Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities

Patch Tuesday
Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”

Three of the critical entries are remote code execution (RCE) vulnerabilities for Windows Point-to-Point Tunneling Protocol (PPTP).

An unauthenticated attacker can send a specially crafted request to an RAS (Remote Access Server), which may lead to remote code execution. Although according to Microsoft, these three vulnerabilities are less likely to be exploited, as the attacker must win a complex race condition. In August of 2022’s Patch Tuesday release, several vulnerabilities for Windows PPTP were also disclosed.

Another notable vulnerability in this release is CVE-2022-41118, a remote code execution vulnerability for both the JScript9 and Chakra scripting languages. While exploiting this vulnerability requires that the attacker win a race condition, Microsoft has determined that exploitation is more likely. Successful exploitation of CVE-2022-41118 requires that the attacker convince the victim to visit a malicious server share or website. This requirement can likely be met by phishing emails or another form of social engineering.

Two of the entries listed as critical are privilege escalation vulnerabilities in Windows Kerberos. Microsoft has determined that exploitation of both is more likely.

CVE-2022-37966 is a privilege escalation vulnerability in Windows Kerberos, where an unauthenticated attacker may be able to leverage vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass constrained delegation security features in a Windows AD environment. The attack complexity has been labeled as “High.”

CVE-2022-37967 is another privilege escalation vulnerability in Windows Kerberos, where an authenticated attacker could leverage cryptographic protocol vulnerabilities in the Windows Kerberos AES-SHA1 cipher suite. If an attacker is successful in gaining control over the service  that is allowed for delegation, they can modify Kerberos PAC to elevate their privileges. In contrast to CVE-2022-37966, the attack complexity is considered “Low.”

Also listed in this release is CVE-2022-38015, a Windows Hyper-V denial of service vulnerability. This affects Windows 10 and 11 hosts, as well as Windows Server 2016 and 2022. While the attack complexity is listed as “Low,” Microsoft considers successful exploitation as “Less Likely.”

The last critical disclosure is CVE-2022-41080, a Microsoft Exchange Server elevation of privilege vulnerability, which has a low attack complexity and successful exploitation is considered “More Likely.” CVE-2022-41080 affects Microsoft Exchange Server versions listed below:

  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 22
  • Microsoft Exchange Server 2016 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2019 Cumulative Update 12

Talos would also like to highlight three “Important” vulnerabilities as Microsoft has listed them as being successfully exploited in the wild:

  • CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability
  • CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability
  • CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60815-60816, 60818-60819, 60820-60821, 60822-60823, 60831-60832, 60833-60834. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300309, 300310, 300311, 300312, 300315, 300316.