Microsoft Patch Tuesday October 2022: Exchange ProxyNotShell RCE, Windows COM+ EoP, AD EoP, Azure Arc Kubernetes EoP

Hello everyone! This episode will be about Microsoft Patch Tuesday for October 2022, including vulnerabilities that were added between September and October Patch Tuesdays. As usual, I use my open source Vulristics project to create the report.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239106&gt;

$ cat comments_links.txt 
Qualys|October 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/10/11/october-2022-patch-tuesday
ZDI|THE OCTOBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/10/11/the-october-2022-security-update-review

$python3.8 process_classify_ms_products.py  # Automated classifier for Microsoft products

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "October" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
MS PT Year: 2022
MS PT Month: October
MS PT Date: 2022-10-11
MS PT CVEs found: 84
Ext MS PT Date from: 2022-09-14
Ext MS PT Date to: 2022-10-10
Ext MS PT CVEs found: 21
ALL MS PT CVEs: 105
...

All vulnerabilities: 105
Urgent: 2
Critical: 1
High: 29
Medium: 71
Low: 2

Let's take a look at the most interesting vulnerabilities:

1. Two vulnerabilities Remote Code Execution - Microsoft Exchange (CVE-2022-41040, CVE-2022-41082). This is the hyped ProxyNotShell, that were disclosed on September 28. The first CVE is aServer-Side Request Forgery (SSRF)vulnerability, and the second one allowsRemote Code Execution (RCE) when PowerShell is accessible to the attacker. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. There were no patches for more than a month. At the same time, there are public exploits and signs of exploitation in the wild. Let's wait for patches to appear on the Microsoft website on the pages for CVE-2022-41040 and CVE-2022-41082.
2. Elevation of Privilege - Windows COM+ Event System Service (CVE-2022-41033). This patch fixes a bug that Microsoft lists as being used in active attacks. The impact of exploitation is loss of confidentiality, integrity, and availability. Microsoft has not disclosed how the vulnerability is being exploited or if it is being exploited in targeted or more widespread attacks. They only say that the attack complexity is low and that it requires no user interaction for the attacker to be able to achieve SYSTEM privileges. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
3. In this Patch Tuesday, there were 3 vulnerabilities for which the existence of a publicly available exploit was mentioned in the Microsoft CVSS Temporal Score (Proof-of-Concept Exploit). VM vendors didn't write much about them. But it seems to me that the existence of a non-public PoC is an important enough factor to draw attention to these vulnerabilities: Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2022-38000),Elevation of Privilege- Windows Graphics Component (CVE-2022-38051),Spoofing - Microsoft Edge (CVE-2022-41035).
4. Elevation of Privilege - Active Directory (CVE-2022-37976). A malicious DCOM client could force a DCOM server to authenticate to it through the Active Directory Certificate Service (ADCS) and use the credential to launch a cross-protocol attack. An attacker who successfully exploited this vulnerability could gain domain administrator privileges. Exploitability Assessment: Exploitation Less Likely.
5. Elevation of Privilege - Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968). This vulnerability has CVSSv3 score of 10, the highest possible rating. An unauthenticated attacker could exploit this vulnerability in order to gain administrative privileges for a Kubernetes cluster. While updates have been released, users that do not have auto-upgrade enabled must take action to manually upgrade Azure Arc-enabled Kubernetes clusters.
6. Remote Code Execution - Microsoft Office (CVE-2022-38048). This bug was reported to the ZDI (Zero Day Initiative) by the researcher known as “hades_kito” and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction – typically opening a file. An exception to that is when the Preview Pane is an attack vector, however, Microsoft states that isn’t the case here. Likely the rating results from the lack of warning dialogs when opening a specially crafted file.

Full Vulristics report: ms_patch_tuesday_october2022