September Patch Tuesday: Microsoft Patches 64 Vulnerabilities Including Two Zero-Day Flaws

Of the 64 fixes released on September Patch Tuesday, five are for critical vulnerabilities, 57 for important-rated vulnerabilities, and one each for moderate and low severity bugs.

September 14, 2022

Yesterday, Microsoft released a significantly smaller patchload, almost half of the total from August, as part of its September Patch Tuesday. With fixes to 64 vulnerabilities, the September patchload is in line with last year and is the smallest of all months in 2022.

“In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months. However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021, which patched 1,200 CVEs in total,” noted Bharat Jogi, director of vulnerability and threat research at Qualys.

Of the 64 fixes released on September Patch Tuesday, five are for critical vulnerabilities, 57 for important-rated vulnerabilities, and one each for moderate and low severity bugs. Microsoft also addressed two zero-day vulnerabilities, i.e., those actively targeted through a publicly available exploit.

Jordan Schroeder, managing CISO at Barrier Networks, told Spiceworks, “This is a relatively small update in comparison to last month’s 141 fixes, but it does address two zero-days, one of which is being exploited in the wild, so organizations must prioritize applying these fixes.”

Patches for zero-day vulnerabilities in the September Patch Tuesday

First up is CVE-2022-37969, an elevation of privilege flaw in the Common Log File System (CLFS). “The CLFS Driver is a general-purpose logging subsystem first introduced in Windows 2003 R2 Operating system that has become highly important and has shipped with all later versions,” Jogi told Spiceworks.

Microsoft credited four different companies for CVE-2022-37969’s discovery. “Seeing as this vulnerability was reported to MSFT by four different cybersecurity companies, it is highly likely that it is being leveraged extensively in the wild – specifically by APT groups and malware authors – to gain elevated privileges,” Jogi continued.

It has a CVSS score of 7.8 (important) and needs user action as part of the attack chain. Mike Walters, cybersecurity executive and co-founder of Action1, told Spiceworks, “This [7.8] is not the highest possible score because the vulnerability can be exploited only locally; an attacker must already have access to a system and the ability to run code there.”

“An attacker who successfully exploits this vulnerability could gain SYSTEM privileges. No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats,” Walters said, and recommended that organizations deploy the patch as soon as possible, along with the one for CVE-2022-23960, the other zero-day bug patched this month.

CVE-2022-23960 is a cache speculation restriction vulnerability, commonly known as Spectre-BHB, residing in ARM64-based systems. It was discovered in March 2022 by researchers at VUSec, the Systems and Network Security Group at Vrije Universiteit Amsterdam.

CVE-2022-23960 allows arbitrary kernel memory leaks on modern Intel CPUs. It also impacts Arm’s recent Cortex-A and Neoverse cores. Both Intel and Arm acknowledged the Spectre-BHB flaw in their respective advisories. “This vulnerability is a variant of Spectre v2, which has reinvented itself numerous times and has affected various processor architectures since its discovery in 2017,” Jogi added.

“This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening. If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”

Five critical vulnerabilities addressed in September Patch Tuesday

All five critical vulnerabilities patched this month (17 in August) are remote code execution (RCE) flaws in three different Microsoft products/product components. With a CVSS score of 9.8, three of the five critical vulnerabilities are as good as they can get for attackers.

The five critical vulnerabilities are:

Vulnerability   Exists In                                                CVSS Score  Type
CVE-2022-34721  Windows Internet Key Exchange (IKE) Protocol Extensions  9.8         RCE
CVE-2022-34722  Windows Internet Key Exchange (IKE) Protocol Extensions  9.8         RCE
CVE-2022-34718  Windows TCP/IP                                           9.8         RCE
CVE-2022-34700  On-Premises Microsoft Dynamics 365                       8.8         RCE
CVE-2022-35805  On-Premises Microsoft Dynamics 365                       8.8         RCE

Microsoft noted that CVE-2022-34721 and CVE-2022-34722 are less likely to be exploited. However, Walters told Spiceworks that “both have low complexity for exploitation and allow threat actors to perform the attack with no user interaction. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable remote code execution.”

“This vulnerability impacts only IKEv1 and not IKEv2; however, all Windows Servers are affected because they accept both V1 and V2 packets. There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable.”

CVE-2022-34718 is the only critically-rated vulnerability whose exploitation is “more likely,” according to Microsoft. It requires no user interaction to enable an unauthenticated attacker to execute code and elevate privileges. “That officially puts it into the “wormable” category and earns it a CVSS rating of 9.8,” wrote Dustin Childs of Trend Micro’s Zero Day Initiative.

The only reason CVE-2022-34718 couldn’t score the highest possible 10 is that only systems with IPv6 enabled and IPSec configured are vulnerable. “Windows TCP/IP remote code execution vulnerability, tracked as CVE-2022-34724, is a critical vulnerability that is more likely than the previous two to be exploited,” Walters said.

“If a system doesn’t need the IPsec service, disable it as soon as possible. The attack can be successful when an adversary sends a specially crafted IPv6 packet to a Windows node where IPsec is enabled and performs remote code execution (RCE). This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have.”

Finally, CVE-2022-34700 and CVE-2022-35805 also have a low attack complexity but are nonetheless critical.
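
The exposure conditions described above for the IKE and TCP/IP flaws (IPsec enabled, and for CVE-2022-34718 also IPv6) can be checked per host. The following PowerShell is an added example, not code from Microsoft or from the article. It assumes that "IPsec enabled" can be approximated by the IKEEXT and PolicyAgent services running; the function name Get-IPsecExposure and the KbId parameter are hypothetical, and the KB number must come from the advisory for your OS build.

```powershell
# Added example (not from the article): report whether this host meets the
# exposure conditions the article describes.
# Assumption: "IPsec enabled" is approximated by the IKEEXT / PolicyAgent
# services running; enabled IPsec rules are reported as supporting context.
function Get-IPsecExposure {
    [CmdletBinding()]
    param(
        # Placeholder: the KB id for your OS build is not given in the article.
        [string]$KbId
    )

    # IKEEXT = IKE and AuthIP IPsec Keying Modules; PolicyAgent = IPsec Policy Agent
    $running = @(Get-Service -Name 'IKEEXT', 'PolicyAgent' -ErrorAction SilentlyContinue |
                 Where-Object Status -eq 'Running')

    # Adapters that have the IPv6 protocol binding (ms_tcpip6) enabled
    $ipv6 = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue |
              Where-Object Enabled)

    # Enabled IPsec rules in the policy that is actually being enforced
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
               Where-Object { "$($_.Enabled)" -eq 'True' })

    # $null means "not checked" when no KB id was supplied
    $patched = if ($KbId) {
        [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IPsecServices      = $running.Name -join ','
        EnabledIPsecRules  = $rules.Count
        IPv6Adapters       = $ipv6.Name -join ','
        # CVE-2022-34721 / CVE-2022-34722: IKE reachable when IPsec is enabled
        IkeConditionsMet   = $running.Count -gt 0
        # CVE-2022-34718: needs both IPv6 and IPsec
        TcpIpConditionsMet = ($running.Count -gt 0) -and ($ipv6.Count -gt 0)
        PatchInstalled     = $patched
    }
}

Get-IPsecExposure | Format-List
```

Hosts where either condition flag is true and PatchInstalled is not true are the ones to patch first, or to have IPsec disabled on if the service is not needed.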

Of the 121 patches rolled out on September Patch Tuesday,

  • 25 were for RCE vulnerabilities
  • 19 for EoP vulnerabilities
  • Seven for information disclosure vulnerabilities
  • Seven for denial of service vulnerabilities
  • Four for security feature bypass vulnerabilities

September Patch Tuesday is the third one since Microsoft Autopatch became generally available. Schroeder highlighted the importance of the automated update download and installation tool.

“Autopatch should make these updates seamless for most organizations, and they won’t need to worry about their systems. For those that have not enabled the feature and can benefit from it, it is advised to turn it on now,” he said.

“However, when Autopatch is not practicable, it is critical to have a well-oiled patch management process that identifies patches, even ones that come out before Patch Tuesdays. These patches should be applied to all affected systems all within 14 days, which is the Cyber Essentials requirement, or sooner.”

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
