Akamai’s Perspective on November’s Patch Tuesday
Microsoft’s Patch Tuesday for November 2022 has been released, and we at Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. In this report, we’ll try to assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide our own perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
In this report, we’re focusing on the following areas in which bugs were patched:
- Windows Scripting Languages (JScript9 and Chakra)
- Windows Kerberos
- Netlogon RPC
For each affected service that we cover in this report, we try to offer recommendations for monitoring and mitigation when patching isn’t possible. Of course, no mitigation is as good as actual patching, so make sure to patch your systems whenever possible and keep them up-to-date.
Warning: Some users have reported connectivity issues to Domain Controllers after applying November’s patch. We think it might be related to the fix for CVE-2022-37966, which changes the default encryption values (more on that below). It might also be related to other patches in Kerberos and Netlogon.
Windows Scripting Languages
Windows Scripting Languages can refer to multiple implementations of scripting languages inside Windows, such as VBScript, JScript, or others. In this release, Microsoft patched two scripting engines, JScript and Chakra.
JScript is Microsoft’s implementation of ECMAScript (the same standard that’s behind JavaScript) and is used by Internet Explorer. Chakra is also a JavaScript engine, forked from JScript, and is used by Microsoft Edge Legacy (newer versions of Edge are based on Chromium). Both are implemented as DLLs, conveniently named jscript9.dll and chakra.dll.
This update fixes two critical remote code execution vulnerabilities that impact these scripting engines.
The first one, CVE-2022-41128, impacts the JScript9 scripting language with a CVSS score of 8.8 and is labeled as Critical. Not only is its attack complexity low, but it has also been exploited in the wild. For a successful exploitation of the vulnerability, an attacker would have to host a specially crafted server share or website. Then, the attacker would have to convince a user with an affected version of Windows to access their specially crafted server.
The second vulnerability is CVE-2022-41118, which impacts both JScript9 and Chakra, with a CVSS score of 7.5 and also labeled as Critical. This time the attack complexity is high, because exploitation requires the attacker to win a race condition. The attack flow and the required user interaction remain similar to CVE-2022-41128.
General recommendations
The JScript and Chakra engines were developed for Internet Explorer and Edge Legacy. There are more modern web browsers (as well as a Chromium-based Edge), and we recommend using one of them instead. Even so, it is important to note that these engines can be used by other software as well, and therefore a patch would be the only way to protect your machine from these vulnerabilities.
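Because software other than the two browsers can load these engines, a quick way to see what on a host actually depends on them is to enumerate running processes that have jscript9.dll or chakra.dll loaded and to record the on-disk file versions for comparison with the KB file information. The script below is an added example, not code from the Akamai post; the two DLL names come from the post, and everything else (function name, output columns) is our own construction. Module enumeration requires sufficient rights, so run it from an elevated PowerShell session.

```powershell
# Added example (not from the Akamai post): find processes that have the JScript9
# or Chakra engine DLLs loaded, and report the installed file versions of those DLLs.
$EngineDlls = @('jscript9.dll', 'chakra.dll')   # DLL names taken from the post

function Get-ScriptEngineConsumers {
    param([string[]]$DllNames = $EngineDlls)

    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules
        } catch {
            # Protected or higher-privileged processes refuse module enumeration;
            # say so instead of silently skipping them.
            Write-Warning ("Could not enumerate modules of {0} (PID {1})" -f $proc.ProcessName, $proc.Id)
            continue
        }
        foreach ($m in $modules) {
            if ($DllNames -contains $m.ModuleName.ToLower()) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    Pid         = $proc.Id
                    Engine      = $m.ModuleName
                    Version     = $m.FileVersionInfo.FileVersion
                    Path        = $m.FileName
                }
            }
        }
    }
}

function Get-ScriptEngineFileVersions {
    param([string[]]$DllNames = $EngineDlls)
    # Both the 64-bit and the 32-bit copies matter; 32-bit hosts load from SysWOW64.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        foreach ($dll in $DllNames) {
            $path = Join-Path $dir $dll
            if (Test-Path $path) {
                [pscustomobject]@{
                    Path    = $path
                    Version = (Get-Item $path).VersionInfo.FileVersion
                }
            }
        }
    }
}

Get-ScriptEngineFileVersions | Format-Table -AutoSize
Get-ScriptEngineConsumers | Sort-Object Engine, ProcessName | Format-Table -AutoSize
```

Compare the reported file versions against the file information in Microsoft’s KB for the update; a host that shows an older version still has the unpatched engines, regardless of which browser its users prefer.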
CVEs
CVE Number | Effect | Required Access
CVE-2022-41128 | Remote code execution | Network
CVE-2022-41118 | Remote code execution | Network
Windows Kerberos
Kerberos stands as the backbone of the Windows domain architecture. It is the default authentication mechanism, having replaced NTLM. Two vulnerabilities were fixed this time; both can be used for elevation of privilege and have CVSS scores of 8.1 and 7.2, respectively.
Apart from patching, system administrators should read both KBs (KB5020805, KB5021131) that were released by Microsoft for specific changes needed in the registry.
The impact
An attacker who successfully exploited this vulnerability could gain administrator privileges.
Where is the vulnerability?
CVE-2022-37966
Before this patch, the default encryption in Kerberos negotiation used to be RC4-MD5. RC4 is a stream cipher encryption, meaning the ciphertext is created by XORing the plaintext with a cipher stream. It is considered weak because it can be easily cracked offline with tools like John the Ripper. The vulnerability lies in this default configuration.
When an attacker negotiates with Active Directory, they can send a specially crafted request that will use the default encryption type of Kerberos. After a successful request, the attacker could take the Kerberos session key and crack it offline to elevate privileges.
The default configuration for Kerberos negotiation will be fixed through the registry key ms-DS-SupportedEncryptionType, which will be set to AES encryption (0x27) by default.
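The supported-encryption-type setting is a bitmask, so a value such as 0x27 is only meaningful once decoded. The script below is an added example (not code from the Akamai post) that decodes the msDS-SupportedEncryptionTypes bitmask and flags accounts that advertise only RC4 or DES. The bit assignments follow MS-KILE section 2.2.7 and are our addition; the 0x27 value is the one named in the post. The sample records are constructed; the commented-out Get-ADObject line shows how to substitute real directory objects (it requires the ActiveDirectory module).

```powershell
# Added example (not from the Akamai post): decode the Kerberos supported
# encryption type bitmask and flag accounts that cannot negotiate any AES type.
# Bit values per MS-KILE 2.2.7 (our addition; not listed in the post).
$EncTypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'   # AES session-key flag added with this patch cycle
}

function ConvertFrom-KerberosEncTypes {
    param([Nullable[int]]$Value)
    if ($null -eq $Value) { return @('(not set: domain default applies)') }
    $names = foreach ($bit in $EncTypeBits.Keys) {
        if ($Value -band $bit) { $EncTypeBits[$bit] }
    }
    if (-not $names) { $names = @('(none)') }
    return $names
}

function Test-WeakEncTypes {
    param([Nullable[int]]$Value)
    # Weak if the account advertises RC4/DES but no AES type at all.
    $aesMask = 0x08 -bor 0x10 -bor 0x20
    return ($null -ne $Value) -and (($Value -band $aesMask) -eq 0) -and (($Value -band 0x07) -ne 0)
}

# Constructed sample records standing in for directory objects.
$samples = @(
    [pscustomobject]@{ Name = 'svc-legacy'; EncTypes = 0x04 }    # RC4 only: flagged
    [pscustomobject]@{ Name = 'svc-modern'; EncTypes = 0x18 }    # AES128 + AES256
    [pscustomobject]@{ Name = 'dc-default'; EncTypes = 0x27 }    # post-patch default named in the post
    [pscustomobject]@{ Name = 'svc-unset';  EncTypes = $null }
)

# To audit a real domain, replace $samples with (ActiveDirectory module required):
#   $samples = Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' `
#                -Properties msDS-SupportedEncryptionTypes |
#              Select-Object Name, @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } }

$samples | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        Raw      = if ($null -ne $_.EncTypes) { '0x{0:X2}' -f $_.EncTypes } else { '' }
        EncTypes = (ConvertFrom-KerberosEncTypes $_.EncTypes) -join ', '
        Weak     = Test-WeakEncTypes $_.EncTypes
    }
} | Format-Table -AutoSize
```

Decoding 0x27 yields DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC and the AES256 session-key flag, which is why the post describes it as moving the default to AES: the session key can now be AES even where the account still lists RC4. Accounts flagged as Weak are the ones whose service tickets remain crackable offline in the way the post describes.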
CVE-2022-37967
This vulnerability lies in the Privilege Attribute Certificate (PAC) extension in Kerberos. Essentially, PAC is an information “container” for various fields — UserId, GroupsIDs, AccountDomainId, and more. PAC information is added to Kerberos tickets by a domain controller.
From looking at the KB Microsoft released for the CVE, we believe that the vulnerability can be exploited to bypass the validation of the PAC signature that is being sent to the server. This means that PAC structures that are sent with invalid or missing signatures could bypass the validation process and result in privilege escalation.
This patch is the first step of a phased release for CVE-2022-37967. It includes a fix for the vulnerability, but the fix is disabled by default. The next phases are planned between December 13, 2022, and October 10, 2023, and will enable auditing and partial enforcement, respectively.
For CVE-2022-37967, the patch will add the value 2 to the registry key KrbtgtFullPacSignature. This value enables auditing of PACs in the system, and system administrators can use it to track abnormalities.
The key KrbtgtFullPacSignature will have an option to enforce or deny bad or missing PAC signatures to handle this vulnerability.
Scope
Kerberos is part of every Windows domain architecture.
CVEs
CVE Number | Effect | Required Access
CVE-2022-37966 | Elevation of privilege | Network
CVE-2022-37967 | Elevation of privilege | Network
Netlogon RPC
The Netlogon Remote Protocol is the protocol used for user and machine authentication in Windows domain environments. It is also used for synchronization between domain controllers. As such, it is quite prominent in Windows domain networks, which is why CVE-2022-38023 could impact most environments.
The impact
An attacker could gain administrative privileges in the domain by abusing this vulnerability.
Where is the vulnerability?
Based on the KB Microsoft released for the CVE, it seems that the CVE is relevant when Netlogon connections happen with RPC Signing, and not RPC Sealing. In RPC Signing, RPC messages are only signed by the sender, and the receiver matches the message content to the signature to verify integrity. RPC Sealing, on the other hand, encrypts the whole message.
Based on the mentioned relevant event logs (event IDs 5838–5841 in the System event log), we believe that the vulnerability may be with incorrect handling or verification of the signature, specifically when dealing with RC4-HMAC encryption.
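The event IDs above are the practical handle defenders have on this issue before enforcement: they identify the clients that still connect with RPC Signing. The script below is an added example, not code from the Akamai post; the event IDs and the System log come from the post, while the function name, the default look-back window and the summary format are ours.

```powershell
# Added example (not from the Akamai post): collect the Netlogon events the post
# names (System log, IDs 5838-5841) from a domain controller and summarise them,
# so RPC-Signing-only clients can be identified and fixed before enforcement.
function Get-NetlogonSigningEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # run against each DC in turn
        [int]$Days = 7                                 # look-back window (our choice)
    )
    $filter = @{
        LogName   = 'System'
        Id        = 5838, 5839, 5840, 5841             # IDs taken from the post
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
}

$events = @(Get-NetlogonSigningEvents)

# Count per event ID: a rising count for the same ID means the same clients keep reconnecting.
$events | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Most recent message for each ID; the message text carries the client and account names.
$events | Sort-Object TimeCreated -Descending | Group-Object Id |
    ForEach-Object { $_.Group[0] | Select-Object Id, TimeCreated, Message } |
    Format-List
```

Run it against every domain controller, since each DC logs only the connections it served; an empty result across all DCs over a representative period is the evidence you want before moving RequireSeal past compatibility mode.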
General recommendations
This patch is the first step of a phased release. It fixes the CVE, and also introduces a new registry key RequireSeal, which will be used to enforce RPC Sealing. As part of being the first step, the registry key is set by default to compatibility mode, but can be disabled by a domain admin. Compatibility mode will make domain controllers allow vulnerable connections from third-party clients, but will enforce RPC Sealing on Windows machines and domain controllers.
The next phases, planned for April 11 and July 11 in 2023, will remove the option to disable the enforcement, and then the compatibility mode, respectively.
We recommend that domain administrators do not disable the new enforcement after patching, and instead work on upgrading clients that use RPC Signing. If you can’t resolve those issues promptly and must allow RPC Signing, we recommend you at least disable the weaker MD5 signing using the pre-existing registry key RejectMD5Clients.
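Both phased releases above (the KrbtgtFullPacSignature key for CVE-2022-37967 and the RequireSeal and RejectMD5Clients keys for CVE-2022-38023) leave a domain controller in a state that is easy to misread, so it helps to read the values and print what each one means. The script below is an added example, not code from the Akamai post. The value names come from the post; the registry paths and the meanings of the individual values are not on this page and are taken from Microsoft’s KBs (KB5020805 for the Kerberos key), so confirm them against the KBs before relying on the output.

```powershell
# Added example (not from the Akamai post): report the phased-enforcement
# registry values for CVE-2022-37967 and CVE-2022-38023 on a domain controller.
# Registry paths and value meanings come from Microsoft's KBs, not from the post;
# verify them against the KBs for your build.
$Checks = @(
    @{
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
        Name    = 'KrbtgtFullPacSignature'
        Meaning = @{ 0 = 'Disabled'
                     1 = 'New PAC signatures added, not validated'
                     2 = 'Audit mode (the post: patch sets this value)'
                     3 = 'Enforcement: missing or invalid PAC signatures rejected' }
        Absent  = 'not set (patch default applies)'
        Review  = { param($v) $v -lt 2 }      # below audit mode: nothing is being logged
    }
    @{
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name    = 'RequireSeal'
        Meaning = @{ 0 = 'Disabled: RPC Signing accepted from all clients'
                     1 = 'Compatibility mode (default): third-party clients may still use RPC Signing'
                     2 = 'Enforcement: RPC Sealing required' }
        Absent  = 'not set (compatibility mode applies)'
        Review  = { param($v) $v -eq 0 }      # the post recommends never disabling enforcement
    }
    @{
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name    = 'RejectMD5Clients'
        Meaning = @{ 0 = 'Weaker MD5 signing still accepted'
                     1 = 'MD5-signing clients rejected' }
        Absent  = 'not set (MD5 signing accepted)'
        Review  = { param($v) $v -ne 1 }      # the post's fallback if RPC Signing must stay
    }
)

function Get-DomainHardeningState {
    foreach ($c in $Checks) {
        # Get-ItemProperty returns nothing (no error) when the value is absent.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $meaning = if ($null -eq $value) { $c.Absent }
                   elseif ($c.Meaning.ContainsKey([int]$value)) { $c.Meaning[[int]$value] }
                   else { 'unknown value; check the KB' }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $value
            Meaning = $meaning
            Review  = if ($null -eq $value) { $false } else { & $c.Review ([int]$value) }
        }
    }
}

Get-DomainHardeningState | Format-Table -AutoSize
```

A Review flag of True marks a setting that is weaker than the post’s recommendation: PAC signature handling below audit mode, RequireSeal disabled, or MD5 signing still accepted.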
CVEs
CVE Number | Effect | Required Access
CVE-2022-38023 | Elevation of privilege | Network
Previously covered services
There are many other CVEs covered in this month’s Patch Tuesday, and we won’t be able to cover them all. Some of those CVEs are for services and features that we already covered in past Patch Tuesday analyses. If you’re interested in our analysis of or general recommendations regarding those services, we encourage you to look at our previous posts.
Service | CVE Number | Effect | Required Access
 | | Remote code execution | Authenticated as Site Member
 | | Spoofing | Authenticated with page creation permissions
 | | Remote code execution | Network
 | | Denial of service | Network
 | | Remote code execution | User accessing malicious server
 | | Information disclosure | Authenticated with admin credentials
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change.