October Patch Tuesday: Two Zero-day and 15 Critical Vulnerabilities Patched by Microsoft | (2023)

On Tuesday, Microsoft rolled out security patches for 85 vulnerabilities, a number not unusual for the company’s October Patch Tuesday. What is unusual, however, is that the company has failed to develop a patch for the two Exchange Server vulnerabilities that came to light earlier this month.

Microsoft is all set to cross last year’s total vulnerability patch count of 1,200 in 2022, with the total number of CVEs addressed until October Patch Tuesday hovering around the 1,100 mark. “If that happens, 2022 would be the second busiest year for Microsoft CVEs,” noted Dustin Childs of Trend Micro’s Zero Day Initiative.

Of the 85 vulnerabilities addressed in the October Patch Tuesday, 15 are rated Critical in severity, 69 Important and one Moderate. For the two unpatched Exchange Server vulnerabilities, dubbed NotProxyShell, Microsoft recommended that admins apply its mitigations while it works on a fix. The company gave no timeline for patches for the two NotProxyShell vulnerabilities, both of which are being actively exploited in the wild.

Ankit Malhotra, manager of Signature Engineering at Qualys, noted in a blog post, “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation.”

However, the October patch load does take care of plenty of other serious bugs in Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure/Azure Arc/Azure DevOps, Windows Resilient File System (ReFS), Active Directory Domain Services and Active Directory Certificate Services, Hyper-V, Visual Studio Code, and the NuGet Client.


Critical Severity Vulnerability Patches from October Patch Tuesday

CVE-2022-41033

First up is CVE-2022-41033, an elevation of privilege (EoP) vulnerability in the Windows COM+ Event System Service. With a CVSS score of 7.8, CVE-2022-41033 is not critically severe on paper, but it is a zero-day vulnerability, meaning it is already being actively targeted through a publicly available exploit.

“One of the most serious vulnerabilities fixed this month is the Windows COM+ Event System Service Elevation of Privilege Vulnerability (CVE-2022-41033), even though its CVSS rating is just 7.8,” Mike Walters, VP of Vulnerability and Threat Research at Action1, told Spiceworks.

“The reason is simple: There has been an exploit for this vulnerability for a long time now, and it can be easily combined with an RCE exploit. It is an excellent tool in a hacker’s arsenal for elevating privileges on a Windows system because it enables an attacker who has local access to a machine to gain SYSTEM privileges and do anything they like with that target system.”

“The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs,” Walters added. A successful exploit would require a user on the target machine to open an attachment or visit a malicious website. This explains the low CVSS score.

Besides being a zero-day, CVE-2022-41033 should be prioritized because it affects all versions of Windows from Windows 7 and Windows Server 2008 onward. “This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server.”

Walters recommended, “Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it.”


CVE-2022-37968

CVE-2022-37968, a Connect EoP flaw, carries the highest possible CVSS score of 10, the highest among the 85 vulnerabilities fixed on October Patch Tuesday. “It could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. It affects the cluster connect feature of these clusters,” Walters said.

CVE-2022-37968 has a low attack complexity and requires low privileges and no user interaction to exploit. Walters explained, “An adversary who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet.”

“Successful exploitation of this vulnerability allows an unauthenticated user to elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster. If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18 and 1.8.11 and they are available from the internet, upgrade immediately.”

Debra M. Fezza Reed, principal business analyst for vulnerability and threat research engineering at Qualys, pointed out that Azure Stack Edge devices are also vulnerable to CVE-2022-37968, because their users can deploy Kubernetes workloads on those devices via Azure Arc.
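The upgrade advice above boils down to a per-branch version gate: an Azure Arc agent older than the fixed release for its minor branch (1.5.8, 1.6.19, 1.7.18 or 1.8.11, as quoted) on an internet-reachable cluster needs upgrading first. The check below is an added example, not code from Microsoft or the article; it assumes plain `major.minor.patch` version strings, treats branches older than 1.5 as vulnerable, and assumes branches newer than 1.8 already carry the fix.

```python
"""Gate Azure Arc-enabled Kubernetes agent versions against the CVE-2022-37968 fix levels."""

# Fixed versions quoted in the article. Agents below these within the same minor
# branch are vulnerable. Older branches than the earliest listed are treated as
# vulnerable; newer branches are assumed (an assumption of this example) to be fixed.
FIXED_VERSIONS = ("1.5.8", "1.6.19", "1.7.18", "1.8.11")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' (optional leading 'v') into a comparable tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_vulnerable(agent_version: str) -> bool:
    """True when the agent version is below the fix level for its minor branch."""
    version = parse_version(agent_version)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS)
    branch = version[:2]
    if branch < fixed[0][:2]:
        return True   # older than any patched branch
    if branch > fixed[-1][:2]:
        return False  # newer branch, assumed to include the fix
    for fix in fixed:
        if fix[:2] == branch:
            return version < fix
    return True       # a branch with no listed fix level: be conservative


def triage(clusters: list[tuple[str, str, bool]]) -> list[str]:
    """Names of clusters that are vulnerable AND reachable from the internet,
    i.e. the ones the quoted guidance says to upgrade immediately."""
    return [name for name, version, exposed in clusters
            if exposed and is_vulnerable(version)]


# Constructed sample inventory (name, agent version, internet-exposed); not real clusters.
SAMPLE = [
    ("prod-east", "1.7.12", True),
    ("prod-west", "1.8.11", True),
    ("dev", "1.5.3", False),
    ("legacy", "1.4.9", True),
]

if __name__ == "__main__":
    print("upgrade immediately:", triage(SAMPLE))
```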

CVE-2022-37987/CVE-2022-37989

Also EoP vulnerabilities, CVE-2022-37987 and CVE-2022-37989 have a CVSS score of 7.8. Both have low attack complexity and require low privileges and no user interaction to exploit. “Both attacks enable elevation of privileges to SYSTEM,” Walters explained.

“Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability (CVE-2022-37987 and CVE-2022-37989) are both related to the behavior of the CSRSS process when searching for dependencies.”

Microsoft rates exploitation of both as more likely, possibly because the latter is a failed fix for a previously reported vulnerability.

“CVE-2022-37989 is a failed fix for an earlier bug, CVE-2022-22047, which has been seen in the wild; this vulnerability occurs because CSRSS can accept input from untrusted processes,” Walters explained. “The CVE-2022-37987 vulnerability is a new attack that works by tricking CSRSS into downloading dependency information from an unprotected location.”

CVE-2022-41038

CVE-2022-41038 is a remote code execution vulnerability in SharePoint Server that Microsoft’s exploitability assessment rates as more likely to be exploited, provided the threat actor has Manage List permissions.

“In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint Server and escalate to administrative permissions,” Walters further added.

“Microsoft reports that an exploit has likely already been created and is being used by hacker groups, but there is no proof of this yet. Nevertheless, this vulnerability is worth taking seriously if you have a SharePoint Server open to the internet.”

Users and admins can download and apply the cumulative update or the security update to patch CVE-2022-41038, which affects all versions of SharePoint since SharePoint 2013 Service Pack 1.

Other vulnerability patches that should be prioritized

Besides CVE-2022-41033, Microsoft also patched another zero-day bug, tracked as CVE-2022-41043. It is an information disclosure vulnerability in Microsoft Office. The technical details for CVE-2022-41043 are publicly available, though the vulnerability is not actively exploited.

The table below lists all 15 critical vulnerabilities and the two zero-day ones.

Vulnerability | Exists In | CVSS Score | Type | Exploitation
--- | --- | --- | --- | ---
CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster | 10 | Connect EoP | Less Likely
CVE-2022-37976 | Active Directory Certificate Services | 8.8 | EoP | Less Likely
CVE-2022-41038 | Microsoft SharePoint Server | 8.8 | RCE | More Likely
CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely
CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely
CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely
CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely
CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely
CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely
CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol | 8.1 | RCE | Less Likely
CVE-2022-38049 | Microsoft Office Graphics | 7.8 | RCE | Less Likely
CVE-2022-38048 | Microsoft Office | 7.8 | RCE | Less Likely
CVE-2022-41031 | Microsoft Word | 7.8 | RCE | Less Likely
CVE-2022-37979 | Windows Hyper-V | 7.8 | EoP | Less Likely
CVE-2022-34689 | Windows CryptoAPI | 7.5 | Spoofing | More Likely
CVE-2022-41033 | Windows COM+ Event System Service | 7.8 | EoP | Detected
CVE-2022-41043 | Microsoft Office | 4 | Information Disclosure | Less Likely

Of the 85 vulnerabilities fixed, 39 were EoP bugs, 20 RCE, 11 information disclosure, eight denial of service, five spoofing, and two security feature bypass vulnerabilities.

Article information

Author: Dean Jakubowski Ret

Last Updated: 02/05/2023
