Welcome to the penultimate Patch Tuesday of 2021. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for November 2022
For November, Adobe released no patches at all. They’ve released as few as one in the past, but this is the first month in the last six years where they had no fixes at all. Perhaps the U.S. elections play a factor, as Patch Tuesday hasn’t fallen on Election Day since 2016. Whatever the cause, enjoy a month of no Adobe updates.
Microsoft Patches for November 2022
This month, Microsoft released 64 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure and Azure Real Time Operating System; Microsoft Dynamics; Exchange Server; Office and Office Components; SysInternals; Visual Studio; SharePoint Server; Network Policy Server (NPS); Windows BitLocker; and Linux Kernel and Open Source Software. This is in addition to five other CVEs from third parties being integrated into Microsoft products bringing the total number of fixes to 69. Six of these CVEs were submitted through the ZDI program.
Of the 64 new patches released today, nine are rated Critical and 52 are rated Important in severity. This volume is similar to previous November releases. It also pushes Microsoft over the number of fixes they released in 2021 and makes this year their second busiest ever for patches.
One of the new CVEs released this month is listed as publicly known and six others are listed as being in the wild at the time of release, which includes the two Exchange bugs listed as under active attack since September. Let’s take a closer look at some of the more interesting updates for this month, starting with those Exchange fixes we’ve been waiting for:
– CVE-2022-41028 – Microsoft Exchange Server Remote Code Execution Vulnerability
– CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
These patches address the recent Exchange bugs that are currently being used in active attacks. They were expected last month, but they are finally here (along with several other Exchange fixes). These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. At some point later, they were detected in the wild. Microsoft has released several different mitigation recommendations, but the best advice is to test and deploy these fixes. There were some who doubted these patches would release this month, so it’s good to see them here.
– CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability
This bug in JScript is also listed as being exploited in the wild. An attack would need to lure a user to either a specially crafted website or server share. In doing so, they would get their code to execute on an affected system at the level of the logged-on user. Microsoft provides no insight into how widespread this may be but considering it’s a browse-and-own type of scenario, I expect this will be a popular bug to include in exploit kits.
– CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability
If you follow Will Dormann on Twitter, you probably have already read quite a bit about these types of bugs. Mark of the Web (MoW) is meant to be applied to files downloaded from the Internet. These files should be treated differently and receive security warning dialogs when accessing them. This vulnerability is also listed as being under active attack, but again, Microsoft provides no information on how widespread these attacks may be.
– CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability
The legacy of PrintNightmare continues as threat actors continue to mine the vast attack surface that is the Windows Print Spooler. While we’ve seen plenty of other patches since PrintNightmare, this one is listed as being in the wild. While not specifically called out, disabling the print spooler should be an effective workaround. Of course, that breaks printing, but if you’re in a situation where patching isn’t feasible, it is an option.
– CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
The final bug listed under active attack for November is this privilege escalation in the “Cryptography Application Programming Interface – Next Generation” (CNG) Key Isolation Service. An attacker can abuse this bug to run their code at SYSTEM. They would need to be authenticated, which is why bugs like these are often paired with some form of remote code execution exploit. As with all the other in-the-wild exploits, there’s no indication of how widely this is being used, but it’s likely somewhat targeted at this point. Still, test and deploy the updates quickly.
