All posts by Greg Wiseman

Patch Tuesday – January 2023

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2023/01/10/patch-tuesday-january-2023/

Patch Tuesday - January 2023

Microsoft is starting the new year with a bang! Today’s Patch Tuesday release addresses almost 100 CVEs. After a relatively mild holiday season, defenders and admins now have a wide range of exciting new vulnerabilities to consider.

Two zero-day vulnerabilities emerged today, both affecting a wide range of current Windows operating systems.

CVE-2023-21674 allows Local Privilege Escalation (LPE) to SYSTEM via a vulnerability in Windows Advanced Local Procedure Call (ALPC), which Microsoft has already seen exploited in the wild. Given its low attack complexity, the existence of functional proof-of-concept code, and the potential for sandbox escape, this may be a vulnerability to keep a close eye on. An ALPC zero-day back in 2018 swiftly found its way into a malware campaign.

CVE-2023-21549 is Windows SMB elevation for which Microsoft has not yet seen in-the-wild exploitation or a solid proof-of-concept, although Microsoft has marked it as publicly disclosed.

This Patch Tuesday also includes a batch of seven Critical Remote Code Execution (RCE) vulnerabilities. These are split between Windows Secure Socket Tunneling Protocol (SSTP) – source of another Critical RCE last month – and Windows Layer 2 Tunneling Protocol (L2TP). Happily, none of these has yet been seen exploited in the wild, and Microsoft has assessed all seven as “exploitation less likely” (though time will tell).

Today’s haul includes two Office Remote Code Execution vulnerabilities. Both CVE-2023-21734 and CVE-2023-21735 sound broadly familiar: a user needs to be tricked into running malicious files. Unfortunately, the security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available, so admins with affected assets will need to check back later and rely on other defenses for now.

On the server side, five CVEs affecting Microsoft Exchange Server were addressed today: two Spoofing vulnerabilities, two Elevation of Privilege, and an Information Disclosure. Any admins who no longer wish to run on-prem Exchange may wish to add these to the evidence pile.

Anyone responsible for a SharePoint Server instance has three new vulnerabilities to consider. Perhaps the most noteworthy is CVE-2023-21743, a remote authentication bypass. Remediation requires additional admin action after the installation of the SharePoint Server security update; however, exploitation requires no user interaction, and Microsoft already assesses it as “Exploitation More Likely”. This regrettable combination of properties explains the Critical severity assigned by Microsoft despite the relatively low CVSS score.

Another step further away from the Ballmer era: Microsoft recently announced the potential inclusion of CBL-Mariner CVEs as part of Security Update Guide guidance starting as early as tomorrow (Jan 11). First released on the carefully-selected date of April 1, 2020, CBL-Mariner is the Microsoft-developed Linux distro which acts as the base container OS for Azure services, and also underpins elements of WSL2.

Farewell Windows 8.1, we hardly knew ye: today’s security patches include fixes for Windows 8.1 for the final time, since Extended Support for most editions of Windows 8.1 ends today.

Summary charts

Patch Tuesday - January 2023
Patch Tuesday - January 2023
Patch Tuesday - January 2023
Patch Tuesday - January 2023

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21780 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21781 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21782 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21784 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21786 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21791 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21793 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21783 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21785 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21787 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21788 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21789 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21790 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21792 3D Builder Remote Code Execution Vulnerability No No 7.8

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21531 Azure Service Fabric Container Elevation of Privilege Vulnerability No No 7

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21538 .NET Denial of Service Vulnerability No No 7.5
CVE-2023-21779 Visual Studio Code Remote Code Execution No No 7.3

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21762 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-21745 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-21763 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21764 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21761 Microsoft Exchange Server Information Disclosure Vulnerability No No 7.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21742 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21744 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21736 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-21737 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-21734 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-21735 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-21738 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.1
CVE-2023-21741 Microsoft Office Visio Information Disclosure Vulnerability No No 7.1
CVE-2023-21743 Microsoft SharePoint Server Security Feature Bypass Vulnerability No No 5.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21725 Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21676 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.8
CVE-2023-21674 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability Yes No 8.8
CVE-2023-21767 Windows Overlay Filter Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21755 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21558 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21724 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21551 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21677 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-21683 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-21758 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-21539 Windows Authentication Remote Code Execution Vulnerability No No 7.5
CVE-2023-21547 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability No No 7.5
CVE-2023-21771 Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability No No 7
CVE-2023-21739 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 7
CVE-2023-21733 Windows Bind Filter Driver Elevation of Privilege Vulnerability No No 7
CVE-2023-21540 Windows Cryptographic Information Disclosure Vulnerability No No 5.5
CVE-2023-21550 Windows Cryptographic Information Disclosure Vulnerability No No 5.5
CVE-2023-21559 Windows Cryptographic Information Disclosure Vulnerability No No 5.5
CVE-2023-21753 Event Tracing for Windows Information Disclosure Vulnerability No No 5.5
CVE-2023-21766 Windows Overlay Filter Information Disclosure Vulnerability No No 4.7
CVE-2023-21536 Event Tracing for Windows Information Disclosure Vulnerability No No 4.7
CVE-2023-21759 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability No No 3.3

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21549 Windows SMB Witness Service Elevation of Privilege Vulnerability No Yes 8.8
CVE-2023-21681 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21732 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-21561 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 8.8
CVE-2023-21535 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21548 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21546 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21543 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21555 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21556 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21679 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21680 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21678 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21765 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21746 Windows NTLM Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21524 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21747 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21748 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21749 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21754 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21772 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21773 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21774 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21675 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21537 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21730 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21527 Windows iSCSI Service Denial of Service Vulnerability No No 7.5
CVE-2023-21728 Windows Netlogon Denial of Service Vulnerability No No 7.5
CVE-2023-21557 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2023-21757 Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability No No 7.5
CVE-2023-21760 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1
CVE-2023-21750 Windows Kernel Elevation of Privilege Vulnerability No No 7.1
CVE-2023-21752 Windows Backup Service Elevation of Privilege Vulnerability No No 7.1
CVE-2023-21542 Windows Installer Elevation of Privilege Vulnerability No No 7
CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability No No 7
CVE-2023-21563 BitLocker Security Feature Bypass Vulnerability No No 6.8
CVE-2023-21560 Windows Boot Manager Security Feature Bypass Vulnerability No No 6.6
CVE-2023-21776 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-21682 Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability No No 5.3
CVE-2023-21525 Remote Procedure Call Runtime Denial of Service Vulnerability No No 5.3

Patch Tuesday – December 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/12/13/patch-tuesday-december-2022/

Patch Tuesday - December 2022

As far as Patch Tuesdays go, defenders have a relatively light month to close out the year with only 48 CVEs being published by Microsoft today. (This does not include the 24 previously disclosed vulnerabilities affecting their Chromium-based Edge browser.)

There are two zero-days in the mix today. CVE-2022-44698 is a bypass of the Windows SmartScreen security feature, and has been seen exploited in the wild. It allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web” despite being downloaded from untrusted sites. This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros. Publicly disclosed, but not seen actively exploited, is CVE-2022-44710. It’s a classic elevation of privilege vulnerability affecting the DirectX graphics kernel on Windows 11 22H2 systems.

Administrators for SharePoint and Microsoft Dynamics deployments should be aware of Critical Remote Code Execution (RCE) vulnerabilities that need to be patched. Other Critical RCEs this month affect the Windows Secure Socket Tunneling Protocol (CVE-2022-44676 and CVE-2022-44670), .NET Framework (CVE-2022-41089), and PowerShell (CVE-2022-41076).

Happy holidays, and may your patching be merry and bright!

Summary charts

Patch Tuesday - December 2022
Patch Tuesday - December 2022
Patch Tuesday - December 2022
Patch Tuesday - December 2022

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44702 Windows Terminal Remote Code Execution Vulnerability No No 7.8
CVE-2022-24480 Outlook for Android Elevation of Privilege Vulnerability No No 6.3

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44699 Azure Network Watcher Agent Security Feature Bypass Vulnerability No No 5.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44708 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3
CVE-2022-41115 Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability No No 6.6
CVE-2022-44688 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2022-4195 Chromium: CVE-2022-4195 Insufficient policy enforcement in Safe Browsing No No N/A
CVE-2022-4194 Chromium: CVE-2022-4194 Use after free in Accessibility No No N/A
CVE-2022-4193 Chromium: CVE-2022-4193 Insufficient policy enforcement in File System API No No N/A
CVE-2022-4192 Chromium: CVE-2022-4192 Use after free in Live Caption No No N/A
CVE-2022-4191 Chromium: CVE-2022-4191 Use after free in Sign-In No No N/A
CVE-2022-4190 Chromium: CVE-2022-4190 Insufficient data validation in Directory No No N/A
CVE-2022-4189 Chromium: CVE-2022-4189 Insufficient policy enforcement in DevTools No No N/A
CVE-2022-4188 Chromium: CVE-2022-4188 Insufficient validation of untrusted input in CORS No No N/A
CVE-2022-4187 Chromium: CVE-2022-4187 Insufficient policy enforcement in DevTools No No N/A
CVE-2022-4186 Chromium: CVE-2022-4186 Insufficient validation of untrusted input in Downloads No No N/A
CVE-2022-4185 Chromium: CVE-2022-4185 Inappropriate implementation in Navigation No No N/A
CVE-2022-4184 Chromium: CVE-2022-4184 Insufficient policy enforcement in Autofill No No N/A
CVE-2022-4183 Chromium: CVE-2022-4183 Insufficient policy enforcement in Popup Blocker No No N/A
CVE-2022-4182 Chromium: CVE-2022-4182 Inappropriate implementation in Fenced Frames No No N/A
CVE-2022-4181 Chromium: CVE-2022-4181 Use after free in Forms No No N/A
CVE-2022-4180 Chromium: CVE-2022-4180 Use after free in Mojo No No N/A
CVE-2022-4179 Chromium: CVE-2022-4179 Use after free in Audio No No N/A
CVE-2022-4178 Chromium: CVE-2022-4178 Use after free in Mojo No No N/A
CVE-2022-4177 Chromium: CVE-2022-4177 Use after free in Extensions No No N/A
CVE-2022-4175 Chromium: CVE-2022-4175 Use after free in Camera Capture No No N/A
CVE-2022-4174 Chromium: CVE-2022-4174 Type Confusion in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41089 .NET Framework Remote Code Execution Vulnerability No No 8.8
CVE-2022-44704 Microsoft Windows Sysmon Elevation of Privilege Vulnerability No No 7.8

Developer Tools Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41076 PowerShell Remote Code Execution Vulnerability No No 8.5

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41127 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability No No 8.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44690 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2022-44693 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2022-44694 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2022-44695 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2022-44696 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2022-44691 Microsoft Office OneNote Remote Code Execution Vulnerability No No 7.8
CVE-2022-44692 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-26804 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-26805 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-26806 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-47211 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-47212 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-47213 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-44713 Microsoft Outlook for Mac Spoofing Vulnerability No No 7.5

Open Source Software Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44689 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44677 Windows Projected File System Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44683 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44680 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44671 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44687 Raw Image Extension Remote Code Execution Vulnerability No No 7.8
CVE-2022-44710 DirectX Graphics Kernel Elevation of Privilege Vulnerability No Yes 7.8
CVE-2022-44669 Windows Error Reporting Elevation of Privilege Vulnerability No No 7
CVE-2022-44682 Windows Hyper-V Denial of Service Vulnerability No No 6.8
CVE-2022-44707 Windows Kernel Denial of Service Vulnerability No No 6.5
CVE-2022-44679 Windows Graphics Component Information Disclosure Vulnerability No No 6.5
CVE-2022-44674 Windows Bluetooth Driver Information Disclosure Vulnerability No No 5.5
CVE-2022-44698 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 5.4

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44676 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2022-44670 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2022-44678 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44681 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44667 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2022-44668 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2022-41094 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44697 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41121 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41077 Windows Fax Compose Form Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44666 Windows Contacts Remote Code Execution Vulnerability No No 7.8
CVE-2022-44675 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44673 Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7
CVE-2022-41074 Windows Graphics Component Information Disclosure Vulnerability No No 5.5

Patch Tuesday – November 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/11/08/patch-tuesday-november-2022-2/

Patch Tuesday - November 2022

It’s a relatively light Patch Tuesday this month by the numbers – Microsoft has only published 67 new CVEs, most of which affect their flagship Windows operating system. However, four of these are zero-days, having been observed as exploited in the wild.

The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed. CVE-2022-41040 is a “Critical” elevation of privilege vulnerability, and CVE-2022-41082 is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Both vulnerabilities have been exploited in the wild. Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and CVE-2022-41080 is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.

Three of the new zero-day vulnerabilities are:

  • CVE-2022-41128, a Critical RCE affecting the JScript9 scripting language (Microsoft’s legacy JavaScript dialect, used by their Internet Explorer browser).
  • CVE-2022-41073 is the latest in a storied history of vulnerabilities affecting the Windows Print Spooler, allowing privilege escalation and considered Important.
  • CVE-2022-41125 is also an Important privilege escalation vulnerability, affecting the Windows Next-generation Cryptography (CNG) Key Isolation service.

The fourth zero-day, CVE-2022-41091, was previously disclosed and widely reported on in October. It is a Security Feature Bypass of “Windows Mark of the Web” – a mechanism meant to flag files that have come from an untrusted source.

Exchange Server admins are not the only ones on the hook this month: SharePoint Server is affected by CVE-2022-41062, an Important RCE that could allow an attacker who has Site Member privileges to execute code remotely on the server. CVE-2022-41122, a Spoofing vulnerability that Microsoft rates as “Exploitation more likely” than not, was actually addressed in September’s SharePoint patches but not included in their Security Update Guide at the time.

This month also sees Microsoft’s third non-CVE security advisory of the year, ADV220003, which is a “defense-in-depth” update for older versions of Microsoft Office (2013 and 2016) that improves validation of documents protected via Microsoft’s Information Rights Management (IRM) technology – a feature of somewhat dubious value, meant to help prevent sensitive information from being printed, forwarded, or copied without authorization.

