Microsoft has issued fixes for a total of 85 newly discovered common vulnerabilities and exposures (CVEs) in its October Patch Tuesday drop, among them a single zero-day vulnerability, but has not yet moved to patch two other zero-days discovered in Exchange Server in September, raising eyebrows in the community.
The two vulnerabilities in Exchange – informally dubbed ProxyNotShell – have been actively exploited for at least a fortnight, but so far have only been addressed in the form of defensive mitigation advice and updates from Microsoft. They are tracked as CVE-2022-41040 and CVE-2022-41802.
Dustin Childs of the Zero Day Initiative (ZDI) said: “These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed.
“This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information. Their mitigation advice has changed multiple times, so you’ll need to make sure you check it often for updates.”
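The advice above amounts to two checks an Exchange administrator can run from the Exchange Management Shell: is every server on a cumulative update that ships the Emergency Mitigation service, and is that service actually enabled. The script below is an added example, not code from the article, ZDI or Microsoft. It assumes the Get-ExchangeServer cmdlet and its AdminDisplayVersion and MitigationsEnabled properties, and the minimum build numbers it uses for the September 2021 CUs are assumptions that should be verified against Microsoft's published Exchange build table.

```powershell
# Added example (not from the article or Microsoft): report, per Exchange server,
# whether its installed CU is at least the September 2021 CU (which introduced the
# Emergency Mitigation service) and whether mitigations are switched on.
# Assumed: Get-ExchangeServer, AdminDisplayVersion, MitigationsEnabled.
# Assumed minimum builds for the September 2021 CUs; verify before relying on them.
$minimumBuild = @{
    '15.1' = [Version]'15.1.2375.7'   # Exchange 2016 CU22 (assumed build number)
    '15.2' = [Version]'15.2.986.5'    # Exchange 2019 CU11 (assumed build number)
}

function Get-ExchangeMitigationStatus {
    foreach ($srv in Get-ExchangeServer) {
        $v = $srv.AdminDisplayVersion
        # AdminDisplayVersion is a ServerVersion object; rebuild it as a comparable [Version]
        $build = [Version]::new($v.Major, $v.Minor, $v.Build, $v.Revision)
        $key = "$($v.Major).$($v.Minor)"
        $hasEems = $minimumBuild.ContainsKey($key) -and ($build -ge $minimumBuild[$key])

        [PSCustomObject]@{
            Server             = $srv.Name
            Build              = $build
            CuIncludesEems     = $hasEems                 # false => CU is older than Sept 2021
            MitigationsEnabled = $srv.MitigationsEnabled   # should be $true on every server
        }
    }
}

# Flag anything that needs attention: old CU, or EEMS present but disabled.
Get-ExchangeMitigationStatus |
    Where-Object { -not $_.CuIncludesEems -or -not $_.MitigationsEnabled } |
    Format-Table -AutoSize
```

A server that appears in the output either needs the newer CU or needs mitigations re-enabled (Set-ExchangeServer -MitigationsEnabled $true, assumed). Because Microsoft's interim mitigation for these bugs has been revised more than once, the emitted table is only a floor; the currently applied mitigation should still be compared against the latest Microsoft guidance each time it changes.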
Ankit Malhotra, manager of signature engineering at Qualys, added: “It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite mitigation was bypassed multiple times.
“Organisations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation.”
The new zero-day is an elevation of privilege vulnerability in the Windows COM+ Event System Service, and is likely being used alongside other exploits to take over a target system. It is tracked as CVE-2022-41033.
Mike Walters, vice-president of vulnerability and threat research at remote monitoring and management specialist Action1, said patching CVE-2022-41033 was absolutely critical.
“There has been an exploit for this vulnerability for a long time now, and it can be easily combined with an RCE exploit. It is an excellent tool in a hacker’s arsenal for elevating privileges on a Windows system because it enables an attacker who has local access to a machine to gain system privileges and do anything they like with that target system.
“All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable. The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs,” he said.
Also of note this month is CVE-2022-41043, an information disclosure vulnerability in Microsoft Office that specifically affects Outlook for Mac. It carries a particularly low severity rating and, according to Chris Goettl, Ivanti vice-president of security product management, there are “no real” samples of exploit code available.
“While the public disclosure definitely points to a problem, a threat actor will not have a workable sample to start building off of right away,” Goettl told Computer Weekly’s sister title SearchWindowsServer.com.
As for critical bugs, there are 15 rated as critical in the October update. These are as follows:
- CVE-2022-22035, a remote code execution (RCE) vulnerability in the Windows Point-to-Point Tunneling Protocol;
- CVE-2022-24504, a second RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
- CVE-2022-30198, a third RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
- CVE-2022-33634, yet another RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
- CVE-2022-34689, a spoofing vulnerability in Windows CryptoAPI;
- CVE-2022-37968, a privilege escalation vulnerability in Azure Arc-enabled Kubernetes clusters;
- CVE-2022-37976, a privilege escalation vulnerability in Active Directory Certificate Services;
- CVE-2022-37979, a privilege escalation vulnerability in Windows Hyper-V;
- CVE-2022-38000, another RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
- CVE-2022-38047, the sixth RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
- CVE-2022-38048, an RCE vulnerability in Microsoft Office;
- CVE-2022-38049, an RCE vulnerability in Microsoft Office Graphics;
- CVE-2022-41031, an RCE vulnerability in Microsoft Word;
- CVE-2022-41038, an RCE vulnerability in Microsoft SharePoint Server;
- And CVE-2022-41081, which takes the total of critical RCE vulnerabilities in the Windows Point-to-Point Tunneling Protocol to seven.