Monthly Security Patching for Fully-Managed Windows 2012+ servers - November 8, 2022
Posted by David Cunningham on 08 November 2022 11:10 PM
Purpose of Work:
November's Patch Tuesday has arrived. There are 69 Windows vulnerabilities being patched this month, compared to 55 in November 2021.
Of those 69 vulnerabilities, 6 are under active exploitation, with one of those publicly disclosed. Only two of the six vulnerabilities found 'in the wild' are Remote Code Execution vulnerabilities: the first requires user interaction, the other requires unprivileged authentication, so nothing wormable appears to be out there and spreading.
Preliminary reports from early adopters indicate no apparent widespread issues (though there are some edge case problems I've seen reported with WinRM functionality), and the test environment has shown no major trouble, post-update, so I guess that's something to be thankful for.
To kick off the highlights, we'll start with a pair of Remote Code Execution vulnerabilities affecting all supported versions of Windows and using the Windows scripting language engines as their vector ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41118 ). Both affect JScript9, with CVE-2022-41128 also affecting the Chakra engine. CVE-2022-41128 is on the shortlist of actively exploited vulnerabilities this month and has a no-authentication / network vector, but requires user interaction to exploit: specifically, a user must be tricked into clicking a link to a malicious server carrying the exploit as its payload. CVE-2022-41118 is not in the wild yet, but works in a similar fashion and also requires user interaction. Until this one is patched in your environment, users should be wary of email links on Windows VDIs or workstations.
There is also a pair of Exchange Server vulnerabilities this month, affecting all supported versions ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040 , https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082 ). One is RCE, the other is EOP, and both require authentication. We'll be updating our own Exchange server (which may affect mail flow tonight, so if you get a bounce, contact us via phone or helpdesk), and recommend you do the same if you maintain one. This patch appears to require additional hardening actions after installation.
There are three more vulnerabilities detected 'in the wild' this month: an EOP vuln leveraging the Print Spooler and affecting all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073 ), an EOP vuln leveraging the CNG Key Isolation service and affecting Windows 8/Server 2012 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125 ), and lastly, a security feature bypass vulnerability affecting Windows 10/2016 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41091 ). There's not much to talk about with the Elevation of Privilege vulnerabilities: they require no additional action, and of course can only be used to amplify non-privileged compromises. The security feature bypass is interesting for those who work with end-user systems like VDI or workstations: it allows bypassing of the "Mark of the Web" security flag applied to downloaded files, which causes browsers and Microsoft Office programs to treat those files with more suspicion and prompt for end-user review before executing them.
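Since the Mark of the Web is just the Zone.Identifier alternate data stream on a downloaded file, a quick inventory of which files in a user's download folder still carry it (and which Internet zone they came from) helps scope exposure on VDIs and workstations until CVE-2022-41091 is patched. The following audit function is an added example, not part of the original notice or any Microsoft tooling; the folder path and the function name are assumptions.

```powershell
# Added example: report the Mark of the Web status of every file under a folder.
# A file with no Zone.Identifier stream will not trigger the SmartScreen / Office
# "downloaded from the Internet" prompts, so those are the ones worth a second look.
function Get-MotwStatus {
    param(
        # Assumed default: the current user's Downloads folder.
        [string]$Folder = "$env:USERPROFILE\Downloads"
    )

    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # Browsers and mail clients write this stream when saving files from the Internet.
        # Reading a missing stream is a non-terminating error, so it just yields $null.
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

        if ($null -eq $zone) {
            # No MOTW at all: either a local file or the mark was stripped/bypassed.
            $zoneId = 'none'
        }
        else {
            # Stream body is INI-like: "[ZoneTransfer]", then "ZoneId=3" (3 = Internet zone),
            # optionally followed by ReferrerUrl / HostUrl lines.
            $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line -match '^ZoneId=(\d+)') { $zoneId = $Matches[1] } else { $zoneId = 'unparsed' }
        }

        [pscustomobject]@{
            File     = $_.FullName
            Modified = $_.LastWriteTime
            ZoneId   = $zoneId
        }
    }
}

# Usage: list files first by zone so the unmarked ones group together.
Get-MotwStatus | Sort-Object ZoneId, Modified | Format-Table -AutoSize
```

Files reported as `none` that you know were downloaded are the ones to review; the script only reads the stream and never removes it.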
Fourth on the list, there's a pair of EOP vulnerabilities leveraging different aspects of Kerberos and affecting all supported versions of Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37966 ). These vulnerabilities will require post-patching action to properly mitigate, and like most Kerberos patches, the fixes will be eventually made mandatory via a phased rollout. Said updates have major implications for AD domains and domain controllers, so I recommend anyone in charge of an AD domain reviews both articles and their linked articles carefully, as we will be doing. Both updates are still in their staging phase at this time, having just been released.
There are a few other vulnerabilities worth mentioning offhand without further detail: a Hyper-V denial of service vulnerability ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38015 ) and three RCE vulnerabilities affecting the Windows Point-to-Point Tunneling Protocol service ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41044 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41088 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41039 ).
As usual, we're only scratching the surface with the highlights. The rest of the updates this month are all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 11PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted for the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or, for emergencies, by calling us at 303-414-6910 x2.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Hypervisors in DR scenarios may be updated up to one hour early, as they are not running active workloads.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.