Summary charts

Patch Tuesday - November 2022

Patch Tuesday - November 2022

Patch Tuesday - November 2022

Patch Tuesday - November 2022

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41051 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8
CVE-2022-41085 Azure CycleCloud Elevation of Privilege Vulnerability No No 7.5
CVE-2022-39327 GitHub: CVE-2022-39327 Improper Control of Generation of Code (‘Code Injection’) in Azure CLI No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41119 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2022-41120 Microsoft Windows Sysmon Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41064 .NET Framework Information Disclosure Vulnerability No No 5.8
CVE-2022-39253 GitHub: CVE-2022-39253 Local clone optimization dereferences symbolic links by default No No N/A

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41044 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2022-41116 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability No No 5.9

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41128 Windows Scripting Languages Remote Code Execution Vulnerability Yes No 8.8
CVE-2022-41047 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2022-41048 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2022-41039 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability No No 8.1
CVE-2022-38023 Netlogon RPC Elevation of Privilege Vulnerability No No 8.1
CVE-2022-41109 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41073 Windows Print Spooler Elevation of Privilege Vulnerability Yes No 7.8
CVE-2022-41057 Windows HTTP.sys Elevation of Privilege Vulnerability No No 7.8
CVE-2022-37992 Windows Group Policy Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41095 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41045 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41118 Windows Scripting Languages Remote Code Execution Vulnerability No No 7.5
CVE-2022-41058 Windows Network Address Translation (NAT) Denial of Service Vulnerability No No 7.5
CVE-2022-41053 Windows Kerberos Denial of Service Vulnerability No No 7.5
CVE-2022-41056 Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability No No 7.5
CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability No No 7.2
CVE-2022-41097 Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability No No 6.5
CVE-2022-41086 Windows Group Policy Elevation of Privilege Vulnerability No No 6.4
CVE-2022-41090 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability No No 5.9
CVE-2022-41098 Windows GDI+ Information Disclosure Vulnerability No No 5.5
CVE-2022-23824 AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41080 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8.8
CVE-2022-41078 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2022-41079 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2022-41123 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 7.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41066 Microsoft Business Central Information Disclosure Vulnerability No No 4.4

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41062 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2022-41061 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2022-41107 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-41106 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2022-41063 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2022-41122 Microsoft SharePoint Server Spoofing Vulnerability No No 6.5
CVE-2022-41060 Microsoft Word Information Disclosure Vulnerability No No 5.5
CVE-2022-41103 Microsoft Word Information Disclosure Vulnerability No No 5.5
CVE-2022-41104 Microsoft Excel Security Feature Bypass Vulnerability No No 5.5
CVE-2022-41105 Microsoft Excel Information Disclosure Vulnerability No No 5.5

Open Source Software Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-38014 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability No No 7
CVE-2022-3786 OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun No No N/A
CVE-2022-3602 OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun No No N/A

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41088 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2022-41092 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41113 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41054 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41101 Windows Overlay Filter Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41102 Windows Overlay Filter Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41052 Windows Graphics Component Remote Code Execution Vulnerability No No 7.8
CVE-2022-41050 Windows Extensible File Allocation Table Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41125 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Yes No 7.8
CVE-2022-41100 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41093 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41096 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41114 Windows Bind Filter Driver Elevation of Privilege Vulnerability No No 7
CVE-2022-38015 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2022-41055 Windows Human Interface Device Information Disclosure Vulnerability No No 5.5
CVE-2022-41091 Windows Mark of the Web Security Feature Bypass Vulnerability Yes Yes 5.4
CVE-2022-41049 Windows Mark of the Web Security Feature Bypass Vulnerability No No 5.4
CVE-2022-41099 BitLocker Security Feature Bypass Vulnerability No No 4.6

Patch Tuesday – October 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/10/11/patch-tuesday-october-2022/

Patch Tuesday - October 2022

The October batch of CVEs published by Microsoft includes 96 vulnerabilities, including 12 fixed earlier this month that affect the Chromium project used by their Edge browser.

Top of mind for many this month is whether Microsoft would patch the two Exchange Server zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. This whack-a-mole approach seems likely to continue until a proper patch addressing the root causes is available; unfortunately, it doesn’t look like that will be happening today. Thankfully, the impact should be more limited than 2021’s ProxyShell and ProxyLogon vulnerabilities due to attackers needing to be authenticated to the server for successful exploitation. Reports are also surfacing about an additional zero-day distinct from these being used in ransomware attacks; however, these have not yet been substantiated.

Microsoft did address two other zero-day vulnerabilities with today’s patches. CVE-2022-41033, an Elevation of Privilege vulnerability affecting the COM+ Event System Service in all supported versions of Windows, has been seen exploited in the wild. CVE-2022-41043 is an Information Disclosure vulnerability affecting Office for Mac that was publicly disclosed but not (yet) seen exploited in the wild.

Nine CVEs categorized as Remote Code Execution (RCE) with Critical severity were also patched today – seven of them affect the Point-to-Point Tunneling Protocol, and like those fixed last month, require an attacker to win a race condition to exploit them. CVE-2022-38048 affects all supported versions of Office, and CVE-2022-41038 could allow an attacker authenticated to SharePoint to execute arbitrary code on the server, provided the account has “Manage List” permissions.

Maxing out the CVSS base score with a 10.0 this month is CVE-2022-37968, an Elevation of Privilege vulnerability in the Azure Arc-enabled Kubernetes cluster Connect component. It’s unclear why Microsoft has assigned such a high score, given that an attacker would need to know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster (arguably making the Attack Complexity “High”). That said, if this condition is met then an unauthenticated user could become a cluster admin and potentially gain control over the Kubernetes cluster. Users of Azure Arc and Azure Stack Edge should check whether auto-updates are turned on, and if not, upgrade manually as soon as possible.

Summary charts

Patch Tuesday - October 2022
Patch Tuesday - October 2022
Patch Tuesday - October 2022
Patch Tuesday - October 2022

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability No No 10 Yes
CVE-2022-38017 StorSimple 8000 Series Elevation of Privilege Vulnerability No No 6.8 Yes
CVE-2022-35829 Service Fabric Explorer Spoofing Vulnerability No No 6.2 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-41035 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 8.3 Yes
CVE-2022-3373 Chromium: CVE-2022-3373 Out of bounds write in V8 No No N/A Yes
CVE-2022-3370 Chromium: CVE-2022-3370 Use after free in Custom Elements No No N/A Yes
CVE-2022-3317 Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents No No N/A Yes
CVE-2022-3316 Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing No No N/A Yes
CVE-2022-3315 Chromium: CVE-2022-3315 Type confusion in Blink No No N/A Yes
CVE-2022-3313 Chromium: CVE-2022-3313 Incorrect security UI in Full Screen No No N/A Yes
CVE-2022-3311 Chromium: CVE-2022-3311 Use after free in Import No No N/A Yes
CVE-2022-3310 Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs No No N/A Yes
CVE-2022-3308 Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools No No N/A Yes
CVE-2022-3307 Chromium: CVE-2022-3307 Use after free in Media No No N/A Yes
CVE-2022-3304 Chromium: CVE-2022-3304 Use after free in CSS No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-41034 Visual Studio Code Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-41083 Visual Studio Code Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-41032 NuGet Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-41042 Visual Studio Code Information Disclosure Vulnerability No No 7.4 Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-41038 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-41036 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-41037 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38053 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-41031 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38048 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38049 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38001 Microsoft Office Spoofing Vulnerability No No 6.5 Yes
CVE-2022-41043 Microsoft Office Information Disclosure Vulnerability No Yes 3.3 Yes

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37971 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.1 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38016 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-38045 Server Service Remote Protocol Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-37984 Windows WLAN Service Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38003 Windows Resilient File System Elevation of Privilege No No 7.8 Yes
CVE-2022-38028 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38039 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37995 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37979 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37970 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37980 Windows DHCP Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38050 Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37983 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37998 Windows Local Session Manager (LSM) Denial of Service Vulnerability No No 7.7 Yes
CVE-2022-37973 Windows Local Session Manager (LSM) Denial of Service Vulnerability No No 7.7 Yes
CVE-2022-38036 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability No No 7.5 No
CVE-2022-38027 Windows Storage Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-38021 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-37974 Windows Mixed Reality Developer Tools Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-38046 Web Account Manager Information Disclosure Vulnerability No No 6.2 Yes
CVE-2022-37965 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability No No 5.9 Yes
CVE-2022-37996 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38025 Windows Distributed File System (DFS) Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38030 Windows USB Serial Driver Information Disclosure Vulnerability No No 4.3 Yes

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37982 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38031 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38040 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-37976 Active Directory Certificate Services Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-30198 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-22035 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-24504 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-33634 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-38047 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-38000 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-41081 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-37986 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37988 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38037 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38038 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37990 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37991 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37999 Windows Group Policy Preference Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37993 Windows Group Policy Preference Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37994 Windows Group Policy Preference Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37975 Windows Group Policy Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38051 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37997 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-33635 Windows GDI+ Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-37987 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37989 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability Yes No 7.8 Yes
CVE-2022-38044 Windows CD-ROM File System Driver Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-33645 Windows TCP/IP Driver Denial of Service Vulnerability No No 7.5 No
CVE-2022-38041 Windows Secure Channel Denial of Service Vulnerability No No 7.5 No
CVE-2022-34689 Windows CryptoAPI Spoofing Vulnerability No No 7.5 Yes
CVE-2022-37978 Windows Active Directory Certificate Services Security Feature Bypass No No 7.5 Yes
CVE-2022-38042 Active Directory Domain Services Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-38029 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-38033 Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-35770 Windows NTLM Spoofing Vulnerability No No 6.5 Yes
CVE-2022-37977 Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability No No 6.5 No
CVE-2022-38032 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability No No 5.9 Yes
CVE-2022-38043 Windows Security Support Provider Interface Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-37985 Windows Graphics Component Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38026 Windows DHCP Client Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38034 Windows Workstation Service Elevation of Privilege Vulnerability No No 4.3 Yes
CVE-2022-37981 Windows Event Logging Service Denial of Service Vulnerability No No 4.3 Yes
CVE-2022-38022 Windows Kernel Elevation of Privilege Vulnerability No No 2.5 Yes

Patch Tuesday – September 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/09/13/patch-tuesday-september-2022/

Patch Tuesday - September 2022

This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset they’ve already got an initial foothold in. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, Microsoft has released a fix for CVE-2022-23960 (aka Spectre-BHB) for Windows 11 on ARM64.

Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

SharePoint administrators should also be aware of four separate RCEs being addressed this month. They’re ranked Important, meaning Microsoft recommends applying the updates at the earliest opportunity. Finally, a large swath of CVEs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver were also fixed. These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file.

Summary charts

Patch Tuesday - September 2022
Patch Tuesday - September 2022
Patch Tuesday - September 2022
Patch Tuesday - September 2022

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38007 Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability No No 7.8 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38012 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.7 Yes
CVE-2022-3075 Chromium: CVE-2022-3075 Insufficient data validation in Mojo No No N/A Yes
CVE-2022-3058 Chromium: CVE-2022-3058 Use after free in Sign-In Flow No No N/A Yes
CVE-2022-3057 Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox No No N/A Yes
CVE-2022-3056 Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy No No N/A Yes
CVE-2022-3055 Chromium: CVE-2022-3055 Use after free in Passwords No No N/A Yes
CVE-2022-3054 Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools No No N/A Yes
CVE-2022-3053 Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock No No N/A Yes
CVE-2022-3047 Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API No No N/A Yes
CVE-2022-3046 Chromium: CVE-2022-3046 Use after free in Browser Tag No No N/A Yes
CVE-2022-3045 Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8 No No N/A Yes
CVE-2022-3044 Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation No No N/A Yes
CVE-2022-3041 Chromium: CVE-2022-3041 Use after free in WebSQL No No N/A Yes
CVE-2022-3040 Chromium: CVE-2022-3040 Use after free in Layout No No N/A Yes
CVE-2022-3039 Chromium: CVE-2022-3039 Use after free in WebSQL No No N/A Yes
CVE-2022-3038 Chromium: CVE-2022-3038 Use after free in Network Service No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-26929 .NET Framework Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38013 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5 No
CVE-2022-38020 Visual Studio Code Elevation of Privilege Vulnerability No No 7.3 Yes

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37964 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 No

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35805 Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34700 Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability No No 8.8 Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38008 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38009 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-37961 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35823 Microsoft SharePoint Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-37962 Microsoft PowerPoint Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38010 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-37963 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35828 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability No No 7.8 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35841 Windows Enterprise App Management Service Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-30196 Windows Secure Channel Denial of Service Vulnerability No No 8.2 Yes
CVE-2022-37957 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37954 DirectX Graphics Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38019 AV1 Video Extension Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35838 HTTP V3 Denial of Service Vulnerability No No 7.5 No
CVE-2022-38011 Raw Image Extension Remote Code Execution Vulnerability No No 7.3 Yes
CVE-2022-26928 Windows Photo Import API Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-34725 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-37959 Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability No No 6.5 Yes
CVE-2022-35831 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34723 Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-23960 Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability No Yes N/A Yes

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-34718 Windows TCP/IP Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-34721 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-34722 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-35834 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35835 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35836 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35840 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34731 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34733 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34726 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34727 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34730 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34732 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34734 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-33679 Windows Kerberos Elevation of Privilege Vulnerability No No 8.1 Yes
CVE-2022-33647 Windows Kerberos Elevation of Privilege Vulnerability No No 8.1 Yes
CVE-2022-35830 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-38005 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30200 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-37956 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37955 Windows Group Policy Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34729 Windows GDI Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38004 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-34719 Windows Distributed File System (DFS) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37969 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes Yes 7.8 Yes
CVE-2022-35803 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35833 Windows Secure Channel Denial of Service Vulnerability No No 7.5 No
CVE-2022-34720 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5 No
CVE-2022-34724 Windows DNS Server Denial of Service Vulnerability No No 7.5 No
CVE-2022-37958 SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-30170 Windows Credential Roaming Service Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-38006 Windows Graphics Component Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-34728 Windows Graphics Component Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-35832 Windows Event Tracing Denial of Service Vulnerability No No 5.5 No
CVE-2022-35837 Windows Graphics Component Information Disclosure Vulnerability No No 5 Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – August 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/08/09/patch-tuesday-august-2022/

Patch Tuesday - August 2022

It’s the week of Hacker Summer Camp in Las Vegas, and Microsoft has published fixes for 141 separate vulnerabilities in their swath of August updates. This is a new monthly record by raw CVE count, but from a patching perspective, the numbers are slightly less dire. 20 CVEs affect their Chromium-based Edge browser, and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month). As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.

