Monthly Security Patching for Fully-Managed Windows 2012+ servers - October 11, 2022
Posted by David Cunningham on 11 October 2022 09:42 PM
Purpose of Work:
October's Patch Tuesday is here, and it's not especially spooky. There are 85 Windows vulnerabilities being patched this month, compared to 82 in September 2021.
Preliminary reports from early adopters indicate no apparent widespread issues, and as usual the test environment will be updated first and monitored for any showstoppers.
Of those 85 vulnerabilities, one is under attack and another is publicly known, but neither is an RCE vulnerability.
First for the highlights, we'll start with the vulnerability under active exploitation: a local Elevation of Privilege vulnerability leveraging the COM+ Event System service, and affecting all supported versions of Windows and Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033 ). Based on the information Microsoft has provided so far, there's not a lot to say about this, other than the usual: this being an Elevation of Privilege vulnerability, it makes any successful remote code execution more dangerous when the two are paired; webservers and application servers in particular that are open to the internet could be impacted by this.
Second up, the public vulnerability is an Information Disclosure vulnerability affecting and leveraging recent versions of Office on Mac ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043 ). It seems affected users can have their authentication tokens and similar secrets sniffed by attackers, so if you're on a Mac, make sure you're running those updates. Vulnerabilities that are publicly disclosed often have a short fuse before we see them exploited by actual attackers.
Third, we have an Arbitrary Code Execution vulnerability affecting and leveraging all supported versions of Microsoft Office ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38048 ). It's unclear exactly what the vector is, but user interaction is required. Microsoft has labeled this as a "remote code execution" vulnerability to emphasize that attackers are likely to exploit this by sending payloads directly to end-users, per usual.
Fourth on the list (and taking us back to Windows server products), we have an Elevation of Privilege vulnerability leveraging the DCOM Server and Active Directory Certificate Services, affecting all supported versions of Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976 ). The actual EOP vector seems to be through forcing the DCOM Server to authenticate with a malicious client via ADCS, then capturing the resulting credential payload for malicious use. There don't appear to be any special adjustments required to get the patch to work, though there is some pre-patching mitigation guidance.
Fifth on the list, there's an Elevation of Privilege vulnerability leveraging Hyper-V and affecting Windows Server 2016 / Windows 10 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37979 ). Curiously, Microsoft mentions in the vulnerability FAQ that "An attacker on a Nested Hyper-V environment would gain Level 1 Hyper-V Windows Root OS privileges", leaving the question open on what they'd achieve on a standard Hyper-V deployment. We'll be making no assumptions, and will patch as if it affects standard Hyper-V deployments the same way it normally would: allowing VMs to break the sandbox and run code on the HV.
Sixth up, we have a Denial of Service vulnerability leveraging the TCP/IP driver in all supported versions of Windows and Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33645 ). As is typical with these TCP/IP stack vulnerabilities as of late, it only affects hosts that have IPv6 enabled at the protocol/interface level, which is the default.
And, finally, there is a whole host of Remote Code Execution vulnerabilities leveraging the Windows Point-to-Point Tunneling Protocol Server feature, on all supported versions of Windows and Windows Server (between them, at least the following: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22035 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24504 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33634 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38047 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38000 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41081 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30198 ). This one is more of an edge case, but if you have a host you're allowing users to dial into via PPTP, I'd shut that down until these patches can be deployed.
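The two items above are conditional on host configuration (IPv6 bound on an interface for the TCP/IP DoS, PPTP dial-in enabled for the RCE batch). The following pre-patch exposure check is an added example, not part of the original notice; it assumes a Windows Server 2012+ host, an elevated PowerShell session, and uses the 2022-10-11 release date rather than any specific KB number, since those are not listed here.

```powershell
# Added example: report the exposure conditions called out in the notice and
# whether any updates have landed since Patch Tuesday. Run as Administrator.
$PatchTuesday = Get-Date '2022-10-11'   # October 2022 release date, from the notice

function Get-IPv6BoundAdapters {
    # ms_tcpip6 is the binding component ID for "Internet Protocol Version 6 (TCP/IPv6)".
    # Any adapter listed here is in scope for the TCP/IP driver DoS until patched.
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Where-Object { $_.Enabled } |
        Select-Object Name, DisplayName, Enabled
}

function Test-PptpServer {
    # Routing and Remote Access (service name RemoteAccess) is what serves PPTP;
    # the PPTP control channel listens on TCP 1723, so check both signals.
    $svc      = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    $rras     = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $listener = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RrasRunning  = [bool]$rras
        Port1723Open = [bool]$listener
        ServesPptp   = [bool]($rras -or $listener)
    }
}

function Get-UpdatesSincePatchTuesday {
    # No KB numbers are assumed; anything installed on/after the release date is listed.
    Get-HotFix |
        Where-Object { $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

$v6    = @(Get-IPv6BoundAdapters)
$pptp  = Test-PptpServer
$fixes = @(Get-UpdatesSincePatchTuesday)

"IPv6 bound on $($v6.Count) adapter(s):"
$v6 | Format-Table -AutoSize
"PPTP exposure:"
$pptp | Format-List
if ($fixes.Count -gt 0) {
    "Updates installed since $($PatchTuesday.ToShortDateString()):"
    $fixes | Format-Table -AutoSize
} else {
    "No updates installed since $($PatchTuesday.ToShortDateString()); host is likely still unpatched."
}
```

If `ServesPptp` comes back true on a host that does not need dial-in, the interim step the notice recommends is to stop and disable the service (`Stop-Service RemoteAccess; Set-Service RemoteAccess -StartupType Disabled`) until the patches are on.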
There is also an Exchange security update this month, so our mail may be impacted more than usual.
I'll add that none of the vulnerabilities this month (including yet more Print Spooler and Kerberos Elevation of Privilege vulnerabilities) seem to require additional action, beyond installing a given patch.
That's all for the highlights, but as usual, there's plenty more where that came from, all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 10:20PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket directly via the portal, or calling us at 303-414-6910 x2, for emergencies.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Hypervisors in DR scenarios may be updated up to one hour early, as they are not running active workloads.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.