November Patch Tuesday

Overview

Microsoft has released patches to address 67 vulnerabilities, including six it has marked as actively exploited zero-days. These include a Windows Scripting remote code execution (RCE) (CVE-2022-41128), a Mark of the Web (MotW) bypass (CVE-2022-41091), an Escalation of Privilege (EoP) in Print Spooler (CVE-2022-41073), an EoP in a Local Security Authority (LSA) cryptography service (CVE-2022-41125), and an EoP (CVE-2022-41040) and an RCE (CVE-2022-41082) in Exchange Server.

Another notable vulnerability this month is in Netlogon (CVE-2022-38023), which operates similarly to the Zerologon attack. It is rated only as High severity because of its attack complexity (the attacker needs some prior knowledge of the network), but exploitation is assessed as more likely.

In total there are 27 EoPs, 16 RCEs, 11 information disclosures, six denial of service (DoS) vulnerabilities, three spoofing vulnerabilities and four security feature bypasses.

Impact

CVE-2022-38023 – A network-based attacker could gain administrator privileges.

CVE-2022-41128 – An attacker could execute code on a vulnerable machine if they were able to entice a user into connecting to a malicious server.

CVE-2022-41091, CVE-2022-41049 (ZippyReads) – An attacker could craft a malicious file which bypasses Microsoft’s MotW protections.

CVE-2022-41073, CVE-2022-41125, CVE-2022-41040 – A local Windows user could gain system-level privileges.

CVE-2022-41082 (ProxyNotShell) – An authenticated, network-based attacker could execute code on a Microsoft Exchange server.

Affected Products

.NET Framework
AMD CPU Branch
Azure
Azure Real Time Operating System
Linux Kernel
Microsoft Dynamics
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Network Policy Server (NPS)
Open Source Software
Role: Windows Hyper-V
SysInternals
Visual Studio
Windows Advanced Local Procedure Call
Windows ALPC
Windows Bind Filter Driver
Windows BitLocker
Windows CNG Key Isolation Service
Windows Devices Human Interface
Windows Digital Media
Windows DWM Core Library
Windows Extensible File Allocation
Windows Group Policy Preference Client
Windows HTTP.sys
Windows Kerberos
Windows Mark of the Web (MOTW)
Windows Netlogon
Windows Network Address Translation (NAT)
Windows ODBC Driver
Windows Overlay Filter
Windows Point-to-Point Tunneling Protocol
Windows Print Spooler Components
Windows Resilient File System (ReFS)
Windows Scripting
Windows Win32K

Containment, Mitigations & Remediations

Microsoft has written advice for admins about enforcing Netlogon protections.

Indicators of Compromise

ZippyReads in the wild
d599c99968765eddfed0f9c8a3e6d1f4531eb2bbaadfbab6d0cf3bdbad0c8b3c
29facd8248b5e0acd89e6835adb9c239f2d998deb1846a0cf2efc708eff4a535
f9deaed4ae870eb29a5ded42c8175596e5ce0e8b04ef1fc076af9d72d8c47648
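The hashes above are only useful if they are actually checked against what is on disk. The following is an added example, not part of the bulletin or any Microsoft tooling: a small Python scanner that walks a directory tree, hashes each regular file with SHA-256 and reports any file whose digest appears in the bulletin's IoC list. The demo files it creates are constructed for the example and are not real samples; the IoC normalisation (trimming, lower-casing, rejecting anything that is not 64 hex digits) is a design choice of this example so that hashes pasted from reports in mixed case still match.

```python
"""Scan a directory tree for files whose SHA-256 matches a known-bad list."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes published in the bulletin for ZippyReads (CVE-2022-41049) files seen in the wild.
BULLETIN_IOCS = [
    "d599c99968765eddfed0f9c8a3e6d1f4531eb2bbaadfbab6d0cf3bdbad0c8b3c",
    "29facd8248b5e0acd89e6835adb9c239f2d998deb1846a0cf2efc708eff4a535",
    "f9deaed4ae870eb29a5ded42c8175596e5ce0e8b04ef1fc076af9d72d8c47648",
]

HEX_DIGITS = set("0123456789abcdef")


def normalize_iocs(hashes):
    """Trim and lower-case each entry; keep only well-formed 64-hex-digit SHA-256 values."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) == 64 and set(h) <= HEX_DIGITS:
            out.add(h)
    return out


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Return [(path, sha256)] for every regular file under root whose hash is in iocs."""
    wanted = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links and special files; only hash regular files
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if digest in wanted:
                hits.append((str(path), digest))
    return hits


def demo():
    """Self-contained run over constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "downloads"
        downloads.mkdir()
        # Constructed test content only; this is NOT a real ZippyReads sample.
        sample = downloads / "constructed_sample.js"
        sample.write_bytes(b"constructed test content - not a real malicious file\n")
        (downloads / "benign.txt").write_bytes(b"nothing to see here\n")
        # Add the constructed file's own hash (upper-cased to exercise normalisation)
        # to the bulletin list so the scan has something it can legitimately match.
        iocs = BULLETIN_IOCS + [sha256_file(sample).upper()]
        return [(Path(p).name, h) for p, h in scan_tree(tmp, iocs)]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"MATCH {name} {digest}")
```

In production the IoC list would be loaded from a file or feed rather than hard-coded, and `scan_tree` would be pointed at user download and temp directories, where MotW-bypassing archives typically land.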

Mitre Methodologies

T1210 – Exploitation of Remote Services

T1212 – Exploitation for Credential Access

T1068 – Exploitation for Privilege Escalation

Further Information

November 2022 Security Updates

Glossary

CVE – Common Vulnerabilities and Exposures (a scheme to categorise and index vulnerabilities)
DoS – Denial of Service (an attack that prevents a service from operating)
EoP – Escalation of Privilege
IoC – Indicator of Compromise (an artifact that can be used to identify malicious activity, such as an Internet Protocol (IP) address or domain used by an attacker)
LPE – Local Privilege Escalation (allows a user to gain more permissions on a device)
MotW – Mark of the Web (a safety feature to discourage users from running things they’ve just downloaded)
RCE – Remote Code Execution (a class of vulnerability that allows the attacker to run code on another machine)