Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities
Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”
Tuesday, November 8, 2022 13:11
Three of the critical entries are remote code execution (RCE) vulnerabilities for Windows Point-to-Point Tunneling Protocol (PPTP).
- CVE-2022-41039
- CVE-2022-41044
- CVE-2022-41088
An unauthenticated attacker can send a specially crafted request to a RAS (Remote Access Server), which may lead to remote code execution. According to Microsoft, however, these three vulnerabilities are less likely to be exploited, as the attacker must win a complex race condition. Several other vulnerabilities in Windows PPTP were disclosed in the August 2022 Patch Tuesday release.
Another notable vulnerability in this release is CVE-2022-41118, a remote code execution vulnerability for both the JScript9 and Chakra scripting languages. While exploiting this vulnerability requires that the attacker win a race condition, Microsoft has determined that exploitation is more likely. Successful exploitation of CVE-2022-41118 requires that the attacker convince the victim to visit a malicious server share or website. This requirement can likely be met by phishing emails or another form of social engineering.
Two of the entries listed as critical are privilege escalation vulnerabilities in Windows Kerberos. Microsoft has determined that exploitation of both is more likely.
- CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege
- CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability
CVE-2022-37966 is a privilege escalation vulnerability in Windows Kerberos, where an unauthenticated attacker may be able to leverage vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass constrained delegation security features in a Windows AD environment. The attack complexity has been labeled as “High.”
CVE-2022-37967 is another privilege escalation vulnerability in Windows Kerberos, where an authenticated attacker could leverage cryptographic protocol vulnerabilities in the Windows Kerberos AES-SHA1 cipher suite. If an attacker succeeds in gaining control over a service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges. In contrast to CVE-2022-37966, the attack complexity is considered “Low.”
Also listed in this release is CVE-2022-38015, a Windows Hyper-V denial of service vulnerability. This affects Windows 10 and 11 hosts, as well as Windows Server 2016 and 2022. While the attack complexity is listed as “Low,” Microsoft considers successful exploitation as “Less Likely.”
The last critical disclosure is CVE-2022-41080, a Microsoft Exchange Server elevation of privilege vulnerability, which has a low attack complexity and whose successful exploitation is considered “More Likely.” CVE-2022-41080 affects the Microsoft Exchange Server versions listed below:
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 22
- Microsoft Exchange Server 2016 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 11
- Microsoft Exchange Server 2019 Cumulative Update 12
Talos would also like to highlight three “Important” vulnerabilities as Microsoft has listed them as being successfully exploited in the wild:
- CVE-2022-41091 - Windows Mark of the Web Security Feature Bypass Vulnerability
- CVE-2022-41073 - Windows Print Spooler Elevation of Privilege Vulnerability
- CVE-2022-41125 - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60815-60816, 60818-60819, 60820-60821, 60822-60823, 60831-60832, 60833-60834. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300309, 300310, 300311, 300312, 300315, 300316.
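As an added example (not Talos code and not a rule from the release), the following Python script parses a Snort rules file and reports which of the SIDs named above are present and enabled, present but commented out (disabled), or missing from the file entirely. The sample rule lines embedded below are constructed for illustration; their msg text and protocol fields are invented and do not reproduce the real Talos rules.

```python
"""Audit a Snort rules file for the SIDs quoted in an advisory (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set

# SID ranges quoted in the Talos post (Snort 2) plus the Snort 3 SIDs.
ADVISORY_SID_RANGES = [(60815, 60816), (60818, 60819), (60820, 60821),
                       (60822, 60823), (60831, 60832), (60833, 60834)]
ADVISORY_SNORT3_SIDS = [300309, 300310, 300311, 300312, 300315, 300316]

# Matches the sid option inside a rule's option block, e.g. "sid:60815;".
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# A rule line whose action is preceded by '#' is a disabled rule in Snort.
_RULE_RE = re.compile(r"^\s*(#\s*)?(alert|drop|reject|pass|log|block)\b", re.I)


def expected_sids() -> Set[int]:
    """Expand the advisory's SID ranges into one set of expected SIDs."""
    sids = set(ADVISORY_SNORT3_SIDS)
    for lo, hi in ADVISORY_SID_RANGES:
        sids.update(range(lo, hi + 1))
    return sids


def parse_rules(lines: Iterable[str]) -> Dict[int, bool]:
    """Map sid -> True (enabled) / False (disabled) for every rule line seen."""
    state: Dict[int, bool] = {}
    for line in lines:
        m = _RULE_RE.match(line)
        if not m:
            continue  # blank lines, ordinary comments, include directives
        sid_m = _SID_RE.search(line)
        if not sid_m:
            continue  # malformed rule without a sid option; ignore it
        sid = int(sid_m.group(1))
        enabled = m.group(1) is None
        # If the same sid appears more than once, an enabled copy wins.
        state[sid] = state.get(sid, False) or enabled
    return state


def audit(lines: Iterable[str],
          wanted: Optional[Set[int]] = None) -> Dict[str, List[int]]:
    """Classify each expected SID as enabled, disabled or missing."""
    wanted = wanted if wanted is not None else expected_sids()
    found = parse_rules(lines)
    return {
        "enabled": sorted(s for s in wanted if found.get(s) is True),
        "disabled": sorted(s for s in wanted if found.get(s) is False),
        "missing": sorted(s for s in wanted if s not in found),
    }


# Constructed sample ruleset: msg text and match details are placeholders.
SAMPLE_RULES = """
# constructed sample ruleset, not the real Talos rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"SAMPLE pptp a"; sid:60815; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"SAMPLE pptp b"; sid:60816; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SAMPLE krb a"; sid:60818; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SAMPLE krb b"; sid:60819; rev:2;)
alert http any any -> $HOME_NET any (msg:"SAMPLE snort3"; sid:300309; rev:1;)
""".splitlines()


if __name__ == "__main__":
    # Replace SAMPLE_RULES with open("/path/to/snort.rules") to audit a real file.
    result = audit(SAMPLE_RULES)
    for status, sids in result.items():
        print(f"{status:8s}: {sids}")
```

Run it against a real rules file by passing the file object to `audit()`; a SID listed as "disabled" means the rule is in the pack but commented out and will not fire, while "missing" means the SRU or rule pack has not been updated to include it.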
Related news
Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
An update for krb5 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-17049: It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it provides from tampering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
Ubuntu Security Notice 5936-1 - Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos keys. A remote attacker could possibly use this issue to elevate privileges.
Ubuntu Security Notice 5822-2 - USN-5822-1 fixed vulnerabilities in Samba. The update for Ubuntu 20.04 LTS introduced regressions in certain environments. Pending investigation of these regressions, this update temporarily reverts the security fixes. It was discovered that Samba incorrectly handled the bad password count logic. It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure Channel. Greg Hudson discovered that Samba incorrectly handled PAC parsing. Joseph Sutton discovered that Samba could be forced to issue rc4-hmac encrypted Kerberos tickets.
Ubuntu Security Notice 5822-1 - It was discovered that Samba incorrectly handled the bad password count logic. A remote attacker could possibly use this issue to bypass bad passwords lockouts. This issue was only addressed in Ubuntu 22.10. Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service.
The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release
Organizations often defer patching because of business disruption fears — but that didn't work out very well for Rackspace's Hosted Exchange service.
Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach. The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment. "This zero-day exploit is associated with CVE-2022-41080," the Texas-based
The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.
The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.
The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.
Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,
Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8 and 4.15.13 released on December 15, 2022. Samba is an open source Windows
Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products. Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.
Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.
Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. Alternative video link (for Russia): https://vk.com/video-149273431_456239107 The most important news of this Patch Tuesday was a release of patches […]
On November 8th, 2022, Microsoft released a series of security updates for various Windows operating systems to fix two security issues:
- CVE-2022-37966 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37966)
Windows Hyper-V Denial of Service Vulnerability.
Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41039, CVE-2022-41044.
Windows Print Spooler Elevation of Privilege Vulnerability.
Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41039, CVE-2022-41088.
Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41123.
Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41049.
Windows Kerberos Elevation of Privilege Vulnerability.
Windows Scripting Languages Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41128.
Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
Windows Scripting Languages Remote Code Execution Vulnerability
By Deeba Ahmed (HackRead.com): Microsoft has urged Windows administrators to install the updates urgently, so make sure you have the latest patches installed! Original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities
Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately
Let's face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November's patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.
Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.