Here’s the full list of CVEs released by Microsoft for November 2022:
CVE
Title
Severity
CVSS
Public
Exploited
Type
CVE-2022-41091
Windows Mark of the Web Security Feature
Bypass Vulnerability
Important
5.4
Yes
Yes
SFB
CVE-2022-41040
Microsoft Exchange Server Elevation of
Privilege Vulnerability
Critical
8.8
No
Yes
EoP
CVE-2022-41082
Microsoft Exchange Server Remote Code
Execution Vulnerability
Critical
8.8
No
Yes
RCE
CVE-2022-41128
Windows Scripting Languages Remote Code
Execution Vulnerability
Critical
8.8
No
Yes
RCE
CVE-2022-41125
Windows CNG Key Isolation Service Elevation
of Privilege Vulnerability
Important
7.8
No
Yes
EoP
CVE-2022-41073
Windows Print Spooler Elevation of Privilege
Vulnerability
Important
7.8
No
Yes
EoP
CVE-2022-39327 *
GitHub: CVE-2022-39327 Improper Control of
Generation of Code (‘Code Injection’) in Azure CLI
Critical
N/A
No
No
RCE
CVE-2022-41080
Microsoft Exchange Server Elevation of
Privilege Vulnerability
Critical
8.8
No
No
EoP
CVE-2022-38015
Windows Hyper-V Denial of Service
Vulnerability
Critical
6.5
No
No
DoS
CVE-2022-37967
Windows Kerberos Elevation of Privilege
Vulnerability
Critical
7.2
No
No
EoP
CVE-2022-37966
Windows Kerberos RC4-HMAC Elevation of
Privilege Vulnerability
Critical
8.1
No
No
EoP
CVE-2022-41039
Windows Point-to-Point Tunneling Protocol
Remote Code Execution Vulnerability
Critical
8.1
No
No
RCE
CVE-2022-41088
Windows Point-to-Point Tunneling Protocol
Remote Code Execution Vulnerability
Critical
8.1
No
No
RCE
CVE-2022-41044
Windows Point-to-Point Tunneling Protocol
Remote Code Execution Vulnerability
Critical
8.1
No
No
RCE
CVE-2022-41118
Windows Scripting Languages Remote Code
Execution Vulnerability
Critical
7.5
No
No
RCE
CVE-2022-3602 *
OpenSSL: CVE-2022-3602 X.509 certificate
verification buffer overrun
High
7.5
No
No
RCE
CVE-2022-3786 *
OpenSSL: CVE-2022-3786 X.509 certificate
verification buffer overrun
High
7.5
No
No
DoS
CVE-2022-41064
.NET Framework Information Disclosure
Vulnerability
Important
5.8
No
No
Info
CVE-2022-23824 *
AMD: CVE-2022-23824 IBPB and Return Address
Predictor Interactions
Important
Unknown
No
No
Info
CVE-2022-41085
Azure CycleCloud Elevation of Privilege
Vulnerability
Important
7.4
No
No
EoP
CVE-2022-41051
Azure RTOS GUIX Studio Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-41099
BitLocker Security Feature Bypass
Vulnerability
Important
4.6
No
No
SFB
CVE-2022-39253 *
GitHub: CVE-2022-39253 Local clone
optimization dereferences symbolic links by default
Important
5.5
No
No
Info
CVE-2022-41066
Microsoft Business Central Information
Disclosure Vulnerability
Important
4.4
No
No
Info
CVE-2022-41096
Microsoft DWM Core Library Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41105
Microsoft Excel Information Disclosure
Vulnerability
Important
7.8
No
No
Info
CVE-2022-41106
Microsoft Excel Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-41063
Microsoft Excel Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-41104
Microsoft Excel Security Feature Bypass
Vulnerability
Important
5.5
No
No
SFB
CVE-2022-41123
Microsoft Exchange Server Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41078
Microsoft Exchange Server Spoofing
Vulnerability
Important
8
No
No
Spoofing
CVE-2022-41079
Microsoft Exchange Server Spoofing
Vulnerability
Important
8
No
No
Spoofing
CVE-2022-41047
Microsoft ODBC Driver Remote Code Execution
Vulnerability
Important
8.8
No
No
RCE
CVE-2022-41048
Microsoft ODBC Driver Remote Code Execution
Vulnerability
Important
8.8
No
No
RCE
CVE-2022-41107
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-41062
Microsoft SharePoint Server Remote Code
Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2022-41122
Microsoft SharePoint Server Spoofing
Vulnerability
Important
6.5
No
No
Spoofing
CVE-2022-41120
Microsoft Windows Sysmon Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41060
Microsoft Word Information Disclosure
