Patch Roundup – November 2022
Welcome to the Patch Roundup blog for November 2022, where we review some of the major updates from the big vendors for the month.
Microsoft Patch Tuesday
Another modest release of updates from Microsoft this month, with 62 distinct vulnerabilities fixed across a wide spread of OSes and software.
The highest scoring vulnerabilities this month all clock in with a CVSS score of 8.8: an elevation of privilege in all on-prem Exchange Server versions (CVE-2022-41080) and remote code execution bugs in the ODBC Driver (CVE-2022-41047), SharePoint (CVE-2022-41062) and Windows Scripting Languages (CVE-2022-41128).
The ODBC driver vulnerability and the Windows Scripting Languages bug are interesting in that both turn a client's connection to a remote resource against it. For the ODBC attack, the attacker stands up a malicious SQL Server, lures an authenticated user into connecting to it via ODBC (typically through social engineering), and uses that connection to run code on the victim's machine. The Scripting Languages vulnerability works the same way: an attacker-controlled website or file share serves content that triggers code execution through the JScript9 engine once the victim has been tricked into connecting. Both require user interaction, which is why they score 8.8 rather than 9.8; the latter is being actively exploited in the wild.
While rated with lower CVSS scores, several other vulnerabilities addressed this month are also being actively exploited in the wild. CVE-2022-41091 is a security feature bypass in Windows' "Mark of the Web", the zone tag on downloaded files that lets Office and SmartScreen treat them as untrusted; a crafted file can circumvent some of the controls that tag is meant to trigger. CVE-2022-41073 is yet another Print Spooler elevation of privilege bug allowing an attacker to gain SYSTEM privileges, and again seen actively exploited in the wild.
Citrix Gateway and ADC
On the 8th of November, Citrix published an advisory (CTX463706) covering a pair of Critical vulnerabilities and a third, less serious one affecting the Citrix Gateway and ADC products. CVE-2022-27510 and CVE-2022-27513 are both CVSS rated at 9.8, while CVE-2022-27516 scores 5.3.
CVE-2022-27510 is an authentication bypass enabling "unauthorised access to gateway user capabilities", which translates to an attacker being able to reach the platform and carry out activities with user level permissions without valid credentials. Depending on the apps, machines and users available behind the gateway, this could allow access to sensitive data and systems. It only applies to appliances configured as a VPN (Gateway).
CVE-2022-27513 is more self-explanatory, enabling remote desktop takeover via phishing, but it requires the appliance to be configured as a VPN (Gateway) with the RDP proxy functionality enabled.
CVE-2022-27516 relates to the "Max Login Attempts" setting on appliances configured as a VPN (Gateway) or AAA virtual server, which under certain circumstances can be bypassed so that a brute force attack against user logins is not throttled.
The affected versions are listed below; the simple solution is to patch to the latest build on your branch. At the time of writing it was unclear whether any of these vulnerabilities had been weaponised or targeted in the wild, but Citrix have been forthright in recommending that admins patch their systems urgently.
· Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
· Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
· Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
· Citrix ADC 12.1-FIPS before 12.1-55.289
· Citrix ADC 12.1-NDcPP before 12.1-55.289
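As an added example (mine, not Citrix's tooling and not part of the original post), the following Python checks the build reported by an appliance against the fixed builds in the list above. It assumes the banner printed by `show ns version` looks like `NetScaler NS13.1: Build 33.42.nc, Date: ...` (an assumption about the format) and that the operator knows whether a 12.1 appliance is a FIPS or NDcPP build, since those branches have their own build line that overlaps the numbering of plain 12.1.

```python
import re
from typing import Optional, Tuple

# Fixed builds from the Citrix advisory, keyed by release branch. The 12.1 FIPS and
# NDcPP builds have their own build line, so they are kept separate from plain 12.1.
FIXED_BUILDS = {
    "13.1": (33, 47),
    "13.0": (88, 12),
    "12.1": (65, 21),
    "12.1-FIPS": (55, 289),
    "12.1-NDcPP": (55, 289),
}

# Assumed shape of the `show ns version` banner, e.g.
# "NetScaler NS13.1: Build 33.42.nc, Date: Aug 2 2022, 10:05:32   (estimated)"
BANNER_RE = re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)")


def parse_banner(banner: str, variant: Optional[str] = None) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build_major, build_minor)); variant is 'FIPS' or 'NDcPP' when known."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    branch = m.group("branch")
    if variant:
        branch = f"{branch}-{variant}"
    return branch, (int(m.group("major")), int(m.group("minor")))


def is_vulnerable(banner: str, variant: Optional[str] = None) -> bool:
    """True if the build is below the fixed build for its branch, or the branch has no fix at all."""
    branch, build = parse_banner(banner, variant)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Branches absent from the advisory (e.g. end-of-life 12.0 or 11.1) receive no fix,
        # so report them as exposed rather than silently passing them.
        return True
    # Tuple comparison is numeric, so build 88.9 correctly sorts below 88.12.
    return build < fixed


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real appliances.
    for banner, variant in [
        ("NetScaler NS13.1: Build 33.42.nc, Date: Aug 2 2022", None),
        ("NetScaler NS13.0: Build 88.12.nc, Date: Sep 2 2022", None),
        ("NetScaler NS12.1: Build 55.282.nc, Date: Jul 1 2022", "FIPS"),
    ]:
        state = "VULNERABLE" if is_vulnerable(banner, variant) else "patched"
        print(f"{state:10s} {banner}")
```

A build check like this tells you which appliances need the update; it does not tell you which were actually exposed, since that depends on the preconditions in the advisory (VPN/Gateway or AAA configuration, RDP proxy enabled). Patching to a fixed build is the only way to close the question on both counts.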
OpenSSL
Finally for this edition, in early November OpenSSL announced two high severity vulnerabilities in OpenSSL 3.0, CVE-2022-3786 and CVE-2022-3602. Both were pre-announced as Critical and downgraded to High when the advisory was published; NVD scores them 7.5. Both are buffer overruns in X.509 certificate verification, specifically in the punycode decoding of email address name constraints: CVE-2022-3602 lets an attacker write four bytes past the end of a stack buffer, CVE-2022-3786 an arbitrary number of '.' characters. The realistic outcome is a crash of the affected process, and the bug can be reached by a TLS client connecting to a server that presents a maliciously crafted certificate chain, or by a TLS server that requests client authentication and receives one. The important caveat is that the overflow is only reached after the chain signature has been verified, so the attacker needs a crafted certificate signed by a CA the victim trusts, or an application that carries on despite a verification failure.
The bugs are fixed in OpenSSL 3.0.7 and affect every earlier 3.0 release (3.0.0 to 3.0.6); the 1.1.1 and 1.0.2 branches do not contain the affected code and are not impacted. The primary concern is the widespread prevalence of the OpenSSL library in devices and software: statically linked or bundled copies do not show up in the package manager, and they may be hard to identify and upgrade across an estate.
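As an added example (mine, not from the original post or the OpenSSL project), the following Python walks a directory tree and looks for the version banner that OpenSSL compiles into libcrypto, libssl and anything that links them statically, which is one way to find bundled copies that the package manager knows nothing about. The sample tree it scans is constructed in a temporary directory; the byte strings stand in for real binaries.

```python
import os
import re
import tempfile

FIXED = (3, 0, 7)

# Version banner OpenSSL embeds in its libraries and in statically linked binaries,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022". Only the digits matter.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]?")


def is_affected(version):
    """True for the vulnerable range 3.0.0 to 3.0.6; 1.x and 3.0.7 or later are not affected."""
    major, minor, _patch = version
    return (major, minor) == (3, 0) and version < FIXED


def versions_in_blob(data):
    """All distinct OpenSSL version triples found in a byte string, sorted."""
    return sorted({tuple(int(g) for g in m.groups()) for m in BANNER_RE.finditer(data)})


def scan_tree(root):
    """Return (path, version, affected) for every banner found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                # Whole-file read keeps a banner from straddling a chunk boundary;
                # fine for libraries and binaries, chunk it if you point this at huge files.
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable (permissions, device nodes): skip, don't abort the scan
            for version in versions_in_blob(data):
                findings.append((path, version, is_affected(version)))
    return findings


def demo():
    """Scan a throw-away tree of constructed pseudo-binaries (sample data, not real files)."""
    samples = {
        "vendor-agent/libssl.so.3": b"\x7fELF\x00\x00OpenSSL 3.0.5 5 Jul 2022\x00more bytes",
        "tools/curl-static": b"\x7fELF\x00\x00OpenSSL 3.0.7 1 Nov 2022\x00",
        "legacy/libssl.so.1.1": b"\x7fELF\x00\x00OpenSSL 1.1.1q  5 Jul 2022\x00",
        "docs/readme.txt": b"no crypto here",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(blob)
        findings = scan_tree(root)
        # Strip the random temp prefix so the result is stable from run to run.
        return sorted(
            (os.path.relpath(p, root).replace(os.sep, "/"), v, bad) for p, v, bad in findings
        )


if __name__ == "__main__":
    for rel, version, bad in demo():
        print(f"{'AFFECTED' if bad else 'ok':8s} {rel}: OpenSSL {'.'.join(map(str, version))}")
```

Run it against `/`, application directories and container images rather than the demo tree. Expect some noise: the regex also matches changelogs and other text that merely mention a version, and a vendor may have backported the fix without bumping the banner, so treat hits as leads to confirm against vendor advisories rather than as verdicts.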