What You Need To Know: October Patch Tuesday 2022

Microsoft released 85 fixes this month including 15 Critical, one Public Aware and one Weaponised Threat.

There are 15 Rated Critical, 69 rated Important with the last rated as Moderate.  Azure, Azure Arc, and Azure DevOps, Microsoft Edge (Chromium-based), Office and Office Components, Visual Studio Code, Active Directory Domain Services and Active Directory Certificate Services & Hyper-V have all been updated.

Robert Brown, Head of Customer Success for Syxsense said, “CVE-2022-41033 is a vulnerability which has been seen to be actively exploited already, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.  We have also seen a CVSS score of 10.0 being fixed today, CVE-2022-37968 which impacts Azure Arc-enabled Kubernetes.  This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster.”

Syxsense Recommendations

Based on the Vendor Severity & CVSS Score, we have made a few recommendations below.  As usual we recommend our customers enter the CVE numbers below into your Patch Management solution and deploy as soon as possible.

CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Note:  The vulnerability is being actively exploited in the wild.

Syxscore
Vendor Severity: Important
CVSS: 7.8
Weaponised: Yes
Public Aware: No
Countermeasure: No

Syxscore Risk
Attack Vector: Local
Attack Complexity: Low
Privileges: Low
User Interaction: None
Scope (Jump Point): Unchanged / No

CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability

An attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, allows an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster.

Note:  The vulnerability has a Jump Point.

Syxscore
Vendor Severity: Critical
CVSS: 10.0
Weaponised: No
Public Aware: No
Countermeasure: No

Syxscore Risk
Attack Vector: Network
Attack Complexity: Low
Privileges: None
User Interaction: None
Scope (Jump Point): Changed / Yes

CVE-2022-38016 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability

An attacker could exploit this vulnerability by sending a specially crafted API call to the Local Security Authority AuthBroker. The attacker could use the vulnerability for a container “sandbox” escape to elevate privileges.

Note:  The vulnerability has a Jump Point.

Syxscore
Vendor Severity: Important
CVSS: 8.8
Weaponised: No
Public Aware: No
Countermeasure: No

Syxscore Risk
Attack Vector: Local
Attack Complexity: Low
Privileges: None
User Interaction: None
Scope (Jump Point): Changed / Yes

Syxsense Cortex Workflows are being set up to remediate all of October’s patches with the click of a button. If you would like to see how Syxsense can help you automate your patch remediation process, click to schedule a customized demo.

Microsoft’s October Patch Tuesday Fixes:

Reference Description Vendor Severity CVSS Score Publicly Aware Weaponised Countermeasure Recommended Additional Details
CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability Important 7.8 No Yes Yes An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-41043 Microsoft Office Information Disclosure Vulnerability Important 4 Yes No Yes
CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability Critical 10 No No Yes An attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, allows an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster. Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc; therefore Azure Stack Edge devices are also vulnerable.

Scope = Changed: Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.
CVE-2022-37976 Active Directory Certificate Services Elevation of Privilege Vulnerability Critical 8.8 No No Yes – Setting LegacyAuthenticationLevel – Win32 apps | Microsoft Docs to 5= RPC_C_AUTHN_LEVEL_PKT_INTEGRITY might protect most processes on the machine against this attack. Note that COM does not currently have a notion of minimum authentication level if authenticated, for example it is not possible to accept calls at RPC_C_AUTHN_LEVEL_NONE or >= RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (server-side concern, but mentioning for completeness as it limits configuration-based options), nor is there a way to set the client-side authentication level for a process independent of the server-side authentication level. Yes An attacker who successfully exploited this vulnerability could gain domain administrator privileges.
CVE-2022-38016 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability Important 8.8 No No Yes Scope = Changed.  An attacker could exploit this vulnerability by sending a specially crafted API call to the Local Security Authority AuthBroker. The attacker could use the vulnerability for a container “sandbox” escape to elevate privileges.
CVE-2022-41038 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 8.8 No No In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.
CVE-2022-38040 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No An attacker could exploit the vulnerability by tricking an authenticated user into opening a malicious MDB file in Access via ODBC, which could result in the attacker being able to execute arbitrary code on the victim’s machine with the permission level at which Access is running.
CVE-2022-41036 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No Exploitation More Likely.  In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.
CVE-2022-41037 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.
CVE-2022-38053 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No Exploitation More Likely.  In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.
CVE-2022-37982 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.
CVE-2022-38031 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.
CVE-2022-38045 Server Service Remote Protocol Elevation of Privilege Vulnerability Important 8.8 No No An attacker would only be able to delete targeted files on a system. They would not gain privileges to view or modify file contents.
CVE-2022-30198 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.
CVE-2022-24504 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.
CVE-2022-33634 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.
CVE-2022-22035 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.
CVE-2022-38047 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.
CVE-2022-38000 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.
CVE-2022-41081 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No To exploit this vulnerability, an attacker would need to send a specially crafted malicious PPTP packet to a PPTP server. This could result in remote code execution on the server side.
CVE-2022-38049 Microsoft Office Graphics Remote Code Execution Vulnerability Critical 7.8 No No
CVE-2022-38048 Microsoft Office Remote Code Execution Vulnerability Critical 7.8 No No
CVE-2022-41031 Microsoft Word Remote Code Execution Vulnerability Critical 7.8 No No
CVE-2022-37979 Windows Hyper-V Elevation of Privilege Vulnerability Critical 7.8 No No Scope = Changed: Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host.
CVE-2022-37983 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No This vulnerability is subject to a local escalation of privilege attack. The attacker would most likely arrange to run an executable or script on the local computer. An attacker could gain access to the computer through a variety of methods, such as via a phishing attack where a user clicks an executable file that is attached to an email.
CVE-2022-41032 NuGet Client Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-41083 Visual Studio Code Elevation of Privilege Vulnerability Important 7.8 No No Yes – Create a folder C:\ProgramData\jupyter\kernels\ and configure it to be writable only by the current user An attacker who successfully exploited this vulnerability could execute code in the context of another Visual Studio Code user on the vulnerable system.
CVE-2022-41034 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No
CVE-2022-38050 Win32k Elevation of Privilege Vulnerability Important 7.8 No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-38044 Windows CD-ROM File System Driver Remote Code Execution Vulnerability Important 7.8 No No
CVE-2022-37989 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability Important 7.8 No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-37987 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability Important 7.8 No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-37980 Windows DHCP Client Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37970 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No This vulnerability is subject to a local escalation of privilege attack. The attacker would most likely arrange to run an executable or script on the local computer. An attacker could gain access to the computer through a variety of methods, such as via a phishing attack where a user clicks an executable file that is attached to an email.
CVE-2022-33635 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No
CVE-2022-38051 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-37997 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No Exploitation More Likely.  An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-37975 Windows Group Policy Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37999 Windows Group Policy Preference Client Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37993 Windows Group Policy Preference Client Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37994 Windows Group Policy Preference Client Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37995 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37988 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-38037 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-38038 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37990 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-38039 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37991 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-38028 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-38003 Windows Resilient File System Elevation of Privilege Important 7.8 No No
CVE-2022-37986 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37984 Windows WLAN Service Elevation of Privilege Vulnerability Important 7.8 No No
CVE-2022-37998 Windows Local Session Manager (LSM) Denial of Service Vulnerability Important 7.7 No No Scope = Changed.  The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
CVE-2022-37973 Windows Local Session Manager (LSM) Denial of Service Vulnerability Important 7.7 No No Scope = Changed.  This vulnerability could lead to a contained execution environment escape.
CVE-2022-34689 Windows CryptoAPI Spoofing Vulnerability Critical 7.5 No No An attacker could manipulate an existing public x.509 certificate to spoof their identify and perform actions such as authentication or code signing as the targeted certificate.
CVE-2022-38036 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability Important 7.5 No No
CVE-2022-37978 Windows Active Directory Certificate Services Security Feature Bypass Important 7.5 No No High Complexity: The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a man-in-the-middle (MITM) attack.
CVE-2022-38041 Windows Secure Channel Denial of Service Vulnerability Important 7.5 No No
CVE-2022-33645 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No Yes – Systems are not affected if IPv6 is disabled on the target machine.
CVE-2022-41042 Visual Studio Code Information Disclosure Vulnerability Important 7.4 No No Scope = Changed.  A successful attack can break out of the Visual Studio Code Workspace Trust
CVE-2022-38042 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.1 No No An attacker who successfully exploited this vulnerability could gain domain administrator privileges.
CVE-2022-37971 Microsoft Windows Defender Elevation of Privilege Vulnerability Important 7.1 No No
CVE-2022-38021 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability Important 7 No No An attacker who successfully exploited this vulnerability could gain specific limited SYSTEM privileges.
CVE-2022-38029 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2022-38027 Windows Storage Elevation of Privilege Vulnerability Important 7 No No
CVE-2022-38017 StorSimple 8000 Series Elevation of Privilege Vulnerability Important 6.8 No No
CVE-2022-37977 Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability Important 6.5 No No
CVE-2022-38001 Microsoft Office Spoofing Vulnerability Important 6.5 No No
CVE-2022-37974 Windows Mixed Reality Developer Tools Information Disclosure Vulnerability Important 6.5 No No
CVE-2022-35770 Windows NTLM Spoofing Vulnerability Important 6.5 No No
CVE-2022-38033 Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability Important 6.5 No No An attacker who successfully exploits this vulnerability would be able to remotely read registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine not normally accessible to a normal user.
CVE-2022-35829 Service Fabric Explorer Spoofing Vulnerability Important 6.2 No No Yes Scope = Changed:  The vulnerability is in the web client, but the malicious scripts execute in the victim’s browser on their machine.
CVE-2022-38046 Web Account Manager Information Disclosure Vulnerability Important 6.2 No No An attacker who successfully exploited this vulnerability could view unbound refresh tokens issued by one cloud on a different cloud.
CVE-2022-37965 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability Important 5.9 No No
CVE-2022-38032 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability Important 5.9 No No
CVE-2022-38026 Windows DHCP Client Information Disclosure Vulnerability Important 5.5 No No
CVE-2022-38025 Windows Distributed File System (DFS) Information Disclosure Vulnerability Important 5.5 No No
CVE-2022-37985 Windows Graphics Component Information Disclosure Vulnerability Important 5.5 No No Exploiting this vulnerability could allow the disclosure of initialized or uninitialized memory in the process heap.
CVE-2022-37996 Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.
CVE-2022-38043 Windows Security Support Provider Interface Information Disclosure Vulnerability Important 5.5 No No Exploiting this vulnerability could allow the disclosure of certain kernel memory content.
CVE-2022-37981 Windows Event Logging Service Denial of Service Vulnerability Important 4.3 No No
CVE-2022-38030 Windows USB Serial Driver Information Disclosure Vulnerability Important 4.3 No No
CVE-2022-38034 Windows Workstation Service Elevation of Privilege Vulnerability Important 4.3 No No An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to local clients only.
CVE-2022-38022 Windows Kernel Elevation of Privilege Vulnerability Important 2.5 No No An attacker would only be able to delete empty folders on a vulnerable system in the context of the SYSTEM account. They would not gain privileges to view or modify file contents or delete folders containing files.