The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

For its October Patch Tuesday update, Microsoft addressed a critical security vulnerability in its Azure cloud service, carrying a rare 10-out-of-10 rating on the CVSS vulnerability-severity scale.

The tech giant also patched two "important"-rated zero-day bugs, one of which is being actively exploited in the wild; and further, there may be a third issue, in SharePoint, that's also being actively exploited.

Notably, however, the Microsoft didn't issue fixes for the two unpatched Exchange Server zero-day bugs that came to light in late September.

In all for October, Microsoft released patches for 85 CVEs, including 15 critical bugs. Affected products run the gamut of the product portfolio as usual: Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS).

These are in addition to 11 patches for Microsoft Edge (Chromium-based) and a patch for side-channel speculation in ARM processors released earlier in the month.

**A Perfect 10: Rare Ultra-Critical Vuln**

The 10-out-of-10 bug (CVE-2022-37968) is an elevation of privilege (EoP) and remote code-execution (RCE) issue that could allow an unauthenticated attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters; it could also affect Azure Stack Edge devices.

While cyberattackers would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster to be successful, exploitation has a big payoff: They can elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster.

"If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately," Mike Walters, vice president of vulnerability and threat research at Action1, warned via email.

**A Pair (Maybe a Triad) of Zero-Day Patches – but Not THOSE Patches**

The new zero-day confirmed as being under active exploit (CVE-2022-41033) is an EoP vulnerability in the Windows COM+ Event System Service. It carries a 7.8 CVSS score.

The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs. All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable, and a simple attack can lead to gaining SYSTEM privileges, researchers warned.

"Since this is a privilege escalation bug, it is likely paired with other code-execution exploits designed to take over a system," Dustin Childs, from the Zero Day Initiative (ZDI), noted in an analysis today. "These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month,' people tend to click everything, so test and deploy this fix quickly."

Satnam Narang, senior staff research engineer at Tenable, noted in an emailed recap that an authenticated attacker could execute a specially crafted application in order to exploit the bug and elevate privileges to SYSTEM.

"While elevation of privilege vulnerabilities requires an attacker to gain access to a system through other means, they are still a valuable tool in an attacker’s toolbox, and this month’s Patch Tuesday has no shortage of elevation-of-privilege flaws, as Microsoft patched 39, accounting for nearly half of the bugs patched (46.4%)," he said.

This particular EoP problem should go to the head of the line for patching, according to Action1's Walters.

"Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it," he wrote, in an emailed analysis. "This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server."

The other confirmed publicly known bug (CVE-2022-41043) is an information-disclosure issue in Microsoft Office for Mac that has a low CVSS risk rating of just 4 out of 10.

Waters pointed to another potentially exploited zero-day: a remote code execution (RCE) problem in SharePoint Server (CVE-2022-41036, CVSS 8.8) that affects all versions starting with SharePoint 2013 Service Pack 1.

"In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint Server and escalate to administrative permissions," he said.

Most importantly, "Microsoft reports that an exploit has likely already been created and is being used by hacker groups, but there is no proof of this yet," he said. "Nevertheless, this vulnerability is worth taking seriously if you have a SharePoint Server open to the internet."  

**No ProxyNotShell Patches**

It should be noted that these are not the two zero-day patches that researchers were expecting; those bugs, CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell, remain unaddressed. When chained together, they can allow RCE on Exchange Servers.

"What may be more interesting is what isn’t included in this month's release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks,” Childs wrote. “These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September … Cumulative Update (CU) is installed.”

"Despite high hopes that today's Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates," says Caitlin Condon, senior manager for vulnerability research at Rapid7. "Microsoft's recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix."

As of early September, Rapid7 Labs observed up to 191,000 potentially vulnerable instances of Exchange Server exposed to the Internet via port 443, she adds. However, unlike the ProxyShell and ProxyLogon exploit chains, this group of bugs requires an attacker to have authenticated network access for successful exploitation.

"So far, attacks have remained limited and targeted," she says, adding, "That's unlikely to continue as time goes on and threat actors have more opportunity to gain access and hone exploit chains. We'll almost certainly see additional post-authentication vulnerabilities released in the coming months, but the real concern would be an unauthenticated attack vector popping up as IT and security teams implement end-of-year code freezes."

**Admins Take Note: Other Bugs to Prioritize**

As far as other issues to prioritize, ZDI's Childs flagged two Windows Client Server Run-time Subsystem (CSRSS) EoP bugs tracked as CVE-2022-37987 and CVE-2022-37989 (both 7.8 CVSS).

"CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation," he explained. "This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location."

Also notable: Nine CVEs categorized as RCE bugs with critical severity were also patched today, and seven of them affect the Point-to-Point Tunneling Protocol, according to Greg Wiseman, product manager at Rapid7. "\[These\] require an attacker to win a race condition to exploit them," he noted via email.

Automox researcher Jay Goodman adds that CVE-2022-38048 (CVSS 7.8) affects all supported versions of Office, and they could allow an attacker to take control of a system "where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights." While the vulnerability is less likely to be exploited, according to Microsoft, the attack complexity is listed as low.

And finally, Gina Geisel, also an Automox researcher, warns that CVE-2022-38028 (CVSS 7.8), a Windows Print Spooler EoP bug, as a low-privilege and low-complexity vulnerability that requires no user interaction.

"An attacker would have to log on to an affected system and run a specially crafted script or application to gain system privileges," she notes. "Examples of these attacker privileges include installing programs; modifying, changing, and deleting data; creating new accounts with full user rights; and moving laterally around networks."

