Patch Tuesday October 2022: ProxyNotShell, Fortinet and enough Zero-days to keep everyone busy

Before October’s Patch Tuesday even arrived, earlier in the week there was a rush of mitigations for FortiOS, FortiProxy, FortiSwitchManager, and Microsoft Exchange Server Zero-Days being implemented by admins and security teams. Add to this two new Zero-Days addressed by Microsoft updates, previous Zero-Days remaining unpatched, Zero-Days under active exploitation, 13 Microsoft vulnerabilities marked critical, and 15 marked as exploitation more likely and it’s likely IT teams will need a little hustle in their step to keep up this month.

Microsoft Vulnerabilities 

A total of 84 vulnerabilities are addressed within this Microsoft Patch Tuesday. While this represents a slight uptick compared to last month, the risk exposure created by newly announced Zero-Days and un-patched Zero-Day vulnerabilites is quite an escalation. This is one of those months where just applying all available updates isn’t going to be enough to see you through.

CVE-2022-41043 is a Microsoft Office Information Disclosure Vulnerability Zero-Day. Since it’s rated as low severity, exploitation is less likely, a fix was issued for it this month and it apparently only affects Microsoft Office 2019 and 2021 for Mac, there isn’t too much to be concerned about around this vulnerability. 

CVE-2022-41033 is an escalation of privilege vulnerability under active exploitation that allows an attacker to gain SYSTEM privilege. There is not much additional information on this vulnerability as yet, outside of it being the only actively exploited vulnerability receiving a patch this month.

The big headliners for the month though are CVE-2022-41040 and CVE-2022-41082. These can be chained together to allow remote code execution against Microsoft Exchange Servers. The ‘celebrity’ name for the vulnerabilities is ProxyNotShell—this may be a familiar to some because of ProxyShell, a similar vulnerability from 2021. Just as ProxyShell caused a lot of havoc, ProxyNotShell looks likely to follow in its footsteps as it is currently under active exploitation. ProxyNotShell did not receive any security updates or fixes as part of October’s Patch Tuesday, so if you’re looking for a better understanding of what it is and what you should do, check out Kevin Beaumont’s (@GossiTheDog) great write-up here. Microsoft’s current guidance is to apply their recommended mitigations. If you were waiting for Microsoft to release a fix via Windows Update you’re out of luck and should be prioritizing applying mitigations today.

There are also three escalation of privilege vulnerabilities affecting Microsoft Exchange Server that received fixes this month. Your Exchange admins have quite a prioritization list this month. 

Microsoft Patch Tuesday Vulnerability Prioritization

October’s Patch Tuesday is a great reminder that sometimes you can’t just wait for an automated fix to come down the line. At times you’ve got to roll-up your sleeves and apply manual remediations. Patch management solutions can make our lives easier, but they can’t handle dealing with all vulnerabilities. ProxyNotShell should be priority one for any Exchange admins, with the other Exchange vulnerabilities being addressed with regular security updates. 

Critical Severity, Exploitation More Likely, and Exploitation Detected vulnerabilities as always should be ranking fairly high on your priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around. 

Cumulative Updates

The cumulative updates were released for current builds of Windows 10 with KB5018410 and KB5018427 for Windows 11. Containing the usual rollup of fixes from previous months and including Servicing Stack Updates in the CU should make these easy to rollout. The Windows 11 CU includes numerous fixes for 30 bugs, but fails to resolve a performance issue that occurs when copying files over SMB that was first introduced with Windows 11 22H2 update. Go old-school and use xcopy or robocopy as a workaround if you are still seeing this performance impact.

Other Vendors

Fortinet also announced an authentication bypass affecting FortiGate firewalls, FortiProxy, and FortiSwitchManager. CVE-2022-40684 allows an attacker to perform administrative actions on those devices. This is under active exploitation and affects multiple versions of FortiOS, FortiProxy, and FortiSwitchManager. If you have Fortinet appliances deployed then updating firmware should be high on your prioritization list. 

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines. 

Looking for more information on Patch Management? Check out this section on our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd