Skip links

It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes

Patch Tuesday Microsoft fixed more than 80 security flaws in its products for October’s Patch Tuesday. But let’s start off with what Redmond didn’t fix: two Exchange Server bugs dubbed ProxyNotShell that have been exploited by snoops as far back as August.

CVE-2022-41040 is a server-side request forgery vulnerability while CVE-2022-41082 is a remote code execution (RCE) bug. Both can be exploited together to run PowerShell commands on a vulnerable system and take control of it.

Vietnamese cybersecurity firm GTSC discovered the two vulnerabilities, and reported that they were exploited in early August 2022. A month later, Zero Day Initiative (ZDI) purchased the bugs and disclosed them to Microsoft. 

Since late September, Redmond has issued almost daily mitigation updates, though all of these temporary fixes have been bypassed by security researchers. 

“With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed,” ZDI advised.

Of the CVEs that Microsoft did patch today, 13 are rated “critical” and allow for privilege elevation, spoofing, or RCE. The rest are deemed “important,” which isn’t exactly as reassuring as it sounds.

Another bug under exploit, another that’s publicly disclosed

One of these “important” bugs is under active exploitation and another has been publicly disclosed, so let’s start with those two.

CVE-2022-41033 is a privilege escalation vulnerability in Windows COM+ Event System Service with a CVSS severity rating of 7.8 out of 10. According to Microsoft, it’s got a “low” attack complexity and, if exploited, could give an attacker system-level privileges. We say ‘if’ – it is actually being exploited in the wild, according to Redmond.

As ZDI noted, privilege escalation bugs are often paired with RCE to take over a system. “These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website,” ZDI’s Dustin Childs said.

“Despite near-constant anti-phishing training, especially during ‘Cyber Security Awareness Month,’ people tend to click everything, so test and deploy this fix quickly,” he added.

Additionally, details of an information disclosure bug in Microsoft Office, tracked as CVE-2022-41043, has been publicly disclosed, so patch that one next before Redmond has to list it as under active exploit.

Discovered by SpecterOps’ Cody Thomas, it also has a low attack complexity and can be exploited to gain access to users’ authentication tokens and potentially other sensitive info.

Critical Microsoft fixes

Of the critical vulnerabilities, CVE-2022-37968, a privilege escalation flaw in Azure Arc Connect, received the maximum 10 out of 10 CVSS score, making it the highest-severity bug Redmond addressed this month.

It affects the cluster connect feature in Azure Arc-enabled Kubernetes clusters and could be exploited by an unauthenticated user to gain admin-level control over the cluster. “Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability,” Redmond warned.

Two more critical privilege escalation vulnerabilities, CVE-2022-37976 and CVE-2022-37979 affect Windows Active Directory and Hyper-V, respectively.  

The Windows’ point-to-point protocol has eight CVEs patched this month, seven of which are critical remote code execution bugs: CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047 and CVE-2022-41081.

While Microsoft says these are “less likely to be exploited,” and noted that for a successful exploit an attacker would need additional access, Immersive Labs’ Director of Cyber Threat Research Kev Breen suggested patching these sooner than later.

“Although there aren’t any details on what the race condition may be, with time on their side, attackers can be persistent and use automation to win any race conditions,” he told The Register. “Organizations with publicly exposed PPTP VPN servers should prioritize patching these services or applying firewall rules to limit access.”

And finally, the other three critical RCEs, CVE-2022-38048, CVE-2022-38049 and CVE-2022-41031, target Microsoft Office and Word.

“These are usually popular targets for adversaries, as they are one of the most popular pieces of software in the world and can be exploited just by tricking a user into opening a specially crafted document,” Cisco Talos researchers Jon Munshaw and Vanja Svajcer noted.

SAP pushes nearly two-dozen fixes

SAP released 23 new and updated SAP security patches this month, which included two HotNews Notes and six High Priority Notes. 

One of these, SAP Security Note #3242933, fixes a 9.9-rated critical path traversal vulnerability in SAP Manufacturing Execution. 

“The CVSS score of 9.9 is based on the fact that the impact on confidentiality, integrity, and availability can be high, depending on the kind of information that can be accessed during an attack,” said Thomas Fritsch, SAP security researcher at Onapsis.

Meanwhile, the second HotNews Note, #3239152, received a CVSS score of 9.6. It patches an account hijacking vulnerability in the SAP Commerce login page. 

“Attackers were able to inject redirect information into the login page’s URLs, causing the login page to redirect sensitive information such as login credentials to an arbitrary server on the Internet,” Fritsch said. 

“Attackers didn’t require any privileges to start an exploit but they did need a user to click the malicious link that opens the manipulated login form to execute the exploit,” he added.

Adobe patches 29 CVEs

Adobe’s monthly security fixes include four updates that patch 29 CVEs across its ColdFusion, Acrobat and Reader, Commerce and Magento, and Dimension software products. 

None of these are under exploit or listed as publicly known, though some received high CVSS scores, so we suggest patching ASAP.

The Commerce and Magento update fixes a stored cross-site scripting (XSS) bug that received a perfect 10/10 severity rating. Additionally, the ColdFusion update fixes five critical arbitrary code execution bugs. Another bug in this product that’s rated “important” is due to the use of hard-coded credentials. 

Despite Adobe’s assurance that none of these bugs have been exploited in the wild, as ZDI noted: “Hard to imagine hard-coded credentials have existed in the product for so long without being discovered.” 

Apple’s email fix

Apple pushed a security update for iOS 16 in the iPhone 8 and later to fix an “input validation issue” in its mail app.

While it doesn’t provide a whole lot in the way of details about CVE-2022-22658, Apple told customers that “processing a maliciously crafted email message may lead to a denial-of-service.”

Android’s got some critical RCEs

Google fixed 48 Android vulnerabilities, four of which are critical and could allow for remote code execution (RCE). None of these have been exploited in the wild.

Google doesn’t publish information about specific bugs in its monthly Android bulletin. It did, however, note: “the most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed.”

The other three critical CVEs affect Qualcomm components in Android devices.

VMware joins the patch party

VMware issued two security advisories to fix three vulnerabilities in VMware ESXi, vCenter Server, and Aria Operations.

The worst of the bunch, deemed “important,” is CVE-2022-31680 — a deserialization vulnerability in vCenter Server platform services controller. “A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server,” the virtualization giant warned.

But wait, there’s Cisco

Cisco published or updated 12 security alerts for 15 vulnerabilities this month, and labeled four of the CVEs “high” impact with the rest “medium” severity.

Of the new high-risk bugs, all of which could be exploited by an unauthenticated, remote attacker: CVE-2022-20814, in the certificate validation of Cisco Expressway-C and Cisco TelePresence VCS, could allow access to sensitive data. 

Meanwhile, CVE-2022-20853, in the REST API of Cisco Expressway Series and Cisco TelePresence VCS could be used to pull off a cross-site request forgery attack on an affected system.

And CVE-2022-20929, a vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software, could allow an unauthenticated attacker with local access to fully compromise the system.

None of these have been exploited in the wild. ®