Microsoft has fixed 65 vulnerabilities (aka flaws) in the November 2022 update, including ten (10) vulnerabilities classified as Critical as they allow Denial of Service (DoS), Elevation of Privilege (EoP), and Remote Code Execution (RCE). This month’s Patch Tuesday included a Microsoft Defense in Depth Update (ADV220003) and addressed six (6) known exploited zero-day vulnerabilities. Earlier this month, on November 2, 2022, Microsoft also released two (2) advisories for OpenSSL 3.x for Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service (CVE-2022-3602, CVE-2022-3786).
Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution(RCE), Security Feature Bypass, and Spoofing.
The November 2022 Microsoft Vulnerabilities are classified as follows:
OpenSSL 3.x Critical Vulnerability Highlights
Last week a CRITICAL vulnerability in OpenSSL was pre-announced to give organizations a head start in coming up with a playbook for how to address the highest severity OpenSSL vulnerability since Heartbleed in 2014. A lot of effort was put in by vendors and organizations alike to come up with a proper response, while eagerly awaiting the announcement on November 1. When the information was released, the vulnerability was downgraded in severity and split into two (2) CVEs (CVE-2022-37786 and CVE-2022-3602), decreasing the impact on products that leverage OpenSSL 3.x. These two (2) OpenSSL vulnerabilities have been addressed in OpenSSL 3.0.7.
OpenSSL Vulnerability Recap – Travis Smith VP, Malware Threat Research, Qualys
CVE-2022-3602 | OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun
CVE-2022-3786 | OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun
The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and are known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
For more information and guidance see Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602).
Products Affected: Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service
Microsoft Patch Tuesday Critical Vulnerability Highlights
CVE-2022-41128 | Windows Scripting Languages Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8 / 10.
This vulnerability affects the JScript9 scripting language, part of the component Scripting Language. Successful exploitation requires user interaction by the victim.
This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.
The attack may be initiated remotely. It is highly recommended to apply a patch to fix this issue.
Potential Impact: Availability, Confidentiality, and Integrity.
Extended Security Updates (ESU) Vulnerability
Exploitability Assessment: Exploitation Detected
CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8 / 10.
The technical details are unknown, and an exploit is not publicly available. Applying a patch is able to eliminate this problem. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.
Potential Impact: Availability, Confidentiality, and Integrity.
Exploitability Assessment: Exploitation More Likely
CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 score of 8.1 / 10.
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.
For more information, please see How to manage the Kerberos Protocol changes related to CVE-2022-37966.
Potential Impact: Availability, Confidentiality, and Integrity.
Exploitability Assessment: Exploitation More Likely
CVE-2022-41044 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.1 / 10.
Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.
For more information, please see How to manage the Kerberos Protocol changes related to CVE-2022-37966.
Potential Impact: Availability, Confidentiality, and Integrity.
Extended Security Updates (ESU) Vulnerability
Exploitability Assessment: Exploitation Less Likely
Microsoft Release Summary
This month’s Release Notes cover multiple Microsoft product families, including Azure, Developer Tools, Extended Security Updates (ESU), Microsoft Dynamics, Microsoft Office, Open Source Software, and Windows.
A total of 39 unique Microsoft products, features, and roles, including but not limited to Azure CLI, Microsoft Exchange Server Cumulative Update, Windows Endpoint, Windows Server, and Windows Server 2022 Datacenter: Azure Edition (Hotpatch) were included in this release.
Downloads include Cumulative Updates, IE Cumulative, Monthly Rollups, Security Hotpatch Updates, Security Only, and Security Updates.
Did you know? Microsoft Security Response Center (MSRC) | Improvements in Security Update Notifications Delivery – And a New Delivery Method.
Qualys Patch Tuesday QIDs are published as Security Alerts typically late in the evening on the day of Patch Tuesday, followed later by the publication of the monthly queries for the Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard by 1 pm PT on Wednesday.
Patch Tuesday is a process. Please check back periodically throughout the week of Patch Tuesday as this blog is continually updated through Friday. New insights, information, and resources are added and updated as they become available.
The Qualys Product Management and Threat Research team members host a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, this month’s Patch Tuesday high-impact vulnerabilities will be discussed. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
The content within this section will spotlight upcoming Vulnerability Management, Patch Management, Threat Protection, Custom Assessment and Remediation, and Policy Compliance adjacent events available to our prospective, new, and existing customers.
WEBINARS
Qualys Workshop Wednesday
At Qualys Inc, providing cybersecurity through technology is what we do. Join us each month as we tap into the minds of Qualys experts to share how you can get the most out of your investment and understand ways in which you can quickly reduce your cyber risk exposure using the Qualys Cloud Platform. Each 45-minute monthly session, hosted on the first Wednesday of the month, will showcase practical hands-on tips and tricks, news on new capabilities and services, as well as useful customer success stories that can help you get the most out of the Qualys Cloud Platform.
Join us for the next Workshop Wednesday on December 7, 2022
Qualys Threat Thursdays
The Qualys Threat Research team invites you to join their regular monthly webinar series covering the latest threat intelligence analysis and insight.
November 2022 Threat Thursday Topic is Empire, an Open-Source cross-platform post-exploitation framework that has been in active development since 2015.
Never miss an update. Subscribe Today!
Click Here to quickly navigate to Qualys Threat Thursday blog posts.
CONFERENCES