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

In dllist_remove_node of TBD, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-242344778

_Published October 3, 2022 | Updated October 5, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-10-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-10-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-10-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20419

A-237290578

ID

Critical

12L, 13

CVE-2022-20420

A-238377411

EoP

High

13

CVE-2022-20351

A-224771921

ID

High

10, 11, 12, 12L

CVE-2021-39624

A-67862680

DoS

High

11, 12, 12L

CVE-2021-39758

A-205130886

EoP

Moderate

10, 11, 12

CVE-2022-20415

A-231322873

EoP

Moderate

10, 11, 12, 12L, 13

**Media Framework**

The most severe vulnerability in this section could lead to local information disclosure with User execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20413

A-235850634

ID

High

10, 11, 12, 12L, 13

CVE-2022-20418

A-231986464

ID

High

12, 12L, 13

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with System execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20412

A-230794395

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20416

A-237717857

EoP

High

12, 12L, 13

CVE-2022-20417

A-237288416

EoP

High

12, 12L, 13

CVE-2021-39673

A-195410559 \[2\]

ID

High

13

CVE-2022-20394

A-204906124

ID

High

10, 11, 12, 12L

CVE-2022-20410

A-205570663

ID

High

10, 11, 12, 12L, 13

CVE-2022-20425

A-235823407

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

There are no security issues addressed in Google Play system updates (Project Mainline) this month.

**2022-10-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-10-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-1786

A-230867044  
Upstream kernel \[2\]

EoP

High

io\_uring

CVE-2022-20421

A-239630375  
Upstream kernel

EoP

High

Binder driver

CVE-2022-20422

A-237540956  
Upstream kernel

EoP

High

armv8 emulation

CVE-2022-20423

A-239842288  
Upstream kernel \[2\]

EoP

High

USB

**Kernel components**

The vulnerability in this section could lead to local escalation of privilege with System execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-20409

A-238177383  
Upstream kernel

EoP

Moderate

io\_uring

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0696

A-242344778 \*

High

PowerVR-GPU

CVE-2021-0951  

A-242345085 \*

High

PowerVR-GPU

CVE-2021-0699

A-242345178 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-26471

A-234037999  
M-ALPS07319121 \*

High

telephony

CVE-2022-26472

A-234037216  
M-ALPS07319095 \*

High

ims

**UNISOC components**

These vulnerabilities affect UNISOC components and further details are available directly from UNISOC. The severity assessment of these issues is provided directly by UNISOC.

   

CVE

References

Severity

Component

CVE-2022-20430

A-242221233  
U-1882896 \*

High

Telephony

CVE-2022-20431

A-242221238  
U-1882896 \*

High

Telephony

CVE-2022-20432

A-242221899  
U-1882896 \*

High

Telephony

CVE-2022-20433

A-242221901  
U-1882896 \*

High

Telephony

CVE-2022-20434

A-242244028  
U-1882896 \*

High

Telephony

CVE-2022-20435

A-242248367  
U-1901996 \*

High

Android

CVE-2022-20436

A-242248369  
U-1901996 \*

High

Android

CVE-2022-20437

A-242258929  
U-1916307 \*

High

Android

CVE-2022-20438

A-242259920  
U-1916307 \*

High

Android

CVE-2022-20439

A-242266172  
U-1916307 \*

High

Andorid

CVE-2022-20440

A-242259918  
U-1916307 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25720

A-238214313  
QC-CR#3048142  
QC-CR#3049634  
QC-CR#3051517  
QC-CR#3102432

Critical

WLAN

CVE-2022-22077

A-238108281  
QC-CR#3155201

High

Kernel

CVE-2022-25723

A-238108282  
QC-CR#3072203

High

Kernel

CVE-2022-33214

A-238103940  
QC-CR#3178237

High

Display

CVE-2022-33217

A-238103939  
QC-CR#3182864

High

Kernel

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25718

A-238106982 \*

Critical

Closed-source component

CVE-2022-25748

A-238106075 \*

Critical

Closed-source component

CVE-2022-25660

A-228101818 \*

High

Closed-source component

CVE-2022-25661

A-228101758 \*

High

Closed-source component

CVE-2022-25687

A-238106629 \*

High

Closed-source component

CVE-2022-25736

A-238214356 \*

High

Closed-source component

CVE-2022-25749

A-238106077 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-10-01 or later address all issues associated with the 2022-10-01 security patch level.
*   Security patch levels of 2022-10-05 or later address all issues associated with the 2022-10-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-10-01\]
*   \[ro.build.version.security\_patch\]:\[2022-10-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-10-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-10-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-10-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

October 3, 2022

Bulletin Published

1.1

October 5, 2022

Bulletin revised to include AOSP links

CVE-2021-0696: Android Security Bulletin—October 2022  |  Android Open Source Project

In CarSettings of app packages, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-220741473

_Published October 3, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2022-10-05 or later from the October 2022 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the System component that could enable local escalation of privilege in Bluetooth settings. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the October 2022 Android Security Bulletin, the October 2022 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2022-10-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-10-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**System**

The vulnerability in this section could enable local escalation of privilege in Bluetooth settings.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20429

A-220741473

EoP

High

10, 11, 12, 12L

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2022-10-01 or later address all issues associated with the 2022-10-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-10-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-10-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

October 3, 2022

Bulletin Published

CVE-2022-20429: Android Automotive OS Update Bulletin—October 2022  |  Android Open Source Project

Visual Studio Code Remote Code Execution Vulnerability.

CVE-2022-41034

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41037, CVE-2022-41038.

CVE-2022-41036

Microsoft Office Graphics Remote Code Execution Vulnerability.

CVE-2022-38049

Microsoft Word Remote Code Execution Vulnerability.

CVE-2022-41031

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41036, CVE-2022-41037.

CVE-2022-41038

Microsoft Office Remote Code Execution Vulnerability.

CVE-2022-38048

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41036, CVE-2022-41038.

Tag

#rce