Akamai’s Perspective on October’s Patch Tuesday 2022
Microsoft’s Patch Tuesday for October 2022 has been released, and we at Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. In this report, we’ll try to assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide our own perspective on the bugs that were fixed. Be on the lookout for these insights on the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
In this report, we’re focusing on the following areas in which bugs were patched: Azure Arc-enabled Kubernetes Cluster Connect, Microsoft CryptoAPI, Windows Point-to-Point Tunneling Protocol, Microsoft Office, and Active Directory Certificate Services.
In a separate blog post, we also covered two vulnerabilities that were discovered by our team and patched this month. The two vulnerabilities — one in the Server service and the other in the Workstation service — are related to MS-RPC security callback caching, a mechanism we explain in detail in that post. The vulnerabilities were found as part of our team’s ongoing research into MS-RPC. If you would like to learn more about those specific vulnerabilities, including tools for automation and other knowledge-sharing materials, you can visit our new MS-RPC GitHub repository, which was launched earlier this week.
For each affected service that we cover in this report, we try to offer recommendations for monitoring and mitigation when patching isn’t possible, either by quoting Microsoft’s recommendations or by offering workarounds from our own experience. Of course, no mitigation is as good as actual patching, so make sure to patch your systems whenever possible and keep them up-to-date.
Azure Arc-Enabled Kubernetes Cluster Connect
Azure Arc allows customers to connect on-premises infrastructure to Azure for ease of management. This way, customers can manage all their environments — virtual machines, Kubernetes clusters, databases, servers, and more — using one resource manager, the Azure Resource Manager. Azure Arc-enabled Kubernetes allows the user to attach and configure Kubernetes regardless of where they are running, whether it is on a cloud environment or on-premises environment, and presents them in Azure Resource Manager.
This month there was one critical Elevation of Privilege vulnerability with a CVSS score of 10 in the Azure Arc-enabled Kubernetes Cluster Connect feature. Cluster Connect is the feature that enables the customer to easily connect their Kubernetes cluster to their Azure Arc services by running a reverse proxy agent on the cluster. It also allows users to connect to the apiserver of their cluster without enabling any inbound ports on their firewall. We believe this is one of the factors that gave this CVE its maximal score, since anyone can access it from the internet.
According to Microsoft, in order to exploit this vulnerability, an attacker has to know the randomly generated external DNS endpoint for the cluster and must have internet access. In case of successful exploitation, the Cluster Connect feature will allow an unauthenticated user to elevate their privileges as cluster admins, which can potentially grant them control over the Kubernetes cluster. Azure Stack Edge is also vulnerable to this CVE when it is connected to a vulnerable Azure Arc since it allows customers to deploy Kubernetes workloads on their devices via Azure Arc.
General recommendations
Since the Azure Arc-enabled Kubernetes Cluster Connect feature communicates over TCP port 443, segmentation of this port is not trivial. However, the good news is that if you’re using Azure Arc, its auto-upgrade is enabled by default so you should be protected. If you are not sure whether you are protected, you can check here to see if your automatic upgrade is enabled. If it isn’t, use this manual to upgrade your agent.
CVEs
CVE Number | Effect | Required Access
--- | --- | ---
 | Elevation of privilege | Internet access to the vulnerable cluster. No user authentication required.
Microsoft CryptoAPI
Microsoft CryptoAPI is Microsoft's proprietary way for handling secure connections and code signing verification. One of CryptoAPI’s most significant roles is certificate handling.
Microsoft fixed an issue in the CryptoAPI library in the August 2022 Patch Tuesday. The issue was reported by the U.K. National Cyber Security Centre and the U.S. National Security Agency, and the advisory was published in October.
We believe the most relevant change happened in crypt32.dll, where the function CreateChainContextFromPathGraph changed. We assume the vulnerability is related to these changes.
CreateChainContextFromPathGraph is called by CertGetCertificateChain, a well-documented API that is executed each time a secure connection is made in order to build a certificate chain context. We currently suspect that the vulnerability lies in a missing check inside the function.
If successful, an attacker can spoof their identity and masquerade as a legitimate peer in a secure connection. To do so, the attacker probably needs to perform a machine-in-the-middle attack. Furthermore, it is our understanding from the patch notes that the attacker doesn’t need to authenticate in order to exploit this vulnerability. An attacker could also manipulate an X.509 certificate in order to bypass code-signing protection.
General recommendations
Microsoft points out that the vulnerability can be exploited remotely and without the need for authentication. Since Microsoft CryptoAPI is widely used in Windows and is present on every Windows endpoint, it is our recommendation to install the patch. It is also worth noting that this vulnerability was patched on August’s Patch Tuesday. Therefore, machines that contain updates from August onward are protected from this vulnerability.
CVEs
CVE Number | Effect | Required Access
--- | --- | ---
 | Spoofing | Network
Windows Point-to-Point Tunneling Protocol
The Point-to-Point Protocol (PPP) is integrated in the remote access server (RAS) and provides framing and authentication capabilities for remote connections.
Seven vulnerabilities were patched in PPP this month — all of them are critical remote code execution (RCE) vulnerabilities with a CVSS score of 8.1. Last August, the same researcher – Yuki Chen – found two RCE vulnerabilities in the same protocol with a CVSS score of 9.8.
According to Microsoft’s advisories, a remote unauthenticated attacker could gain code execution on a Point-to-Point Tunneling Protocol (PPTP) server by sending a crafted malicious PPTP packet. However, the exploitation of all seven vulnerabilities is thought to be unlikely because of the complexity of the attack — it requires winning a race condition, which is nondeterministic and may require time.
How prominent is PPTP? Of all the Windows Servers we queried in our monitored environments, 40% of the servers receive connections over port 1723, which is the standard port for the PPTP. As for internet-exposed servers, Shodan reports 3.3 million servers that listen on 1723; however, nearly none of them run Windows.
Where is the bug? We suspect that the vulnerabilities lie in raspptp.sys, the driver that implements the PPTP.
General recommendations
Microsoft points out that the vulnerability can only be exploited by communicating over port 1723. So besides patching, exploitation can be prevented by segmenting RAS servers in the network and blocking connections on this port. However, it should be noted that blocking the port may disrupt regular communication.
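To scope the port 1723 block recommended above without disrupting legitimate remote-access clients, a defender first needs to know which Windows servers actually receive PPTP connections and from where. The following script is an added example (not Akamai’s own tooling) that derives that inventory from connection metadata; the flow-log format and the host inventory are constructed for illustration.

```python
"""Inventory which Windows servers accept PPTP (TCP/1723) connections, using
only connection metadata, so a block/segmentation rule can be scoped.
Added example; the log format and host inventory below are constructed."""
from collections import defaultdict

PPTP_PORT = 1723  # standard PPTP control port

# Constructed inventory: hostname -> (operating system, role)
HOSTS = {
    "ras01": ("windows", "server"),
    "fs01": ("windows", "server"),
    "dc01": ("windows", "server"),
    "edge-gw": ("linux", "server"),
}

# Constructed connection records: "src_ip src_host dst_host proto dport"
FLOWS = """\
10.0.5.21 laptop-07 ras01 tcp 1723
10.0.5.22 laptop-08 ras01 tcp 1723
10.0.9.3 mgmt01 fs01 tcp 445
203.0.113.9 unknown edge-gw tcp 1723
10.0.5.21 laptop-07 dc01 tcp 389
"""


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        src_ip, src_host, dst_host, proto, dport = line.split()
        rows.append((src_ip, src_host, dst_host, proto, int(dport)))
    return rows


def pptp_listeners(flows):
    """Map each destination host that received TCP/1723 to the set of source IPs."""
    seen = defaultdict(set)
    for src_ip, _, dst, proto, dport in flows:
        if proto == "tcp" and dport == PPTP_PORT:
            seen[dst].add(src_ip)
    return dict(seen)


def windows_pptp_share(flows, hosts):
    """Fraction of Windows servers that received at least one PPTP connection."""
    win = [h for h, (os_, role) in hosts.items() if os_ == "windows" and role == "server"]
    hit = [h for h in win if h in pptp_listeners(flows)]
    return len(hit) / len(win) if win else 0.0


def block_plan(flows, hosts):
    """For each Windows host receiving PPTP, list the sources a block on 1723 would cut off."""
    return {h: sorted(ips) for h, ips in pptp_listeners(flows).items()
            if hosts.get(h, ("", ""))[0] == "windows"}
```

The share returned by windows_pptp_share is the same measure as the 40% figure quoted above, computed over your own flow data.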
CVEs
CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-38047 | RCE | Network
CVE-2022-24504 | RCE | Network
CVE-2022-38000 | RCE | Network
CVE-2022-22035 | RCE | Network
CVE-2022-30198 | RCE | Network
CVE-2022-33634 | RCE | Network
CVE-2022-41081 | RCE | Network
Microsoft Office
Microsoft Office is a suite of client software. October’s Patch Tuesday fixed several important vulnerabilities in Office applications. Three of the vulnerabilities could lead to arbitrary code execution if successfully exploited by a malicious actor. Another vulnerability (CVE-2022-38001) is a spoofing vulnerability, which we assume leads to authentication coercion. Since Microsoft describes the issues as non-triggerable from the Preview Pane, we assume these vulnerabilities to be related to macros, as those require user interaction before they are shown/run.
General recommendations
The vulnerabilities relate to the Microsoft Office suite of applications, not to Office 365. Therefore, customers using Microsoft Office should update their machines. Since Microsoft Office’s various applications expose a large attack surface and have recurring vulnerabilities, we recommend the use of Application Guard for Office where possible. Application Guard sandboxes the process that opens attachments and therefore prevents harm to the host machine in case of successful exploitation.
CVEs
CVE Number | Effect | Required Access
--- | --- | ---
 | Arbitrary code execution | Local/Remote. The vulnerability requires user interaction (such as opening a document or allowing macros).
CVE-2022-38001 | Spoofing | 
Active Directory Certificate Services
Active Directory Domain Services (AD DS) is one of the core components of Active Directory. Servers running this role are the domain controllers of the Windows domain.
Scope analysis
There is at least one Windows Server running AD DS in every Windows domain network — the domain controller.
This month’s vulnerability is actually in the Active Directory Certificate Services (AD CS), which isn’t available by default; it requires an additional role installation. In our monitored Windows Servers in customer environments, we can see that 66% of our monitored networks have a server with the AD CS role.
AD CS is known to be abused by attackers. In the most notorious recent example, PetitPotam, it was used in the attack flow as the target of the NTLM relay (building on excellent research by SpecterOps).
General recommendations
Since AD CS servers are few and far between, it should be possible to use network segmentation to limit or have visibility into anomalous connections. Since AD CS authentication occurs over RPC, it might be hard to detect with just connection metadata (since it occurs on a random ephemeral port), which is what most segmentation solutions provide. In that case, it should still be possible to segment outgoing RPC connections from Windows servers (using the RPC endpoint mapper port 135), especially to desktop machines that shouldn’t receive RPC connections.
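The recommendation above rests on one observable: an outgoing RPC session from a Windows server starts with an endpoint mapper query on TCP/135 followed by a connection to a dynamic high port on the same destination. The script below is an added example (not Akamai’s tooling) that pairs those two connections from flow metadata and flags sessions a server initiates toward a desktop; the log format, host roles and the 5-second pairing window are constructed assumptions.

```python
"""Detect outbound RPC from Windows servers to desktops using only connection
metadata: a TCP/135 endpoint-mapper query followed shortly by a connection from
the same source to a dynamic port on the same destination.
Added example; the flow log, host roles and pairing window are constructed."""

EPM_PORT = 135          # RPC endpoint mapper
EPHEMERAL_MIN = 49152   # start of the Windows dynamic RPC port range
WINDOW_SECONDS = 5      # assumption: the mapped port is used within 5 seconds

# Constructed host roles
ROLES = {"adcs01": "server", "fs01": "server", "dc01": "server",
         "ws-017": "desktop", "ws-042": "desktop"}

# Constructed flow log: "epoch src dst proto dport"
FLOWS = """\
1000 adcs01 ws-017 tcp 135
1001 adcs01 ws-017 tcp 49667
1005 fs01 dc01 tcp 135
1006 fs01 dc01 tcp 49201
1020 ws-042 adcs01 tcp 135
1021 ws-042 adcs01 tcp 49158
1030 adcs01 ws-042 tcp 49700
"""


def parse(text):
    out = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        out.append((int(ts), src, dst, proto, int(dport)))
    return out


def rpc_sessions(flows):
    """Pair each TCP/135 query with the next dynamic-port connection to the same dst."""
    pending = {}   # (src, dst) -> timestamp of the most recent EPM query
    sessions = []
    for ts, src, dst, proto, dport in sorted(flows):
        if proto != "tcp":
            continue
        if dport == EPM_PORT:
            pending[(src, dst)] = ts
        elif dport >= EPHEMERAL_MIN and (src, dst) in pending:
            if ts - pending[(src, dst)] <= WINDOW_SECONDS:
                sessions.append((ts, src, dst, dport))
            del pending[(src, dst)]   # one EPM query maps to one session
    return sessions


def server_to_desktop_rpc(flows, roles):
    """RPC sessions initiated by a server toward a desktop, which the text says to segment or alert on."""
    return [s for s in rpc_sessions(flows)
            if roles.get(s[1]) == "server" and roles.get(s[2]) == "desktop"]
```

A lone high-port connection with no preceding 135 query (the last constructed line) is not paired, which is the limitation of metadata-only detection that the paragraph above describes.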
CVE analysis
With CVE-2022-37976, the attack isn’t necessarily directed at the AD CS servers, but rather relies on them as the only requirement. The attack is rather an authentication coercion attack on DCOM servers. According to Microsoft, a malicious DCOM client can use the vulnerability to cause a DCOM server to authenticate itself to the client using AD CS and relay that authentication to eventually reach a domain administrator token.
On the other hand, CVE-2022-37978 revolves around NTLM authentication. Since the vulnerability’s FAQ specifies that the attack requires a machine-in-the-middle (MITM) position and is related to NTLM authentication, we believe this vulnerability revolves around bypassing NTLM relay mitigations that exist on AD CS servers.
CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-37976 | An attacker can get domain admin privileges by coercing authentication with AD CS from a DCOM server and performing a cross-protocol attack | Network
CVE-2022-37978 | An attacker using a MITM attack can bypass a security feature around NTLM authentication | 
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change.