Security Patches for 6 Actively Exploited Zero Days

It's important that organizations deploy last week's "Patch Tuesday" patches as soon as possible. These patches fix several critical, high, and important severity vulnerabilities, but more importantly, they address six vulnerabilities that are known to be under active exploitation by threat actors "in the wild".

Security Advisory Notice
Security Patches for 6 Actively Exploited 0-Days


Affected Software / System

This advisory specifically applies to the following:

  • Microsoft Exchange Servers – Server 2013, 2016, and 2019
  • All other Microsoft products ranging from Windows 7 for 32-bit Systems to Windows 11 and Windows Server 2022


CVE (if applicable)

  • CVE-2022-41040 (Server-Side Request Forgery (SSRF) vulnerability)
  • CVE-2022-41082 (allows remote code execution (RCE) when PowerShell is accessible to the attacker)


Type

Remote Code Execution, Elevation of Privilege, and Feature Bypass Vulnerabilities.


Exploit Status: 

Weaponization and exploitation are being reported, and widespread exploitation against unpatched servers and devices is expected to continue.


Rating

Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)

CVE-2022-41040, CVE-2022-41082

  • CVSS 3.x Score: 8 High
  • Microsoft Max Severity: Critical

Windows Scripting Languages Remote Code Execution Vulnerability

CVE-2022-41128

  • CVSS 3.x Score: 8 High
  • Microsoft Max Severity: Critical

Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

CVE-2022-41125

  • CVSS 3.x Score: 8 High
  • Microsoft Max Severity: Important

Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2022-41073

  • CVSS 3.x Score: 8 High
  • Microsoft Max Severity: Important

Windows Mark of the Web (MotW) Security Feature Bypass Vulnerability

CVE-2022-41091

  • CVSS 3.x Score: 4 Medium
  • Microsoft Max Severity: Important


Vulnerability Summary

Microsoft’s Patch Tuesday updates address 12 vulnerabilities rated by Microsoft as critical, two vulnerabilities rated by Microsoft as High severity, and 55 vulnerabilities rated by Microsoft as important. Six of the patched vulnerabilities are previously disclosed zero-days that are known to be under active exploitation in the wild. These are the vulnerabilities that the Ingalls SOC recommends patching ASAP:

  • Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)

The ProxyNotShell vulnerabilities (CVE-2022-41040, CVE-2022-41082) consist of an Elevation of Privilege vulnerability and a Remote Code Execution vulnerability that together allow authenticated attackers to achieve remote code execution via PowerShell.

Please Note: Microsoft Exchange is not patched by the Windows Update process. In order to update/patch Exchange Servers, please consult the Microsoft Exchange blog.

  • Windows Scripting Languages Remote Code Execution Vulnerability

CVE-2022-41128 is an RCE vulnerability in the JScript9 scripting language engine that allows a threat actor to execute arbitrary code with the user’s level of privileges if the user visits a specially crafted website or server share.

  • Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

CVE-2022-41125 is an Elevation of Privilege vulnerability that allows attackers to gain SYSTEM privileges. This vulnerability can be used to disable security or antivirus tools, execute credential harvesting software such as Mimikatz, and enable attackers to move laterally.

  • Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2022-41073 is a Windows Print Spooler Elevation of Privilege vulnerability that could enable an attacker to gain SYSTEM privileges. Most versions of Windows and Windows Server are affected by this actively exploited issue, and, like CVE-2022-41125, it can be used to disable security or antivirus tools, execute credential harvesting software such as Mimikatz, and enable attackers to move laterally.

  • Windows Mark of the Web (MotW) Security Feature Bypass Vulnerability

CVE-2022-41091 is a Mark of the Web security feature bypass vulnerability. Microsoft warns that an attacker could host a malicious website, send a maliciously crafted email or instant message, or add malicious content to a compromised website that hosts user-provided content. The exploit has been demonstrated using a malicious ZIP file.
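As an added defender-side check (example code, not part of the advisory): Windows records the Mark of the Web in a file's Zone.Identifier alternate data stream, and it is that stream (ZoneId=3 for Internet) that makes SmartScreen and Office Protected View treat a file as untrusted. The script below audits a folder and lists files that carry no MotW or a zone below Internet, so that downloaded files, or files extracted from a downloaded archive, that unexpectedly lack the mark can be reviewed. The `$Path` default and the output format are assumptions; it runs in Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the advisory: audit a folder for files missing the Mark of the Web.
param(
    # Assumption: folder to audit; defaults to the current user's Downloads directory.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwStatus {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    # Get-Item -Stream returns $null (no terminating error) when the stream is absent.
    $stream = Get-Item -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $File.FullName; HasMotW = $false; ZoneId = $null }
    }

    # The stream is an INI-style text block: [ZoneTransfer] / ZoneId=3 / optional ReferrerUrl, HostUrl.
    $zoneId = $null
    foreach ($line in Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier') {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }
    return [pscustomobject]@{ File = $File.FullName; HasMotW = $true; ZoneId = $zoneId }
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse |
    ForEach-Object { Get-MotwStatus -File $_ }

# Flag files with no MotW stream, a stream without a ZoneId, or a zone below 3 (Internet),
# since none of those will trigger the SmartScreen / Protected View prompts.
$results |
    Where-Object { -not $_.HasMotW -or $null -eq $_.ZoneId -or $_.ZoneId -lt 3 } |
    Sort-Object File |
    Format-Table File, HasMotW, ZoneId -AutoSize
```

A file that legitimately originated on the local machine will also show HasMotW=False, so the list is a starting point for review rather than a verdict.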

Impact

The impact of these vulnerabilities has already been observed “in the wild” by security researchers and Microsoft. Once a targeted system is compromised through one of these vulnerabilities, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.


Mitigations

Update all Microsoft Exchange servers ASAP. Updates for the Exchange CVEs can be found here: CVE-2022-41040 and CVE-2022-41082.

Update any additional Microsoft products to their latest versions. Updates for the other four zero-days can be found here: CVE-2022-41128, CVE-2022-41125, CVE-2022-41073, and CVE-2022-41091.


Ingalls MDR Clients Protections:

The Ingalls CTI team is actively hunting for the known indicators of compromise associated with the CVEs listed above and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or require additional threat hunting and analysis.

Ingalls Recommends the Following Actions:

Implement the above mitigation actions on every Microsoft Exchange Server in your environment. Promptly install updates from Microsoft to all devices in your environment to ensure patching is completed.


Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact dennis.zanoni@iinfosec.com for more information.
