November Patch Tuesday Updates
Microsoft releases 64 fixes this month including 15 Critical, one Public Aware and 6 Weaponised Threats
There are 11 Rated Critical and 53 are rated Important. Microsoft Windows, Azure and Azure Real Time Operating Systems, Exchange, Office and Office Components, Visual Studio, SharePoint, Network Policy Server (NPS) and Windows BitLocker have all been updated.
Robert Brown, Head of Customer Success for Syxsense said, “We have never seen in over the past 3 years 6 weaponised threats fixed in a single month. One of these are both Weaponised and Public Aware meaning the exact steps to exploit are available on the internet if you know where to look. Another Weaponised threat happens to impact the Print Spooler, careful testing should be performed to ensure issues like the Print Nightmare are not repeated as you expedite the rollout of this fix.”
Syxsense Recommendations
Based on the Vendor Severity & CVSS Score, we have made a few recommendations below. As usual we recommend our customers enter the CVE numbers below into your Patch Management solution and deploy as soon as possible.
CVE-2022-41091 Windows Mark of the Web Security Feature Bypass Vulnerability
An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defences, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.
Note: The vulnerability is Publicly Aware and Weaponised
Syxscore
Vendor Severity: Important
CVSS: 5.4
Weaponised: Yes
Public Aware: Yes
Countermeasure: No
Syxscore Risk
Attack Vector: Network
Attack Complexity: Low
Privileges: None
User Interaction: Required
Scope (Jump Point): Unchanged / No
CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability
The disclosed vulnerability allows a remote user to perform SSRF attacks. Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the target system.
Note: The vulnerability is being Weaponised
Syxscore
Vendor Severity: Critical
CVSS: 8.8
Weaponised: Yes
Public Aware: No
Countermeasure: No
Syxscore Risk
Attack Vector: Network
Attack Complexity: Low
Privileges: Low
User Interaction: None
Scope (Jump Point): Unchanged / No
CVE-2022-41073 Windows Print Spooler Elevation of Privilege Vulnerability
There is a boundary error within the Windows Print Spooler. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This impacts everything from Windows 7 all the way to Windows 11.
Note: The vulnerability is being Weaponised
Syxscore
Vendor Severity: Important
CVSS: 7.8
Weaponised: Yes
Public Aware: No
Countermeasure: No
Syxscore Risk
Attack Vector: Local
Attack Complexity: Low
Privileges: Low
User Interaction: None
Scope (Jump Point): Unchanged / No
Syxsense Cortex Workflows are being set up to remediate all of November’s patches with the click of a button. If you would like to see how Syxsense can help you automate your patch remediation process, click to schedule a customized demo.
Microsoft’s November Patch Tuesday Fixes
| CVE Reference | Description | Vendor Severity | CVSS Score | Publicly Aware | Weaponised | Countermeasure | Additional Details | Syxsense Highest Priority |
| CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | YES | YES | No | In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass. Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass. | Yes |
| CVE-2022-41040 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8.8 | No | YES | No | The privileges acquired by the attacker would be the ability to run PowerShell in the context of the system. | Yes |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 8.8 | No | YES | No | The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call. | Yes |
| CVE-2022-41128 | Windows Scripting Languages Remote Code Execution Vulnerability | Critical | 8.8 | No | YES | No | Yes | |
| CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | 7.8 | No | YES | No | This bug was reported through the Microsoft Threat Intelligence Center and Security Response Center. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | No |
| CVE-2022-41073 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | YES | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Yes |
| CVE-2022-23824 | AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions | Important | TBC | No | No | No | No | |
| CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | No | Exploitation More Likely | Yes |
| CVE-2022-41047 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. | No |
| CVE-2022-41048 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. | Yes |
| CVE-2022-41062 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | ||
| CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability | Critical | 8.1 | No | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain administrator privileges. | |
| CVE-2022-41039 | Windows Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | No | ||
| CVE-2022-41088 | Windows Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | No | ||
| CVE-2022-41044 | Windows Point-to-Point Tunnelling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | No | ||
| CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability | Important | 8.1 | No | No | No | An attacker who successfully exploited this vulnerability could gain administrator privileges. | |
| CVE-2022-41078 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | No | ||
| CVE-2022-41079 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | No | ||
| CVE-2022-41051 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41096 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain system privileges. | |
