Patch Tuesday – February 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/02/08/patch-tuesday-february-2022/

Patch Tuesday - February 2022

Today’s fixes from Microsoft are relatively light as far as Patch Tuesdays go. This is the first month in possibly forever where no vulnerabilities are considered Critical. A total of 70 CVEs were fixed today (including 22 that affect the Chromium browser engine, which is used by Edge).

Although 16 of this month’s vulnerabilities allow remote code execution (RCE), none carry a CVSS base score higher than 8.8. Only one vulnerability was publicly disclosed before today: CVE-2022-21989, an elevation of privilege vulnerability in the Windows Kernel. None of this month’s vulnerabilities have yet been seen exploited in the wild.

Despite the lack of Critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month. RCE vulnerabilities are also important to patch, even if they may not be considered “wormable.” In terms of prioritization, defenders should first focus on patching server systems. SharePoint has RCE (CVE-2022-22005), Security Feature Bypass (CVE-2022-21968), and Spoofing (CVE-2022-21987) vulnerabilities getting fixed today. CVE-2022-21984 is an RCE affecting DNS Server. Microsoft Dynamics administrators should also be aware that there are six CVEs being patched, including 2 RCEs, 3 allowing elevation of privilege, and a spoofing vulnerability.

On the client side, CVE-2022-22003 and CVE-2022-22004 are RCEs affecting Microsoft Office. Although this requires a local user to open a malicious file, these sorts of social engineering attacks are common and can be very effective. Updates should be rolled out to end users as soon as reasonably practicable.

Summary charts

Patch Tuesday - February 2022
Patch Tuesday - February 2022
Patch Tuesday - February 2022
Patch Tuesday - February 2022

Summary tables

Azure Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23256 Azure Data Explorer Spoofing Vulnerability No No 8.1 Yes

Browser Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23261 Microsoft Edge (Chromium-based) Tampering Vulnerability No No 5.3 Yes
CVE-2022-23263 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.7 Yes
CVE-2022-23262 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 6.3 Yes
CVE-2022-0470 Chromium: CVE-2022-0470 Out of bounds memory access in V8 No No N/A Yes
CVE-2022-0469 Chromium: CVE-2022-0469 Use after free in Cast No No N/A Yes
CVE-2022-0468 Chromium: CVE-2022-0468 Use after free in Payments No No N/A Yes
CVE-2022-0467 Chromium: CVE-2022-0467 Inappropriate implementation in Pointer Lock No No N/A Yes
CVE-2022-0466 Chromium: CVE-2022-0466 Inappropriate implementation in Extensions Platform No No N/A Yes
CVE-2022-0465 Chromium: CVE-2022-0465 Use after free in Extensions No No N/A Yes
CVE-2022-0464 Chromium: CVE-2022-0464 Use after free in Accessibility No No N/A Yes
CVE-2022-0463 Chromium: CVE-2022-0463 Use after free in Accessibility No No N/A Yes
CVE-2022-0462 Chromium: CVE-2022-0462 Inappropriate implementation in Scroll No No N/A Yes
CVE-2022-0461 Chromium: CVE-2022-0461 Policy bypass in COOP No No N/A Yes
CVE-2022-0460 Chromium: CVE-2022-0460 Use after free in Window Dialog No No N/A Yes
CVE-2022-0459 Chromium: CVE-2022-0459 Use after free in Screen Capture No No N/A Yes
CVE-2022-0458 Chromium: CVE-2022-0458 Use after free in Thumbnail Tab Strip No No N/A Yes
CVE-2022-0457 Chromium: CVE-2022-0457 Type Confusion in V8 No No N/A Yes
CVE-2022-0456 Chromium: CVE-2022-0456 Use after free in Web Search No No N/A Yes
CVE-2022-0455 Chromium: CVE-2022-0455 Inappropriate implementation in Full Screen Mode No No N/A Yes
CVE-2022-0454 Chromium: CVE-2022-0454 Heap buffer overflow in ANGLE No No N/A Yes
CVE-2022-0453 Chromium: CVE-2022-0453 Use after free in Reader Mode No No N/A Yes
CVE-2022-0452 Chromium: CVE-2022-0452 Use after free in Safe Browsing No No N/A Yes

Developer Tools Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-21986 .NET Denial of Service Vulnerability No No 7.5 Yes

ESU Windows Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-21985 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-22718 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21999 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21997 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-22717 Windows Print Spooler Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-21989 Windows Kernel Elevation of Privilege Vulnerability No Yes 7.8 Yes
CVE-2022-21998 Windows Common Log File System Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-21981 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-22000 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-22710 Windows Common Log File System Driver Denial of Service Vulnerability No No 5.5 No

Microsoft Dynamics Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23269 Microsoft Dynamics GP Spoofing Vulnerability No No 6.9 Yes
CVE-2022-23274 Microsoft Dynamics GP Remote Code Execution Vulnerability No No 8.3 Yes
CVE-2022-23272 Microsoft Dynamics GP Elevation Of Privilege Vulnerability No No 8.1 Yes
CVE-2022-23273 Microsoft Dynamics GP Elevation Of Privilege Vulnerability No No 7.1 No
CVE-2022-23271 Microsoft Dynamics GP Elevation Of Privilege Vulnerability No No 6.5 No
CVE-2022-21957 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability No No 7.2 No

Microsoft Office Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-21965 Microsoft Teams Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21987 Microsoft SharePoint Server Spoofing Vulnerability No No 8 Yes
CVE-2022-21968 Microsoft SharePoint Server Security Feature BypassVulnerability No No 4.3 Yes
CVE-2022-22005 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-23280 Microsoft Outlook for Mac Security Feature Bypass Vulnerability No No 5.3 Yes
CVE-2022-23255 Microsoft OneDrive for Android Security Feature Bypass Vulnerability No No 5.9 Yes
CVE-2022-21988 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-23252 Microsoft Office Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-22003 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22004 Microsoft Office ClickToRun Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22716 Microsoft Excel Information Disclosure Vulnerability No No 5.5 Yes

SQL Server Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23276 SQL Server for Linux Containers Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-23254 Microsoft Power BI Elevation of Privilege Vulnerability No No 4.9 Yes

Windows Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-22002 Windows User Account Profile Picture Denial of Service Vulnerability No No 5.5 No
CVE-2022-21993 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-21971 Windows Runtime Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22001 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21992 Windows Mobile Device Management Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21995 Windows Hyper-V Remote Code Execution Vulnerability No No 7.9 Yes
CVE-2022-22712 Windows Hyper-V Denial of Service Vulnerability No No 5.6 Yes
CVE-2022-21994 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21984 Windows DNS Server Remote Code Execution Vulnerability No No 8.8 No
CVE-2022-21996 Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-22709 VP9 Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21974 Roaming Security Rights Management Services Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22715 Named Pipe File System Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21844 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21926 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21927 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.