Vulnerability
Important
5.5
No
No
Info
CVE-2022-41103
Microsoft Word Information Disclosure
Vulnerability
Important
5.5
No
No
Info
CVE-2022-41061
Microsoft Word Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-38023
Netlogon RPC Elevation of Privilege
Vulnerability
Important
8.1
No
No
EoP
CVE-2022-41056
Network Policy Server (NPS) RADIUS Protocol
Denial of Service Vulnerability
Important
7.5
No
No
DoS
CVE-2022-41097
Network Policy Server (NPS) RADIUS Protocol
Information Disclosure Vulnerability
Important
6.5
No
No
Info
CVE-2022-41119
Visual Studio Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-41100
Windows Advanced Local Procedure Call (ALPC)
Elevation of Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41045
Windows Advanced Local Procedure Call (ALPC)
Elevation of Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41093
Windows Advanced Local Procedure Call (ALPC)
Elevation of Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41114
Windows Bind Filter Driver Elevation of
Privilege Vulnerability
Important
7
No
No
EoP
CVE-2022-41095
Windows Digital Media Receiver Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41050
Windows Extensible File Allocation Table
Elevation of Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41098
Windows GDI+ Information Disclosure
Vulnerability
Important
5.5
No
No
Info
CVE-2022-41052
Windows Graphics Component Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-41086
Windows Group Policy Elevation of Privilege
Vulnerability
Important
6.4
No
No
EoP
CVE-2022-37992
Windows Group Policy Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41057
Windows HTTP.sys Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41055
Windows Human Interface Device Information
Disclosure Vulnerability
Important
5.5
No
No
Info
CVE-2022-41053
Windows Kerberos Denial of Service
Vulnerability
Important
7.5
No
No
DoS
CVE-2022-41049
Windows Mark of the Web Security Feature
Bypass Vulnerability
Important
5.4
No
No
SFB
CVE-2022-41058
Windows Network Address Translation (NAT)
Denial of Service Vulnerability
Important
7.5
No
No
DoS
CVE-2022-41101
Windows Overlay Filter Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41102
Windows Overlay Filter Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41090
Windows Point-to-Point Tunneling Protocol
Denial of Service Vulnerability
Important
5.9
No
No
DoS
CVE-2022-41116
Windows Point-to-Point Tunneling Protocol
Denial of Service Vulnerability
Important
5.9
No
No
DoS
CVE-2022-41054
Windows Resilient File System (ReFS)
Elevation of Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-38014
Windows Subsystem for Linux (WSL2) Kernel
Elevation of Privilege Vulnerability
Important
7
No
No
EoP
CVE-2022-41113
Windows Win32 Kernel Subsystem Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41109
Windows Win32k Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41092
Windows Win32k Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.
There are four additional bugs in Exchange Server receiving fixes this month, and three of those were reported by ZDI Vulnerability Researcher Piotr Bazydło. Most notably, the privilege escalation bug is due to Exchange having a hardcoded path to a file on the “D:” drive. If a “D:” exists and an attacker puts a DLL in the specified folder, Exchange will load the DLL. By default, low-privileged users have write access to the “D:” drive (assuming it exists). Another vector would be if the low-privileged attacker can insert an optical disk or attach an external drive that will be assigned the letter “D:”. Hard to believe a hard-coded path still exists within Exchange, but here we are. The two spoofing bugs would allow an authenticated attacker to obtain the NTLMv2 challenge and eventually perform further NTLM Relaying attacks. I have a strong premonition many Exchange administrators have a long weekend in front of them.
