CVE-2022-37971: Microsoft Windows Defender Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.1)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Oct

Released

2022-10-11

Last Updated

2022-10-17

EPSS Score

0.39% (percentile: 60.1%)

FAQ

Where can I find more information about NTLM relay attacks? Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks. According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) but have major impact on integrity (I:H) and on availability (A:H). What does that mean for this vulnerability? This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain specific limited SYSTEM privileges. References Identification Last version of the Microsoft Malware Protection Engine affected by this vulnerability 1.1.19600.3 First version of the Microsoft Malware Protection Engine with this vulnerability addressed Version 1.1.19700.2 See Manage Updates Baselines Microsoft Defender Antivirus for more information. Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue? Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state. Why is no action required to install this update? In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, a

Affected Products (1)

System Center

• Microsoft Malware Protection Engine

Acknowledgments

<a href="https://www.linkedin.com/in/or-yair">Or Yair</a> (<a href="https://twitter.com/oryair1999">@oryair1999</a>) with <a href="https://www.safebreach.com/safebreach-labs/">SafeBreach Labs</a>

Revision History

• 2022-10-11: Information published.
• 2022-10-17: Updated FAQ information. This is an informational change only.