Microsoft Quashes Bevy of Actively Exploited Zero-Days for November Patch Tuesday

Published: 23/11/2024 | Category: security




Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.



Microsoft finally patched the publicly known ProxyNotShell and Mark of the Web (MotW) security vulnerabilities in its penultimate monthly security update for 2022 — two of six zero-day bugs under active exploit in the wild.
The targeted zero-days are part of a tranche of 68 security fixes in November's Patch Tuesday group, 11 of which are rated critical.
The fixes address CVEs that affect the gamut of the security giant's product line, including Azure, BitLocker, Dynamics, Exchange Server, Office and Office components, Network Policy Server (NPS), SharePoint Server, SysInternals, Visual Studio, Windows and Windows Components, and the Linux kernel and other open source software bugs affecting Microsoft products.
The group of zero-days listed as under active attack is the largest for Microsoft so far this year.
Two of them are the critical ProxyNotShell flaws affecting Exchange Server, first disclosed in September. Both carry a CVSS vulnerability-severity score rating of 8.8 out of 10. The bug tracked as CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution (RCE) flaw when PowerShell is remotely accessible to the attacker. They can be chained together for full pwning of an Exchange Server.
"At long last, Microsoft released patches for the ProxyNotShell vulnerabilities that are being actively exploited by Chinese threat actors," Automox researcher Preetham Gurram said in a Nov. 8 analysis. "The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid Exchange Servers where temporary mitigation has not been applied."
Microsoft also addressed the known and analyzed Mark of the Web issues — they're being tracked as CVE-2022-41091 and CVE-2022-41049, two separate vulnerabilities that exist in different versions of Windows. The important-rated bugs both allow attackers to sneak malicious attachments and files past Microsoft's MotW security feature — Microsoft says only the former is being exploited in the wild.
Another zero-day being used in active campaigns is a critical RCE bug affecting Windows Scripting Languages (CVE-2022-41128, CVSS 8.8). Mike Walters, vice president of vulnerability and threat research at Action1, tells Dark Reading that it specifically affects the JScript9 scripting language, which is Microsoft's legacy JavaScript dialect, used by the Internet Explorer browser.
"The new zero-day vulnerability … as low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website," he explains. "It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. … However, the proof-of-concept has not yet been publicly disclosed."
The remaining two bugs are important-rated elevation of privilege (EoP) issues carrying 7.8 CVSS scores. One is a memory bug that affects Microsoft's next-gen cryptography, the Windows CNG Key Isolation Service (CVE-2022-41125).
"With low privileges required and a local attack vector, this vulnerability does not necessitate any user interaction. Instead, an attacker would have to gain execution privileges on the victim's device and run a specially crafted application to elevate privileges to exploit this vulnerability," Automox researcher Gina Geisel said in an emailed analysis. "With a long list of Windows 10 and 11 affected (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability exposes industry-leading versions of Windows and could have wide-ranging impacts."
The second exists in Windows Print Spooler (CVE-2022-41073), and Action1's Walters describes it as a relative of last year's PrintNightmare bug.
"Microsoft continues to patch minions of the PrintNightmare vulnerability," he says. "This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop."
Other issues in November's update that admins should prioritize include a vulnerability in Windows Kerberos RC4-HMAC (CVE-2022-37966). It earns a critical rating (CVSS 8.1), even though an attacker needs to have access and the ability to run code on the target system to exploit it.
"That's likely because Kerberos is an authentication protocol to verify a user or the host's identity," noted Automox's Gurram. "It provides a token that enables a service to act on behalf of its client when connecting to other services; when used within an organization's domain, it enables single sign-on (SSO)."
"The primary encryption type used in Windows is based on the RC4 stream cipher, with an MD5-HMAC algorithm used for the checksum field," Gurram said. "RC4 encryption is considered to be the least secure and most attackable encryption algorithm. If being used for encrypting Kerberos tokens in the Active Directory domain, it can be exploited to take full control of any service accounts."
ZDI's Dustin Childs noted in a blog post that for this bug and another critical-rated issue in Kerberos tracked as CVE-2022-37967 (CVSS 7.2), admins will need to take additional actions beyond just applying the patch.
"Specifically, you'll need to review KB5020805 and KB5021131 to see the changes made and next steps," he advised. "Microsoft notes this is a phased rollout of fixes, so look for additional updates to further impact the Kerberos functionality."
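Before following the KB guidance above, an admin needs to know which accounts in the domain still advertise RC4 for Kerberos. Each account's msDS-SupportedEncryptionTypes attribute is a bit mask whose documented flag values are DES-CBC-CRC (0x1), DES-CBC-MD5 (0x2), RC4-HMAC (0x4), AES128 (0x8) and AES256 (0x10). The PowerShell below is an added example for defenders, not code from the article, Microsoft, Automox or ZDI: it walks the domain, decodes that mask for every user and computer object, and lists the SPN-holding accounts that still permit RC4 or have no explicit setting at all. It assumes the RSAT ActiveDirectory module and a session with read access to the domain; the status labels are my own.

```powershell
# Added example (not from the article): audit Kerberos encryption types per account.
# Assumes the RSAT ActiveDirectory module is installed and the session can read the domain.
Import-Module ActiveDirectory

# Documented flag values of msDS-SupportedEncryptionTypes.
$ETYPE = @{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}

function Get-KerberosEncTypeReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Service tickets are encrypted with the key of the account that owns the SPN,
    # so SPN holders are the accounts whose allowed etypes matter most.
    $objects = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
        -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'

    foreach ($obj in $objects) {
        $mask = $obj.'msDS-SupportedEncryptionTypes'
        if ($null -eq $mask) {
            # Attribute unset: the domain-wide default applies. The KB articles cited
            # above describe how the November 2022 updates change that default, so
            # these accounts need an explicit decision rather than an assumption.
            $status = 'unset (domain default)'
        } else {
            $des = ($mask -band ($ETYPE.DES_CBC_CRC -bor $ETYPE.DES_CBC_MD5)) -ne 0
            $rc4 = ($mask -band $ETYPE.RC4_HMAC) -ne 0
            $aes = ($mask -band ($ETYPE.AES128 -bor $ETYPE.AES256)) -ne 0
            if     ($des)               { $status = 'DES enabled' }
            elseif ($rc4 -and -not $aes) { $status = 'RC4 only' }
            elseif ($rc4 -and $aes)      { $status = 'RC4 + AES' }
            elseif ($aes)                { $status = 'AES only' }
            else                         { $status = 'no Kerberos etypes set' }
        }
        [pscustomobject]@{
            Name   = $obj.Name
            Class  = $obj.ObjectClass
            HasSPN = [bool]$obj.servicePrincipalName
            Mask   = if ($null -eq $mask) { $null } else { '0x{0:X}' -f $mask }
            Status = $status
        }
    }
}

# Accounts that own SPNs and still allow RC4, DES, or nothing explicit are the
# ones to review (and, where possible, move to AES) before the phased Kerberos
# hardening described in the KB articles tightens the defaults.
Get-KerberosEncTypeReport |
    Where-Object { $_.HasSPN -and $_.Status -ne 'AES only' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Export the full report once before patching and again after each phase of the rollout; accounts whose Status changes between runs are the ones whose tickets the new defaults affect, which is where authentication failures will surface first.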
Childs also flagged three critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1, and all allowing RCE (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044).
"There seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols," Childs said. "If you rely on PPTP, you should really consider upgrading to something more modern."
The remaining critical bugs are as follows:
- CVE-2022-38015: A denial-of-service (DoS) bug in Hyper-V (CVSS 6.5), which Microsoft said "could allow a Hyper-V guest to affect the functionality of the Hyper-V host."
- CVE-2022-41118: An RCE bug affecting the Chakra and JScript scripting languages (CVSS 7.5).
- CVE-2022-39327: An Azure CLI RCE bug (no CVSS) — a previously released fix that is just being documented now.
Even though this month's update is relatively light, admins should get to patching ASAP, according to Bharat Jogi, director of vulnerability and threat research at Qualys — especially with so many zero-day exploits circulating.
"As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds, etc.)," he said in emailed commentary. "It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organizations have left unpatched."
