What has been patched in October 2022 Patch Tuesday? Microsoft has issued patches for 85 vulnerabilities, including one zero-day. Unfortunately, the so-called ProxyNotShell flaws (CVE-2022-41040 and CVE-2022-41082) have not been patched yet, and affected parties should follow Microsoft’s mitigation recommendations.
CVE-2022-41040 is a server-side request forgery issue which an authenticated attacker can chain with CVE-2022-41082. The second vulnerability is a remote code execution issue that lets threat actors execute code remotely on a vulnerable Exchange server when its PowerShell endpoint is accessible to them. Microsoft has said from the outset that threat actors need to be already authenticated to the targeted server in order for the attack to succeed. This condition makes a ProxyNotShell attack less dangerous than the ProxyLogon vulnerability disclosed in the spring of 2021, which required no authentication at all.
CVE-2022-41033 in Detail
The zero-day addressed in this month’s Patch Tuesday has been identified as CVE-2022-41033. This is an elevation of privilege issue in the Windows COM+ Event System Service. The service automatically distributes events to COM (Component Object Model) components.
CVE-2022-41033 is known to have been exploited in the wild, but the nature of the attacks has not been revealed. Microsoft rates the attack complexity as low and notes that no user interaction is required. Upon successful exploitation, an attacker could gain SYSTEM privileges.
According to Mike Walters, Vice President of Vulnerability and Threat Research at Action1, all Windows versions, starting with Windows 7 and Windows Server 2008, are exposed. “The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs,” the researcher said.
Applying the patch is mandatory, as an attacker who already holds a guest or ordinary user session on the computer can easily escalate to SYSTEM privileges. The zero-day is “especially significant for organizations whose infrastructure relies on Windows Server,” Walters added.
Other Vulnerabilities Patched in October 2022
Another notable vulnerability fixed this month carries the maximum CVSS score of 10.0. CVE-2022-37968 is an “Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability,” as described by Microsoft. According to Trend Micro’s Zero Day Initiative, an attacker would need to know the randomly generated DNS endpoint of an Azure Arc-enabled Kubernetes cluster. The recommendation for organizations running such clusters is to ensure that auto-upgrade of the Arc agents is enabled, or to update manually to a fixed agent version by running the relevant commands in the Azure CLI.
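The manual route above comes down to two Azure CLI calls per cluster: read the Arc agent version, then upgrade it. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes the Azure CLI is installed and logged in, that the `connectedk8s` extension can be added, and that you supply the fixed agent releases yourself in a hashtable keyed by major.minor line (for example `@{ '1.8' = '<fixed 1.8.x>' }`), copied from Microsoft’s advisory for CVE-2022-37968; the function name `Get-AgentFixState` and the parameter names are this example’s own. A cluster whose line has no fixed release is flagged and, if you ask for an upgrade, moved to the newest fixed release you listed.

```powershell
<#
Added example, not code from the article or from Microsoft: inventory the Azure
Arc-enabled Kubernetes clusters in a resource group, compare each cluster's Arc agent
version with the fixed release for its major.minor line, and optionally upgrade one
cluster or turn on agent auto-upgrade.

Assumptions:
  - Azure CLI is installed and 'az login' has been run; the connectedk8s extension is
    added below if missing.
  - $FixedVersions maps an agent line ("1.8") to the fixed release on that line. Copy the
    values from Microsoft's advisory for CVE-2022-37968; they are deliberately not
    hard-coded here.
  - 'az connectedk8s upgrade' reaches the cluster through your kubeconfig, so -Upgrade
    works on one cluster at a time, selected with -ClusterName and -KubeContext.
#>
param(
    [Parameter(Mandatory)] [string]    $ResourceGroup,
    [Parameter(Mandatory)] [hashtable] $FixedVersions,   # e.g. @{ '1.8' = '<fixed 1.8.x from advisory>' }
    [string] $ClusterName,
    [string] $KubeContext,
    [switch] $Upgrade,
    [switch] $EnableAutoUpgrade
)

$ErrorActionPreference = 'Stop'
if ($Upgrade -and -not $ClusterName) {
    throw '-Upgrade acts on one cluster at a time; pass -ClusterName (and -KubeContext).'
}

# Classify one agent version against the per-line fixed releases and pick an upgrade target.
function Get-AgentFixState {
    param([string] $AgentVersion, [hashtable] $Fixed)
    # Newest fixed release across all lines: the fallback target when a line has no fix.
    $newest = @($Fixed.Values | ForEach-Object { [version] $_ } | Sort-Object -Descending)[0]
    if (-not $AgentVersion) {
        return [pscustomobject]@{ State = 'unknown (agent not reporting; cluster disconnected?)'; Target = $newest.ToString() }
    }
    $v    = [version] $AgentVersion
    $line = "$($v.Major).$($v.Minor)"
    if (-not $Fixed.ContainsKey($line)) {
        return [pscustomobject]@{ State = "no fixed release on line $line; move to a supported line"; Target = $newest.ToString() }
    }
    $fixedOnLine = [version] $Fixed[$line]
    if ($v -ge $fixedOnLine) { return [pscustomobject]@{ State = 'fixed'; Target = $null } }
    return [pscustomobject]@{ State = "vulnerable (fixed release is $fixedOnLine)"; Target = $fixedOnLine.ToString() }
}

# az connectedk8s ships as a CLI extension.
az extension add --name connectedk8s --only-show-errors | Out-Null

$clusters = az connectedk8s list --resource-group $ResourceGroup --output json | ConvertFrom-Json
if ($ClusterName) { $clusters = @($clusters | Where-Object name -eq $ClusterName) }

foreach ($c in $clusters) {
    $fix = Get-AgentFixState -AgentVersion $c.agentVersion -Fixed $FixedVersions
    # Report line for this cluster (goes to the pipeline, so it can be piped to Format-Table or Export-Csv).
    [pscustomobject]@{ Cluster = $c.name; AgentVersion = $c.agentVersion; State = $fix.State; Target = $fix.Target }

    if ($EnableAutoUpgrade) {
        # With auto-upgrade on, the Arc agents track fixed releases without manual runs.
        az connectedk8s update --name $c.name --resource-group $ResourceGroup --auto-upgrade true --only-show-errors | Out-Null
    }

    if ($Upgrade -and $fix.Target) {
        $cliArgs = @('connectedk8s', 'upgrade', '--name', $c.name, '--resource-group', $ResourceGroup,
                     '--agent-version', $fix.Target)
        if ($KubeContext) { $cliArgs += @('--kube-context', $KubeContext) }
        az @cliArgs
    }
}
```

Save it as a `.ps1` file and run it first without `-Upgrade` to get a report for the whole resource group; then run it per cluster with `-ClusterName`, `-KubeContext` and `-Upgrade` against the kubeconfig context of that cluster. Comparing against a per-line table rather than a single threshold matters because Microsoft backported the fix to several agent lines, so a patched 1.7.x agent must not be flagged as older than a 1.8.x release.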
Another dangerous flaw fixed this month is CVE-2022-38048 in Microsoft Office. The vulnerability is a remote code execution issue which is rated as critical.