Here’s a quick update on the Microsoft patches for this month and a vulnerability which was found in Fortinet’s FortiOS SSL-VPN.
Microsoft Patch Tuesday – December 2022
Microsoft released patches for 49 vulnerabilities on the 13th of December – including 2 zero-day vulnerabilities, one of which is being actively exploited.
The most important patch is for CVE-2022-44698, a Windows SmartScreen Security Feature Bypass that allows an attacker to craft a malicious file that evades Mark of the Web (MOTW) protections. Attackers are exploiting this vulnerability by crafting malicious JavaScript files that are signed using a malformed signature. Bleeping Computer has a nice breakdown of the payload.
The 49 vulnerabilities patched this month break down as follows:
- 23 Remote Code Execution
- 19 Privilege Escalation
- 3 Denial of Service
- 3 Information Disclosure
- 2 Security Feature Bypass
- 1 Spoofing
Affected Products
This month’s patches are for the following products, features, and roles:
- .NET Framework
- Azure
- Client Server Run-time Subsystem (CSRSS)
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Windows Codecs Library
- Role: Windows Hyper-V
- SysInternals
- Windows Certificates
- Windows Contacts
- Windows DirectX
- Windows Error Reporting
- Windows Fax Compose Form
- Windows HTTP Print Provider
- Windows Kernel
- Windows PowerShell
- Windows Print Spooler Components
- Windows Projected File System
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows SmartScreen
- Windows Subsystem for Linux
- Windows Terminal
FortiOS SSL-VPN Vulnerability
Fortinet released a PSIRT Advisory on the 12th of December 2022 about a Critical-severity buffer overflow vulnerability in FortiOS SSL-VPN which would allow a remote unauthenticated attacker to execute arbitrary code via specially crafted payloads. Fortinet confirmed that the vulnerability was exploited in the wild.
Affected Products
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Updates
Fortinet has released updates to patch this vulnerability. It seems that FortiOS below version 6.0 will not be patched.
- FortiOS version 7.2.x should be updated to 7.2.3 or above
- FortiOS version 7.0.x should be updated to 7.0.9 or above
- FortiOS version 6.4.x should be updated to 6.4.11 or above
- FortiOS version 6.2.x should be updated to 6.2.12 or above
- FortiOS version 6.0.x should be updated to 6.0.16
- FortiOS-6K7K version 7.0.x should be updated to 7.0.8 (when released) or above
- FortiOS-6K7K version 6.4.x should be updated to 6.4.10 or above
- FortiOS-6K7K version 6.2.x should be updated to 6.2.12 (when released) or above
- FortiOS-6K7K version 6.0.x should be updated to 6.0.15 or above
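To check a device inventory against the two lists above, here is an added example (not from Fortinet or the original post) that classifies each firmware version and reports the update target. The function names, status labels, hostnames and version strings are assumptions made for illustration; the version ranges are copied from the lists above.

```python
import re

# (product, major, minor) -> (last affected patch level, first fixed patch level).
# Copied from the two lists above; None = no update listed for that branch.
ADVISORY = {
    ("FortiOS", 7, 2): (2, 3), ("FortiOS", 7, 0): (8, 9),
    ("FortiOS", 6, 4): (10, 11), ("FortiOS", 6, 2): (11, 12),
    ("FortiOS", 6, 0): (15, 16),
    ("FortiOS", 5, 6): (14, None), ("FortiOS", 5, 4): (13, None),
    ("FortiOS", 5, 2): (15, None), ("FortiOS", 5, 0): (14, None),
    # 6K7K 7.0.8 and 6.2.12 were marked "when released" in the list above.
    ("FortiOS-6K7K", 7, 0): (7, 8), ("FortiOS-6K7K", 6, 4): (9, 10),
    ("FortiOS-6K7K", 6, 2): (11, 12), ("FortiOS-6K7K", 6, 0): (14, 15),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def triage(product, version_text):
    """Classify one device; returns (status, detail)."""
    m = VERSION_RE.search(version_text)
    if m is None:
        return ("unknown", "no x.y.z version found")
    major, minor, patch = (int(g) for g in m.groups())
    entry = ADVISORY.get((product, major, minor))
    if entry is None:
        return ("not-listed", "branch does not appear in the lists")
    last_affected, first_fixed = entry
    if patch > last_affected:
        return ("outside-range", "above the listed affected range")
    if first_fixed is None:
        return ("affected-no-fix", "no update listed; move to a patched branch")
    return ("affected", f"update to {major}.{minor}.{first_fixed} or above")

def triage_inventory(rows):
    """rows: (hostname, product, version_text). Affected devices sort first."""
    order = {"affected-no-fix": 0, "affected": 1, "unknown": 2,
             "not-listed": 3, "outside-range": 4}
    results = [(host, *triage(product, text)) for host, product, text in rows]
    return sorted(results, key=lambda r: (order[r[1]], r[0]))

# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = [
    ("fw-branch-01", "FortiOS", "v7.0.8,build0418"),
    ("fw-hq-01", "FortiOS", "7.2.3"),
    ("fw-legacy-01", "FortiOS", "5.6.14"),
    ("fw-core-01", "FortiOS-6K7K", "6.4.9"),
    ("fw-lab-01", "FortiOS", "unknown"),
]

if __name__ == "__main__":
    for host, status, detail in triage_inventory(SAMPLE):
        print(f"{host:14} {status:16} {detail}")
```

Devices whose version cannot be parsed are reported as "unknown" rather than silently passed, so they can be checked by hand.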
Thanks for reading this update and sorry it’s a few days late!
Merry Christmas!
James