What You Need To Know: October Patch Tuesday 2022
Microsoft released 85 fixes this month including 15 Critical, one Public Aware and one Weaponised Threat.
There are 15 Rated Critical, 69 rated Important with the last rated as Moderate. Azure, Azure Arc, and Azure DevOps, Microsoft Edge (Chromium-based), Office and Office Components, Visual Studio Code, Active Directory Domain Services and Active Directory Certificate Services & Hyper-V have all been updated.
Robert Brown, Head of Customer Success for Syxsense said, “CVE-2022-41033 is a vulnerability which has been seen to be actively exploited already, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. We have also seen a CVSS score of 10.0 being fixed today, CVE-2022-37968 which impacts Azure Arc-enabled Kubernetes. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster.”
Syxsense Recommendations
Based on the Vendor Severity & CVSS Score, we have made a few recommendations below. As usual we recommend our customers enter the CVE numbers below into your Patch Management solution and deploy as soon as possible.
CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Note: The vulnerability is being actively exploited in the wild.
Syxscore
Vendor Severity: Important
CVSS: 7.8
Weaponised: Yes
Public Aware: No
Countermeasure: No
Syxscore Risk
Attack Vector: Local
Attack Complexity: Low
Privileges: Low
User Interaction: None
Scope (Jump Point): Unchanged / No
CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
An attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, allows an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster.
Note: The vulnerability has a Jump Point.
Syxscore
Vendor Severity: Critical
CVSS: 10.0
Weaponised: No
Public Aware: No
Countermeasure: No
Syxscore Risk
Attack Vector: Network
Attack Complexity: Low
Privileges: None
User Interaction: None
Scope (Jump Point): Changed / Yes
CVE-2022-38016 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
An attacker could exploit this vulnerability by sending a specially crafted API call to the Local Security Authority AuthBroker. The attacker could use the vulnerability for a container “sandbox” escape to elevate privileges.
Note: The vulnerability has a Jump Point.
Syxscore
Vendor Severity: Important
CVSS: 8.8
Weaponised: No
Public Aware: No
Countermeasure: No
Syxscore Risk
Attack Vector: Local
Attack Complexity: Low
Privileges: None
User Interaction: None
Scope (Jump Point): Changed / Yes
Syxsense Cortex Workflows are being set up to remediate all of October’s patches with the click of a button. If you would like to see how Syxsense can help you automate your patch remediation process, click to schedule a customized demo.
Microsoft’s October Patch Tuesday Fixes:
| Reference | Description | Vendor Severity | CVSS Score | Publicly Aware | Weaponised | Countermeasure | Recommended | Additional Details |
| CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | Yes | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | |
| CVE-2022-41043 | Microsoft Office Information Disclosure Vulnerability | Important | 4 | Yes | No | Yes | ||
| CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | Critical | 10 | No | No | Yes | An attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, allows an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster. Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc; therefore Azure Stack Edge devices are also vulnerable.
Scope = Changed: Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability. |
|
| CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | Yes – Setting LegacyAuthenticationLevel – Win32 apps | Microsoft Docs to 5= RPC_C_AUTHN_LEVEL_PKT_INTEGRITY might protect most processes on the machine against this attack. Note that COM does not currently have a notion of minimum authentication level if authenticated, for example it is not possible to accept calls at RPC_C_AUTHN_LEVEL_NONE or >= RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (server-side concern, but mentioning for completeness as it limits configuration-based options), nor is there a way to set the client-side authentication level for a process independent of the server-side authentication level. | Yes | An attacker who successfully exploited this vulnerability could gain domain administrator privileges. |
| CVE-2022-38016 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 8.8 | No | No | Yes | Scope = Changed. An attacker could exploit this vulnerability by sending a specially crafted API call to the Local Security Authority AuthBroker. The attacker could use the vulnerability for a container “sandbox” escape to elevate privileges. | |
| CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. | ||
| CVE-2022-38040 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | An attacker could exploit the vulnerability by tricking an authenticated user into opening a malicious MDB file in Access via ODBC, which could result in the attacker being able to execute arbitrary code on the victim’s machine with the permission level at which Access is running. | ||
| CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | Exploitation More Likely. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. | ||
| CVE-2022-41037 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. | ||
| CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | Exploitation More Likely. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. | ||
| CVE-2022-37982 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. | ||
| CVE-2022-38031 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. | ||
| CVE-2022-38045 | Server Service Remote Protocol Elevation of Privilege Vulnerability | Important | 8.8 | No | No | An attacker would only be able to delete targeted files on a system. They would not gain privileges to view or modify file contents. | ||
| CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. | ||
| CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. | ||
| CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. | ||
| CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. | ||
| CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. | ||
| CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. | ||
| CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side. | ||
| CVE-2022-38049 | Microsoft Office Graphics Remote Code Execution Vulnerability | Critical | 7.8 | No | No | |||
| CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | |||
| CVE-2022-41031 | Microsoft Word Remote Code Execution Vulnerability | Critical | 7.8 | No | No | |||
| CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | Scope = Changed: Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. | ||
| CVE-2022-37983 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | This vulnerability is subject to a local escalation of privilege attack. The attacker would most likely arrange to run an executable or script on the local computer. An attacker could gain access to the computer through a variety of methods, such as via a phishing attack where a user clicks an executable file that is attached to an email. | ||