| CVE-2022-41105 | Microsoft Excel Information Disclosure Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41106 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41063 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41123 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41107 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41120 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain administrator privileges. | |
| CVE-2022-41061 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41119 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41100 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | Scope = Changed, Jump Point = True. | |
| An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||||||||
| CVE-2022-41045 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | Scope = Changed, Jump Point = True. | |
| An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||||||||
| CVE-2022-41093 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | Scope = Changed, Jump Point = True. | |
| An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||||||||
| CVE-2022-41095 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | |
| CVE-2022-41050 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41052 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-37992 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | |
| CVE-2022-41057 | Windows HTTP.sys Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | |
| CVE-2022-41101 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | |
| CVE-2022-41102 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | |
| CVE-2022-41054 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41113 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | |
| CVE-2022-41109 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41092 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | ||
| CVE-2022-41118 | Windows Scripting Languages Remote Code Execution Vulnerability | Critical | 7.5 | No | No | No | ||
| CVE-2022-41056 | Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | No | ||
| CVE-2022-41053 | Windows Kerberos Denial of Service Vulnerability | Important | 7.5 | No | No | No | ||
| CVE-2022-41058 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 7.5 | No | No | No | Exploitation More Likely | |
| CVE-2022-3602 | OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun | High | 7.5 | No | No | No | Impacts Azure SDK for C++, vcpkg and Microsoft Azure Kubernetes Service only. | |
| CVE-2022-3786 | OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun | High | 7.5 | No | No | No | Impacts Azure SDK for C++, vcpkg and Microsoft Azure Kubernetes Service only. | |
| CVE-2022-41085 | Azure Cycle Cloud Elevation of Privilege Vulnerability | Important | 7.4 | No | No | No | An attacker who successfully exploited this vulnerability could gain administrator privileges. | |
| CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability | Critical | 7.2 | No | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain administrator privileges. | |
| CVE-2022-41114 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | No | ||
| CVE-2022-38014 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | No | ||
| CVE-2022-38015 | Windows Hyper-V Denial of Service Vulnerability | Critical | 6.5 | No | No | No | Scope = Changed / Jump Pont = True. | |
| Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. | ||||||||
| CVE-2022-41122 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 6.5 | No | No | No | Exploitation More Likely | |
| CVE-2022-41097 | Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability | Important | 6.5 | No | No | No | Exploiting this vulnerability could allow the disclosure of initialized or uninitialized memory in the process heap. | |
| CVE-2022-41086 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 6.4 | No | No | No | An attacker who successfully exploited this vulnerability could gain domain administrator privileges. | |
| CVE-2022-41090 | Windows Point-to-Point Tunnelling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | No | ||
| CVE-2022-41116 | Windows Point-to-Point Tunnelling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | No | ||
| CVE-2022-41064 | .NET Framework Information Disclosure Vulnerability | Important | 5.8 | No | No | No | Scope = Changed / Jump Pont = True. | |
| Customers using either the System.Data.SqlClient or Microsoft.Data.SqlClient NuGet Packages need to do the following to be protected: | ||||||||
| If you are using System.Data.SqlClient on .NET Framework you must install the November update for .NET Framework | ||||||||
| If you are using System.Data.SqlClient on .NET Core, .NET 5 or .NET 6 you must update the nuget package to an updated version as listed in the affected packages. | ||||||||
| If you are using Microsoft.Data.SqlClient, anywhere (.NET Core, .NET 5/6, .NET Framework) and you are using a version that is vulnerable you must update as listed in the affected packages. | ||||||||
| CVE-2022-41104 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 5.5 | No | No | No | ||
| CVE-2022-41060 | Microsoft Word Information Disclosure Vulnerability | Important | 5.5 | No | No | No | ||
| CVE-2022-41103 | Microsoft Word Information Disclosure Vulnerability | Important | 5.5 | No | No | No | ||
| CVE-2022-41098 | Windows GDI+ Information Disclosure Vulnerability | Important | 5.5 | No | No | No | ||
| CVE-2022-41055 | Windows Human Interface Device Information Disclosure Vulnerability | Important | 5.5 | No | No | No | Exploitation More Likely | |
| CVE-2022-41049 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | No | No | No | ||
| CVE-2022-41099 | BitLocker Security Feature Bypass Vulnerability | Important | 4.6 | No | No | No | A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data. | |
| CVE-2022-41066 | Microsoft Business Central Information Disclosure Vulnerability | Important | 4.4 | No | No | No |