In this issue, you will learn about patches for:
- Most serious Microsoft vulnerabilities
- Windows COM+ Event System Service Elevation of Privilege Vulnerability
- Microsoft SharePoint Server Remote Code Execution Vulnerability
- Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
- Azure Arc-enabled Kubernetes Cluster Connect Elevation of Privilege Vulnerability
- Microsoft Edge
- Google Chrome
- Mozilla Firefox
October Patch Tuesday brings us 84 fixed vulnerabilities from Microsoft, an increase of almost 34% over September. Moreover, the number of critical updates is huge — 13 (160% more) — and one of them addresses a zero day that is being actively exploited in the wild.
Unfortunately, Patch Tuesday did not include a fix for the Microsoft Exchange ProxyNotShell vulnerability. Many people have been eagerly waiting for one because the exploit is already in full use in the wild. Microsoft created a fix almost a month ago but for some reason is in no hurry to release it. Instead, organizations are still limited to the workaround.
Here are details on the most interesting critical updates.
Windows COM+ Event System Service Elevation of Privilege Vulnerability
One of the most serious vulnerabilities fixed this month is the Windows COM+ Event System Service Elevation of Privilege Vulnerability (CVE-2022-41033), even though its CVSS rating is just 7.8. The reason is simple: There has been an exploit for this vulnerability for a long time now, and it can be easily combined with an RCE exploit. It is an excellent tool in a hacker’s arsenal for elevating privileges on a Windows system because it enables an attacker who has local access to a machine to gain SYSTEM privileges and do anything they like with that target system.
All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable. The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs.
Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it. This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server.
Microsoft SharePoint Server Remote Code Execution Vulnerability
Another serious vulnerability, CVE-2022-41038, affects all versions of SharePoint starting with SharePoint 2013 Service Pack 1. In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint server and gain administrative permissions. Microsoft reports that an exploit has likely been created already and is being used by hacker groups, but there is no proof of this yet. This vulnerability is worth taking seriously if you have a SharePoint server open to the Internet.
Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
CVE-2022-37987 and CVE-2022-37989 are both related to the behavior of the CSRSS process when searching for dependencies. CVS-2022-37989 is a failed fix for an earlier vulnerability, CVE-2022-22047, which has been seen in the wild; it occurs because CSRSS can accept input from untrusted processes. CVE-2022-37987 is a new vulnerability that works by tricking CSRSS into downloading dependency information from an unprotected location. Both vulnerabilities can lead to an adversary elevating their privileges to SYSTEM. Microsoft believes that the exploit is most likely already in the hackers’ arsenal.
Azure Arc-enabled Kubernetes Cluster Connect Elevation of Privilege Vulnerability
The CVE-2022-37968 vulnerability has a rare CVSS score of 10. It affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, and could allow an attacker to gain administrative control over those clusters. An attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet. Successful exploitation of this vulnerability can enable an unauthenticated user to elevate their privileges to cluster admin and gain control over the Kubernetes cluster. If you are using these types of containers with lower version than 1.5.8, 1.6.19, 1.7.18 and 1.8.11 and they are available from the Internet, upgrade immediately.
The newest version of Microsoft Edged fixes one high-severity vulnerability:
- Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability, CVE-2022-38012
CVE-2022-38012 has high complexity, requires user interaction, and can be executed only by an adversary with local access to the system. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. This vulnerability could lead to a browser sandbox escape.
Google Chrome 106 for Windows, Mac and Linux features patches for 20 vulnerabilities, including five with high severity. Half of the vulnerabilities are post-release exploit bugs that could lead to RCE, DoS, or data corruption. Combined with other vulnerabilities, they could be used to completely compromise the system.
Of the five high-severity issues that are fixed in Chrome 106, four are post-release usage vulnerabilities (CVE-2022-3304, CVE-2022-3305, CVE-2022-3306, CVE-2022-3307) that affect the CSS, Survey, and Media browser components. The fifth is insufficient validation of unreliable input in developer tools (CVE-2022-3201).
Chrome 106 also fixes three mid-level vulnerabilities (CVE-2022-3309, CVE-2022-3311, CVE-2022-3314). They are also related to post-release usage but affect three other Chrome components: Assistant, Import, and Logging.
The browser update also addresses the lack of medium severity policy enforcement in developer tools (CVE-2022-3308) and customizable tabs (CVE-2022-3310); insufficient validation of unreliable input in VPN (CVE-2022-3312); improper full-screen security UI (CVE-2022-3313); and type confusion in Blink (CVE-2022-3315).
Google does not report exploitation of Chrome vulnerabilities in the wild. Accordingly, the update is highly recommended.
Firefox 105 fixed 13 vulnerabilities, 9 marked as dangerous (7 reside under CVE-2022-40962) and caused by memory handling issues, such as buffer overflows and access to already freed memory areas. These problems could lead to the execution of attacker code when opening specially crafted pages.
- CVE-2022-3266, out of bounds read when decoding H264. An out-of-bounds read can occur when decoding H264 video, resulting in a potentially exploitable crash.
- CVE-2022-40959, bypassing FeaturePolicy restrictions on transient pages. During iframe navigation, certain pages did not have their FeaturePolicy fully initialized, leading to a bypass that leaked device permissions into untrusted subdocuments.
- CVE-2022-40960, data-race when parsing non-UTF-8 URLs in threads. Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free, causing a potentially exploitable crash.
The new Firefox 104 also fixes a serious address bar spoofing issue related to XSLT error handling. The vulnerability, tracked as CVE-2022-38472, can be used for phishing. Another fix addresses CVE-2022-38473, which is also related to XSLT documents from various sources that could pose security and privacy risks. The bulletin states: “A cross-origin iframe referencing an XSLT document would inherit the parent domain’s permissions (such as microphone or camera access).”
Two low-severity bugs have also been fixes. CVE-2022-38474 allows recording of audio without displaying an audio notification, and CVE-2022-38475 allows writing a value to an array of zero length. The low rating is due to the fact that the attacker has no way to bypass the permission request.
So far, Mozilla is unaware of any attacks exploiting any of these vulnerabilities in the wild.
Although Chrome is the web browser most commonly targeted, attackers are not ignoring Firefox, so it is recommended to install the update promptly. For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations familiarize themselves with Mozilla’s recommendations and install the necessary patches.
Cisco patched potentially serious vulnerabilities in several of its networking and communications products, including Enterprise NFV, Expressway, and TelePresence.
The company told customers that its Expressway series and TelePresence Video Communication Server software are subject to two high-severity vulnerabilities:
- CVE-2022-20814 relates to improper certificate validation. It could allow a remote attacker who has not authenticated to gain access to sensitive data through an MiTM attack. Successful exploitation of the vulnerability could result in an attacker intercepting or altering traffic.
- CVE-2022-20853 allows CSRF cross-site request spoofing attacks, enabling an attacker to trigger a DoS condition by forcing a user to click a specially crafted link.
Cisco also fixed a serious problem in its enterprise NFV infrastructure software (NFVIS) related to improper update file signature verification (CVE-2022-20929). An attacker could exploit the vulnerability by providing an inauthentic update file to the administrator.
The company also released security advisories to address medium-severity vulnerabilities in Smart Software Manager On-Prem, Jabber, BroadWorks, ATA, Touch 10, and Secure Web Appliance.
The vendor says it is not aware of any actual attacks targeting these vulnerabilities.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1 RMM, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
Get started today and use Action1 RMM on 100 endpoints free of charge with no functionality limitations.