Akamai’s Perspective on December’s Patch Tuesday 2022
Microsoft’s Patch Tuesday for December 2022 has been released, and we at Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. It seems Christmas came early this year, as December’s update is much leaner than previous months’, so maybe we can panic a little bit less before the holidays, at least until the next Log4Shell successor shows up (we have a nice contender already, so please patch, folks!).
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
In this report, we’re focusing on the following areas in which bugs were patched: Windows PowerShell, the Windows Client/Server Run-Time Subsystem (CSRSS), and Microsoft Office, followed by a summary of CVEs in services we have covered previously.
For each affected service that we cover in this report, we try to offer recommendations for monitoring and mitigation when patching isn’t possible. Of course, no mitigation is as good as actual patching, so make sure to patch your systems whenever possible and keep them up-to-date.
Windows PowerShell
Windows PowerShell is a useful tool for system administration, management, and automation, and it ships by default with most versions of Windows. This month, one critical CVE was patched in it, CVE-2022-41076, with a CVSS score of 8.5. The bug is actually in PowerShell Remoting, the feature that lets PowerShell run commands on remote machines over the WinRM protocol. Remoting is not enabled by default on Windows client editions (Windows Server 2012 and later do enable it by default), and a machine has to have PSRemoting enabled before such access or communication can take place. A successful exploitation allows an authenticated attacker to escape the session configuration that constrains their remoting session and run unapproved commands.
Scope
Since PowerShell Remoting traffic is carried over WinRM, we can assess the scope of its usage by looking for WinRM connections. Of the environments we monitor, 77% had at least one machine with WinRM enabled, and within those networks an average of 27% of monitored machines were accepting WinRM connections. Some networks had no WinRM at all, and a few had WinRM enabled on more than 95% of their machines.
General recommendations
The first and foremost recommendation is always to patch all systems. In case you can’t patch immediately, we can rely on some aspects of PowerShell Remote to mitigate some of the risks:
PowerShell Remoting and WinRM aren’t enabled by default on Windows client editions (Windows Server 2012 and later do enable them by default), so only machines that have them enabled are at risk. You can check whether WinRM is enabled by seeing if the WinRM service is running, or by running the PowerShell command Test-WSMan. If you have network visibility, you can also look for traffic to TCP ports 5985 (HTTP) and 5986 (HTTPS), the default WinRM ports.
For machines with WinRM enabled, you can use microsegmentation to limit access on those ports to only the sources that need it (e.g., IT personnel or management services). To determine who or what should be allowed access, we recommend using a network visibility tool or a network sniffer to see the existing communication patterns.
If you find machines with WinRM enabled that aren’t receiving any connections, or you believe WinRM does not need to be enabled on them, you can disable it.
By using visibility, segmentation, and disabling unnecessary usage of the service, you can greatly reduce the impact of the CVE, until you can find the time to patch the system.
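The steps above (check whether WinRM is on, see who connects, restrict or disable), carried out on a single host as an added example that is not part of the original post. It is meant to be run in an elevated PowerShell 5.1 or later session on Windows 8/Server 2012 or newer, where the NetTCPIP and NetSecurity cmdlets are available. The management addresses in $AllowedManagementHosts are placeholders to replace with your own jump hosts, and step 4a modifies the built-in WinRM firewall rules, so review it before running it.

```powershell
# Added example (not from the original post): triage WinRM / PowerShell Remoting
# exposure on one host. Requires an elevated session on Windows 8 / Server 2012+.
$AllowedManagementHosts = @('10.0.10.5', '10.0.10.6')   # placeholder jump-host addresses (assumption)
$WinRmPorts = 5985, 5986                                # default WinRM HTTP / HTTPS ports

# 1. Is WinRM on at all? Service state, configured WS-Man listeners, and a self-test.
$svc = Get-Service -Name WinRM
Write-Host "WinRM service: $($svc.Status) (startup type: $($svc.StartType))"
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $props     = Get-ChildItem -Path $l.PSPath
    $transport = ($props | Where-Object Name -eq 'Transport').Value
    $port      = ($props | Where-Object Name -eq 'Port').Value
    Write-Host "Listener: $transport on TCP $port"
}
try   { $null = Test-WSMan -ErrorAction Stop; $winrmUp = $true }
catch { $winrmUp = $false }
Write-Host "Test-WSMan: $(if ($winrmUp) { 'responding' } else { 'not responding' })"

# 2. Which remoting endpoints exist and who may connect to them? CVE-2022-41076 lets an
#    authenticated user escape a constrained session configuration, so constrained
#    (for example JEA) endpoints and the principals allowed on them are worth reviewing.
Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
    Select-Object Name, PSVersion, Permission |
    Format-Table -AutoSize -Wrap

# 3. Who is talking to this host on the WinRM ports right now? This is the host-local
#    view of the communication patterns a network sensor would show, and it is the
#    basis for the allow-list applied in step 4a.
$conns = Get-NetTCPConnection -LocalPort $WinRmPorts -State Established -ErrorAction SilentlyContinue
$conns | Group-Object RemoteAddress |
    Select-Object @{ n = 'RemoteAddress'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 4a. Restrict: scope the built-in inbound WinRM rules (display group
#     "Windows Remote Management", the HTTP-In rules for TCP 5985) to the management hosts.
#     A custom HTTPS (5986) rule, if you created one, needs the same treatment.
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $r | Set-NetFirewallRule -RemoteAddress $AllowedManagementHosts
    Write-Host "Scoped firewall rule '$($r.DisplayName)' to $($AllowedManagementHosts -join ', ')"
}

# 4b. Or disable: if nothing legitimate connects and the host does not need remoting,
#     turn it off entirely (printed as a suggestion rather than executed blindly).
if ($winrmUp -and -not $conns) {
    Write-Host 'No established WinRM sessions. If remoting is not needed here, run:'
    Write-Host '  Disable-PSRemoting -Force; Stop-Service WinRM; Set-Service WinRM -StartupType Disabled'
}
```

Step 3 is a point-in-time snapshot; run it a few times across a working day (or feed the same ports into your network visibility tool) before committing to the allow-list in step 4a, otherwise you risk cutting off a backup or monitoring service that only connects at night.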
Windows Client/Server Run-Time Subsystem
Windows Client/Server Run-Time Subsystem (CSRSS) is a system process that is responsible for a variety of functions on a Windows computer. These include creating and deleting processes and threads, and providing support for console applications.
The csrss.exe process is so essential that it starts on every Windows machine as the system boots, and cannot be terminated. A termination of this process would cause the dreaded Blue Screen of Death (system crash).
This month, one Elevation of Privilege CVE is patched in CSRSS, CVE-2022-44673, with a CVSS score of 7 and marked as Important. According to Microsoft’s report, an attacker who successfully exploits this vulnerability can gain SYSTEM privileges.
Although the attack complexity is marked as “high,” Microsoft also assesses the bug as “Exploitation More Likely” in their report, and since CSRSS runs on every Windows machine, we highly recommend patching.
Microsoft Office
It can’t be Christmas without some gifts, and the Microsoft Office CVEs are in a giving mood this month. There are 10 vulnerabilities, all with a CVSS score of 7.8, with Important severity. They are spread across three products/components: Visio, OneNote, and Microsoft Office Graphics.
The attack vector
Although all of these CVEs are labeled remote code execution, they are in fact arbitrary code execution (ACE) vulnerabilities: the attacker cannot trigger them remotely on their own, but has to get a user to do so through social engineering. A successful exploit requires tricking the victim into downloading a specially crafted file and opening it in the vulnerable application.
Keeping end users vigilant against social engineering attempts can help reduce the risk of a successful exploit. Make sure end users understand not to fall for Christmas scams, or you may come back from the holidays to some proverbial coal in your network. Also, since those applications usually don’t reside on servers, it might be easier to actually patch the user endpoints, as user downtime is usually less costly than server downtime.
CVEs
| CVE Number | Component |
|---|---|
| | Microsoft Office Graphics |
| | Microsoft Office Visio |
| | Microsoft Office OneNote |
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we already covered in the past, and we don’t have anything new to say about mitigating them. If you’re interested in our analysis of or general recommendations for those services, we encourage you to look at our previous posts.
| Service | CVE Number | Effect | Required Access |
|---|---|---|---|
| | | Remote code execution | Authenticated with Manage List permissions |
| | | Remote code execution | Network |
| | | Remote code execution | Authenticated connection over WCF TCP |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change.