Overview
Microsoft has released the latest Patch Tuesday, and there were plenty of demons to exorcise. Particularly frightening were 15 critical bugs including two 0-days fixed, one of which was actively exploited in the wild.
85 total vulnerabilities were addressed, across at least 6 MS families. The most severe is CVE-2022-41033 which is a flaw in the Windows COM+ event service that provides system notifications when users log on or log off, MS has indicated it is being actively exploited in the wild. Meanwhile, CVE-2022-37968 earned the highest severity score of 10.0, and while it requires a bit of skill to exploit it is especially fearsome for Azure and Kubernetes users. Both flaws should be addressed immediately.
Two more vulns remain undead and continue to haunt Exchange servers. While there is mitigation guidance, if not actively pursued they can allow for remote code execution. Listed as CVE-2022-41040 and CVE-2022-41082, these are considered a variant of last year’s ProxyShell attack, which was technically a collection of three separate vulnerabilities chained together, enabling threat actors to bypass authentication and execute code as a privileged user. Since there are no firm patches, researchers have not disclosed any granular details, and the attack is currently referred to as ProxyNotShell. Please read the listed MS and the source's additional guidance, including some modifications.
The apparitions do not end there, however. No less than 7 vulnerabilities were addressed in Windows Point-to-Point Tunneling Protocol (PPTP). This is one of the oldest, and now obsolete, VPN protocols still in use. Operating on TCP port 1723 and having been around since Windows 95 - and standard on all versions of Windows, exploits for this protocol have been around for more than 20 years. What is interesting about these is that while they require a degree of technical expertise to exploit, the tools are out there. Legacy vulnerabilities that have lower critical ratings usually take longer for organizations to patch. As a result, they are often used to fill our part of an attack chain, CTIG will pay special attention to these in the coming weeks, to highlight several different skills and approaches that apply to the failings of secure communications. For your records, they are listed as CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081
Finally, some good news to report. To defend against brute-force attacks, Microsoft announced the addition of a group policy allowing administrators to protect local accounts across all existing, updatable Windows operating systems. Before now, this existed only on the new release of Windows 11 and has been retrofitted to previous versions. CTIG will verify that the process is sound across legacy systems.
CTIGs look into the future
Stay tuned for next week's webinar, as CTIG will present a demonstration of the triage process, as well as how to turn a patch into an exploit.
Are you looking to build your team’s skills? Get two months of your Cybrary for Teams subscription for free when you use promo code YOURTEAM20 at checkout!
