August Patch Tuesday: Microsoft Fixes Two Zero-Day and 17 Critical Vulnerabilities
Microsoft released its second-biggest patchload of 2022 yesterday. The company shipped fixes for 121 vulnerabilities on the August Patch Tuesday, which is almost thrice as big as the August 2021 Patch Tuesday and second only to the April Patch Tuesday in 2022.
The August patchload is not only the second-largest so far this year, but it also fixes the highest number of critical vulnerabilities: 17. By comparison, ten and four critical vulnerabilities were fixed in the April and July Patch Tuesdays, respectively.
One of the critical vulnerabilities that admins should prioritize is CVE-2022-34713, a remote code execution (RCE) vulnerability residing in Microsoft Support Diagnostic Tool (MSDT). Microsoft describes CVE-2022-34713 as a variant of the DogWalk vulnerability discovered in January 2020 by security researcher Imre Rad.
Microsoft chose to keep the flaw unaddressed for almost 30 months. However, the emergence in May-June 2022 of Follina, a zero-day vulnerability in the same Windows troubleshooting tool (patched in June 2022), proved a wake-up call for the tech giant to fix the older one.
Microsoft said CVE-2022-34713 is being actively exploited in the wild, has a low attack complexity, and requires no privileges on the target system. This is why patching it up should be prioritized, despite a lower CVSS score (7.8, important) than other vulnerabilities. An attacker simply needs to convince the target user to click on a specially crafted file that calls MSDT to run arbitrary code.
It can also be exploited in a web-based scenario where “an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.” In both cases, the threat actor would need to trick the target into clicking either a file or a link.
Another vulnerability with a low attack complexity that requires no privileges and, unlike CVE-2022-34713, requires no user interaction is CVE-2022-34715, an RCE vulnerability with a CVSS score of 9.8 in the Windows Network File System.
Mike Walters, cybersecurity executive and co-founder of Action1, told Spiceworks, “This is the latest in a set of NFS vulnerabilities that Microsoft has been fixing monthly. It began in May when NFSv2 was fixed. Then in June, they fixed NFSv4.1, and in July, they fixed NFSv3. Now, NFSv4.1 is vulnerable again — what next? Will they fix NFSv3 and v2 again in September? We’ll see.”
CVE-2022-34715 impacts those servers wherein the NFS role is enabled. “An attacker can just make a special request to the NFSv4.1 service and trigger remote code execution,” Walters added. “Note that Microsoft recommends disabling NFSv4.1 and using only v3 and v2 for mitigation.
“But what if NFSv2 and NFSv3 are as vulnerable as NFSv4.1, and Microsoft just didn’t have time to release a fix for them this month? That is why it’s advisable to be prepared for the network attacks that this type of vulnerability is susceptible to.” Besides an up-to-date antivirus tool for the file server, Walters recommends setting up an IDS or EDR for timely detection and response and a sandbox polygon that can detonate and quarantine malicious files.
Some of the other important picks by Walters that admins can prioritize are CVE-2022-30133 and CVE-2022-35744, both of which have a CVSS score of 9.8 and were rated critical by Trend Micro’s Zero Day Initiative.
CVE-2022-30133 and CVE-2022-35744 are RCE vulnerabilities in the Windows Point-to-Point Protocol (PPP). Once again, the two bugs require no user interaction or system privileges and have a low attack complexity, leading the SANS Internet Storm Center to believe they could be wormable. Both of these RCE flaws can be rendered unexploitable by blocking traffic through port 1723 since this is the only port impacted.
However, Walters advises caution. “If you have a Windows Server-based remote access server (RAS) tunnel running on this port, you should change it to a less popular port. But be careful, or it will cause your tunnels to fail to connect properly; do it wisely on both sides.” In other words, it can cause communication issues on the network, so prudence dictates patching is the best way to go.
Another flaw Walters believes should be patched on priority is CVE-2022-34691, an elevation of privilege vulnerability in Active Directory Domain Services with a CVSS score of 8.8. “It [CVE-2022-34691] is connected to the May patches for CVE-2022-26931 and CVE-2022-26923 and addresses an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request,” Walters noted.
“Before the May 10, 2022, security update, certificate-based authentication allowed related certificates to be spoofed in various ways. The May and August updates provide audit events that identify certificates that are not compatible with Full Enforcement mode; if you haven’t yet enabled these audit events, do so as soon as possible. This will give you info to troubleshoot certificate login failures: Event IDs 39, 40 and 41 in the system event log.”
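One way to collect the audit events Walters mentions from domain controllers, as an added example that is not from the article or from Microsoft. The parameter names, the seven-day window and the provider-name pattern are assumptions; the provider filter is there because Event ID 41 in the System log is also used by Kernel-Power for unexpected restarts.

```powershell
# Added example: summarize certificate-mapping audit events (IDs 39, 40, 41)
# in the System log of one or more domain controllers.
# $DomainControllers and $Days are assumptions; set them for your environment.
param(
    [string[]]$DomainControllers = @($env:COMPUTERNAME),
    [int]$Days = 7
)

$filter = @{
    LogName   = 'System'
    Id        = 39, 40, 41
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is a clean result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
        Write-Warning "${dc}: $($_.Exception.Message)"
    }
}

# Keep only KDC-sourced records. The pattern is an assumption: check the
# Source column in Event Viewer on your DCs and tighten it to the exact name.
$kdcEvents = $events |
    Where-Object { $_.ProviderName -match 'Kdc|Kerberos-Key-Distribution-Center' }

# Per-DC, per-ID counts with the most recent occurrence.
$kdcEvents |
    Group-Object MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } }

# Full message text of the newest records, for troubleshooting certificate logon failures.
$kdcEvents |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, MachineName, Id, Message |
    Format-List
```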
Of the 121 patches rolled out on August Patch Tuesday:
- 64 were for EoP vulnerabilities
- 31 for RCE vulnerabilities
- 12 for Information Disclosure vulnerabilities
- 7 for Denial of Service vulnerabilities
- 6 for Security Feature Bypass vulnerabilities, and
- 1 for a Spoofing vulnerability
Two of these, CVE-2022-34713 and CVE-2022-30134, were zero-day vulnerabilities. CVE-2022-30134 has a CVSS score of 7.6 and is an information disclosure flaw in Microsoft Exchange. Microsoft said users could prevent attacks through CVE-2022-30134 by enabling Extended Protection.
Other critical vulnerabilities addressed in August are:
| Vulnerability | Exists In | CVSS Score | Vulnerability Type |
|---|---|---|---|
| | Azure Batch Node Agent | 7.0 | RCE |
| CVE-2022-24477 | Microsoft Exchange Server | 8.0 | EoP |
| | Microsoft Exchange Server | 8.0 | EoP |
| CVE-2022-21980 | Microsoft Exchange Server | 8.0 | EoP |
| | SMB Client and Server | 8.8 | RCE |
| CVE-2022-34696 | Windows Hyper-V | 7.8 | RCE |
| | Windows Secure Socket Tunneling Protocol (SSTP) | 8.1 | RCE |
| CVE-2022-35745 | Windows Secure Socket Tunneling Protocol (SSTP) | 8.1 | RCE |
| | RAS Point-to-Point Tunneling Protocol | 8.1 | RCE |
| CVE-2022-35753 | RAS Point-to-Point Tunneling Protocol | 8.1 | RCE |
| | Windows Secure Socket Tunneling Protocol (SSTP) | 8.1 | RCE |
| CVE-2022-35766 | Windows Secure Socket Tunneling Protocol (SSTP) | 8.1 | RCE |
| | Windows Secure Socket Tunneling Protocol (SSTP) | 8.1 | RCE |
| CVE-2022-35794 | Windows Secure Socket Tunneling Protocol (SSTP) | 8.1 | RCE |