DECEMBER Vuln of the Month: CVE-2022-41128
A serious Windows vulnerability is the star of December's Vuln of the Month. This remote code execution (RCE) flaw in the Windows scripting engine can do a lot of damage, and it is already being exploited in the wild.
CVE-2022-41128 is a critical vulnerability in the JScript9 scripting engine (the engine behind Internet Explorer and the IE rendering mode used by other applications), present in a wide range of Windows versions, from Windows 7 to current Windows 11 releases. To steal or corrupt data, or possibly take control of systems, attackers lure users to a malicious or compromised site, or get them to open a document that pulls in web content rendered by the same engine; the attacker-controlled script then triggers the vulnerability.
Our research shows that CVE-2022-41128 meets many of the criteria we look for in a vulnerability that could be exploited, including:
- Access complexity: Low
- Potential attack surface: Massive
- Exploitable remotely: Yes
- Authentication/privilege requirements: None (the victim does have to open the malicious page or document)
- Potential impact on availability: High
- Exploit code published: Yes
- Active exploits observed: Yes
CVE-2022-41128 earns a Kenna Risk Score of 96.6, which means it represents a greater risk than 99.72% of all the CVEs we've scored to date. CVSS 3.1 also recognizes the risk and assigns a base score of 8.8 (High), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network-reachable, low complexity, no privileges, one click of user interaction, and high impact on confidentiality, integrity and availability. So at the risk of pummeling you with the point: CVE-2022-41128 is a high-risk vuln.
Why CVE-2022-41128 matters
Any Windows vulnerability warrants a close look, but a high-risk RCE that impacts several years' worth of Windows releases is uniquely concerning. In this case, users can be phished into visiting a hacked or malicious site (or opening a document that renders remote web content) that exploits the vuln. Once the exploit succeeds, the attacker's code runs with the privileges of the user who opened it, which opens the door to all kinds of mischief, with the potential for significant impacts on the availability of systems and services. Note that retiring or disabling Internet Explorer as a browser does not remove the exposure: the JScript9 engine stays on the system and remains reachable through applications that embed the IE rendering engine, so patching is the fix. Microsoft credits two researchers from Google's Threat Analysis Group for discovering and reporting the vuln.
In response to this and other vulnerability disclosures, Cisco Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60815-60816, 60818-60819, 60820-60821, 60822-60823, 60831-60832, 60833-60834. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300309, 300310, 300311, 300312, 300315, 300316.
Bottom line
This vuln requires no authentication, can be exploited remotely, holds the potential for doing serious damage, represents a huge global attack surface, and is already being actively exploited. This one is worth fixing.
Mitigation status
On Nov. 8, 2022, Microsoft released 34 patches to cover all affected Windows versions. We recommend visiting Microsoft's security guide to determine which update applies to your Windows version and build, install it, and then confirm on each host that the update actually landed rather than assuming the deployment succeeded.
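One way to do that confirmation, as an added example that is not code from the Kenna post or from Microsoft: a PowerShell script that reads a host's OS build and the version of jscript9.dll (the engine component this CVE lives in) and compares the build against a minimum patched build you look up for that Windows version in Microsoft's security guide. The parameter name, the function names and the illustrative value '19045.2251' are assumptions of this example; the script hard-codes no KB or build numbers.

```powershell
# Added example, not from the Kenna post or from Microsoft. Reports whether this
# host carries at least the given OS build (CurrentBuild.UBR) and which JScript9
# engine DLLs are present. Assumption: the caller takes the minimum patched
# build for their Windows version from Microsoft's security guide / KB article.
param(
    # Example form: '19045.2251'. The value must come from the KB for your build.
    [Parameter(Mandatory = $true)]
    [version]$MinimumPatchedBuild
)

function Get-WindowsBuild {
    # CurrentBuild is the major build (e.g. 19045); UBR is the cumulative-update
    # revision, which is what a monthly security update bumps. UBR exists on
    # Windows 10/11 and Server 2016+; older builds report 0 here, so for those
    # check the KB with Get-HotFix instead (see the usage note).
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }
    [version]"$($cv.CurrentBuild).$ubr"
}

function Get-JScript9Versions {
    # The engine ships as both a 64-bit and a 32-bit DLL; 32-bit Office and other
    # WOW64 processes load the SysWOW64 copy, so report both.
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:SystemRoot "$dir\jscript9.dll"
        if (Test-Path $path) {
            $vi = (Get-Item $path).VersionInfo
            [pscustomobject]@{
                Path    = $path
                Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
            }
        }
    }
}

function Test-CVE202241128Patched {
    param([version]$MinimumPatchedBuild)
    $build   = Get-WindowsBuild
    $engines = @(Get-JScript9Versions)
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSBuild             = $build
        MinimumPatchedBuild = $MinimumPatchedBuild
        JScript9Present     = ($engines.Count -gt 0)
        JScript9Versions    = ($engines | ForEach-Object { "$($_.Path)=$($_.Version)" }) -join '; '
        # Patched if the build meets the threshold; a host with no jscript9.dll
        # at all does not carry the vulnerable component.
        Patched             = ($build -ge $MinimumPatchedBuild) -or ($engines.Count -eq 0)
    }
}

Test-CVE202241128Patched -MinimumPatchedBuild $MinimumPatchedBuild | Format-List
```

Run it as `.\Test-CVE202241128Patched.ps1 -MinimumPatchedBuild '19045.2251'` (quote the value so it is parsed as a version, not a number), substituting the build from the KB that matches the host. Because the threshold differs per Windows version, run it per build rather than with one fleet-wide value; for Windows 7, 8.1 and Server 2012, which have no UBR, use `Get-HotFix -Id <KB from the guide>` instead. Recording the jscript9.dll versions alongside the verdict gives you the artifact to show that the engine itself, not just the OS build string, moved.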
Watch this space for regular Vuln of the Month spotlights, which appear on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.