Microsoft has released patches for 96 different vulnerabilities in its monthly Patch Tuesday, but has still failed to address the zero-days dubbed ‘ProxyNotShell’, leaving Exchange Servers at potential risk as the company searches for a solution.
Discovered last month, the pair of zero-day vulnerabilities that comprise ProxyNotShell consists of a server-side request forgery (SSRF) flaw and a remote code execution (RCE) bug that affects Microsoft Exchange versions 2013, 2016, and 2019.
There is evidence threat actors have already used the pair to install the China Chopper web shell on Exchange servers in the wild and Microsoft's attempts to mitigate the attacks have been shrouded in confusion.
Exchange Server customers are still waiting for a full patch to fix the widely discussed exploit, beyond manual mitigations already supplied publicly. Experts told IT Pro that customers may begin to question why a patch has taken so long for such a ubiquitous product.
“With products as complex as Microsoft Exchange, one can empathise with how long it is taking to develop - but that is the cost of doing business and when so many organisations rely on your products for their day-to-day operations, security patches in particular need to be prioritised so that customers are not left vulnerable," said Javvad Malik, lead security awareness advocate at KnowBe4.
Microsoft may also be pursuing fixes for an additional zero-day vulnerability that has supposedly led to a wave of recent LockBit ransomware attacks on Exchange Server customers.
Discovered by cyber security researchers at South Korean firm AhnLab, the company's report indicated that attacks have been observed using web shells to perform privilege escalation and exfiltrate terabytes of data.
Other security researchers have expressed doubt over the lack of evidence used to reinforce claims in the AhnLab report, which is at the time of writing returning a 404 error indicating that it may have been taken down by the researchers following criticism.
“There's a lot going on in this report about LockBit ransomware, and I'm not convinced it's a zero-day (there's no evidence in report), but one to keep an eye on," said researcher Kevin Beaumont in a tweet.
Microsoft has not yet publicly confirmed the vulnerability highlighted in the AhnLab report to be a legitimate zero-day.
Patch Tuesday brings critical fixes
In total, Microsoft patched 96 vulnerabilities this week, notably including two zero-day vulnerabilities. Tracked as CVE-2022-41033 and CVE-2022-41043, these vulnerabilities pertain to the Windows COM+ Event System Service and Microsoft Office respectively.
Of the two, only CVE-2022-41043 has been actively exploited in the wild, which if successfully executed, can expose “user tokens and other potentially sensitive information” to threat actors. Despite no active exploitation being observed, experts have said that CVE-2022-41033 "should be at the top of everyone's list to quickly patch".
"This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit," said Kev Breen, director of cyber threat research at Immersive Labs to IT Pro.
"Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimkatz and move laterally across the network."
Additionally, 13 critical vulnerabilities have been fixed in the patch. This includes CVE-2022-37968, carrying the highest possible value on the CVSSv3.1 severity scale with a score of 10, which could be used to wrest administrative control over Azure Arc-enabled Kubernetes clusters.
"CVE-2022-37968, [a] connect elevation of privilege vulnerability, has a rare CVSS score of 10, said Mike Walters, VP of vulnerability and threat research at Action1.
"Successful exploitation of this vulnerability allows an unauthenticated user to elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster. If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11, and they are available from the internet, upgrade immediately."
Cyber security in manufacturing
The increasing cost of cyber crime means manufacturers need to adapt
Additionally, the patch covers a critical flaw in SharePoint servers that allowed for RCE (CVE-2022-41038), one in Windows CryptoAPI (CVE-2022-34689) that opened the possibility for identity spoofing and code signing, and seven critical vulnerabilities in the Windows point-to-point tunnelling protocol used for public virtual private network (VPN) tunnels.
The remaining 72 patches, one ranked as ‘moderate’ and the rest as ‘important’, cover a range of flaws including those found in Chromium Open Source, which powers Microsoft Edge, as well as elevation privilege vulnerabilities in Windows Kernel, a number of information disclosure vulnerabilities, and several denial of service vulnerabilities across several services.
All patches for the vulnerabilities in this October's Patch Tuesday updates are available to download through Microsoft's Update Catalog.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at email@example.com or on LinkedIn.