Looking at the remaining Critical-rated fixes, the two privilege escalation bugs in Kerberos stand out. You’ll need to take additional actions beyond just applying the patch. Specifically, you’ll need to review KB5020805 and KB5021131 to see the changes made and next steps. Microsoft notes this is a phased rollout of fixes, so look for additional updates to further impact the Kerberos functionality. There’s another patch for Scripting Languages. In this case, it’s JScript and Chakra, and this one is not listed as under active attack. There are three Critical-rated fixes for Point-to-Point Tunneling Protocol (PPTP). This seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols. If you rely on PPTP, you should really consider upgrading to something more modern. There’s a Critical-rated denial-of-service (DoS) bug in Hyper-V, which is pretty unusual to see. DoS bugs rarely get the Critical tag, but Microsoft states, “Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host.” I guess that’s severe enough to earn a Critical rating despite the 6.5 CVSS score. The fix for the Azure CLI was actually released a couple of weeks ago, and it’s getting documented now.
In addition to the fixes we’ve already discussed, there are 11 other patches for remote code execution vulnerabilities, including a memory corruption bug in the Windows Graphics Component reported by ZDI Vulnerability Researcher Hossein Lotfi. There are also multiple RCE bugs in various Office components, including one from ZDI Vulnerability Researchers Mat Powell and Michael DePlante. For these cases, user interaction would be required – the Preview Pane isn’t an exploit vector. There’s an authenticated SharePoint RCE, but a default user has the needed permissions to take over a SharePoint server. The vulnerability in Azure RTOS would require a user to run specially crafted code, so a level of social engineering would likely be needed to exploit this bug. The final two RCE bugs are in the ODBC driver, and these would require some social engineering to exploit as well. An attacker would need to convince someone to connect to their SQL server via ODBC. If they can do that to an affected system, they could execute code remotely on the client.
A total of 26 bugs in this release are Elevation of Privilege (EoP) bugs, including those already mentioned. The majority of these require an authenticated user to run specially crafted code on an affected system, but there are a few that stand out. The first is the fix for Netlogon that reads similar to the aforementioned Kerberos fixes. Microsoft is rolling out updates in phases and admins should review KB5021130 for additional steps. The bug in Azure CloudCycle has a brute force component, which definitely makes exploitation more difficult. Still. If you are using CloudCycle to manage your HPC environments on Azure, ensure you get it updated. The fixes for ALPC note the bugs could be used to escape a contained execution environment. While certainly not the first bugs to do so, I don’t recall Microsoft documenting this before now. Finally, there’s an EoP in SysInternals services. These tools are often used by incident responders, so definitely make sure you have an updated version before heading out to recover a compromised system.
The November release includes eight new fixes for information disclosure bugs. Most of the info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents. There is one notable exception. The vulnerability in Business Central requires admin credentials but could lead to the disclosure of integration secrets that are owned by a different partner. Presumably, you would be able to impersonate the other client with this info.
Four total Security Feature Bypass bugs are getting fixed this month, including the patch for the MoW bug being actively exploited. There’s another fix for a MoW bug, but this one is not listed as under active attack. The fix for Excel addresses a bug that would bypass the content check in the INDIRECT function. More notably, the bug in BitLocker could allow an attacker with physical access to bypass the Device Encryption feature and access the encrypted data. Preventing this is pretty much the “one job” of Device Encryption, so regardless of exploitability, this is a significant bypass.
Today’s release also includes fixes for five additional DoS bugs. Four of these impact network protocols: PPTP, RADIUS, and Network Address Translation (NAT). A successful attack on one of these protocols would cause the service to stop responding. The same is true of the bug in Kerberos, which could impact logging on and other functionality that relies on the Kerberos service.
There is one spoofing bug in SharePoint server, but beyond the authentication requirement, there’s no information regarding the exploit scenario.
Finally, you may have heard of some OpenSSL bugs that had everyone abuzz before their release. To say they fizzled out is a bit of an understatement. Still, the fixes for Microsoft products are included in this release.
There is one new advisory this month adding defense-in-depth functionality to Microsoft Office. The new feature provides hardening around IRM-protected documents to ensure the trust-of-certificate chain. The latest servicing stack updates can be found in the revised ADV990001.
Looking Ahead
The final Patch Tuesday of 2021 will be on December 13, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
Zero Day Initiative – Blog
