Microsoft September Patch Tuesday Update arrived on time last minute on september 13th and this month contained five reviews common vulnerabilities and exposures (CVE) and one actively exploited zero-day, among a total of 64 bug fixes.
Zero day, tracked as CVE-2022-37969, is an elevation of privilege vulnerability in the Windows Common Log File System driver. It affects all versions of Windows, and if successfully exploited, an attacker could gain system-level privileges.
Microsoft said that day zero was reported by four different people or organizations independently, suggesting that its exploitation may be widespread. However, it is only rated Important, with a CVSS score of 7.8, because it requires threat actor authentication, but this does not make it any less dangerous.
“The attack requires the attacker to have access to and the ability to execute code on the target system, but chaining multiple vulnerabilities into one attack is a common enough practice that it is considered less of a barrier to threat actors,” said Chris Goettl. , vice president. of security products in Ivanti.
The September drop also includes a second publicly disclosed but apparently unexploited vulnerability in ARM-based Windows 11 systems that could allow cache speculation restriction. is being tracked as CVE-2022-23960, and is also known as Spectre-BHB. It’s a variant of Specter v2, which has been reimagined multiple times and has been chasing various processor architectures for five years at this point.
“These kinds of vulnerabilities pose a huge headache for organizations trying to mitigate them,” said Bharat Jogi, director of threat and vulnerability research at Ratings, “since they often require updates to operating systems, firmware and, in some cases, a collection of applications and hardening. If an attacker successfully exploits this type of vulnerability, he could gain access to sensitive information.”
The other critical vulnerabilities patched yesterday are as follows:
- CVE-2022-34700a remote code execution (RCE) vulnerability in Microsoft Dynamics 365 (on-premises).
- CVE-2022-34718an RCE vulnerability in Windows TCP/IP.
- CVE-2022-34721an RCE vulnerability in the Windows Internet Key Exchange (IKE) protocol extensions.
- CVE-2022-34722a second RCE vulnerability in the Windows IKE protocol extensions.
- CVE-2022-35805an RCE vulnerability in Microsoft Dynamics CRM (on-premises).
In evaluating some of these critical vulnerabilities, Mike Walters, president and co-founder of Action1a remote monitoring and management specialist, said: “CVE-2022-34722 and CVE-2022-34721… both have low complexity for exploitation and allow threat actors to perform the attack without user interaction… No exploit or PoC detected in the wild yet, however installing the fix is highly recommended,” he said.
Walters also warned security teams to pay attention to CVE-2022-34724a denial of service vulnerability in the Windows DNS server, which he said was likely to be exploited.
“It’s a low-complexity network attack, but it affects only systems running the IPsec service, so if a system doesn’t need the IPsec service, disable it as soon as possible,” he said. “This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must.”
Kevin Breen from Immersion labs he also highlighted some SharePoint RCE vulnerabilities that he said should be higher on the priority list in organizations that have SharePoint installed.
“Tracked as CVE-2022-35823, CVE-2022-38008, CVE-2022-38009Y CVE-2022-37961 however, an attacker would need authenticated access with the ability to edit existing content. This type of vulnerability would likely be abused by an attacker who already has the initial foothold to move laterally through the network,” Breen said.
“This could affect organizations that use SharePoint for internal wikis or document stores. Attackers can exploit this vulnerability to steal sensitive information, replace documents with new versions containing malicious code, or macros to infect other systems.”
Finally, Ivanti’s Chris Goettl drew attention to two other major mistakes: “An elevation of privilege vulnerability exists in the print queue: CVE-2022-38005 – resolved this month. Since PrintNightmare, several additional Print Spooler vulnerabilities have been resolved. Some have caused additional challenges for certain vendors and printer models. If you have experienced challenges, it would be good to test this update with extra care to ensure that no issues affect your environment.
“An elevation of privilege vulnerability: CVE-2022-38007 – in Azure ARC and Azure Guest Configuration could allow an attacker to replace code shipped by Microsoft with their own code. This could allow the attacker’s code to run as root as a daemon in the context of the affected service.”