Patch Tuesday November 2022: ProxyNotShell and other zero-days receive fixes

November’s Patch Tuesday is starting the holiday season a little early with gifts of zero-day fixes for Microsoft Exchange ProxyNotShell vulnerabilities, which sysadmins and security teams have patiently—or impatiently as is more likely the case—been waiting well over a month for. This moves the response from mitigation to remediation, which is going to be easier for most teams to implement via preferred patching methods.
There are also fixes for OpenSSL vulnerabilities, which had initially stoked fears of far-reaching impact similar to Log4j because of OpenSSL’s widespread distribution. However, since they only affect a small number of versions, OpenSSL 3.0.0 to 3.0.6, the impact has been nowhere near as large as Log4j. At N‑able we were fortunate that this vulnerability did not impact any of our products.
Microsoft Vulnerabilities
A total of 82 vulnerabilities received fixes or updates to previous fixes this month: 62 were new vulnerabilities, with 11 marked as critical, 6 under active exploitation, and 17 marked as exploitation more likely. This should put quite a few fixes at the top of prioritization lists this month.
The most notable fixes from Microsoft are the aforementioned fixes for CVE-2022-41082 and CVE-2022-41040, collectively referred to as ProxyNotShell. The path to a fix for these vulnerabilities has been far from typical for announced zero-days that carry critical severity ratings and are under active exploitation. Microsoft initially released mitigation guidance that had to be updated multiple times as security researchers quickly found ways around the mitigations. With this Patch Tuesday, Security Updates are available for Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 that address the ProxyNotShell vulnerabilities, and Microsoft recommends that they be applied immediately.
While ProxyNotShell is this month’s celebrity, other zero-days that received fixes also deserve attention. CVE-2022-41128 is one of the zero-days under active exploitation and carries a critical severity rating. It is also trivial for attackers to use, requiring only that an end user visit a malicious website that leverages the vulnerability. It also appears to affect all Windows OS versions from Windows 7 and up. This should be getting as much of your attention as ProxyNotShell, if not more.
There is also a fix for a zero-day Windows Print Spooler vulnerability, CVE-2022-41073, which I’m noting simply because Windows Print Spooler has been a popular source of Windows vulnerabilities over the past few months.
Microsoft Patch Tuesday Vulnerability Prioritization
As always, prioritizing which vulnerabilities to address first is part following established best practices and part gut instinct. Critical severity, exploitation more likely, and exploitation detected vulnerabilities should, as always, rank fairly high on the priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.
CVE | Description | Severity | Status
 | Microsoft Exchange Server Elevation of Privilege Vulnerability | C | ED
 | Microsoft Exchange Server Remote Code Execution Vulnerability | I | ED
 | Windows Scripting Languages Remote Code Execution Vulnerability | C | ED
 | Windows Mark of the Web Security Feature Bypass Vulnerability | I | ED
 | Windows Print Spooler Elevation of Privilege Vulnerability | I | ED
CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | I | ED
 | Windows Hyper-V Denial of Service Vulnerability | C | ELL
CVE-2022-39327 | GitHub: CVE-2022-39327 Improper Control of Generation of Code (‘Code Injection’) in Azure CLI | C | ELL
 | Microsoft Exchange Server Elevation of Privilege Vulnerability | C | EML
 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability | C | EML
 | Windows Kerberos Elevation of Privilege Vulnerability | C | EML
 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | C | ELL
 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | C | ELL
 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | C | ELL
 | Windows Scripting Languages Remote Code Execution Vulnerability | C | EML

Key: C = Critical; I = Important; EML = Exploitation More Likely; ELL = Exploitation Less Likely; ED = Exploitation Detected
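The point made above, that ranking by severity alone leaves exploited Important-rated bugs behind Critical ones nobody is exploiting, can be seen by sorting a subset of this month’s table rows two ways. This is an added illustration, not part of the original post; the rows are copied from the table above (CVE identifiers omitted where the table does not give them).

```python
# Ranks derived from the key under the table: severity C/I and
# exploitation status ED/EML/ELL.
SEVERITY_RANK = {"C": 2, "I": 1}
STATUS_RANK = {"ED": 3, "EML": 2, "ELL": 1}

# (description, severity, status) taken from the November table above.
NOVEMBER_ROWS = [
    ("Microsoft Exchange Server Elevation of Privilege", "C", "ED"),
    ("Microsoft Exchange Server Remote Code Execution", "I", "ED"),
    ("Windows Scripting Languages Remote Code Execution", "C", "ED"),
    ("Windows Mark of the Web Security Feature Bypass", "I", "ED"),
    ("Windows Print Spooler Elevation of Privilege", "I", "ED"),
    ("Windows CNG Key Isolation Service Elevation of Privilege", "I", "ED"),
    ("Windows Hyper-V Denial of Service", "C", "ELL"),
    ("Windows Kerberos RC4-HMAC Elevation of Privilege", "C", "EML"),
    ("Windows Point-to-Point Tunneling Protocol Remote Code Execution", "C", "ELL"),
]


def severity_only(rows):
    """The naive ordering: Critical first, Important second, nothing else."""
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r[1], 0), reverse=True)


def exploitation_aware(rows):
    """Exploitation status is the primary key (detected > more likely >
    less likely); severity only breaks ties. sorted() is stable, so rows
    with equal keys keep their table order."""
    return sorted(
        rows,
        key=lambda r: (STATUS_RANK.get(r[2], 0), SEVERITY_RANK.get(r[1], 0)),
        reverse=True,
    )


def first_tier(rows):
    """Everything under active exploitation, whatever its severity."""
    return [r[0] for r in rows if r[2] == "ED"]


if __name__ == "__main__":
    for label, ordering in (("severity only", severity_only),
                            ("exploitation aware", exploitation_aware)):
        print(f"--- {label} ---")
        for desc, sev, status in ordering(NOVEMBER_ROWS):
            print(f"{status:>3} {sev}  {desc}")
```

In the severity-only ordering the Hyper-V denial of service (Critical, exploitation less likely) lands above the actively exploited Print Spooler and Mark of the Web bugs; the exploitation-aware ordering puts all six exploited items first.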
Cumulative Updates
The cumulative updates for the month bring the typical rollup of fixes from previous months and include Servicing Stack Updates. The Windows 10 CUs include numerous fixes for failing Windows OS upgrades and other bugs, while at the same time introducing a new known bug that causes Microsoft OneDrive to unlink from Microsoft accounts. The Windows 11 CUs bring the improvements that were part of the KB5018496 preview build, adding multiple new Windows 11 features and fixing bugs. There continue to be issues with copying large files, with the Microsoft-recommended workaround being the use of robocopy or xcopy.
Other Vendors
Citrix is encouraging admins to apply updates to address four vulnerabilities affecting Citrix ADC and Citrix Gateway. The guidance is to upgrade to the latest versions of both as soon as possible. Among other network appliances, Cisco also released security updates this November for multiple vulnerabilities that can be addressed through software updates.
With respect to the aforementioned OpenSSL vulnerabilities—CVE-2022-3602 and CVE-2022-3786—even though they carry high severity ratings, the fact that they only exist in OpenSSL versions 3.0.0 to 3.0.6 means the affected install base is relatively small. Most environments won’t need to worry about these vulnerabilities, but you’ll need to verify if and where OpenSSL is in use to be sure.
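The verification step above comes down to collecting OpenSSL version strings from your hosts and components and checking each against the 3.0.0 to 3.0.6 range. The following is an added example, not code from the original post or from N‑able; the inventory dictionary is constructed sample data standing in for the output of `openssl version` on each host, and the host names are made up.

```python
import re
import ssl

# Affected range as stated in the post: 3.0.0 through 3.0.6 (3.0.7 carries the fix).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches the numeric part of strings like "OpenSSL 3.0.5 5 Jul 2022"
# or "OpenSSL 1.1.1q  5 Jul 2022"; the letter suffix of 1.1.1x is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_openssl_version(text):
    """Return (major, minor, patch) from an `openssl version` line,
    or None when the text carries no version number at all."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def is_affected(text):
    """True only for versions inside the 3.0.0 .. 3.0.6 window.
    1.1.1 builds and 3.0.7+ are outside it, and so are unparsable strings,
    which should be investigated by hand rather than flagged here."""
    version = parse_openssl_version(text)
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory):
    """inventory maps a host or component name to its version string;
    returns only the entries that still need the 3.0.7 update."""
    return {name: ver for name, ver in inventory.items() if is_affected(ver)}


def local_python_openssl_affected():
    """Same check applied to the OpenSSL this interpreter is linked against."""
    return is_affected(ssl.OPENSSL_VERSION)


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
    "vpn-gw": "OpenSSL 3.1.0-dev",
    "appliance": "openssl: command not found",
}

if __name__ == "__main__":
    for name, ver in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {ver} -> update to 3.0.7")
    print("local Python OpenSSL affected:", local_python_openssl_affected())
```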
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of Zero-Day, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.
Looking for more information on Patch Management? Check out this section on our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE and N-CENTRAL marks and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned in this document are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.