There is one 0-day being patched this month. CVE-2022-34713 is a remote code execution (RCE) vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT) – it carries a CVSSv3 base score of 7.8, as it requires convincing a potential victim to open a malicious file. The advisory indicates that this CVE is a variant of the “Dogwalk” vulnerability, which made news alongside Follina (CVE-2022-30190) back in May.

Publicly disclosed, but not (yet) exploited is CVE-2022-30134, an Information Disclosure vulnerability affecting Exchange Server. In this case, simply patching is not sufficient to protect against attackers being able to read targeted email messages. Administrators should enable Extended Protection in order to fully remediate this vulnerability, as well as the five other vulnerabilities affecting Exchange this month. Details about how to accomplish this are available via the Exchange Blog.

Microsoft also patched several flaws affecting Remote Access Server (RAS). The most severe of these (CVE-2022-30133 and CVE-2022-35744) are related to Windows Point-to-Point Tunneling Protocol and could allow RCE simply by sending a malicious connection request to a server. Seven CVEs affecting the Windows Secure Socket Tunneling Protocol (SSTP) on RAS were also fixed this month: six RCEs and one Denial of Service. If you have RAS in your environment but are unable to patch immediately, consider blocking traffic on port 1723 from your network.

Vulnerabilities affecting Windows Network File System (NFS) have been trending in recent months, and today sees Microsoft patching CVE-2022-34715 (RCE, CVSS 9.8) affecting NFSv4.1 on Windows Server 2022.

This is the worst of it. One last vulnerability to highlight: CVE-2022-35797 is a Security Feature Bypass in Windows Hello – Microsoft’s biometric authentication mechanism for Windows 10. Successful exploitation requires physical access to a system, but would allow an attacker to bypass a facial recognition check.

Summary charts

Patch Tuesday - August 2022
Patch Tuesday - August 2022
Patch Tuesday - August 2022
Patch Tuesday - August 2022

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35802 Azure Site Recovery Elevation of Privilege Vulnerability No No 8.1 Yes
CVE-2022-30175 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30176 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-34687 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35773 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35779 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35806 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35772 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-35824 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33646 Azure Batch Node Agent Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-35780 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35781 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35799 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35775 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35801 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35807 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35808 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35782 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35809 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35784 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35810 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35811 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35785 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35786 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35813 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35788 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35814 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35789 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35815 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35790 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35816 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35817 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35791 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35818 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35819 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35776 Azure Site Recovery Denial of Service Vulnerability No No 6.2 Yes
CVE-2022-34685 Azure RTOS GUIX Studio Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34686 Azure RTOS GUIX Studio Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-35774 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-35800 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-35787 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-35821 Azure Sphere Information Disclosure Vulnerability No No 4.4 Yes
CVE-2022-35783 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes
CVE-2022-35812 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33649 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 9.6 Yes
CVE-2022-33636 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 8.3 Yes
CVE-2022-35796 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.5 Yes
CVE-2022-2624 Chromium: CVE-2022-2624 Heap buffer overflow in PDF No No N/A Yes
CVE-2022-2623 Chromium: CVE-2022-2623 Use after free in Offline No No N/A Yes
CVE-2022-2622 Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing No No N/A Yes
CVE-2022-2621 Chromium: CVE-2022-2621 Use after free in Extensions No No N/A Yes
CVE-2022-2619 Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings No No N/A Yes
CVE-2022-2618 Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals No No N/A Yes
CVE-2022-2617 Chromium: CVE-2022-2617 Use after free in Extensions API No No N/A Yes
CVE-2022-2616 Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API No No N/A Yes
CVE-2022-2615 Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies No No N/A Yes
CVE-2022-2614 Chromium: CVE-2022-2614 Use after free in Sign-In Flow No No N/A Yes
CVE-2022-2612 Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input No No N/A Yes
CVE-2022-2611 Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API No No N/A Yes
CVE-2022-2610 Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch No No N/A Yes
CVE-2022-2606 Chromium: CVE-2022-2606 Use after free in Managed devices API No No N/A Yes
CVE-2022-2605 Chromium: CVE-2022-2605 Out of bounds read in Dawn No No N/A Yes
CVE-2022-2604 Chromium: CVE-2022-2604 Use after free in Safe Browsing No No N/A Yes
CVE-2022-2603 Chromium: CVE-2022-2603 Use after free in Omnibox No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35777 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35825 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35826 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35827 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34716 .NET Spoofing Vulnerability No No 5.9 Yes

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30133 Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-35744 Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-34691 Active Directory Domain Services Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-34714 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35745 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35752 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35753 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-34702 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35767 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-34706 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34707 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35768 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35756 Windows Kerberos Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35751 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35795 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35820 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35750 Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34713 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability Yes Yes 7.8 Yes
CVE-2022-35743 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35760 Microsoft ATA Port Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30194 Windows WebBrowser Control Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-35769 Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability No No 7.5 No
CVE-2022-35793 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-34690 Windows Fax Service Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-35759 Windows Local Security Authority (LSA) Denial of Service Vulnerability No No 6.5 No
CVE-2022-35747 Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability No No 5.9 Yes
CVE-2022-35758 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34708 Windows Kernel Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34701 Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability No No 5.3 No

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-21980 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8 Yes
CVE-2022-24516 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8 Yes
CVE-2022-24477 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8 Yes
CVE-2022-30134 Microsoft Exchange Information Disclosure Vulnerability No Yes 7.6 Yes
CVE-2022-34692 Microsoft Exchange Information Disclosure Vulnerability No No 5.3 Yes
CVE-2022-21979 Microsoft Exchange Information Disclosure Vulnerability No No 4.8 Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-34717 Microsoft Office Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-33648 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35742 Microsoft Outlook Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-33631 Microsoft Excel Security Feature Bypass Vulnerability No No 7.3 Yes

System Center Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33640 System Center Operations Manager: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability No No 7.8 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-34715 Windows Network File System Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-35804 SMB Client and Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35761 Windows Kernel Elevation of Privilege Vulnerability No No 8.4 Yes
CVE-2022-35766 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35794 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-34699 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-33670 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34703 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34696 Windows Hyper-V Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35746 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35749 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34705 Windows Defender Credential Guard Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35771 Windows Defender Credential Guard Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35762 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35763 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35764 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35765 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35792 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30144 Windows Bluetooth Service Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-35748 HTTP.sys Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-35755 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-35757 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-35754 Unified Write Filter Elevation of Privilege Vulnerability No No 6.7 Yes
CVE-2022-35797 Windows Hello Security Feature Bypass Vulnerability No No 6.1 Yes
CVE-2022-34709 Windows Defender Credential Guard Security Feature Bypass Vulnerability No No 6 Yes
CVE-2022-30197 Windows Kernel Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34710 Windows Defender Credential Guard Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34712 Windows Defender Credential Guard Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34704 Windows Defender Credential Guard Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34303 CERT/CC: CVE-20220-34303 Crypto Pro Boot Loader Bypass No No N/A Yes
CVE-2022-34302 CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass No No N/A Yes
CVE-2022-34301 CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass No No N/A Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – July 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/07/12/patch-tuesday-july-2022/

Patch Tuesday - July 2022

Microsoft’s updates for July’s Patch Tuesday fix 86 CVEs, including two vulnerabilities in their Chromium-based Edge browser that were patched earlier in the month.

One 0-day vulnerability has been patched: CVE-2022-22047 affects all currently supported versions of Microsoft’s pervasive operating system. This is an elevation-of-privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS), a critical service that is often impersonated by malware. An attacker with an already-existing foothold can exploit this vulnerability to gain SYSTEM-level privileges. Two similar vulnerabilities in CSRSS (CVE-2022-22049 and CVE-2022-22026) were also fixed, likely as a result of Microsoft’s investigation into the in-the-wild exploitation of CVE-2022-22047.

Four critical remote code execution (RCE) vulnerabilities were fixed today. CVE-2022-22029 and CVE-2022-22039 affect network file system (NFS) servers, and CVE-2022-22038 affects the remote procedure call (RPC) runtime. Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later. CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.

Over a third of today’s vulnerabilities (a whopping 32 CVEs) affect their Azure Site Recovery offering. Anyone making use of this VMWare-to-Azure backup solution should be sure to upgrade to version 9.49 of the Microsoft Azure Site Recovery Unified Setup, available in Update rollup 62.

Summary charts

Patch Tuesday - July 2022
Patch Tuesday - July 2022
Patch Tuesday - July 2022
Patch Tuesday - July 2022

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33676 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33678 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33674 Azure Site Recovery Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-33675 Azure Site Recovery Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-33677 Azure Site Recovery Elevation of Privilege Vulnerability No No 7.2 Yes
CVE-2022-30181 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33641 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33643 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33655 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33656 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33657 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33661 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33662 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33663 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33665 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33666 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33667 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33672 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33673 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33642 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33650 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33651 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33653 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33654 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33659 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33660 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33664 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33668 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33669 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33671 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33652 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes
CVE-2022-33658 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes

Azure Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30187 Azure Storage Library Information Disclosure Vulnerability No No 4.7 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-2295 Chromium: CVE-2022-2295 Type Confusion in V8 No No N/A Yes
CVE-2022-2294 Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC No No N/A Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33633 Skype for Business and Lync Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33632 Microsoft Office Security Feature Bypass Vulnerability No No 4.7 Yes

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33637 Microsoft Defender for Endpoint Tampering Vulnerability No No 6.5 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33644 Xbox Live Save Service Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-22045 Windows.Devices.Picker.dll Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30222 Windows Shell Remote Code Execution Vulnerability No No 8.4 Yes
CVE-2022-30216 Windows Server Service Tampering Vulnerability No No 8.8 Yes
CVE-2022-22041 Windows Print Spooler Elevation of Privilege Vulnerability No No 6.8 Yes
CVE-2022-30214 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-22031 Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30212 Windows Connected Devices Platform Service Information Disclosure Vulnerability No No 4.7 Yes
CVE-2022-22711 Windows BitLocker Information Disclosure Vulnerability No No 6.7 Yes
CVE-2022-22038 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-27776 HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data No No N/A Yes
CVE-2022-30215 Active Directory Federation Services Elevation of Privilege Vulnerability No No 7.5 Yes

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30208 Windows Security Account Manager (SAM) Denial of Service Vulnerability No No 6.5 No
CVE-2022-30206 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30226 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-22022 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-22023 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability No No 6.6 Yes
CVE-2022-22029 Windows Network File System Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-22039 Windows Network File System Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-22028 Windows Network File System Information Disclosure Vulnerability No No 5.9 Yes
CVE-2022-30225 Windows Media Player Network Sharing Service Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-30211 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-21845 Windows Kernel Information Disclosure Vulnerability No No 4.7 Yes
CVE-2022-22025 Windows Internet Information Services Cachuri Module Denial of Service Vulnerability No No 7.5 No
CVE-2022-30209 Windows IIS Server Elevation of Privilege Vulnerability No No 7.4 Yes
CVE-2022-22042 Windows Hyper-V Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-30223 Windows Hyper-V Information Disclosure Vulnerability No No 5.7 Yes
CVE-2022-30205 Windows Group Policy Elevation of Privilege Vulnerability No No 6.6 Yes
CVE-2022-30221 Windows Graphics Component Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-22034 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30213 Windows GDI+ Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-22024 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22027 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22050 Windows Fax Service Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-22043 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30220 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-22026 Windows CSRSS Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-22047 Windows CSRSS Elevation of Privilege Vulnerability Yes No 7.8 Yes
CVE-2022-22049 Windows CSRSS Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30203 Windows Boot Manager Security Feature Bypass Vulnerability No No 7.4 Yes
CVE-2022-22037 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability No No 7.5 Yes
CVE-2022-30202 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-30224 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-22036 Performance Counters for Windows Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-22040 Internet Information Services Dynamic Compression Module Denial of Service Vulnerability No No 7.3 Yes
CVE-2022-22048 BitLocker Security Feature Bypass Vulnerability No No 6.1 Yes
CVE-2022-23825 AMD: CVE-2022-23825 AMD CPU Branch Type Confusion No No N/A Yes
CVE-2022-23816 AMD: CVE-2022-23816 AMD CPU Branch Type Confusion No No N/A Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – June 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/06/14/patch-tuesday-june-2022/

Patch Tuesday - June 2022

July’s Patch Tuesday sees Microsoft releasing fixes for over 60 CVEs. Top of mind for many administrators this month is CVE-2022-30190, also known as Follina, which was observed being exploited in the wild at the end of May. Microsoft provided mitigation instructions (disabling the MSDT URL protocol via the registry), but actual patches were not available until today’s cumulative Windows Updates. Even if the mitigation was previously applied, installing the updates is highly recommended.

None of the other CVEs being addressed this month have been previously disclosed or seen exploited yet. However, it won’t be long before attackers start looking at CVE-2022-30136, a critical remote code execution (RCE) vulnerability affecting the Windows Network File System (NFS). Last month, Microsoft fixed a similar vulnerability (CVE-2022-26937) affecting NFS v2.0 and v3.0. CVE-2022-30136, on the other hand, is only exploitable in NFS v4.1. Microsoft has provided mitigation guidance to disable NFS v4.1, which should only be done if the May updates fixing previous NFS versions have been applied. Again, even if the mitigation has been put into place, best to patch sooner rather than later.

