Microsoft finally patched the publicly known “ProxyNotShell” and Mark of the Web (MotW) security vulnerabilities in its penultimate monthly security update for 2022 — two of six zero-day bugs under active exploit in the wild.
The targeted zero-days are part of a tranche of 68 security fixes for November’s Patch Tuesday group, 11 of which are rated critical.
The fixes address CVEs that affect the gamut of the security giant’s product line, including Azure, BitLocker, Dynamics, Exchange Server, Office and Office components, Network Policy Server (NPS), SharePoint Server, SysInternals, Visual Studio, Windows and Windows Components, and the Linux kernel and other open source software bugs affecting Microsoft products.
Actively Exploited Zero-Day Vulnerabilities
The group of zero-days listed as under active attack is the largest for Microsoft so far this year.
Two of them are the critical ProxyNotShell flaws affecting Exchange Server, first disclosed in September. Both carry a CVSS vulnerability-severity score rating of 8.8 out of 10. The bug tracked as CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution (RCE) flaw when PowerShell is remotely accessible to the attacker. They can be chained together for full “pwning” of an Exchange Server.
“At long last, Microsoft released patches for the ProxyNotShell vulnerabilities that are being actively exploited by Chinese threat actors,” Automox researcher Preetham Gurram said in a Nov. 8 analysis. “The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid Exchange Servers where temporary mitigation has not been applied.”
Microsoft also addressed the known and analyzed Mark of the Web issues — they’re being tracked as CVE-2022-41091 and CVE-2022-41049, two separate vulnerabilities that exist in different versions of Windows. The important-rated bugs both allow attackers to sneak malicious attachments and files past Microsoft’s MotW security feature — Microsoft says only the former is being exploited in the wild.
“The new zero-day vulnerability … as low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website,” he explains. “It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. … However, the proof-of-concept has not yet been publicly disclosed.”
The remaining two bugs are important-rated elevation of privilege (EoP) issues carrying 7.8 CVSS scores. One is a memory bug that affects Microsoft’s next-gen cryptography, the Windows CNG Key Isolation Service (CVE-2022-41125).
“With low privileges required and a local attack vector, this vulnerability does not necessitate any user interaction. Instead, an attacker would have to gain execution privileges on the victim’s device and run a specially crafted application to elevate privileges to exploit this vulnerability,” Automox researcher Gina Geisel said in an emailed analysis. “With a long list of Windows 10 and 11 affected (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability exposes industry-leading versions of Windows and could have wide-ranging impacts.”
The second exists in Windows Print Spooler (CVE-2022-41073), and Action1’s Walters describes it as a relative of last year’s PrintNightmare bug.
“Microsoft continues to patch minions of the PrintNightmare vulnerability,” he says. “This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop.”
Critical Bugs of Note for November
Other issues in November’s update that admins should prioritize include a vulnerability in Windows Kerberos RC4-HMAC (CVE-2022-37966). It earns a critical rating (CVSS 8.1), even though an attacker needs to have access and the ability to run code on the target system to exploit it.
That’s likely because Kerberos is an authentication protocol to verify a user or the host’s identity, noted Automox’s Gurram. It provides a token that enables a service to act on behalf of its client when connecting to other services; when used within an organization’s domain, it enables single sign-on (SSO).
“The primary encryption type used in Windows is based on the RC4 stream cipher, with an MD5-HMAC algorithm used for the checksum field,” Gurram said. “RC4 encryption is considered to be the least secure and most attackable encryption algorithm. If being used for encrypting Kerberos tokens in the Active Directory domain, it can be exploited and take full control of any service accounts.”
ZDI’s Dustin Childs noted in a blog post that for this bug and another critical-rated issue in Kerberos tracked as CVE-2022-37967 (CVSS 7.2), admins will need to take additional actions beyond just applying the patch.
“Specifically, you’ll need to review KB5020805 and KB5021131 to see the changes made and next steps,” he advised. “Microsoft notes this is a phased rollout of fixes, so look for additional updates to further impact the Kerberos functionality.”
Childs also flagged three critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1, and all allowing RCE (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044).
“There seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols,” Childs said. “If you rely on PPTP, you should really consider upgrading to something more modern.”
The remaining critical bugs are as follows:
- CVE-2022-38015: A denial-of-service (DoS) bug in Hyper-V (CVSS 6.5), which Microsoft said “could allow a Hyper-V guest to affect the functionality of the Hyper-V host.”
- CVE-2022-41118: An RCE bug affecting the Chakra and Jscript scripting languages (CVSS 7.5)
- CVE-2022-39327: An Azure CLI RCE bug (no CVSS) — a previously released fix that is just being documented now.
Even though this month’s update is relatively light, admins should get to patching ASAP, according to Bharat Jogi, director of vulnerability and threat research at Qualys — especially with so many zero-day exploits circulating.
“As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds, etc.),” he said in emailed commentary. “It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organizations have left unpatched.”