Patch Tuesday October 2022: ProxyNotShell, Fortinet and enough Zero-days to keep everyone busy

Before October’s Patch Tuesday even arrived, earlier in the week there was a rush of mitigations for FortiOS, FortiProxy, FortiSwitchManager, and Microsoft Exchange Server Zero-Days being implemented by admins and security teams. Add to this two new Zero-Days addressed by Microsoft updates, previous Zero-Days remaining unpatched, Zero-Days under active exploitation, 13 Microsoft vulnerabilities marked critical, and 15 marked as exploitation more likely and it’s likely IT teams will need a little hustle in their step to keep up this month.
Microsoft Vulnerabilities
A total of 84 vulnerabilities are addressed within this Microsoft Patch Tuesday. While this represents a slight uptick compared to last month, the risk exposure created by newly announced Zero-Days and un-patched Zero-Day vulnerabilites is quite an escalation. This is one of those months where just applying all available updates isn’t going to be enough to see you through.
CVE-2022-41043 is a Microsoft Office Information Disclosure Vulnerability Zero-Day. Since it’s rated as low severity, exploitation is less likely, a fix was issued for it this month and it apparently only affects Microsoft Office 2019 and 2021 for Mac, there isn’t too much to be concerned about around this vulnerability.
CVE-2022-41033 is an escalation of privilege vulnerability under active exploitation that allows an attacker to gain SYSTEM privilege. There is not much additional information on this vulnerability as yet, outside of it being the only actively exploited vulnerability receiving a patch this month.
The big headliners for the month though are CVE-2022-41040 and CVE-2022-41082. These can be chained together to allow remote code execution against Microsoft Exchange Servers. The ‘celebrity’ name for the vulnerabilities is ProxyNotShell—this may be a familiar to some because of ProxyShell, a similar vulnerability from 2021. Just as ProxyShell caused a lot of havoc, ProxyNotShell looks likely to follow in its footsteps as it is currently under active exploitation. ProxyNotShell did not receive any security updates or fixes as part of October’s Patch Tuesday, so if you’re looking for a better understanding of what it is and what you should do, check out Kevin Beaumont’s (@GossiTheDog) great write-up here. Microsoft’s current guidance is to apply their recommended mitigations. If you were waiting for Microsoft to release a fix via Windows Update you’re out of luck and should be prioritizing applying mitigations today.
There are also three escalation of privilege vulnerabilities affecting Microsoft Exchange Server that received fixes this month. Your Exchange admins have quite a prioritization list this month.
Microsoft Patch Tuesday Vulnerability Prioritization
October’s Patch Tuesday is a great reminder that sometimes you can’t just wait for an automated fix to come down the line. At times you’ve got to roll-up your sleeves and apply manual remediations. Patch management solutions can make our lives easier, but they can’t handle dealing with all vulnerabilities. ProxyNotShell should be priority one for any Exchange admins, with the other Exchange vulnerabilities being addressed with regular security updates.
Critical Severity, Exploitation More Likely, and Exploitation Detected vulnerabilities as always should be ranking fairly high on your priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around.
CVE |
Description |
Severity |
Exploitability |
Microsoft Exchange Server Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Microsoft Exchange Server Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Microsoft Exchange Server Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Windows CryptoAPI Spoofing Vulnerability |
Critical |
Exploitation More Likely |
|
Windows DWM Core Library Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Windows Client Server Run-time Subsystem (CSRSS) |
Important |
Exploitation More Likely |
|
Win32k Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Windows Graphics Component Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Important |
Exploitation More Likely |
|
Windows Mixed Reality Developer Tools Information Disclosure Vulnerability |
Important |
Exploitation More Likely |
|
Windows Print Spooler Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Windows Client Server Run-time Subsystem (CSRSS) |
Important |
Exploitation More Likely |
|
Windows Graphics Component Elevation of Privilege Vulnerability |
Important |
Exploitation More Likely |
|
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Important |
Exploitation More Likely |
|
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Critical |
Exploitation More Likely |
|
Azure Arc-enabled Kubernetes cluster Connect |
Critical |
Exploitation |
|
Microsoft Office Remote Code Execution Vulnerability |
Critical |
Exploitation |
|
Windows Hyper-V Elevation of Privilege Vulnerability |
Critical |
Exploitation |
|
Active Directory Certificate Services |
Critical |
Exploitation |
|
Windows Point-to-Point Tunneling Protocol |
Critical |
Exploitation |
|
Windows Point-to-Point Tunneling Protocol |
Critical |
Exploitation |
|
Windows Point-to-Point Tunneling Protocol |
Critical |
Exploitation |
|
Windows Point-to-Point Tunneling Protocol |
Critical |
Exploitation |
|
Windows Point-to-Point Tunneling Protocol |
Critical |
Exploitation |
|
Windows Point-to-Point Tunneling Protocol |
Critical |
Exploitation |
|
Windows Point-to-Point Tunneling Protocol |
Critical |
Exploitation |
Cumulative Updates
The cumulative updates were released for current builds of Windows 10 with KB5018410 and KB5018427 for Windows 11. Containing the usual rollup of fixes from previous months and including Servicing Stack Updates in the CU should make these easy to rollout. The Windows 11 CU includes numerous fixes for 30 bugs, but fails to resolve a performance issue that occurs when copying files over SMB that was first introduced with Windows 11 22H2 update. Go old-school and use xcopy or robocopy as a workaround if you are still seeing this performance impact.
Other Vendors
Fortinet also announced an authentication bypass affecting FortiGate firewalls, FortiProxy, and FortiSwitchManager. CVE-2022-40684 allows an attacker to perform administrative actions on those devices. This is under active exploitation and affects multiple versions of FortiOS, FortiProxy, and FortiSwitchManager. If you have Fortinet appliances deployed then updating firmware should be high on your prioritization list.
Summary
As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.
Looking for more information on Patch Management? Check out this section on our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC e N‑able Technologies Ltd. Tutti i diritti riservati.
Il presente documento viene fornito per puro scopo informativo e i suoi contenuti non vanno considerati come una consulenza legale. N‑able non rilascia alcuna garanzia, esplicita o implicita, né si assume alcuna responsabilità legale per quanto riguarda l’accuratezza, la completezza o l’utilità delle informazioni qui contenute.
N-ABLE, N-CENTRAL e gli altri marchi e loghi di N‑able sono di esclusiva proprietà di N‑able Solutions ULC e N‑able Technologies Ltd. e potrebbero essere marchi di common law, marchi registrati o in attesa di registrazione presso l’Ufficio marchi e brevetti degli Stati Uniti e di altri paesi. Tutti gli altri marchi menzionati qui sono utilizzati esclusivamente a scopi identificativi e sono marchi (o potrebbero essere marchi registrati) delle rispettive aziende.