| CVE-2022-41032 | NuGet Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-41083 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | Yes – Create a folder C:\ProgramData\jupyter\kernels\ and configure it to be writable only by the current user | An attacker who successfully exploited this vulnerability could execute code in the context of another Visual Studio Code user on the vulnerable system. | |
| CVE-2022-41034 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-38050 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||
| CVE-2022-38044 | Windows CD-ROM File System Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||
| CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||
| CVE-2022-37980 | Windows DHCP Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37970 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | This vulnerability is subject to a local escalation of privilege attack. The attacker would most likely arrange to run an executable or script on the local computer. An attacker could gain access to the computer through a variety of methods, such as via a phishing attack where a user clicks an executable file that is attached to an email. | ||
| CVE-2022-33635 | Windows GDI+ Remote Code Execution Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-38051 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||
| CVE-2022-37997 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | Exploitation More Likely. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||
| CVE-2022-37975 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37999 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37993 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37994 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37995 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37988 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-38037 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-38038 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37990 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-38039 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37991 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-38028 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-38003 | Windows Resilient File System Elevation of Privilege | Important | 7.8 | No | No | |||
| CVE-2022-37986 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37984 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | |||
| CVE-2022-37998 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | Scope = Changed. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. | ||
| CVE-2022-37973 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | Scope = Changed. This vulnerability could lead to a contained execution environment escape. | ||
| CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | Critical | 7.5 | No | No | An attacker could manipulate an existing public x.509 certificate to spoof their identify and perform actions such as authentication or code signing as the targeted certificate. | ||
| CVE-2022-38036 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | |||
| CVE-2022-37978 | Windows Active Directory Certificate Services Security Feature Bypass | Important | 7.5 | No | No | High Complexity: The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a man-in-the-middle (MITM) attack. | ||
| CVE-2022-38041 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | |||
| CVE-2022-33645 | Windows TCP/IP Driver Denial of Service Vulnerability | Important | 7.5 | No | No | Yes – Systems are not affected if IPv6 is disabled on the target machine. | ||
| CVE-2022-41042 | Visual Studio Code Information Disclosure Vulnerability | Important | 7.4 | No | No | Scope = Changed. A successful attack can break out of the Visual Studio Code Workspace Trust | ||
| CVE-2022-38042 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.1 | No | No | An attacker who successfully exploited this vulnerability could gain domain administrator privileges. | ||
| CVE-2022-37971 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.1 | No | No | |||
| CVE-2022-38021 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7 | No | No | An attacker who successfully exploited this vulnerability could gain specific limited SYSTEM privileges. | ||
| CVE-2022-38029 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | ||
| CVE-2022-38027 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | |||
| CVE-2022-38017 | StorSimple 8000 Series Elevation of Privilege Vulnerability | Important | 6.8 | No | No | |||
| CVE-2022-37977 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important | 6.5 | No | No | |||
| CVE-2022-38001 | Microsoft Office Spoofing Vulnerability | Important | 6.5 | No | No | |||
| CVE-2022-37974 | Windows Mixed Reality Developer Tools Information Disclosure Vulnerability | Important | 6.5 | No | No | |||
| CVE-2022-35770 | Windows NTLM Spoofing Vulnerability | Important | 6.5 | No | No | |||
| CVE-2022-38033 | Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability | Important | 6.5 | No | No | An attacker who successfully exploits this vulnerability would be able to remotely read registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine not normally accessible to a normal user. | ||
| CVE-2022-35829 | Service Fabric Explorer Spoofing Vulnerability | Important | 6.2 | No | No | Yes | Scope = Changed: The vulnerability is in the web client, but the malicious scripts execute in the victim’s browser on their machine. | |
| CVE-2022-38046 | Web Account Manager Information Disclosure Vulnerability | Important | 6.2 | No | No | An attacker who successfully exploited this vulnerability could view unbound refresh tokens issued by one cloud on a different cloud. | ||
| CVE-2022-37965 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | |||
| CVE-2022-38032 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | Important | 5.9 | No | No | |||
| CVE-2022-38026 | Windows DHCP Client Information Disclosure Vulnerability | Important | 5.5 | No | No | |||
| CVE-2022-38025 | Windows Distributed File System (DFS) Information Disclosure Vulnerability | Important | 5.5 | No | No | |||
| CVE-2022-37985 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Exploiting this vulnerability could allow the disclosure of initialized or uninitialized memory in the process heap. | ||
| CVE-2022-37996 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. | ||
| CVE-2022-38043 | Windows Security Support Provider Interface Information Disclosure Vulnerability | Important | 5.5 | No | No | Exploiting this vulnerability could allow the disclosure of certain kernel memory content. | ||
| CVE-2022-37981 | Windows Event Logging Service Denial of Service Vulnerability | Important | 4.3 | No | No | |||
| CVE-2022-38030 | Windows USB Serial Driver Information Disclosure Vulnerability | Important | 4.3 | No | No | |||
| CVE-2022-38034 | Windows Workstation Service Elevation of Privilege Vulnerability | Important | 4.3 | No | No | An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to local clients only. | ||
| CVE-2022-38022 | Windows Kernel Elevation of Privilege Vulnerability | Important | 2.5 | No | No | An attacker would only be able to delete empty folders on a vulnerable system in the context of the SYSTEM account. They would not gain privileges to view or modify file contents or delete folders containing files. |