Microsoft November 2022 Patch Tuesday has been released with patches for a total of 68 vulnerabilities, which include 6 actively exploited zero days and 11 critical vulnerabilities.
Microsoft has fixed several classes of flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.
A third zero-day is CVE-2022-41128, a critical Windows vulnerability that also allows a threat actor to execute malicious code remotely. The vulnerability, which works when a vulnerable device accesses a malicious server, was discovered by Clément Lecigne of Google’s Threat Analysis Group. Because TAG tracks hacking backed by nation-states, the discovery likely means that government-backed hackers are behind the zero-day exploits.
Two more zero-days are escalation-of-privilege vulnerabilities, a class of vulnerability that, when paired with a separate vulnerability or used by someone who already has limited system privileges on a device, elevates system rights to those needed to install code, access passwords, and take control of a device. As security in applications and operating systems has improved in the past decade, so-called EoP vulnerabilities have grown in importance.
The critical vulnerabilities in this Patch Tuesday and the products they affect are as follows:
| Product | CVE ID | CVE Title | CVSS Score |
|---|---|---|---|
| Azure | CVE-2022-39327 | GitHub: CVE-2022-39327 Improper Control of Generation of Code (‘Code Injection’) in Azure CLI | 9.8 |
| Microsoft Exchange Server | CVE-2022-41040 | Microsoft Exchange Information Disclosure Vulnerability | 8.8 |
| Microsoft Exchange Server | CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege Vulnerability | 8.8 |
| Role: Windows Hyper-V | CVE-2022-38015 | Windows Hyper-V Denial of Service Vulnerability | 6.5 |
| Windows Kerberos | CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability | 7.2 |
| Windows Kerberos | CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability | 8.1 |
| Windows Point-to-Point Tunneling Protocol | CVE-2022-41044 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | 8.1 |
| Windows Point-to-Point Tunneling Protocol | CVE-2022-41039 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | 8.1 |
| Windows Point-to-Point Tunneling Protocol | CVE-2022-41088 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | 8.1 |
| Windows Scripting | CVE-2022-41118 | Windows Scripting Languages Remote Code Execution Vulnerability | 7.5 |
| Windows Scripting | CVE-2022-41128 | Windows Scripting Languages Remote Code Execution Vulnerability | 8.8 |
Zero Day Vulnerabilities
- CVE-2022-41128 (CVSS Score: 8.8): The JScript9 scripting language in Windows Scripting Languages is vulnerable to remote code execution. Exploitation requires a user to visit an attacker-crafted website.
- CVE-2022-41040 (CVSS Score: 8.8): An attacker could run PowerShell in the context of the system.
- CVE-2022-41082 (CVSS Score: 8.8): An unauthenticated, remote attacker could use arbitrary code execution to target Microsoft Exchange server accounts and execute malicious code via a network call.
- CVE-2022-41073 (CVSS Score: 7.8) and CVE-2022-41125 (CVSS Score: 7.8): Exploiting these vulnerabilities could give an attacker SYSTEM privileges.
- CVE-2022-41091 (CVSS Score: 5.4): An attacker can craft a malicious file that circumvents Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features.
- CVE-2022-39327 (CVSS Score: 9.8): Azure CLI versions before 2.40.0 are vulnerable to code injection. Only Windows-based computers that run Azure CLI commands from any version of PowerShell, with parameters containing the ‘&’ or ‘|’ symbols, are affected.
- CVE-2022-41080 (CVSS Score: 8.8): The vulnerability allows privilege escalation on Microsoft Exchange Server.
- CVE-2022-37966 (CVSS Score: 8.1): Successful exploitation could give an unauthenticated attacker administrator rights. An attacker could breach Windows AD environments by abusing cryptographic protocol flaws in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC.
- CVE-2022-41039 and CVE-2022-41044 (CVSS Scores: 8.1): A RAS server may receive a connection request specially crafted by an unauthenticated attacker, which may result in remote code execution (RCE).
- CVE-2022-41088 (CVSS Score: 8.1): An attacker can send a specially crafted malicious PPTP packet to a PPTP server to exploit this vulnerability, which could result in remote code execution.
- CVE-2022-41118 (CVSS Score: 8.1): The JScript9 and Chakra scripting in Windows Scripting Languages are vulnerable to remote code execution.
- CVE-2022-37967 (CVSS Score: 7.2): An authenticated attacker could exploit the cryptographic protocol flaw in Windows Kerberos and modify Kerberos PAC to gain administrative privileges.
- CVE-2022-38015 (CVSS Score: 6.5): Successful exploitation could allow a Hyper-V guest to interfere with the host’s functionality.
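To triage exposure to CVE-2022-39327 as described above, the following added example (not Microsoft's or the Azure CLI project's code) checks an Azure CLI version string against 2.40.0 and scans PowerShell script text for `az` calls whose quoted parameters contain `&` or `|`. The function names and the sample script are hypothetical and constructed for illustration; values held in variables cannot be seen by a static scan like this.

```python
import re

FIXED = (2, 40, 0)  # per the advisory text: versions before 2.40.0 are affected

def is_vulnerable_version(version):
    """True when an Azure CLI version string is older than 2.40.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))          # pad "2.40" to (2, 40, 0)
    return parts < FIXED                      # numeric, not string, comparison

# One PowerShell token: single-quoted, double-quoted, or a bare word.
TOKEN = re.compile(r"""'(?:[^']|'')*'|"(?:[^"`]|`.)*"|[^\s'"]+""")

def risky_az_args(line):
    """Quoted arguments of an `az` call on this line that contain '&' or '|'."""
    if line.lstrip().startswith("#"):
        return []
    hits, in_az = [], False
    for tok in TOKEN.findall(line):
        quoted = tok[0] in "'\""
        if not in_az:
            in_az = tok.lower() in ("az", "az.cmd")
        elif not quoted and re.search(r"[|;]", tok):
            in_az = False   # a bare '|' or ';' ends the az invocation
        elif quoted and re.search(r"[&|]", tok):
            hits.append(tok)
    return hits

def scan(script):
    """Return (line_number, argument) pairs worth reviewing."""
    return [(n, arg) for n, line in enumerate(script.splitlines(), 1)
            for arg in risky_az_args(line)]

# Constructed sample script, not taken from any real deployment.
SAMPLE = '''\
az group list | ConvertFrom-Json
az vm create --name "web&api" --resource-group rg1
az webapp config appsettings set --settings 'FILTER=a|b' | Out-Null
Write-Host "done & dusted"
'''

if __name__ == "__main__":
    print("2.39.0 vulnerable:", is_vulnerable_version("2.39.0"))
    for lineno, arg in scan(SAMPLE):
        print(f"line {lineno}: review argument {arg}")
```

Hosts that report a version below 2.40.0 and run scripts with flagged lines are the ones to upgrade first.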
Patches generally install automatically within about 24 hours. To install updates immediately, go to Windows > Settings > Updates and Security > Windows Update.