9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.5%
Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report.
Alternative video link (for Russia): <https://vk.com/video-149273431_456239107>
The most important news of this Patch Tuesday was a release of patches for ProxyNotShell Remote Code Execution - Microsoft Exchange (CVE-2022-41040, CVE-2022-41082) mentioned in the previous episode. These vulnerabilities became public on September 28, and updates for this vulnerability did not appear until November 8. Microsoft could have acted more quickly. But it's good that the problem with these actively exploited vulnerabilities is finally solved.
But besides ProxyNotShell, this November Patch Tuesday had a lot of interesting vulnerabilities. Let's take a look.
$ cat comments_links.txt
Qualys|November 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/11/08/november-2022-patch-tuesday
ZDI|THE NOVEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/11/8/the-november-2022-security-update-review
$ python3.8 process_classify_ms_products.py # Automated classifier for Microsoft products
$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "November" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2022
MS PT Month: November
MS PT Date: 2022-11-08
MS PT CVEs found: 66
Ext MS PT Date from: 2022-10-12
Ext MS PT Date to: 2022-11-07
Ext MS PT CVEs found: 17
ALL MS PT CVEs: 83
...
All vulnerabilities: 82
Urgent: 1
Critical: 6
High: 19
Medium: 56
Low: 0
Let's start with vulnerabilities for which there is an exploit or signs of exploitation in the wild.
Now let's look at vulnerabilities for which there are no public exploits or signs of exploitation in the wild, but the descriptions of which are interesting enough to pay attention to.
Full Vulristics report: ms_patch_tuesday_november2022
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.5%