Microsoft’s September Patch Tuesday update arrived on schedule late on 13 September, and this month contained five critical common vulnerabilities and exposures (CVEs) and one actively exploited zero-day, among a total of 64 bug fixes.
The zero-day, tracked as CVE-2022-37969, is a privilege elevation vulnerability in Windows Common Log File System Driver. It affects all versions of Windows and, if successfully exploited, an attacker could gain system-level privileges.
Microsoft said the zero-day was reported by four different individuals or organisations independently of each other, which suggests its exploitation may be widespread. It is, however, only rated as Important, with a CVSS score of 7.8, because it requires a threat actor to be authenticated, but this makes it no less dangerous.
“The attack does require the attacker to have access and ability to run code on the target system, but chaining multiple vulnerabilities in an attack is common enough practice that this should be considered a minor barrier for threat actors,” said Chris Goettl, vice-president of security products at Ivanti.
The September drop also includes a second publicly disclosed but apparently unexploited vulnerability in ARM-based Windows 11 systems that could allow cache speculation restriction. It is being tracked as CVE-2022-23960, and is also known as Spectre-BHB. It is a variant of Spectre v2, which has been reinvented several times and has been dogging various processor architectures for five years at this point.
“This class of vulnerabilities poses a large headache to the organisations attempting mitigation,” said Bharat Jogi, director of vulnerability and threat research at Qualys, “as they often require updates to the operating systems, firmware and, in some cases, a recompilation of applications and hardening. If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”
The other critical vulnerabilities patched yesterday are as follows:
- CVE-2022-34700, a remote code execution (RCE) vulnerability in Microsoft Dynamics 365 (on-prem).
- CVE-2022-34718, an RCE vulnerability in Windows TCP/IP.
- CVE-2022-34721, an RCE vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions.
- CVE-2022-34722, a second RCE vulnerability in Windows IKE Protocol Extensions.
- CVE-2022-35805, an RCE vulnerability in Microsoft Dynamics CRM (on-prem).
Assessing some of these critical vulnerabilities, Mike Walters, president and co-founder of Action1, a remote monitoring and management specialist, said: “CVE-2022-34722 and CVE-2022-34721…both have low complexity for exploitation and allow threat actors to perform the attack with no user interaction…There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable,” he said.
Walters also warned security teams to pay attention to CVE-2022-34724, a denial of service vulnerability in Windows DNS Server, which he said was likely to be exploited.
“It is a network attack with low complexity, but it affects only systems that are running the IPsec service, so if a system doesn’t need the IPsec service, disable it as soon as possible,” he said. “This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have.”
Kev Breen of Immersive Labs also highlighted some SharePoint RCE vulnerabilities that he said should be higher on the list of priorities in organisations that have SharePoint installed.
“Tracked as CVE-2022-35823, CVE-2022-38008, CVE-2022-38009, and CVE-2022-37961 an attacker would, however, need authenticated access with the ability to edit existing content. This kind of vulnerability would likely be abused by an attacker who already has the initial foothold to move laterally across the network,” said Breen.
“This could affect organisations that use SharePoint for internal wikis or document stores. Attackers might exploit this vulnerability to steal confidential information, replace documents with new versions that contain malicious code, or macros to infect other systems.”
Finally, Ivanti’s Chris Goettl drew attention to two other bugs of note: “There is a Print Spooler Elevation of Privilege vulnerability – CVE-2022-38005 – resolved this month. Since PrintNightmare, there have been a number of additional Print Spooler vulnerabilities resolved. Some have caused additional challenges for certain vendors and models of printers. If you have experienced challenges, it would be good to test this update with some additional care to ensure no issues affect your environment.
“An elevation of privilege vulnerability – CVE-2022-38007 – in Azure ARC and Azure Guest Configuration could allow an attacker to replace Microsoft-shipped code with their own code. This could allow the attacker’s code to be run as root as a daemon in the context of the affected service.”