Also reminiscent of last month is CVE-2022-30139, a critical RCE in LDAP carrying a CVSSv3 base score of 7.1, which again is only exploitable if the MaxReceiveBuffer LDAP policy value is set higher than the default. Rounding out the critical RCEs for July is CVE-2022-30163, which could allow a malicious application running on a Hyper-V guest to execute code on the host OS.

The other big news this month is the end of support for Internet Explorer 11 (IE11) on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual Channels, as Microsoft encourages users to adopt the Chromium-based Edge browser (which saw fixes for 5 CVEs this month). Internet Explorer 11 on other versions of Windows should continue receiving security updates and technical support based on the OS support lifecycle, so this is only the beginning of the end for the legacy browser.

Summary charts

Patch Tuesday - June 2022
Patch Tuesday - June 2022
Patch Tuesday - June 2022
Patch Tuesday - June 2022

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30168 Microsoft Photos App Remote Code Execution Vulnerability No No 7.8 Yes

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30137 Azure Service Fabric Container Elevation of Privilege Vulnerability No No 6.7 Yes
CVE-2022-30177 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30178 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30179 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30180 Azure RTOS GUIX Studio Information Disclosure Vulnerability No No 7.8 Yes

Azure System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-29149 Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability No No 7.8 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-22021 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 8.3 Yes
CVE-2022-2011 Chromium: CVE-2022-2011 Use after free in ANGLE No No N/A Yes
CVE-2022-2010 Chromium: CVE-2022-2010 Out of bounds read in compositing No No N/A Yes
CVE-2022-2008 Chromium: CVE-2022-2008 Out of bounds memory access in WebGL No No N/A Yes
CVE-2022-2007 Chromium: CVE-2022-2007 Use after free in WebGPU No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30184 .NET and Visual Studio Information Disclosure Vulnerability No No 5.5 Yes

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30140 Windows iSCSI Discovery Service Remote Code Execution Vulnerability No No 7.1 Yes
CVE-2022-30152 Windows Network Address Translation (NAT) Denial of Service Vulnerability No No 7.5 No
CVE-2022-30135 Windows Media Center Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-30153 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-30161 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-30141 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-30143 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-30149 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-30146 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-30155 Windows Kernel Denial of Service Vulnerability No No 5.5 Yes
CVE-2022-30147 Windows Installer Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-30163 Windows Hyper-V Remote Code Execution Vulnerability No No 8.5 Yes
CVE-2022-30142 Windows File History Remote Code Execution Vulnerability No No 7.1 Yes
CVE-2022-30151 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-30160 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-30166 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21166 Intel: CVE-2022-21166 Device Register Partial Write (DRPW) No No N/A Yes
CVE-2022-21127 Intel: CVE-2022-21127 Special Register Buffer Data Sampling Update (SRBDS Update) No No N/A Yes
CVE-2022-21125 Intel: CVE-2022-21125 Shared Buffers Data Sampling (SBDS) No No N/A Yes
CVE-2022-21123 Intel: CVE-2022-21123 Shared Buffers Data Read (SBDR) No No N/A Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30157 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-30158 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-30174 Microsoft Office Remote Code Execution Vulnerability No No 7.4 Yes
CVE-2022-30159 Microsoft Office Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-30171 Microsoft Office Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-30172 Microsoft Office Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-30173 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-29143 Microsoft SQL Server Remote Code Execution Vulnerability No No 7.5 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-32230 Windows SMB Denial of Service Vulnerability No No N/A Yes
CVE-2022-30136 Windows Network File System Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-30139 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-30162 Windows Kernel Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-30165 Windows Kerberos Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-30145 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-30148 Windows Desired State Configuration (DSC) Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-30150 Windows Defender Remote Credential Guard Elevation of Privilege Vulnerability No No 7.5 Yes
CVE-2022-30132 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-30131 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-30189 Windows Autopilot Device Management and Enrollment Client Spoofing Vulnerability No No 6.5 Yes
CVE-2022-30154 Microsoft File Server Shadow Copy Agent Service (RVSS) Elevation of Privilege Vulnerability No No 5.3 Yes
CVE-2022-30164 Kerberos AppContainer Security Feature Bypass Vulnerability No No 8.4 Yes
CVE-2022-29111 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22018 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30188 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-29119 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30167 AV1 Video Extension Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30193 AV1 Video Extension Remote Code Execution Vulnerability No No 7.8 Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Additional reading:

Patch Tuesday – May 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/05/10/patch-tuesday-may-2022/

Patch Tuesday - May 2022

This month is par for the course in terms of both number and severity of vulnerabilities being patched by Microsoft. That means there’s plenty of work to be done by system and network administrators, as usual.

There is one 0-day this month: CVE-2022-26925, a Spoofing vulnerability in the Windows Local Security Authority (LSA) subsystem, which allows attackers able to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication. This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution (RCE). This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.

Two other CVEs were also publicly disclosed before today’s releases, though they have not yet been seen exploited in the wild. CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later). CVE-2022-29972 is a Critical RCE that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime (a client agent that enables on-premises data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines). This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.

All told, 74 CVEs were fixed this month, the vast majority of which affect functionality within the Windows operating system. Other notable vulnerabilities include CVE-2022-21972 and CVE-2022-23270, critical RCEs in the Point-to-Point Tunneling Protocol. Exploitation requires attackers to win a race condition, which increases the complexity, but if you have any RAS servers in your environment, patch sooner rather than later.

CVE-2022-26937 carries a CVSSv3 score of 9.8 and affects services using the Windows Network File System (NFS). This can be mitigated by disabling NFSV2 and NFSV3 on the server; however, this may cause compatibility issues, and upgrading is highly recommended.

CVE-2022-22017 is yet another client-side Remote Desktop Protocol (RDP) vulnerability. While not as worrisome as when an RCE affects RDP servers, if a user can be enticed to connect to a malicious RDP server via social engineering tactics, an attacker will gain RCE on their system.

Sharepoint Server administrators should be aware of CVE-2022-29108, a post-authentication RCE fixed today. Exchange admins have CVE-2022-21978 to worry about, which could allow an attacker with elevated privileges on an Exchange server to gain the rights of a Domain Administrator.

A host of Lightweight Directory Access Protocol (LDAP) vulnerabilities were also addressed this month, including CVE-2022-22012 and CVE-2022-29130 – both RCEs that, thankfully, are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.

Although there are no browser vulnerabilities this month, two RCEs affecting Excel (CVE-2022-29109 and CVE-2022-29110) and one Security Feature Bypass affecting Office (CVE-2022-29107) mean there is still some endpoint application patching to do.

Summary charts

Patch Tuesday - May 2022
Patch Tuesday - May 2022
Patch Tuesday - May 2022
Patch Tuesday - May 2022

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-29972 Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver No Yes N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-29148 Visual Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30129 Visual Studio Code Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-23267 .NET and Visual Studio Denial of Service Vulnerability No No 7.5 No
CVE-2022-29117 .NET and Visual Studio Denial of Service Vulnerability No No 7.5 No
CVE-2022-29145 .NET and Visual Studio Denial of Service Vulnerability No No 7.5 No
CVE-2022-30130 .NET Framework Denial of Service Vulnerability No No 3.3 No

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-26935 Windows WLAN AutoConfig Service Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-29121 Windows WLAN AutoConfig Service Denial of Service Vulnerability No No 6.5 Yes
CVE-2022-26936 Windows Server Service Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-22015 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-29103 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-29132 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26937 Windows Network File System Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-26925 Windows LSA Spoofing Vulnerability Yes Yes 8.1 Yes
CVE-2022-22012 Windows LDAP Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-29130 Windows LDAP Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-22013 Windows LDAP Remote Code Execution Vulnerability No No 8.8 No
CVE-2022-22014 Windows LDAP Remote Code Execution Vulnerability No No 8.8 No
CVE-2022-29128 Windows LDAP Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-29129 Windows LDAP Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-29137 Windows LDAP Remote Code Execution Vulnerability No No 8.8 No
CVE-2022-29139 Windows LDAP Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-29141 Windows LDAP Remote Code Execution Vulnerability No No 8.8 No
CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability No No 7.5 Yes
CVE-2022-26934 Windows Graphics Component Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-29112 Windows Graphics Component Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-22011 Windows Graphics Component Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-29115 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-26926 Windows Address Book Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22019 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21972 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-23270 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-29105 Microsoft Windows Media Foundation Remote Code Execution Vulnerability No No 7.8 No
CVE-2022-29127 BitLocker Security Feature Bypass Vulnerability No No 4.2 Yes

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-21978 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8.2 Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-29108 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-29107 Microsoft Office Security Feature Bypass Vulnerability No No 5.5 Yes
CVE-2022-29109 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-29110 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-26930 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-29125 Windows Push Notifications Apps Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-29114 Windows Print Spooler Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-29140 Windows Print Spooler Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-29104 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-22016 Windows PlayToManager Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-26933 Windows NTFS Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-29131 Windows LDAP Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-29116 Windows Kernel Information Disclosure Vulnerability No No 4.7 Yes
CVE-2022-29133 Windows Kernel Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-29142 Windows Kernel Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-29106 Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24466 Windows Hyper-V Security Feature Bypass Vulnerability No No 4.1 Yes
CVE-2022-22713 Windows Hyper-V Denial of Service Vulnerability No Yes 5.6 Yes
CVE-2022-26927 Windows Graphics Component Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-29102 Windows Failover Cluster Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-29113 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-29134 Windows Clustered Shared Volume Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-29120 Windows Clustered Shared Volume Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-29122 Windows Clustered Shared Volume Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-29123 Windows Clustered Shared Volume Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-29138 Windows Clustered Shared Volume Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-29135 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-29150 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-29151 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-26913 Windows Authentication Security Feature Bypass Vulnerability No No 7.4 Yes
CVE-2022-23279 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-29126 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-26932 Storage Spaces Direct Elevation of Privilege Vulnerability No No 8.2 Yes
CVE-2022-26938 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-26939 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-26940 Remote Desktop Protocol Client Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-22017 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability No No 8.8 Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – April 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/04/12/patch-tuesday-april-2022/

Patch Tuesday - April 2022

From Defender to Windows, Office to Azure, this month’s Patch Tuesday has a large swath of Microsoft’s portfolio getting vulnerabilities fixed. 119 CVEs were addressed today, not including the 26 Chromium vulnerabilities that were fixed in the Edge browser.

One of these has been observed being exploited in the wild: CVE-2022-24521, reported to Microsoft by the National Security Agency, affects the Common Log File System Driver in all supported versions of Windows and allows attackers to gain additional privileges on a system they already have local access to. Another local privilege escalation (LPE), CVE-2022-26904 affecting the Windows User Profile Service, had been publicly disclosed but not reported as already being exploited – it’s harder for attackers to leverage as it relies on winning a race condition, which can be tricky to reliably achieve.

LPEs don’t always get the same attention that remote code execution (RCE) vulnerabilities do, but they can be a great help to attackers after they gain an initial foothold. These two categories dominate this month’s vulnerabilities, with 55 LPEs and 47 RCEs getting patched. 10 of the RCEs are considered “Critical,” affecting Windows Hyper-V (CVE-2022-22008, CVE-2022-23257, CVE-2022-24537); Windows SMB Client (CVE-2022-24500, CVE-2022-24541); Windows Network File System (CVE-2022-24491 and CVE-2022-24497); LDAP (CVE-2022-26919); Microsoft Dynamics (CVE-2022-23259); and the Windows RPC Runtime (CVE-2022-26809).

On the Office side of the house, Skype for Business Server was patched for spoofing (CVE-2022-26910) and information disclosure (CVE-2022-26911) vulnerabilities. Two RCEs affecting Excel (CVE-2022-24473 and CVE-2022-26901) were fixed, as well as a spoofing vulnerability in SharePoint Server (CVE-2022-24472).

With so many vulnerabilities to manage, it can be difficult to prioritize. Thankfully, most of this month’s CVEs can be addressed by patching the core OS. Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter – victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won’t help much if the malicious system was set up within the perimeter.

For any readers who enjoy deeper dives into vulnerabilities and exploits, Rapid7’s Jake Baines has a technical writeup of CVE-2022-24527, an LPE he discovered in the Connected Cache component of Microsoft Endpoint Manager that got fixed today. Check it out!

Summary charts

Patch Tuesday - April 2022
Patch Tuesday - April 2022
Patch Tuesday - April 2022
Patch Tuesday - April 2022

Summary tables

Azure Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-26898 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26896 Azure Site Recovery Information Disclosure Vulnerability No No 4.9 Yes
CVE-2022-26897 Azure Site Recovery Information Disclosure Vulnerability No No 4.9 Yes
CVE-2022-26907 Azure SDK for .NET Information Disclosure Vulnerability No No 5.3 Yes

Browser Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24523 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3 Yes
CVE-2022-24475 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-26891 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-26894 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-26895 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-26900 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-26908 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-26909 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-26912 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-1232 Chromium: CVE-2022-1232 Type Confusion in V8 No No N/A Yes
CVE-2022-1146 Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing No No N/A Yes
CVE-2022-1145 Chromium: CVE-2022-1145 Use after free in Extensions No No N/A Yes
CVE-2022-1143 Chromium: CVE-2022-1143 Heap buffer overflow in WebUI No No N/A Yes
CVE-2022-1139 Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API No No N/A Yes
CVE-2022-1138 Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor No No N/A Yes
CVE-2022-1137 Chromium: CVE-2022-1137 Inappropriate implementation in Extensions No No N/A Yes
CVE-2022-1136 Chromium: CVE-2022-1136 Use after free in Tab Strip No No N/A Yes
CVE-2022-1135 Chromium: CVE-2022-1135 Use after free in Shopping Cart No No N/A Yes
CVE-2022-1134 Chromium: CVE-2022-1134 Type Confusion in V8 No No N/A Yes
CVE-2022-1133 Chromium: CVE-2022-1133 Use after free in WebRTC No No N/A Yes
CVE-2022-1131 Chromium: CVE-2022-1131 Use after free in Cast UI No No N/A Yes
CVE-2022-1130 Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP No No N/A Yes
CVE-2022-1129 Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen Mode No No N/A Yes
CVE-2022-1128 Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API No No N/A Yes
CVE-2022-1127 Chromium: CVE-2022-1127 Use after free in QR Code Generator No No N/A Yes
CVE-2022-1125 Chromium: CVE-2022-1125 Use after free in Portals No No N/A Yes

Developer Tools Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-26924 YARP Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-24513 Visual Studio Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26921 Visual Studio Code Elevation of Privilege Vulnerability No No 7.3 No
CVE-2022-24765 GitHub: Uncontrolled search for the Git directory in Git for Windows No No N/A Yes
CVE-2022-24767 GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account No No N/A Yes
CVE-2022-26832 .NET Framework Denial of Service Vulnerability No No 7.5 No

Microsoft Dynamics Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-23259 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability No No 8.8 Yes

Microsoft Office Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-26910 Skype for Business and Lync Spoofing Vulnerability No No 5.3 Yes
CVE-2022-26911 Skype for Business Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-24472 Microsoft SharePoint Server Spoofing Vulnerability No No 8 Yes
CVE-2022-24473 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-26901 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

SQL Server Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-23292 Microsoft Power BI Spoofing Vulnerability No No 5.9 Yes

System Center Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24548 Microsoft Defender Denial of Service Vulnerability No No 5.5 Yes

Windows Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24543 Windows Upgrade Assistant Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24550 Windows Telephony Server Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26786 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26789 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26791 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26793 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26795 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24491 Windows Network File System Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-24497 Windows Network File System Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-24487 Windows Local Security Authority (LSA) Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-24483 Windows Kernel Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-24545 Windows Kerberos Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-24486 Windows Kerberos Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24490 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability No No 8.1 Yes
CVE-2022-24539 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability No No 8.1 Yes
CVE-2022-26783 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-26785 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-23257 Windows Hyper-V Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-22008 Windows Hyper-V Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24537 Windows Hyper-V Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22009 Windows Hyper-V Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-23268 Windows Hyper-V Denial of Service Vulnerability No No 6.5 Yes
CVE-2022-26920 Windows Graphics Component Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-26808 Windows File Explorer Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24495 Windows Direct Show – Remote Code Execution Vulnerability No No 7 Yes
CVE-2022-24547 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24488 Windows Desktop Bridge Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24546 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26811 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26823 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26824 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26825 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26826 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26814 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-26817 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-26818 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-26816 Windows DNS Server Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-24538 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability No No 6.5 No
CVE-2022-26784 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability No No 6.5 No
CVE-2022-24484 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability No No 5.5 No
CVE-2022-26828 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24549 Windows AppX Package Manager Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24482 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-26914 Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26788 PowerShell Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24496 Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24532 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-26830 DiskUsage.exe Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-24479 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24489 Cluster Client Failover (CCF) Elevation of Privilege Vulnerability No No 7.8 No

Windows ESU Vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24498 Windows iSCSI Target Service Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-26807 Windows Work Folder Service Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24474 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24542 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26904 Windows User Profile Service Elevation of Privilege Vulnerability No Yes 7 Yes
CVE-2022-24541 Windows Server Service Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-26915 Windows Secure Channel Denial of Service Vulnerability No No 7.5 No
CVE-2022-24500 Windows SMB Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-26787 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26790 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26792 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26794 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26796 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26797 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26798 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26801 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26802 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26803 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26919 Windows LDAP Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-26831 Windows LDAP Denial of Service Vulnerability No No 7.5 No
CVE-2022-24544 Windows Kerberos Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24530 Windows Installer Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24499 Windows Installer Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26903 Windows Graphics Component Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-26810 Windows File Server Resource Management Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-26827 Windows File Server Resource Management Service Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-26916 Windows Fax Compose Form Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-26917 Windows Fax Compose Form Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-26918 Windows Fax Compose Form Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24527 Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-26812 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26813 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-24536 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26815 Windows DNS Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-26819 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-26820 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-26821 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-26822 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-26829 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes No 7.8 No
CVE-2022-24481 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24494 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24540 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-21983 Win32 Stream Enumeration Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-24534 Win32 Stream Enumeration Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-24485 Win32 File Enumeration Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-26809 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-24528 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-24492 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-24533 Remote Desktop Protocol Remote Code Execution Vulnerability No No 8 Yes
CVE-2022-24493 Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability No No 5.5 Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – March 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/03/08/patch-tuesday-march-2022/

Patch Tuesday - March 2022

Microsoft’s March 2022 updates include fixes for 92 CVEs (including 21 from the Chromium project, which is used by their Edge web browser). None of them have been seen exploited in the wild, but three have been previously disclosed. CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting Remote Desktop Client, both allow RCE (Remote Code Execution). CVE-2022-24459 is an LPE (local privilege escalation) vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated Important – organizations should remediate at their regular patch cadence.

Three CVEs this month are rated Critical. CVE-2022-22006 and CVE-2022-24501 both affect video codecs. In most cases, these will update automatically via the Microsoft Store. However, any organizations with automatic updates disabled should be sure to push out updates. The vulnerability most likely to raise eyebrows this month is CVE-2022-23277, a Critical RCE affecting Exchange Server. Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it. Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.

SharePoint administrators get a break this month, though on the client side, a handful of Office vulnerabilities were fixed. Three separate RCEs in Visio, Tampering and Security Feature Bypass vulnerabilities in Word, and Information Disclosure in the Skype Extension for Chrome all got patched.

CVE-2022-24508 is an RCE affecting Windows SMBv3, which has potential for widespread exploitation, assuming an attacker can put together a suitable exploit. Luckily, like this month’s Exchange vulnerabilities, this too requires authentication.

Organizations using Microsoft’s Azure Site Recovery service should be aware that 11 CVEs were fixed with today’s updates, split between RCEs and LPEs. They are all specific to the scenario where an on-premise VMware deployment is set up to use Azure for disaster recovery.

Summary charts

Patch Tuesday - March 2022
Patch Tuesday - March 2022
Patch Tuesday - March 2022
Patch Tuesday - March 2022

Summary tables

Apps vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-23282 Paint 3D Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24465 Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability No No 3.3 Yes

Azure vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24467 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-24468 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-24517 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-24470 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-24471 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-24520 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-24469 Azure Site Recovery Elevation of Privilege Vulnerability No No 8.1 Yes
CVE-2022-24506 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-24515 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-24518 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-24519 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes

Browser vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-0809 Chromium: CVE-2022-0809 Out of bounds memory access in WebXR No No N/A Yes
CVE-2022-0808 Chromium: CVE-2022-0808 Use after free in Chrome OS Shell No No N/A Yes
CVE-2022-0807 Chromium: CVE-2022-0807 Inappropriate implementation in Autofill No No N/A Yes
CVE-2022-0806 Chromium: CVE-2022-0806 Data leak in Canvas No No N/A Yes
CVE-2022-0805 Chromium: CVE-2022-0805 Use after free in Browser Switcher No No N/A Yes
CVE-2022-0804 Chromium: CVE-2022-0804 Inappropriate implementation in Full screen mode No No N/A Yes
CVE-2022-0803 Chromium: CVE-2022-0803 Inappropriate implementation in Permissions No No N/A Yes
CVE-2022-0802 Chromium: CVE-2022-0802 Inappropriate implementation in Full screen mode No No N/A Yes
CVE-2022-0801 Chromium: CVE-2022-0801 Inappropriate implementation in HTML parser No No N/A Yes
CVE-2022-0800 Chromium: CVE-2022-0800 Heap buffer overflow in Cast UI No No N/A Yes
CVE-2022-0799 Chromium: CVE-2022-0799 Insufficient policy enforcement in Installer No No N/A Yes
CVE-2022-0798 Chromium: CVE-2022-0798 Use after free in MediaStream No No N/A Yes
CVE-2022-0797 Chromium: CVE-2022-0797 Out of bounds memory access in Mojo No No N/A Yes
CVE-2022-0796 Chromium: CVE-2022-0796 Use after free in Media No No N/A Yes
CVE-2022-0795 Chromium: CVE-2022-0795 Type Confusion in Blink Layout No No N/A Yes
CVE-2022-0794 Chromium: CVE-2022-0794 Use after free in WebShare No No N/A Yes
CVE-2022-0793 Chromium: CVE-2022-0793 Use after free in Views No No N/A Yes
CVE-2022-0792 Chromium: CVE-2022-0792 Out of bounds read in ANGLE No No N/A Yes
CVE-2022-0791 Chromium: CVE-2022-0791 Use after free in Omnibox No No N/A Yes
CVE-2022-0790 Chromium: CVE-2022-0790 Use after free in Cast UI No No N/A Yes
CVE-2022-0789 Chromium: CVE-2022-0789 Heap buffer overflow in ANGLE No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24526 Visual Studio Code Spoofing Vulnerability No No 6.1 Yes
CVE-2020-8927 Brotli Library Buffer Overflow Vulnerability No No 6.5 Yes
CVE-2022-24512 .NET and Visual Studio Remote Code Execution Vulnerability No Yes 6.3 Yes
CVE-2022-24464 .NET and Visual Studio Denial of Service Vulnerability No No 7.5 No

Exchange Server vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24463 Microsoft Exchange Server Spoofing Vulnerability No No 6.5 Yes
CVE-2022-23277 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8 Yes

Microsoft Office vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24522 Skype Extension for Chrome Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-24462 Microsoft Word Security Feature Bypass Vulnerability No No 5.5 Yes
CVE-2022-24511 Microsoft Office Word Tampering Vulnerability No No 5.5 Yes
CVE-2022-24509 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24461 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24510 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes

System Center vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-23265 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-23266 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-23278 Microsoft Defender for Endpoint Spoofing Vulnerability No No 5.9 Yes

Windows vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-21967 Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24525 Windows Update Stack Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24508 Windows SMBv3 Client/Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-23284 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.2 No
CVE-2022-21975 Windows Hyper-V Denial of Service Vulnerability No No 4.7 Yes
CVE-2022-23294 Windows Event Tracing Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-23291 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-23288 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-23286 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24455 Windows CD-ROM Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24507 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-23287 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24505 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24501 VP9 Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24451 VP9 Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24460 Tablet Windows User Interface Application Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-23295 Raw Image Extension Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-23300 Raw Image Extension Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22010 Media Foundation Information Disclosure Vulnerability No No 4.4 Yes
CVE-2022-21977 Media Foundation Information Disclosure Vulnerability No No 3.3 Yes
CVE-2022-22006 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-23301 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22007 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24452 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24453 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24456 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-24457 HEIF Image Extensions Remote Code Execution Vulnerability No No 7.8 Yes

Windows ESU vulnerabilities

CVE Title Exploited Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24454 Windows Security Support Provider Interface Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-23299 Windows PDEV Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-23298 Windows NT OS Kernel Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-23297 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-21973 Windows Media Center Update Denial of Service Vulnerability No No 5.5 No
CVE-2022-23296 Windows Installer Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-23290 Windows Inking COM Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-24502 Windows HTML Platforms Security Feature Bypass Vulnerability No No 4.3 Yes
CVE-2022-24459 Windows Fax and Scan Service Elevation of Privilege Vulnerability No Yes 7.8 No
CVE-2022-23293 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-23281 Windows Common Log File System Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-23283 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-24503 Remote Desktop Protocol Client Information Disclosure Vulnerability No No 5.4 Yes
CVE-2022-21990 Remote Desktop Client Remote Code Execution Vulnerability No Yes 8.8 Yes
CVE-2022-23285 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-23253 Point-to-Point Tunneling Protocol Denial of Service Vulnerability No No 6.5 No

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – February 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/02/08/patch-tuesday-february-2022/

Patch Tuesday - February 2022

Today’s fixes from Microsoft are relatively light as far as Patch Tuesdays go. This is the first month in possibly forever where no vulnerabilities are considered Critical. A total of 70 CVEs were fixed today (including 22 that affect the Chromium browser engine, which is used by Edge).

Although 16 of this month’s vulnerabilities allow remote code execution (RCE), none carry a CVSS base score higher than 8.8. Only one vulnerability was publicly disclosed before today: CVE-2022-21989, an elevation of privilege vulnerability in the Windows Kernel. None of this month’s vulnerabilities have yet been seen exploited in the wild.

Despite the lack of Critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month. RCE vulnerabilities are also important to patch, even if they may not be considered “wormable.” In terms of prioritization, defenders should first focus on patching server systems. SharePoint has RCE (CVE-2022-22005), Security Feature Bypass (CVE-2022-21968), and Spoofing (CVE-2022-21987) vulnerabilities getting fixed today. CVE-2022-21984 is an RCE affecting DNS Server. Microsoft Dynamics administrators should also be aware that there are six CVEs being patched, including 2 RCEs, 3 allowing elevation of privilege, and a spoofing vulnerability.

On the client side, CVE-2022-22003 and CVE-2022-22004 are RCEs affecting Microsoft Office. Although this requires a local user to open a malicious file, these sorts of social engineering attacks are common and can be very effective. Updates should be rolled out to end users as soon as reasonably practicable.

Summary charts

Patch Tuesday - February 2022
Patch Tuesday - February 2022
Patch Tuesday - February 2022
Patch Tuesday - February 2022

Summary tables

Azure Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23256 Azure Data Explorer Spoofing Vulnerability No No 8.1 Yes

Browser Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23261 Microsoft Edge (Chromium-based) Tampering Vulnerability No No 5.3 Yes
CVE-2022-23263 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.7 Yes
CVE-2022-23262 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 6.3 Yes
CVE-2022-0470 Chromium: CVE-2022-0470 Out of bounds memory access in V8 No No N/A Yes
CVE-2022-0469 Chromium: CVE-2022-0469 Use after free in Cast No No N/A Yes
CVE-2022-0468 Chromium: CVE-2022-0468 Use after free in Payments No No N/A Yes
CVE-2022-0467 Chromium: CVE-2022-0467 Inappropriate implementation in Pointer Lock No No N/A Yes
CVE-2022-0466 Chromium: CVE-2022-0466 Inappropriate implementation in Extensions Platform No No N/A Yes
CVE-2022-0465 Chromium: CVE-2022-0465 Use after free in Extensions No No N/A Yes
CVE-2022-0464 Chromium: CVE-2022-0464 Use after free in Accessibility No No N/A Yes
CVE-2022-0463 Chromium: CVE-2022-0463 Use after free in Accessibility No No N/A Yes
CVE-2022-0462 Chromium: CVE-2022-0462 Inappropriate implementation in Scroll No No N/A Yes
CVE-2022-0461 Chromium: CVE-2022-0461 Policy bypass in COOP No No N/A Yes
CVE-2022-0460 Chromium: CVE-2022-0460 Use after free in Window Dialog No No N/A Yes
CVE-2022-0459 Chromium: CVE-2022-0459 Use after free in Screen Capture No No N/A Yes
CVE-2022-0458 Chromium: CVE-2022-0458 Use after free in Thumbnail Tab Strip No No N/A Yes
CVE-2022-0457 Chromium: CVE-2022-0457 Type Confusion in V8 No No N/A Yes
CVE-2022-0456 Chromium: CVE-2022-0456 Use after free in Web Search No No N/A Yes
CVE-2022-0455 Chromium: CVE-2022-0455 Inappropriate implementation in Full Screen Mode No No N/A Yes
CVE-2022-0454 Chromium: CVE-2022-0454 Heap buffer overflow in ANGLE No No N/A Yes
CVE-2022-0453 Chromium: CVE-2022-0453 Use after free in Reader Mode No No N/A Yes
CVE-2022-0452 Chromium: CVE-2022-0452 Use after free in Safe Browsing No No N/A Yes

Developer Tools Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-21986 .NET Denial of Service Vulnerability No No 7.5 Yes

ESU Windows Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-21985 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-22718 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21999 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21997 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-22717 Windows Print Spooler Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-21989 Windows Kernel Elevation of Privilege Vulnerability No Yes 7.8 Yes
CVE-2022-21998 Windows Common Log File System Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-21981 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-22000 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-22710 Windows Common Log File System Driver Denial of Service Vulnerability No No 5.5 No

Microsoft Dynamics Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23269 Microsoft Dynamics GP Spoofing Vulnerability No No 6.9 Yes
CVE-2022-23274 Microsoft Dynamics GP Remote Code Execution Vulnerability No No 8.3 Yes
CVE-2022-23272 Microsoft Dynamics GP Elevation Of Privilege Vulnerability No No 8.1 Yes
CVE-2022-23273 Microsoft Dynamics GP Elevation Of Privilege Vulnerability No No 7.1 No
CVE-2022-23271 Microsoft Dynamics GP Elevation Of Privilege Vulnerability No No 6.5 No
CVE-2022-21957 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability No No 7.2 No

Microsoft Office Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-21965 Microsoft Teams Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21987 Microsoft SharePoint Server Spoofing Vulnerability No No 8 Yes
CVE-2022-21968 Microsoft SharePoint Server Security Feature BypassVulnerability No No 4.3 Yes
CVE-2022-22005 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-23280 Microsoft Outlook for Mac Security Feature Bypass Vulnerability No No 5.3 Yes
CVE-2022-23255 Microsoft OneDrive for Android Security Feature Bypass Vulnerability No No 5.9 Yes
CVE-2022-21988 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-23252 Microsoft Office Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-22003 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22004 Microsoft Office ClickToRun Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22716 Microsoft Excel Information Disclosure Vulnerability No No 5.5 Yes

SQL Server Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-23276 SQL Server for Linux Containers Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-23254 Microsoft Power BI Elevation of Privilege Vulnerability No No 4.9 Yes

Windows Vulnerabilities

CVE Title Exploited Publicly Disclosed CVSSv3 Base Score Has FAQ?
CVE-2022-22002 Windows User Account Profile Picture Denial of Service Vulnerability No No 5.5 No
CVE-2022-21993 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-21971 Windows Runtime Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22001 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21992 Windows Mobile Device Management Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21995 Windows Hyper-V Remote Code Execution Vulnerability No No 7.9 Yes
CVE-2022-22712 Windows Hyper-V Denial of Service Vulnerability No No 5.6 Yes
CVE-2022-21994 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21984 Windows DNS Server Remote Code Execution Vulnerability No No 8.8 No
CVE-2022-21996 Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-22709 VP9 Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21974 Roaming Security Rights Management Services Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22715 Named Pipe File System Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21844 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21926 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21927 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – January 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/01/11/patch-tuesday-january-2022/

Patch Tuesday - January 2022

The first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976 which affects libarchive.

The majority of this month’s patched vulnerabilities, such as CVE-2022-21857 (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in.

Critical RCEs

Besides CVE-2021-22947 (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is CVE-2021-21907, affecting the Windows HTTP protocol stack. Although it carries a CVSSv3 base score of 9.8 and is considered potentially “wormable” by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for CVE-2021-31166).

Not quite as bad is CVE-2022-21840, which affects all supported versions of Office, as well as Sharepoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website – thankfully the Windows preview pane is not a vector for this attack.

CVE-2022-21846 affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be “adjacent” to the target system in terms of network topology). This restriction also applies to CVE-2022-21855 and CVE-2022-21969, two less severe RCEs in Exchange this month.

CVE-2022-21912 and CVE-2022-21898 both affect DirectX Graphics and require local access. CVE-2022-21917 is a vulnerability in the Windows Codecs library. In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.

Defenders should prioritize patching servers (Exchange, Sharepoint, Hyper-V, and IIS) followed by web browsers and other client software.

Summary charts

Patch Tuesday - January 2022
Patch Tuesday - January 2022
Patch Tuesday - January 2022
Patch Tuesday - January 2022

Summary tables

Browser vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21930 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 4.2 Yes
CVE-2022-21931 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 4.2 Yes
CVE-2022-21929 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 2.5 Yes
CVE-2022-21954 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 6.1 Yes
CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 6.1 Yes
CVE-2022-0120 Chromium: CVE-2022-0120 Inappropriate implementation in Passwords No No nan Yes
CVE-2022-0118 Chromium: CVE-2022-0118 Inappropriate implementation in WebShare No No nan Yes
CVE-2022-0117 Chromium: CVE-2022-0117 Policy bypass in Service Workers No No nan Yes
CVE-2022-0116 Chromium: CVE-2022-0116 Inappropriate implementation in Compositing No No nan Yes
CVE-2022-0115 Chromium: CVE-2022-0115 Uninitialized Use in File API No No nan Yes
CVE-2022-0114 Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial No No nan Yes
CVE-2022-0113 Chromium: CVE-2022-0113 Inappropriate implementation in Blink No No nan Yes
CVE-2022-0112 Chromium: CVE-2022-0112 Incorrect security UI in Browser UI No No nan Yes
CVE-2022-0111 Chromium: CVE-2022-0111 Inappropriate implementation in Navigation No No nan Yes
CVE-2022-0110 Chromium: CVE-2022-0110 Incorrect security UI in Autofill No No nan Yes
CVE-2022-0109 Chromium: CVE-2022-0109 Inappropriate implementation in Autofill No No nan Yes
CVE-2022-0108 Chromium: CVE-2022-0108 Inappropriate implementation in Navigation No No nan Yes
CVE-2022-0107 Chromium: CVE-2022-0107 Use after free in File Manager API No No nan Yes
CVE-2022-0106 Chromium: CVE-2022-0106 Use after free in Autofill No No nan Yes
CVE-2022-0105 Chromium: CVE-2022-0105 Use after free in PDF No No nan Yes
CVE-2022-0104 Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE No No nan Yes
CVE-2022-0103 Chromium: CVE-2022-0103 Use after free in SwiftShader No No nan Yes
CVE-2022-0102 Chromium: CVE-2022-0102 Type Confusion in V8 No No nan Yes
CVE-2022-0101 Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks No No nan Yes
CVE-2022-0100 Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API No No nan Yes
CVE-2022-0099 Chromium: CVE-2022-0099 Use after free in Sign-in No No nan Yes
CVE-2022-0098 Chromium: CVE-2022-0098 Use after free in Screen Capture No No nan Yes
CVE-2022-0097 Chromium: CVE-2022-0097 Inappropriate implementation in DevTools No No nan Yes
CVE-2022-0096 Chromium: CVE-2022-0096 Use after free in Storage No No nan Yes

Developer Tools vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21911 .NET Framework Denial of Service Vulnerability No No 7.5 No

ESU Windows vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability No No 5.3 No
CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability No Yes 7 No
CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability No No 4.6 Yes
CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability No No 4.6 Yes
CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-21904 Windows GDI Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability No No 5.5 No
CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability No No 5.5 Yes
CVE-2022-21836 Windows Certificate Spoofing Vulnerability No Yes 7.8 Yes
CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability No No 5.3 No
CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass No No 5.3 No
CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability No No 8.8 Yes

Exchange Server vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9 Yes
CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9 Yes
CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9 Yes

Microsoft Dynamics vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability No No 7.6 No
CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability No No 7.6 No

Microsoft Office vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.3 Yes
CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

Windows vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability No Yes 7.8 No
CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.4 Yes
CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.3 Yes
CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability No No 7 No
CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability No No 7.8 No
CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability No No 5.5 No
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability No No 9 Yes
CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability No No 6.5 No
CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability No No 7.8 No
CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability No Yes 6.1 No
CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability No No 4.4 No
CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability No No 5.5 No
CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21876 Win32k Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-21882 Win32k Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-21887 Win32k Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability No No 4.4 No
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-22947 Open Source Curl Remote Code Execution Vulnerability No Yes nan Yes
CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-36976 Libarchive Remote Code Execution Vulnerability No Yes nan Yes
CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability No No 7.8 No
CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability No No 6.5 No
CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability No No 7 No

Patch Tuesday – December 2021

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2021/12/14/patch-tuesday-december-2021/

Patch Tuesday - December 2021

This month’s Patch Tuesday comes in the middle of a global effort to mitigate Apache Log4j CVE-2021-44228. In today’s security release, Microsoft issued fixes for 83 vulnerabilities across an array of products — including a fix for Windows Defender for IoT, which is vulnerable to CVE-2021-44228 amongst seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month’s release is CVE-2021-43890, a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has evidently been used in Emotet malware campaigns.

Interestingly, this round of fixes also includes CVE-2021-43883, a Windows Installer privilege escalation bug whose advisory is sparse despite the fact that it appears to affect all supported versions of Windows. While there’s no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for a zero-day vulnerability that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began. The zero-day vulnerability, which researchers hypothesized was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7’s vulnerability research team did a full root cause analysis of the bug as attacks ramped up in November.

As usual, RCE flaws figure prominently in the “Critical”-rated CVEs this month. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the outsized risk presented by most vulnerable implementations of Log4Shell, administrators should prioritize patches for any products affected by CVE-2021-44228. Past that, put critical server-side and OS RCE patches at the top of your list, and we’d advise sneaking in the fix for CVE-2021-43883 despite its lower severity rating.

Summary charts

Patch Tuesday - December 2021
Patch Tuesday - December 2021
Patch Tuesday - December 2021
Patch Tuesday - December 2021

Summary tables

Apps Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-43890 Windows AppX Installer Spoofing Vulnerability Yes Yes 7.1 Yes
CVE-2021-43905 Microsoft Office app Remote Code Execution Vulnerability No No 9.6 Yes

Browser Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-4068 Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page No No N/A Yes
CVE-2021-4067 Chromium: CVE-2021-4067 Use after free in window manager No No N/A Yes
CVE-2021-4066 Chromium: CVE-2021-4066 Integer underflow in ANGLE No No N/A Yes
CVE-2021-4065 Chromium: CVE-2021-4065 Use after free in autofill No No N/A Yes
CVE-2021-4064 Chromium: CVE-2021-4064 Use after free in screen capture No No N/A Yes
CVE-2021-4063 Chromium: CVE-2021-4063 Use after free in developer tools No No N/A Yes
CVE-2021-4062 Chromium: CVE-2021-4062 Heap buffer overflow in BFCache No No N/A Yes
CVE-2021-4061 Chromium: CVE-2021-4061 Type Confusion in V8 No No N/A Yes
CVE-2021-4059 Chromium: CVE-2021-4059 Insufficient data validation in loader No No N/A Yes
CVE-2021-4058 Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE No No N/A Yes
CVE-2021-4057 Chromium: CVE-2021-4057 Use after free in file API No No N/A Yes
CVE-2021-4056 Chromium: CVE-2021-4056: Type Confusion in loader No No N/A Yes
CVE-2021-4055 Chromium: CVE-2021-4055 Heap buffer overflow in extensions No No N/A Yes
CVE-2021-4054 Chromium: CVE-2021-4054 Incorrect security UI in autofill No No N/A Yes
CVE-2021-4053 Chromium: CVE-2021-4053 Use after free in UI No No N/A Yes
CVE-2021-4052 Chromium: CVE-2021-4052 Use after free in web apps No No N/A Yes

Developer Tools Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-43907 Visual Studio Code WSL Extension Remote Code Execution Vulnerability No No 9.8 No
CVE-2021-43908 Visual Studio Code Spoofing Vulnerability No No nan No
CVE-2021-43891 Visual Studio Code Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-43896 Microsoft PowerShell Spoofing Vulnerability No No 5.5 No
CVE-2021-43892 Microsoft BizTalk ESB Toolkit Spoofing Vulnerability No No 7.4 No
CVE-2021-43225 Bot Framework SDK Remote Code Execution Vulnerability No No 7.5 No
CVE-2021-43877 ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability No No 7.8 No

Device Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability No No 9.8 Yes

Microsoft Office Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-42295 Visual Basic for Applications Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-42320 Microsoft SharePoint Server Spoofing Vulnerability No No 8 Yes
CVE-2021-43242 Microsoft SharePoint Server Spoofing Vulnerability No No 7.6 No
CVE-2021-42309 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-42294 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2021-43255 Microsoft Office Trust Center Spoofing Vulnerability No No 5.5 Yes
CVE-2021-43875 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-42293 Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2021-43256 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

System Center Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-43882 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 9 Yes
CVE-2021-42311 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-42313 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-42314 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-42315 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-41365 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2021-43889 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2021-43888 Microsoft Defender for IoT Information Disclosure Vulnerability No No 7.5 Yes
CVE-2021-42312 Microsoft Defender for IOT Elevation of Privilege Vulnerability No No 7.8 Yes

Windows Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-43247 Windows TCP/IP Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43237 Windows Setup Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43239 Windows Recovery Environment Agent Elevation of Privilege Vulnerability No No 7.1 No
CVE-2021-43231 Windows NTFS Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43880 Windows Mobile Device Management Elevation of Privilege Vulnerability No Yes 5.5 Yes
CVE-2021-43244 Windows Kernel Information Disclosure Vulnerability No No 6.5 Yes
CVE-2021-43246 Windows Hyper-V Denial of Service Vulnerability No No 5.6 No
CVE-2021-43232 Windows Event Tracing Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-43248 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43214 Web Media Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-43243 VP9 Video Extensions Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-43228 SymCrypt Denial of Service Vulnerability No No 7.5 No
CVE-2021-43227 Storage Spaces Controller Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-43235 Storage Spaces Controller Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-43240 NTFS Set Short Name Elevation of Privilege Vulnerability No Yes 7.8 No
CVE-2021-40452 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40453 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-41360 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-43219 DirectX Graphics Kernel File Denial of Service Vulnerability No No 7.4 No

Windows ESU Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed? CVSSv3 Has FAQ?
CVE-2021-43215 iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution No No 9.8 Yes
CVE-2021-43238 Windows Remote Access Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43223 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-41333 Windows Print Spooler Elevation of Privilege Vulnerability No Yes 7.8 No
CVE-2021-43229 Windows NTFS Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43230 Windows NTFS Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-40441 Windows Media Center Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43883 Windows Installer Elevation of Privilege Vulnerability No Yes 7.8 No
CVE-2021-43234 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2021-43893 Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability No Yes 7.5 No
CVE-2021-43245 Windows Digital TV Tuner Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43224 Windows Common Log File System Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-43226 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43207 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-43233 Remote Desktop Client Remote Code Execution Vulnerability No No 7.5 No
CVE-2021-43222 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5 Yes
CVE-2021-43236 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5 Yes
CVE-2021-43216 Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability No No 6.5 Yes

Using InsightVM to Find Apache Log4j CVE-2021-44228

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/

Using InsightVM to Find Apache Log4j CVE-2021-44228

There are many methods InsightVM can use to identify vulnerable software. Which method is best depends on the software and specific vulnerability in question, not to mention variability that comes into play with differing network topologies and Scan Engine deployment strategies. When it comes to a vulnerability like CVE-2021-44228, affecting a software library (Log4j) that is used to build other software products and may not expose its presence in an obvious way, the situation gets even more complicated. For in-depth analysis on the vulnerability and its attack surface area, see AttackerKB.

The intent of this post is to walk InsightVM and Nexpose users through how to best approach detecting exposure to Log4Shell in your environment, while providing some additional detail about how the various checks work under the hood. This post assumes you already have an operational deployment of InsightVM or Nexpose. For additional documentation on scanning for Log4j CVE-2021-44228, take a look at our docs here.

Before (or while) you scan

Even before a vulnerability check has been made available, it can be possible to get a sense of your exposure using InsightVM features such as Query Builder, or Nexpose’s Dynamic Asset Groups. Because we use generic fingerprinting techniques such as querying Linux package managers and enumerating software found in Windows Registry uninstaller keys, the software inventory for assets may include products that are not explicitly supported. Using the search predicate software.product CONTAINS log4j will show packages on Linux systems that have been installed via package managers such as rpm or dpkg.

Using InsightVM to Find Apache Log4j CVE-2021-44228

An alternative approach to this is using an SQL Query Export using the following query:

SELECT
    da.sites AS "Site_Name",
    da.ip_address AS "IP_Address",
    da.mac_address AS "MAC_Address",
    da.host_name AS "DNS_Hostname",
    ds.vendor AS "Vendor",
    ds.name AS "Software_Name",
    ds.family AS "Software_Family",
    ds.version AS "Software_Version",
    ds.software_class AS "Software_Class"
FROM
    dim_asset_software das
JOIN
    dim_software ds USING(software_id)
JOIN
    dim_asset da ON da.asset_id = das.asset_id
WHERE
    ds.software_class like'%'
  AND
    ds.name ilike '%log4j%'
ORDER BY
    ds.name ASC

Authenticated and agent-based assessments

The most reliable way to find vulnerable instances of CVE-2021-44228 on non-Windows machines as of December 13, 2021 is via our authenticated check (check ID: apache-log4j-core-cve-2021-44228), which does a complete filesystem search for JAR files matching log4j-core.*.jar. At this time, the unzip command must be available on systems in order to extract the version from the JAR’s manifest file. An upcoming release (expected December 15) will add the capability to extract the version information from the filename if available.

For the find command to run and locate vulnerable JARs, scans must be configured with root credentials (either directly or via a privilege elevation mechanism) in the Site Configuration interface. There is currently no generic JAR detection available on Windows systems.

This functionality requires product version 6.6.118 or later. For Agent-based assessments, assets must be running version 3.1.2.36 of the Insight Agent or later. Use the Agent Management interface to determine the version of the Agent being used in your environment.

Remote scanning

A remote (unauthenticated) check for CVE-2021-44228 was published in a content release on December 12 9pm ET with Check ID apache-log4j-core-cve-2021-44228-remote. This check is platform-independent (and currently the only option for Windows systems) and works as follows:

  • IF any of the following TCP ports are found open: 80, 443, 8080, 8888 — or, alternatively, if: Nmap service fingerprinting detects HTTP or HTTPS running (note that enabling Nmap service fingerprinting may negatively impact scan times)
  • THEN the Scan Engine will attempt to exploit the vulnerability and make the scan target open a connection to the Engine on port 13456.
  • The Engine does not open a TCP listener but does a packet capture to identify connection attempts against 13456/TCP. If a connection attempt to the Engine is detected, this indicates that the target is vulnerable, and the check will fire accordingly.
  • This approach relies on bi-directional networking and requires the scan engine and scan target to be able to “talk” to each other. In some cases, such as scanning through a VPN, NAT, or firewall, that required bi-directional networking is not available.

Note: We have received some reports of the remote check not being installed correctly when taking a content update. Product version 6.6.119 was released on December 13, 2021 at 6 PM EST to ensure the remote check is available and functional.

Product-based checks

We know that many downstream vendors will issue security advisories of their own in the coming days and weeks. We continue to monitor several vendors for related security advisories. We will have checks for affected products included in our recurring coverage list as vendors provide details about affected and/or fixed versions. Users can also adapt the Query Builder or SQL Export queries provided above to find products of concern in the meantime, with the caveat that they may not be visible if they use non-standard installation mechanisms.

Container security

Customers who are worried about vulnerable images in their container repos have been able to scan for CVE-2021-44228 using InsightVM’s Container Security since December 10 at 2pm ET, thanks to our integration with the Snyk vulnerability database. It is also possible to rerun an assessment on any images that are particularly sensitive to be sure of up-to-date results.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

InsightVM Scan Diagnostics: Troubleshooting Credential Issues for Authenticated Scanning

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2021/11/03/insightvm-scan-diagnostics-troubleshooting-credential-issues-for-authenticated-scanning/

InsightVM Scan Diagnostics: Troubleshooting Credential Issues for Authenticated Scanning

Have you ever tried to figure out why a vulnerability or policy scan isn’t showing you the results you expect, even though you’ve provided credentials? If so, you’ll be pleased to hear that the November 3rd release of Nexpose and InsightVM (version 6.6.111) will introduce a new check category designed to help troubleshoot issues with credentialed scanning: Scan Diagnostics.

No more combing through scan logs to get answers! These checks will be disabled by default, but you can configure them to run by adjusting your scan templates. When enabled, Scan Diagnostics checks will report a “vulnerable” result against assets when the Scan Engine is supplied with credentials but unable to gather local information.

The challenge of finding the right fix

For complete and accurate coverage, the InsightVM Scan Engine requires local access to systems being scanned. Most Microsoft checks are based on values found in the Windows Registry. Checks for Linux distributions typically require access to the package manager, which is important for vulnerability correlation (cutting down on noise due to backported fixes).

This means that for many types of scans, you need to tell the engine how it should authenticate by configuring credentials. When things go smoothly, the engine will collect all the data it needs for vulnerability or policy assessments. But when results aren’t as expected, it can be challenging to understand what went wrong.

The way the Security Console currently indicates authentication status results is rather coarse-grained. Credential Success means it’s all good, but a Credential Failure (or the puzzling “Partial Credential Success”) can often leave a VM analyst scratching their head about how to fix things.

Bringing greater visibility to your scanning environment

Our new Scan Diagnostics checks provide more detailed visibility into where things fell apart. Because the results are written as vulnerability checks, you’ll be able to use a lot of familiar product functionality to work with them. They can be enabled or disabled via scan templates, and you can report on them like any other category. We’ll also be providing solution information to make it easier to resolve issues, and you can look at the proof the scanner provides to get additional context.

InsightVM Scan Diagnostics: Troubleshooting Credential Issues for Authenticated Scanning

Another advantage of using check results for Scan Diagnostics is that they are built atop the expert system at the core of the scanner. This helps Scan Diagnostics target the most precise cause of an error and provide guidance accordingly. No more going through a laundry list of checkboxes to make sure your sites and assets are configured correctly.

Here is the initial set of Scan Diagnostics we’ll be releasing:

Credential Type Check ID Summary
AS400 rapid7-diagnostics-as400-service-usable No usable AS400 service
SNMP rapid7-diagnostics-snmp-service-usable No usable SNMP service
Telnet rapid7-diagnostics-telnet-service-usable No usable Telnet service
SSH rapid7-diagnostics-privilege-elevation-failed-cisco Cisco SSH privilege elevation failed for the scan
rapid7-diagnostics-privilege-elevation-failed-unix Unix SSH privilege elevation failed for the scan
rapid7-diagnostics-ssh-algorithm-compatibility SSH algorithm mismatch between scan engine and target
rapid7-diagnostics-unix-privilege-elevation-root SSH credential is configured to elevate to a non-root user
rapid7-diagnostics-unix-variant-authenticated-with-non-root-account No SSH credentials with root privileges configured
CIFS rapid7-diagnostics-cifs-read-access-errors Access errors while attempting to read from the file system
rapid7-diagnostics-cifs-sam-access-errors Unable to access the remote Security Account Manager
rapid7-diagnostics-cifs-sam-unknown-error Unknown error while trying to access the remote Security Account Manager
rapid7-diagnostics-cifs-write-access-errors Access errors while attempting to write to the file system
rapid7-diagnostics-smb2-share-access Unable to obtain access to SMB2 shares
rapid7-diagnostics-windows-registry-access-issues Access issues interacting with the Windows Registry
rapid7-diagnostics-windows-registry-enable-services-template Windows Services not enabled in template
rapid7-diagnostics-windows-registry-failed-to-enable-services Failed to enable Windows Services
rapid7-diagnostics-windows-registry-unexpected-error Failed to connect to the Remote Registry Service
rapid7-diagnostics-wmi-connection-error Unable to connect to the WMI Service
rapid7-diagnostics-wmi-dcom-port-error Error when connecting to DCOM Ports (required for WMI)
rapid7-diagnostics-wmi-permission-error Permission error when connecting to the WMI Service
rapid7-diagnostics-wmi-read-access-errors Access errors encountered in attempts to read over WMI
rapid7-diagnostics-wmi-unknown-error Unknown error occurred trying to connect to the WMI Service
rapid7-diagnostics-winrm-authentication-error Authentication error when connecting to the WMI Service
rapid7-diagnostics-winrm-listener-error The WinRM listener on the target appears to be blocking the scan engine from connecting
rapid7-diagnostics-winrm-unknown-error Unknown error occurred trying to connect to the WinRM Service
rapid7-diagnostics-winrm-unencrypted The WinRM service is operating over an unencrypted protocol, potentially leaking valuable data

Note that these “vulnerabilities” carry the lowest possible severity and will not increase your risk score. However, they may increase overall vulnerability counts, so we’re leaving them turned off by default for now. If you do scan with them, you can adjust the scope of generated reports to exclude these results if you don’t want them to get passed through to remediation teams.

The existing status shown in the Authentication column of Scan Results and Node pages will remain the same for the time being, so that it is available regardless of whether this new Scan Diagnostics check type is enabled and won’t adjust anything on the corresponding dashboard card.

We’d love to hear any feedback on this new feature! Please reach out to your Customer Success Manager to let them know how it’s working out in your scans.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Patch Tuesday – October 2021

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2021/10/12/patch-tuesday-october-2021/

Patch Tuesday - October 2021

Today’s Patch Tuesday sees Microsoft issuing fixes for over 70 CVEs, affecting the usual mix of their product lines. From Windows, Edge, and Office, to Exchange, SharePoint, and Dynamics, there is plenty of patching to do for workstation and server administrators alike.

One vulnerability has already been seen exploited in the wild: CVE-2021-40449 is an elevation of privilege vulnerability in all supported versions of Windows, including the newly released Windows 11. Rated as Important, this is likely being used alongside Remote Code Execution (RCE) and/or social engineering attacks to gain more complete control of targeted systems.

Three CVEs were publicly disclosed before today, though haven’t yet been observed in active exploitation. CVE-2021-40469 is an RCE vulnerability affecting Microsoft DNS servers, CVE-2021-41335 is another privilege escalation vulnerability in the Windows Kernel, and CVE-2021-41338 is a flaw in Windows AppContainer allowing attackers to bypass firewall rules.

Attackers will likely be paying attention to the latest Windows Print Spooler vulnerability – CVE-2021-36970 is a Spoofing vulnerability with a CVSSv3 score of 8.8 that we don’t yet have much more information about. Also worth noting is CVE-2021-40486, an RCE affecting Microsoft Word, OWA, as well as SharePoint Server, which can be exploited via the Preview Pane. CVE-2021-40487 is another RCE affecting SharePoint Server that Microsoft expects to be exploited before too long.

Another notable vulnerability is CVE-2021-26427, the latest in Exchange Server RCEs. The severity is mitigated by the fact that attacks are limited to a “logically adjacent topology,” meaning that it cannot be exploited directly over the public Internet. Three other vulnerabilities related to Exchange Server were also patched: CVE-2021-41350, a Spoofing vulnerability; CVE-2021-41348, allowing elevation of privilege; and CVE-2021-34453, which is a Denial of Service vulnerability.

Finally, virtualization administrators should be aware of two RCEs affecting Windows Hyper-V: CVE-2021-40461 and CVE-2021-38672. Both affect relatively new versions of Windows and are considered Critical, allowing a VM to escape from guest to host by triggering a memory allocation error, allowing it to read kernel memory in the host.

Summary Charts

Patch Tuesday - October 2021
Patch Tuesday - October 2021
Patch Tuesday - October 2021
Patch Tuesday - October 2021

Summary Tables

Apps Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-41363 Intune Management Extension Security Feature Bypass Vulnerability No No 4.2 Yes

Browser Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-37980 Chromium: CVE-2021-37980 Inappropriate implementation in Sandbox No No N/A Yes
CVE-2021-37979 Chromium: CVE-2021-37979 Heap buffer overflow in WebRTC No No N/A Yes
CVE-2021-37978 Chromium: CVE-2021-37978 Heap buffer overflow in Blink No No N/A Yes
CVE-2021-37977 Chromium: CVE-2021-37977 Use after free in Garbage Collection No No N/A Yes
CVE-2021-37976 Chromium: CVE-2021-37976 Information leak in core No No N/A Yes
CVE-2021-37975 Chromium: CVE-2021-37975 Use after free in V8 No No N/A Yes
CVE-2021-37974 Chromium: CVE-2021-37974 Use after free in Safe Browsing No No N/A Yes

Developer Tools Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-3450 OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT No No N/A Yes
CVE-2021-3449 OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing No No N/A Yes
CVE-2020-1971 OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference No No N/A Yes
CVE-2021-41355 .NET Core and Visual Studio Information Disclosure Vulnerability No No 5.7 Yes

ESU Windows Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-38663 Windows exFAT File System Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-40465 Windows Text Shaping Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-36953 Windows TCP/IP Denial of Service Vulnerability No No 7.5 No
CVE-2021-40460 Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability No No 6.5 Yes
CVE-2021-36970 Windows Print Spooler Spoofing Vulnerability No No 8.8 No
CVE-2021-41332 Windows Print Spooler Information Disclosure Vulnerability No No 6.5 Yes
CVE-2021-41331 Windows Media Audio Decoder Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-41342 Windows MSHTML Platform Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2021-41335 Windows Kernel Elevation of Privilege Vulnerability No Yes 7.8 No
CVE-2021-40455 Windows Installer Spoofing Vulnerability No No 5.5 No
CVE-2021-26442 Windows HTTP.sys Elevation of Privilege Vulnerability No No 7 No
CVE-2021-41340 Windows Graphics Component Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-38662 Windows Fast FAT File System Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-41343 Windows Fast FAT File System Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-40469 Windows DNS Server Remote Code Execution Vulnerability No Yes 7.2 Yes
CVE-2021-40443 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-40466 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-40467 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-40449 Win32k Elevation of Privilege Vulnerability Yes No 7.8 No
CVE-2021-40489 Storage Spaces Controller Elevation of Privilege Vulnerability No No 7.8 Yes

Exchange Server Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-41350 Microsoft Exchange Server Spoofing Vulnerability No No 6.5 No
CVE-2021-26427 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9 Yes
CVE-2021-41348 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8 No
CVE-2021-34453 Microsoft Exchange Server Denial of Service Vulnerability No No 7.5 No

Microsoft Dynamics Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-40457 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability No No 7.4 Yes
CVE-2021-41353 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability No No 5.4 No
CVE-2021-41354 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 4.1 No

Microsoft Office Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-40486 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40484 Microsoft SharePoint Server Spoofing Vulnerability No No 7.6 No
CVE-2021-40483 Microsoft SharePoint Server Spoofing Vulnerability No No 7.6 No
CVE-2021-41344 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.1 No
CVE-2021-40487 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2021-40482 Microsoft SharePoint Server Information Disclosure Vulnerability No No 5.3 Yes
CVE-2021-40480 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40481 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.1 Yes
CVE-2021-40471 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40473 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40474 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40479 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40485 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-40472 Microsoft Excel Information Disclosure Vulnerability No No 5.5 Yes

Microsoft Office Windows Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-40454 Rich Text Edit Control Information Disclosure Vulnerability No No 5.5 Yes

System Center Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-41352 SCOM Information Disclosure Vulnerability No No 7.5 Yes

Windows Vulnerabilities

CVE Title Exploited Publicly Disclosed? CVSSv3 Base Score has FAQ?
CVE-2021-40464 Windows Nearby Sharing Elevation of Privilege Vulnerability No No 8 No
CVE-2021-40463 Windows NAT Denial of Service Vulnerability No No 7.7 No
CVE-2021-40462 Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-41336 Windows Kernel Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-38672 Windows Hyper-V Remote Code Execution Vulnerability No No 8 Yes
CVE-2021-40461 Windows Hyper-V Remote Code Execution Vulnerability No No 8 No
CVE-2021-40477 Windows Event Tracing Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-41334 Windows Desktop Bridge Elevation of Privilege Vulnerability No No 7 No
CVE-2021-40475 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-40468 Windows Bind Filter Driver Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-41347 Windows AppX Deployment Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-41338 Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability No Yes 5.5 No
CVE-2021-40476 Windows AppContainer Elevation Of Privilege Vulnerability No No 7.5 No
CVE-2021-40456 Windows AD FS Security Feature Bypass Vulnerability No No 5.3 Yes
CVE-2021-40450 Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-41357 Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-40478 Storage Spaces Controller Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-40488 Storage Spaces Controller Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26441 Storage Spaces Controller Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2021-41345 Storage Spaces Controller Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-41330 Microsoft Windows Media Foundation Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-41339 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 4.7 No
CVE-2021-40470 DirectX Graphics Kernel Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-41346 Console Window Host Security Feature Bypass Vulnerability No No 5.3 No
CVE-2021-41337 Active Directory Security Feature Bypass Vulnerability No No 4.9 Yes
CVE-2021-41361 Active Directory Federation Server Spoofing Vulnerability No No 5.4 Yes

Patch Tuesday – February 2021

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2021/02/09/patch-tuesday-february-2021/

Patch Tuesday - February 2021

The second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft’s product families. Despite that, there’s still plenty to discuss this month.

Vulnerability Breakdown by Software Family

Family Vulnerability Count
Windows 28
ESU 14
Microsoft Office 11
Browser 9
Developer Tools 8
Microsoft Dynamics 2
Exchange Server 2
Azure 2
System Center 2

Exploited and Publicly Disclosed Vulnerabilities

One zero-day was announced: CVE-2021-1732 is a privilege elevation vulnerability affecting the Win32k component of Windows 10 and Windows Server 2019, reported to be exploited in the wild. Four vulnerabilities have been previously disclosed: CVE-2021-1727, a privilege elevation vulnerability in Windows Installer, affecting all supported versions of Windows; CVE-2021-24098, which is a denial of service (DoS) affecting Windows 10 and Server 2019; CVE-2021-24106, an information disclosure vulnerability affecting DirectX in Windows 10 and Server 2019; and CVE-2021-26701, an RCE in .NET Core.

Vulnerabilities in Windows TCP/IP

Microsoft also disclosed a set of three serious vulnerabilities affecting the TCP/IP networking stack in all supported versions of Windows. Two of these (CVE-2021-24074 and CVE-2021-24094) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). CVE-2021-24094 is specific to IPv6 link-local addresses, meaning it isn’t exploitable over the public internet. CVE-2021-24074, however, does not have this limitation. The third, CVE-2021-24086, is a DoS vulnerability that could allow an attacker to trigger a “blue screen of death” on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.

In the event a patch cannot be applied immediately, such as on systems that cannot be rebooted, Microsoft has published mitigation guidance that will protect against exploitation of the TCP/IP vulnerabilities. Depending on the exposure of an asset, IPv4 Source Routing should be disabled via a Group Policy or a Netsh command, and IPv6 packet reassembly should be disabled via a separate Netsh command. IPv4 Source Routing requests and IPv6 fragments can also be blocked load balancers, firewalls, or other edge devices to mitigate these issues.

Zerologon Update

Back in August, 2020, Microsoft addressed a critical remote code vulnerability (CVE-2020-1472) affecting the Netlogon protocol (MS-NRPC), a.k.a. “Zerologon”. In October, Microsoft noted that attacks which exploit this weakness have been seen in the wild. On January 14, 2021, they reminded organizations that the February 2021 security update bundle will also be enabling “Domain Controller enforcement mode” by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function. Rapid7 encourages all organizations to heed the detailed guidance before applying the latest updates to ensure continued business process continuity.

Adobe

Most important amongst the six security advisories published by Adobe today is APSB21-09, detailing 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow Arbitrary Code Execution, and one of which (CVE-2021-21017), has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.

Summary Tables

Azure Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-24109 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability No No 6.8 Yes
CVE-2021-24087 Azure IoT CLI extension Elevation of Privilege Vulnerability No No 7 Yes

Browser Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-24100 Microsoft Edge for Android Information Disclosure Vulnerability No No 5 Yes
CVE-2021-24113 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 4.6 Yes
CVE-2021-21148 Chromium CVE-2021-21148: Heap buffer overflow in V8 N/A N/A nan Yes
CVE-2021-21147 Chromium CVE-2021-21147: Inappropriate implementation in Skia N/A N/A nan Yes
CVE-2021-21146 Chromium CVE-2021-21146: Use after free in Navigation N/A N/A nan Yes
CVE-2021-21145 Chromium CVE-2021-21145: Use after free in Fonts N/A N/A nan Yes
CVE-2021-21144 Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups N/A N/A nan Yes
CVE-2021-21143 Chromium CVE-2021-21143: Heap buffer overflow in Extensions N/A N/A nan Yes
CVE-2021-21142 Chromium CVE-2021-21142: Use after free in Payments N/A N/A nan Yes

Developer Tools Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-26700 Visual Studio Code npm-script Extension Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-1639 Visual Studio Code Remote Code Execution Vulnerability No No 7 No
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability No Yes 7.8 Yes
CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability No No 8.4 Yes
CVE-2021-24111 .NET Framework Denial of Service Vulnerability No No 7.5 No
CVE-2021-1721 .NET Core and Visual Studio Denial of Service Vulnerability No Yes 6.5 No
CVE-2021-26701 .NET Core Remote Code Execution Vulnerability No Yes 8.1 Yes
CVE-2021-24112 .NET Core Remote Code Execution Vulnerability No No 8.1 Yes

ESU Windows Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-24080 Windows Trust Verification API Denial of Service Vulnerability No No 6.5 No
CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-24086 Windows TCP/IP Denial of Service Vulnerability No No 7.5 Yes
CVE-2021-1734 Windows Remote Procedure Call Information Disclosure Vulnerability No No 7.5 Yes
CVE-2021-25195 Windows PKU2U Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-1727 Windows Installer Elevation of Privilege Vulnerability No Yes 7.8 No
CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2021-24102 Windows Event Tracing Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-24103 Windows Event Tracing Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-24083 Windows Address Book Remote Code Execution Vulnerability No No 7.8 No

Exchange Server Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability No No 6.5 Yes
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability No No 5.4 Yes

Microsoft Dynamics Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-1724 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability No No 6.1 No
CVE-2021-24101 Microsoft Dataverse Information Disclosure Vulnerability No No 6.5 Yes

Microsoft Office Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-24073 Skype for Business and Lync Spoofing Vulnerability No No 6.5 No
CVE-2021-24099 Skype for Business and Lync Denial of Service Vulnerability No No 6.5 No
CVE-2021-24114 Microsoft Teams iOS Information Disclosure Vulnerability No No 5.7 Yes
CVE-2021-1726 Microsoft SharePoint Spoofing Vulnerability No No 8 Yes
CVE-2021-24072 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-24066 Microsoft SharePoint Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-24071 Microsoft SharePoint Information Disclosure Vulnerability No No 5.3 Yes
CVE-2021-24067 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-24068 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-24069 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-24070 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

System Center Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2021-24092 Microsoft Defender Elevation of Privilege Vulnerability No No 7.8 Yes

Windows Vulnerabilities

CVE Vulnerability Title Exploited Publicly Disclosed CVSSv3 Base Score FAQ?
CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability Yes No 7.8 No
CVE-2021-1698 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-24075 Windows Network File System Denial of Service Vulnerability No No 6.8 No
CVE-2021-24084 Windows Mobile Device Management Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-24096 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-24106 Windows DirectX Information Disclosure Vulnerability No Yes 5.5 Yes
CVE-2021-24098 Windows Console Driver Denial of Service Vulnerability No Yes 5.5 Yes
CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-24079 Windows Backup Engine Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-1731 PFX Encryption Security Feature Bypass Vulnerability No No 5.5 Yes
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability No No 4.3 No
CVE-2021-24076 Microsoft Windows VMSwitch Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability No No 7.8 No

Summary Charts

Patch Tuesday - February 2021
Patch Tuesday - February 2021
Patch Tuesday - February 2021
Patch Tuesday - February 2021

Note: Chart data is reflective of data presented by Microsoft’s CVRF at the time of writing.