Patch Tuesday November 2022: ProxyNotShell and other zero-days receive fixes

November’s Patch Tuesday is starting the holiday season a little early with gifts of zero-day fixes for Microsoft Exchange ProxyNotShell vulnerabilities, which sysadmins and security teams have patiently—or impatiently as is more likely the case—been waiting well over a month for. This moves the response from mitigation to remediation, which is going to be easier for most teams to implement via preferred patching methods. 

There are also fixes for OpenSSL vulnerabilities, which had initially stoked fears of far-reaching impact similar to Log4j due to OpenSSL’s widespread distribution. However, since it only affected a small number of versions of OpenSSL 3.0.0 to 3.6.0, the impact has been nowhere near as large as Log4j. At N‑able we were fortunate that this vulnerability did not impact any of our products. 

Microsoft Vulnerabilities 

A total of 82 vulnerabilities received fixes or updates to previous fixes this month: 62 were new vulnerabilities with 11 marked as critical, 6 under active exploitation, and 17 marked as exploitation more likely. This should put quite a few fixes on the top of prioritization lists this month.

The biggest notable fixes from Microsoft are the aforementioned fixes for CVE-2022-41082 and CVE-2022-41040, collectively referred to as ProxyNotShell. The journey on these vulnerabilities has been far from typical for announced zero-days that carry critical severity ratings and are under active exploitation. Microsoft initially released guidance that had to be updated multiple times as workarounds for the mitigations were quickly discovered by security researchers. With this Patch Tuesday multiple Security Updates have been made available for Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 that address the ProxyNotShell vulnerabilities, and it’s recommended by Microsoft that they be applied immediately.

While ProxyNotShell is this month’s celebrity, other zero-days that received fixes also deserve attention. CVE-2022-41128 is one of the zero-days that are under active exploitation and carries a critical severity rating. It’s ease of use is also trivial for attackers, only requiring an end-user to visit a malicious website that leverages the vulnerability. It also appears to affect all Windows OS versions from Windows 7 and up. This should be getting as much, if not more of your attention than ProxyNotShell. 

There is also a fix for a zero-day Windows Print Spooler vulnerability, CVE-2022-41073, which I’m noting simply because Windows Print Spooler has been a popular source of Windows vulnerabilities over the past few months.  

Related Product

N‑sight RMM

Comece a operar rapidamente, contando com o RMM, projetado para MSPs e departamentos de TI de pequeno porte.

Find out more

Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is part following established best practices and a little bit of gut instinct. Critical severity, exploitation more likely, and exploitation detected vulnerabilities as always should be ranking fairly high on priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around. 

Key: C = Critical; I = Important; EML = Exploitation More Likely; ELL = Exploitation Less Likely; ED = Exploitation Detected

Cumulative Updates

The cumulative updates for the month bring the typical rollup of fixes from previous months and include Servicing Stack Updates. The Windows 10 CUs includes numerous fixes for Windows OS upgrades failing and other bugs, while at the same time introducing a new known bug that is causing issues with Microsoft OneDrive unlinking from Microsoft accounts. Windows 11 CUs brings improvements that were a part of KB5018496 preview build, multiple new Windows 11 features have been added and bugs fixed. There continue to be issues with copying large files with the Microsoft recommended workaround being the use of robocopy or xcopy. 

Related Product

N‑central [archived 6/2/23]

Gerencie redes de grande porte ou amplie suas operações de TI com o RMM, projetado para provedores de serviços em expansão.

Find out more

Other Vendors

Citrix is encouraging admins to apply updates to address four vulnerabilities affecting Citrix ADC and Citrix Gateway. Guidance is to upgrade to the latest versions of both asap. In other network appliances, Cisco also released security updates for multiple vulnerabilities this November that can be addressed through software updates. 

With respect to the aforementioned OpenSSL vulnerabilities—CVE-2022-3602 and CVE-2022-3786—even though they have high severity ratings, the fact the vulnerabilities only exist in OpenSSL versions 3.0.0 to 3.0.6 means the install base is relatively low. Most environments won’t need to worry about this vulnerability, but you’ll need to verify if and where OpenSSL is in use to be sure. 

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines. 

Looking for more information on Patch Management? Check out this section on our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd