November Patch Tuesday Updates

Microsoft releases 64 fixes this month including 15 Critical, one Public Aware and 6 Weaponised Threats

There are 11 Rated Critical and 53 are rated Important. Microsoft Windows, Azure and Azure Real Time Operating Systems, Exchange, Office and Office Components, Visual Studio, SharePoint, Network Policy Server (NPS) and Windows BitLocker have all been updated.

Robert Brown, Head of Customer Success for Syxsense said, “We have never seen in over the past 3 years 6 weaponised threats fixed in a single month. One of these are both Weaponised and Public Aware meaning the exact steps to exploit are available on the internet if you know where to look. Another Weaponised threat happens to impact the Print Spooler, careful testing should be performed to ensure issues like the Print Nightmare are not repeated as you expedite the rollout of this fix.”

Syxsense Recommendations

Based on the Vendor Severity & CVSS Score, we have made a few recommendations below. As usual we recommend our customers enter the CVE numbers below into your Patch Management solution and deploy as soon as possible.

CVE-2022-41091 Windows Mark of the Web Security Feature Bypass Vulnerability
An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defences, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

Note: The vulnerability is Publicly Aware and Weaponised

Syxscore
Vendor Severity: Important
CVSS: 5.4
Weaponised: Yes
Public Aware: Yes
Countermeasure: No

Syxscore Risk
Attack Vector: Network
Attack Complexity: Low
Privileges: None
User Interaction: Required
Scope (Jump Point): Unchanged / No

CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability
The disclosed vulnerability allows a remote user to perform SSRF attacks. Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the target system.

Note: The vulnerability is being Weaponised

Syxscore
Vendor Severity: Critical
CVSS: 8.8
Weaponised: Yes
Public Aware: No
Countermeasure: No

Syxscore Risk
Attack Vector: Network
Attack Complexity: Low
Privileges: Low
User Interaction: None
Scope (Jump Point): Unchanged / No

CVE-2022-41073 Windows Print Spooler Elevation of Privilege Vulnerability
There is a boundary error within the Windows Print Spooler. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This impacts everything from Windows 7 all the way to Windows 11.

Note: The vulnerability is being Weaponised

Syxscore
Vendor Severity: Important
CVSS: 7.8
Weaponised: Yes
Public Aware: No
Countermeasure: No

Syxscore Risk
Attack Vector: Local
Attack Complexity: Low
Privileges: Low
User Interaction: None
Scope (Jump Point): Unchanged / No

Syxsense Cortex Workflows are being set up to remediate all of November’s patches with the click of a button. If you would like to see how Syxsense can help you automate your patch remediation process, click to schedule a customized demo.

Microsoft’s November Patch Tuesday Fixes

CVE Reference Description Vendor Severity CVSS Score Publicly Aware Weaponised Countermeasure Additional Details Syxsense Highest Priority
CVE-2022-41091 Windows Mark of the Web Security Feature Bypass Vulnerability Important 5.4 YES YES No In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass.  Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass. Yes
CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability Critical 8.8 No YES No The privileges acquired by the attacker would be the ability to run PowerShell in the context of the system. Yes
CVE-2022-41082 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 8.8 No YES No The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call. Yes
CVE-2022-41128 Windows Scripting Languages Remote Code Execution Vulnerability Critical 8.8 No YES No Yes
CVE-2022-41125 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Important 7.8 No YES No This bug was reported through the Microsoft Threat Intelligence Center and Security Response Center.  An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. No
CVE-2022-41073 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No YES No An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Yes
CVE-2022-23824 AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions Important TBC No No No No
CVE-2022-41080 Microsoft Exchange Server Elevation of Privilege Vulnerability Critical 8.8 No No No Exploitation More Likely Yes
CVE-2022-41047 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No No An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. No
CVE-2022-41048 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No No An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. Yes
CVE-2022-41062 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No No
CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability Critical 8.1 No No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain administrator privileges.
CVE-2022-41039 Windows Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability Critical 8.1 No No No
CVE-2022-41088 Windows Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability Critical 8.1 No No No
CVE-2022-41044 Windows Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability Critical 8.1 No No No
CVE-2022-38023 Netlogon RPC Elevation of Privilege Vulnerability Important 8.1 No No No An attacker who successfully exploited this vulnerability could gain administrator privileges.
CVE-2022-41078 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No No
CVE-2022-41079 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No No
CVE-2022-41051 Azure RTOS GUIX Studio Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2022-41096 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain system privileges.
CVE-2022-41105 Microsoft Excel Information Disclosure Vulnerability Important 7.8 No No No
CVE-2022-41106 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2022-41063 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2022-41123 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2022-41107 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2022-41120 Microsoft Windows Sysmon Elevation of Privilege Vulnerability Important 7.8 No No No An attacker who successfully exploited this vulnerability could gain administrator privileges.
CVE-2022-41061 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2022-41119 Visual Studio Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2022-41100 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability Important 7.8 No No No Scope = Changed, Jump Point = True.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41045 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability Important 7.8 No No No Scope = Changed, Jump Point = True.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41093 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability Important 7.8 No No No Scope = Changed, Jump Point = True.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41095 Windows Digital Media Receiver Elevation of Privilege Vulnerability Important 7.8 No No No An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41050 Windows Extensible File Allocation Table Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2022-41052 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2022-37992 Windows Group Policy Elevation of Privilege Vulnerability Important 7.8 No No No An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41057 Windows HTTP.sys Elevation of Privilege Vulnerability Important 7.8 No No No An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41101 Windows Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No No An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41102 Windows Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No No An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41054 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2022-41113 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Important 7.8 No No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41109 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2022-41092 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2022-41118 Windows Scripting Languages Remote Code Execution Vulnerability Critical 7.5 No No No
CVE-2022-41056 Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability Important 7.5 No No No
CVE-2022-41053 Windows Kerberos Denial of Service Vulnerability Important 7.5 No No No
CVE-2022-41058 Windows Network Address Translation (NAT) Denial of Service Vulnerability Important 7.5 No No No Exploitation More Likely
CVE-2022-3602 OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun High 7.5 No No No Impacts Azure SDK for C++, vcpkg and Microsoft Azure Kubernetes Service only.
CVE-2022-3786 OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun High 7.5 No No No Impacts Azure SDK for C++, vcpkg and Microsoft Azure Kubernetes Service only.
CVE-2022-41085 Azure Cycle Cloud Elevation of Privilege Vulnerability Important 7.4 No No No An attacker who successfully exploited this vulnerability could gain administrator privileges.
CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability Critical 7.2 No No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain administrator privileges.
CVE-2022-41114 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important 7 No No No
CVE-2022-38014 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability Important 7 No No No
CVE-2022-38015 Windows Hyper-V Denial of Service Vulnerability Critical 6.5 No No No Scope = Changed / Jump Pont = True.
Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host.
CVE-2022-41122 Microsoft SharePoint Server Spoofing Vulnerability Important 6.5 No No No Exploitation More Likely
CVE-2022-41097 Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability Important 6.5 No No No Exploiting this vulnerability could allow the disclosure of initialized or uninitialized memory in the process heap.
CVE-2022-41086 Windows Group Policy Elevation of Privilege Vulnerability Important 6.4 No No No An attacker who successfully exploited this vulnerability could gain domain administrator privileges.
CVE-2022-41090 Windows Point-to-Point Tunnelling Protocol Denial of Service Vulnerability Important 5.9 No No No
CVE-2022-41116 Windows Point-to-Point Tunnelling Protocol Denial of Service Vulnerability Important 5.9 No No No
CVE-2022-41064 .NET Framework Information Disclosure Vulnerability Important 5.8 No No No Scope = Changed / Jump Pont = True.
Customers using either the System.Data.SqlClient or Microsoft.Data.SqlClient NuGet Packages need to do the following to be protected:
If you are using System.Data.SqlClient on .NET Framework you must install the November update for .NET Framework
If you are using System.Data.SqlClient on .NET Core, .NET 5 or .NET 6 you must update the nuget package to an updated version as listed in the affected packages.
If you are using Microsoft.Data.SqlClient, anywhere (.NET Core, .NET 5/6, .NET Framework) and you are using a version that is vulnerable you must update as listed in the affected packages.
CVE-2022-41104 Microsoft Excel Security Feature Bypass Vulnerability Important 5.5 No No No
CVE-2022-41060 Microsoft Word Information Disclosure Vulnerability Important 5.5 No No No
CVE-2022-41103 Microsoft Word Information Disclosure Vulnerability Important 5.5 No No No
CVE-2022-41098 Windows GDI+ Information Disclosure Vulnerability Important 5.5 No No No
CVE-2022-41055 Windows Human Interface Device Information Disclosure Vulnerability Important 5.5 No No No Exploitation More Likely
CVE-2022-41049 Windows Mark of the Web Security Feature Bypass Vulnerability Important 5.4 No No No
CVE-2022-41099 BitLocker Security Feature Bypass Vulnerability Important 4.6 No No No A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.
CVE-2022-41066 Microsoft Business Central Information Disclosure Vulnerability Important 4.4 No No No