Oct 11, 2022 - 6:11 p.m.

Microsoft Patch Tuesday for October 2022 — Snort rules and prominent vulnerabilities

Jon Munshaw ([email protected])

By Jon Munshaw and Vanja Svajcer.

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company's hardware and software line, including seven critical issues in Windows' Point-to-Point Tunneling Protocol (PPTP).

October’s security update features 11 critical vulnerabilities, with the remainder being “important.”

One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. Several other SharePoint vulnerabilities are included in this month's Patch Tuesday, but this one appears to be the most severe, as Microsoft considers it "more likely" to be exploited.

To exploit this vulnerability, an attacker must be authenticated to the target site with Manage Lists permissions in SharePoint; successful exploitation ultimately allows them to execute code remotely on the SharePoint server.

CVE-2022-37968, an elevation of privilege vulnerability in the cluster connect feature of Azure Arc-enabled Kubernetes clusters, has the highest severity score of any vulnerability Microsoft fixed this month, a maximum 10 out of 10. Successful exploitation could allow an unauthenticated user to elevate their privileges to cluster administrator and potentially gain control over the Kubernetes cluster.

CVE-2022-37976 and CVE-2022-37979 are also critical elevation of privilege vulnerabilities, in Active Directory Certificate Services and Hyper-V, respectively.

Windows' Point-to-Point Tunneling Protocol (PPTP), a network protocol used to build VPN tunnels across public networks, contains eight vulnerabilities that Microsoft disclosed Tuesday, seven of which are rated "critical" severity.

CVE-2022-38000 is the most serious of the group, with a severity rating of 9. An attacker who successfully exploits this issue could execute code remotely on the targeted server.

Microsoft Office and Word also contain critical remote code execution vulnerabilities. These are popular targets for adversaries, since Office is among the most widely deployed software in the world and such flaws can be exploited simply by tricking a user into opening a specially crafted document.

Microsoft has also included 12 vulnerabilities in Google Chromium, the open-source browser project on which Microsoft's Edge browser is based. Google has already disclosed and fixed these issues upstream, so the fixes reach Edge through its regular browser updates and users do not need to take any additional steps.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60693 - 60696, 60698 - 60701, 60706, 60701 - 60705, 60708 and 60709. There are also Snort 3 SIDs 300290 - 300296, 300297 and 300298.
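A practical follow-up to the SID list above is to confirm that those rules are actually present and enabled in the ruleset a sensor has loaded. The script below is an added example, not Talos or Snort code: it expands the prose-style SID list ("A - B, C and D") into a set of integers and diffs it against the `sid:` fields of the enabled rules in a rules file, treating commented-out rules as not deployed. The ruleset fragment embedded in the block is constructed for the example, and its rule bodies are placeholders rather than real Talos rule content; point `sids_in_rules` at the lines of a real `snort.rules` file to check a live deployment.

```python
"""Check a Snort rules file for the SIDs named in a Patch Tuesday advisory.

Added example, not Talos or Snort code. SAMPLE_RULES below is constructed for
the example; feed the lines of a real rules file to sids_in_rules() instead.
"""
import re
from typing import Iterable, Set

# SID lists copied verbatim from the advisory text (Snort 2 and Snort 3).
SNORT2_SIDS = "60693 - 60696, 60698 - 60701, 60706, 60701 - 60705, 60708 and 60709"
SNORT3_SIDS = "300290 - 300296, 300297 and 300298"


def parse_sid_list(text: str) -> Set[int]:
    """Expand 'A - B, C and D' prose into a set of integer SIDs.

    Overlapping ranges (as in the Snort 2 list above) collapse naturally
    because the result is a set.
    """
    sids: Set[int] = set()
    for part in re.split(r",|\band\b", text):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"inverted range: {part!r}")
            sids.update(range(lo, hi + 1))
        elif part.isdigit():
            sids.add(int(part))
        else:
            raise ValueError(f"unparseable SID item: {part!r}")
    return sids


# Matches the sid option of a Snort rule, e.g. "sid:60693;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def sids_in_rules(lines: Iterable[str]) -> Set[int]:
    """Return the SIDs of enabled rules; commented-out rules are skipped."""
    found: Set[int] = set()
    for line in lines:
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SID_RE.search(stripped)
        if m:
            found.add(int(m.group(1)))
    return found


def missing_sids(advisory: str, rules_lines: Iterable[str]) -> Set[int]:
    """SIDs the advisory names that are not enabled in the given rules."""
    return parse_sid_list(advisory) - sids_in_rules(rules_lines)


# Constructed sample ruleset: one rule is disabled (commented out) and the
# rule bodies are placeholders, not real Talos detection content.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"placeholder"; sid:60693; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"placeholder"; sid:60694; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"placeholder"; sid:60695; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"placeholder"; sid:60696; rev:1;)
"""

if __name__ == "__main__":
    gaps = missing_sids("60693 - 60696", SAMPLE_RULES.splitlines())
    print("advisory SIDs not enabled:", sorted(gaps))
```

The check only tells you whether a rule with that SID is loaded, not whether the sensor sees the relevant traffic; a PPTP rule on port 1723 does nothing for a segment where the VPN concentrator is not in the monitored path.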