On November 8, 2022, Microsoft published their November 2022 Security Update and patched six actively exploited vulnerabilities. The vulnerabilities impact Windows and Exchange Server.
Windows
| Impacted Products |
| --- |
| Windows Server 2022, 2019, 2016, 2012, and 2012 R2; Windows Server 2022 Datacenter: Azure Edition |
| Windows 11, 10, 8.1, RT 8.1, and 7 |
CVE-2022-41128 (CVSS 8.8): A Remote Code Execution (RCE) vulnerability impacting the JScript9 scripting language. A threat actor would need to use social engineering to successfully leverage this vulnerability, as there is no way to force a user to access the malicious or specially crafted server that is needed to exploit CVE-2022-41128. Threat actors will likely leverage phishing emails to entice victims into visiting such a server.
CVE-2022-41073 (CVSS 7.8): A Windows Print Spooler elevation of privilege vulnerability that could allow a low privileged user to obtain SYSTEM-level privileges if successfully exploited. Prior access is needed to exploit CVE-2022-41073.
CVE-2022-41125 (CVSS 7.8): A Windows CNG Key Isolation Service elevation of privilege vulnerability that could allow a low privileged user to obtain SYSTEM-level privileges if successfully exploited. Prior access is needed to exploit CVE-2022-41125.
CVE-2022-41091 (CVSS 5.4): A bypass vulnerability impacting the Windows Mark of the Web (MOTW) security feature, which allows a threat actor to prevent safety warnings from appearing and evade MOTW defenses. A threat actor would need to use social engineering to successfully leverage this vulnerability, as there is no way to force a user to view or interact with the threat actor-controlled content that is needed to exploit CVE-2022-41091.
Exchange Server
| Impacted Products |
| --- |
| Microsoft Exchange Server 2019, 2016, and 2013 |
These two vulnerabilities (aka ProxyNotShell) were chained together to obtain remote code execution in recent intrusions. For more information about ProxyNotShell, review our previously published security bulletins:
- [September 30, 2022] https://arcticwolf.com/resources/blog/microsoft-exchange-on-prem-zero-day-vulnerabilities-exploited-in-the-wild/
- [October 6, 2022] https://arcticwolf.com/resources/blog/updated-guidance-for-microsoft-exchange-zero-day-vulnerabilities-exploited-in-the-wild/
- [October 6, 2022 afternoon] https://arcticwolf.com/resources/blog/additional-updated-guidance-for-microsoft-exchange-zero-day-vulnerabilities-exploited-in-the-wild/
- [October 10, 2022] https://arcticwolf.com/resources/blog/cve-2022-41040-cve-2022-41082-additional-improvements/
CVE-2022-41040 (CVSS 8.8): A Microsoft Exchange Server elevation of privilege vulnerability. Upon successful exploitation, a threat actor could run PowerShell in the context of the system.
CVE-2022-41082 (CVSS 8.8): An authenticated Microsoft Exchange Server vulnerability that could lead to RCE in the context of the server’s account via a network call.
Recommendations
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. All vulnerabilities reported above have been used in intrusions and are being actively exploited by threat actors.
Note: Arctic Wolf recommends following change management best practices when deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
Windows
| Vulnerability | Impacted Product | Update Catalog |
| --- | --- | --- |
| CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows Server 2022 Datacenter: Azure Edition | KB5019080 (Hotpatch) |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows Server 2022 | KB5019081 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows Server 2019 | KB5019966 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows Server 2016 | KB5019964 |
| CVE-2022-41128, CVE-2022-41073, CVE-2022-41125 | Windows Server 2012 | KB5020009 |
| CVE-2022-41128, CVE-2022-41073, CVE-2022-41125 | Windows Server 2012 R2 | KB5020023 |
| CVE-2022-41128, CVE-2022-41073 | Windows Server 2008 R2 | KB5020000 |
| CVE-2022-41073 | Windows Server 2008 | KB5020019 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows 11 | KB5019961 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows 11 Version 22H2 | KB5019980 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows 10 | KB5019970 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 | Windows 10 Version 22H2, 21H1, and 20H2 | KB5019959 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41125 | Windows 10 Version 1809 | KB5019966 |
| CVE-2022-41128, CVE-2022-41091, CVE-2022-41125 | Windows 10 Version 1607 | KB5019964 |
| CVE-2022-41128, CVE-2022-41073, CVE-2022-41125 | Windows RT 8.1 | KB5020023 |
| CVE-2022-41128, CVE-2022-41073, CVE-2022-41125 | Windows 8.1 | KB5020023 |
| CVE-2022-41128, CVE-2022-41073 | Windows 7 | KB5020000 |
Exchange Server
| Vulnerability | Impacted Product | Update Catalog |
| --- | --- | --- |
| CVE-2022-41040, CVE-2022-41082 | Microsoft Exchange Server 2019, 2016, and 2013 | KB5019758 |
Recommendation #2: Restrict Access to External-Facing Exchange Servers
Practice the principle of least-privilege when configuring your Microsoft Exchange Server. Leverage Access Control List (ACL) restrictions on Exchange Control Panel (ECP) and other directories within IIS. The ECP directory should not be exposed to the Internet unless absolutely necessary.
Restrict access to Exchange Servers via VPN for approved users; deny access from TOR, proxy, and third-party VPN IPs to limit exploitation. Furthermore, restrict unnecessary ports and traffic from the Exchange Server.
- Note: Necessary ports for outbound traffic from Exchange Server are 25, 53, 123, 80, and 443
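One way to put an IIS IP restriction on the ECP virtual directory, as an added example that is not from the Arctic Wolf bulletin. It assumes the IIS "IP and Domain Restrictions" role service (Web-IP-Security) is installed, that it runs in an elevated PowerShell on the Exchange server, and that the allowed subnet is a placeholder you replace with your own management or VPN range.

```powershell
# Added example: allow only an internal management range to reach /ecp on the
# front-end "Default Web Site" and deny every unlisted address. Do not apply this
# to the "Exchange Back End" site, which Exchange itself proxies to.
Import-Module WebAdministration

$ecpPath     = 'IIS:\Sites\Default Web Site\ecp'   # front-end ECP virtual directory
$allowedIP   = '10.0.0.0'                           # PLACEHOLDER: your admin/VPN subnet
$allowedMask = '255.255.0.0'                        # PLACEHOLDER: matching subnet mask
$filter      = 'system.webServer/security/ipSecurity'

# Default-deny: any client not matched by an allow entry gets HTTP 403.
Set-WebConfigurationProperty -PSPath $ecpPath -Filter $filter -Name 'allowUnlisted' -Value $false

# Add the allow entry only if an identical one is not already present, so the
# script can be re-run safely.
$existing = Get-WebConfiguration -PSPath $ecpPath -Filter "$filter/add" |
    Where-Object { $_.ipAddress -eq $allowedIP -and $_.subnetMask -eq $allowedMask }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $ecpPath -Filter $filter -Name '.' `
        -Value @{ ipAddress = $allowedIP; subnetMask = $allowedMask; allowed = 'True' }
}

# Print the effective rule set so the change can be reviewed before admins test it.
Get-WebConfiguration -PSPath $ecpPath -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Confirm that the address you administer from is inside the allowed range before running it, since the deny-unlisted rule takes effect immediately.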
Recommendation #3: Disable Remote PowerShell Access for Non-Admins
Practice the principle of least-privilege when configuring your Microsoft Exchange Server. Disable remote PowerShell access for all non-admin users within your environment. For additional guidance follow Microsoft’s Control Remote PowerShell Access to Exchange Servers documentation.