
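The Kerberos fixes (KB5020805, KB5021131) and the Netlogon fix (KB5021130) share the same shape: the update installs in a compatibility or audit mode controlled by a registry value, logs events about clients that would break under enforcement, and later updates move the default toward enforcement. The following is an added example, not code from the original post or from Microsoft, that reports where a domain controller sits in each rollout and summarizes the related audit events. The registry paths, value names and meanings follow those KB articles; the Netlogon event IDs 5838 through 5841 are from KB5021130, while the KDC event IDs used below (42, 43, 44) are an assumption to verify against the Kerberos KBs. Run it in an elevated session on each DC.

```powershell
# Added example, not code from the original post: show where a domain controller sits in the
# phased rollouts for CVE-2022-37967 (KB5020805), CVE-2022-37966 (KB5021131) and
# CVE-2022-38023 (KB5021130), and count the audit events they emit. Registry names and
# meanings follow the KBs; the KDC event IDs (42, 43, 44) are an assumption, the Netlogon
# IDs (5838-5841) are from KB5021130. Run elevated on each DC.

$Checks = @(
    @{ KB = 'KB5020805'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'; Name = 'KrbtgtFullPacSignature'
       Meaning = @{ 0 = 'Disabled (unsupported)'; 1 = 'Add new PAC signatures, do not validate (initial default)'; 2 = 'Audit'; 3 = 'Enforcement' } }
    @{ KB = 'KB5021131'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'; Name = 'DefaultDomainSupportedEncTypes'
       Meaning = $null }   # a bitmask, decoded below
    @{ KB = 'KB5021130'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'RequireSeal'
       Meaning = @{ 0 = 'Disabled (unsupported)'; 1 = 'Compatibility'; 2 = 'Enforcement' } }
)

function Convert-EncTypeMask {
    # Same bit layout as msDS-SupportedEncryptionTypes, which this KDC value stands in for
    # when an account has no explicit setting.
    param([int]$Mask)
    $bits = @(
        @(0x1,  'DES-CBC-CRC'), @(0x2, 'DES-CBC-MD5'), @(0x4, 'RC4-HMAC'),
        @(0x8,  'AES128-CTS-HMAC-SHA1-96'), @(0x10, 'AES256-CTS-HMAC-SHA1-96'),
        @(0x20, 'AES256-SK (session keys only)')
    )
    $names = foreach ($b in $bits) { if ($Mask -band $b[0]) { $b[1] } }
    '0x{0:X} = {1}' -f $Mask, ($names -join ', ')
}

function Get-KerberosHardeningState {
    foreach ($c in $Checks) {
        $prop  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $prop) { [int]$prop.($c.Name) } else { $null }
        $state = if ($null -eq $value) { 'not set: the built-in default of the installed update applies' }
                 elseif ($c.Meaning)   { $c.Meaning[$value] }
                 elseif ($c.Name -eq 'DefaultDomainSupportedEncTypes') { Convert-EncTypeMask $value }
                 else                  { "$value" }
        [pscustomobject]@{ KB = $c.KB; Setting = $c.Name; Raw = $value; State = $state }
    }
}

function Get-KerberosHardeningEvents {
    # Audit-mode events are the signal to review before moving a setting to enforcement:
    # each one names a client, ticket or account that enforcement would reject.
    param([int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5838, 5839, 5840, 5841; StartTime = $since }
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 42, 43, 44; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Group-Object -Property Id |
            Select-Object @{ n = 'Provider'; e = { $f.ProviderName } }, @{ n = 'EventId'; e = { [int]$_.Name } }, Count
    }
}

Get-KerberosHardeningState  | Format-Table -AutoSize
Get-KerberosHardeningEvents -Days 7 | Format-Table -AutoSize
```

Run the state report on every DC, not just one: the values are per-server, and a single DC left in a weaker mode keeps the whole domain exposed to whichever downgrade the setting guards against. An empty event list after a week in audit mode is the evidence you want before raising RequireSeal or KrbtgtFullPacSignature to enforcement.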

The November release includes eight new fixes for information disclosure bugs. Most of these only result in leaks of unspecified memory contents. There is one notable exception: the vulnerability in Business Central requires admin credentials but could lead to the disclosure of integration secrets owned by a different partner. Presumably, that information would allow impersonation of the other partner’s integration.

Four Security Feature Bypass bugs in total are getting fixed this month, including the patch for the MoW bug being actively exploited. There’s another fix for a MoW bug, but that one is not listed as under active attack. The fix for Excel addresses a bug that would bypass the content check in the INDIRECT function. More notably, the bug in BitLocker could allow an attacker with physical access to bypass the Device Encryption feature and access the encrypted data. Preventing exactly that is pretty much the “one job” of Device Encryption, so regardless of exploitability, this is a significant bypass.

Today’s release also includes fixes for five additional DoS bugs. Four of these impact network protocols: PPTP, RADIUS, and Network Address Translation (NAT). A successful attack on one of these protocols would cause the service to stop responding. The same is true of the bug in Kerberos, which could impact logging on and other functionality that relies on the Kerberos service.

There is one spoofing bug in SharePoint server, but beyond the authentication requirement, there’s no information regarding the exploit scenario.

Finally, you may have heard of some OpenSSL bugs that had everyone abuzz before their release. To say they fizzled out is a bit of an understatement. Still, the fixes for Microsoft products are included in this release.

There is one new advisory this month adding defense-in-depth functionality to Microsoft Office. The new feature hardens the handling of IRM-protected documents by verifying the certificate trust chain. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The final Patch Tuesday of 2022 will be on December 13, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!