Patch Tuesday October 2022: ProxyNotShell, Fortinet and enough Zero-days to keep everyone busy

Before October’s Patch Tuesday even arrived, admins and security teams had already spent the earlier part of the week rushing to implement mitigations for FortiOS, FortiProxy, FortiSwitchManager, and Microsoft Exchange Server Zero-Days. Add to this two new Zero-Days addressed by Microsoft updates, previous Zero-Days that remain unpatched, Zero-Days under active exploitation, 13 Microsoft vulnerabilities marked Critical, and 15 marked Exploitation More Likely, and IT teams will need a little hustle in their step to keep up this month.

Microsoft Vulnerabilities 

A total of 84 vulnerabilities are addressed within this Microsoft Patch Tuesday. While this represents a slight uptick compared to last month, the risk exposure created by the newly announced Zero-Days and the still-unpatched Zero-Day vulnerabilities is a significant escalation. This is one of those months where just applying all available updates isn’t going to be enough to see you through.

CVE-2022-41043 is a Microsoft Office Information Disclosure Zero-Day. It is rated low severity, exploitation is considered less likely, a fix was issued for it this month, and it apparently affects only Microsoft Office 2019 and 2021 for Mac, so there isn’t too much to be concerned about around this vulnerability.

CVE-2022-41033 is an escalation of privilege vulnerability under active exploitation that allows an attacker to gain SYSTEM privilege. There is not much additional information on this vulnerability as yet, outside of it being the only actively exploited vulnerability receiving a patch this month.

The big headliners for the month though are CVE-2022-41040 and CVE-2022-41082. These can be chained together to allow remote code execution against Microsoft Exchange Servers. The ‘celebrity’ name for the vulnerabilities is ProxyNotShell—this may be familiar to some because of ProxyShell, a similar vulnerability from 2021. Just as ProxyShell caused a lot of havoc, ProxyNotShell looks likely to follow in its footsteps, as it is currently under active exploitation. ProxyNotShell did not receive any security updates or fixes as part of October’s Patch Tuesday, so if you’re looking for a better understanding of what it is and what you should do, check out Kevin Beaumont’s (@GossiTheDog) great write-up here. Microsoft’s current guidance is to apply their recommended mitigations. If you were waiting for Microsoft to release a fix via Windows Update you’re out of luck and should be prioritizing applying the mitigations today.

There are also three escalation of privilege vulnerabilities affecting Microsoft Exchange Server that received fixes this month. Your Exchange admins have quite a prioritization list this month. 

Microsoft Patch Tuesday Vulnerability Prioritization

October’s Patch Tuesday is a great reminder that sometimes you can’t just wait for an automated fix to come down the line. At times you’ve got to roll up your sleeves and apply manual remediations. Patch management solutions can make our lives easier, but they can’t deal with every vulnerability. ProxyNotShell should be priority one for any Exchange admins, with the other Exchange vulnerabilities being addressed by the regular security updates.

Critical severity, Exploitation More Likely, and Exploitation Detected vulnerabilities should, as always, rank fairly high on your priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around.

| CVE | Description | Severity | Exploitability |
|---|---|---|---|
| CVE-2022-21980 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-24516 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-24477 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | Critical | Exploitation More Likely |
| CVE-2022-37970 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-38050 | Win32k Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-38051 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | Exploitation More Likely |
| CVE-2022-37974 | Windows Mixed Reality Developer Tools Information Disclosure Vulnerability | Important | Exploitation More Likely |
| CVE-2022-38028 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-37997 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | Exploitation More Likely |
| CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | Exploitation More Likely |
| CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | Exploitation More Likely |
| CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |
| CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | Exploitation Less Likely |

Cumulative Updates

The cumulative updates were released as KB5018410 for current builds of Windows 10 and KB5018427 for Windows 11. They contain the usual rollup of fixes from previous months, and because the Servicing Stack Updates are bundled into the CU, these should be easy to roll out. The Windows 11 CU includes fixes for 30 bugs, but fails to resolve a performance issue when copying files over SMB that was first introduced with the Windows 11 22H2 update. Go old-school and use xcopy or robocopy as a workaround if you are still seeing this performance impact.

Other Vendors

Fortinet also announced an authentication bypass affecting FortiGate firewalls, FortiProxy, and FortiSwitchManager. CVE-2022-40684 allows an attacker to perform administrative actions on those devices. This is under active exploitation and affects multiple versions of FortiOS, FortiProxy, and FortiSwitchManager. If you have Fortinet appliances deployed then updating firmware should be high on your prioritization list. 

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.
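As an added illustration of the prioritization rule in this post (this is example code, not code from the post or from N‑able), a small Python triage helper that ranks a constructed sample of this month’s CVEs by exploitation status before severity, and contrasts that with the severity-only ordering the post warns against. The `Vuln` fields, rank tables and action strings are assumptions of this example; severity is left as `None` where the post states no rating.

```python
from dataclasses import dataclass
from typing import Optional

# Lower number = patch sooner. Exploitation status is ranked before severity.
EXPLOIT_RANK = {"Exploitation Detected": 0, "Exploitation More Likely": 1,
                "Exploitation Less Likely": 2}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    severity: Optional[str]   # None where the post states no rating
    exploitability: str
    zero_day: bool = False
    patch_available: bool = True

def triage_key(v: Vuln):
    """Zero-days/active exploitation first, then exploitability bucket, then
    items with no patch (they need manual mitigation), then severity."""
    active = v.zero_day or v.exploitability == "Exploitation Detected"
    return (0 if active else 1, EXPLOIT_RANK.get(v.exploitability, 9),
            0 if not v.patch_available else 1,
            SEVERITY_RANK.get(v.severity, 9), v.cve)

def triage(vulns):
    """Ordering the post argues for: exploitation status before severity."""
    return sorted(vulns, key=triage_key)

def severity_only(vulns):
    """The naive ordering the post warns against: severity label alone."""
    return sorted(vulns, key=lambda v: (SEVERITY_RANK.get(v.severity, 9), v.cve))

def action_for(v: Vuln) -> str:
    if not v.patch_available:
        return "apply vendor mitigations now; no update shipped"
    if v.zero_day or v.exploitability == "Exploitation Detected":
        return "patch immediately"
    if v.exploitability == "Exploitation More Likely" or v.severity == "Critical":
        return "patch in the first deployment ring"
    return "patch in the normal cycle"

# Constructed sample using CVEs named in this post (assumed field values).
OCTOBER_2022 = [
    Vuln("CVE-2022-38048", "Microsoft Office RCE", "Critical", "Exploitation Less Likely"),
    Vuln("CVE-2022-21980", "Exchange Server EoP", "Important", "Exploitation More Likely"),
    Vuln("CVE-2022-34689", "Windows CryptoAPI Spoofing", "Critical", "Exploitation More Likely"),
    Vuln("CVE-2022-41033", "Windows EoP to SYSTEM", None, "Exploitation Detected"),
    Vuln("CVE-2022-41040", "Exchange ProxyNotShell (chained with CVE-2022-41082)", None,
         "Exploitation Detected", zero_day=True, patch_available=False),
]
```

Running `triage(OCTOBER_2022)` puts the unpatched ProxyNotShell entry and the actively exploited CVE-2022-41033 at the top, while `severity_only` buries both of them below the Critical and Important items.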


Looking for more information on Patch Management? Check out this section on our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and its contents should not be considered legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability regarding the accuracy, completeness or usefulness of the information contained herein.

N-ABLE, N-CENTRAL and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered marks or marks pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.