{"id":20082,"date":"2022-09-13T13:20:55","date_gmt":"2022-09-13T21:20:55","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/09\/13\/news-13815\/"},"modified":"2022-09-13T13:20:55","modified_gmt":"2022-09-13T21:20:55","slug":"news-13815","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/09\/13\/news-13815\/","title":{"rendered":"A lighter Patch Tuesday, but one heavy with remote code execution bugs"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Tue, 13 Sep 2022 18:38:14 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Microsoft on Tuesday released patches for 62 vulnerabilities in nine Microsoft product families, making this a relatively light Patch Tuesday. All but two bugs are rated Critical or Important in severity, with the majority (36) affecting Windows.<\/p>\n<p>Only one vulnerability in the release, CVE-2022-37969, has been publicly disclosed. This is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver, and according to Microsoft, is also the only bug in this month\u2019s update to have been exploited.<\/p>\n<p>There are five Critical-class vulnerabilities this month, all of which are remote code execution bugs. Two of these (CVE-2022-34700 and CVE-2022-35805) are in Microsoft Dynamics 365 (on-premises), and another two (CVE-2022-34721 and CVE-2022-34722) are in Windows Internet Key Exchange (IKE). The standout is CVE-2022-34718, covered in more detail below, which is an unauthenticated remote code execution vulnerability in Windows TCP\/IP. 
It\u2019s the only Critical-class bug which is listed as more likely to be exploited (although not for older software releases).<\/p>\n<h3><strong>By the numbers<\/strong><\/h3>\n<ul>\n<li>Total Microsoft CVEs: 62<\/li>\n<li>Publicly disclosed: 1<\/li>\n<li>Exploited: 1<\/li>\n<li>Exploitation more likely: 7 (older and\/or newer product versions)<\/li>\n<li>Severity\n<ul>\n<li>Critical: 5<\/li>\n<li>Important: 56<\/li>\n<li>Moderate: 1<\/li>\n<li>Low: 0<\/li>\n<\/ul>\n<\/li>\n<li>Impact\n<ul>\n<li>Remote Code Execution: 30<\/li>\n<li>Elevation of Privilege: 17<\/li>\n<li>Denial of Service: 8<\/li>\n<li>Information Disclosure: 6<\/li>\n<li>Security Feature Bypass: 1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-86713 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png\" alt=\"Bar chart showing impact and severity for vulnerabilities in the September 2022 Patch Tuesday release\" width=\"2944\" height=\"2036\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png 2944w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png?resize=300,207 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png?resize=768,531 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png?resize=1024,708 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png?resize=1536,1062 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph1_logo_a-2.png?resize=2048,1416 2048w\" sizes=\"auto, (max-width: 2944px) 100vw, 2944px\" \/><\/a><\/p>\n<p><em>Figure 1: Important remote code execution vulnerabilities make up the majority of this month\u2019s numbers, with all five critical bugs also being remote code 
execution<\/em><\/p>\n<h3><strong>Products<\/strong><\/h3>\n<ul>\n<li>Windows: 36<\/li>\n<li>Office: 7<\/li>\n<li>OLE DB: 6<\/li>\n<li>ODBC Driver: 5<\/li>\n<li>Azure: 1<\/li>\n<li>Dynamics 365: 2<\/li>\n<li>.NET: 3<\/li>\n<li>Defender: 1<\/li>\n<li>DirectX: 1<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-86714 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png\" alt=\"Bar chart showing vulnerabilities in Microsoft product families in the September 2022 Patch Tuesday release\" width=\"3107\" height=\"1998\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png 3107w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png?resize=300,193 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png?resize=768,494 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png?resize=1024,658 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png?resize=1536,988 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph2_logo_a-1.png?resize=2048,1317 2048w\" sizes=\"auto, (max-width: 3107px) 100vw, 3107px\" \/><\/a><\/p>\n<p><em>Figure 2: As with the previous 2 months, Windows makes up the bulk of vulnerabilities in September \u2013 but far fewer Azure bugs this time round<\/em><\/p>\n<h3><strong>Notable vulnerabilities<\/strong><\/h3>\n<h4><strong>Windows TCP\/IP Remote Code Execution Vulnerability (CVE-2022-34718)<\/strong><\/h4>\n<p>One of the five critical vulnerabilities in this month\u2019s update, CVE-2022-34718 is an unauthenticated remote code execution vulnerability in Windows TCP\/IP. The bug is described as being of low attack complexity, with exploitation involving sending a crafted IPv6 packet to a Windows node where IPSec is enabled. 
This vulnerability appears to affect multiple versions of Windows 7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022. Microsoft assesses exploitation is more likely for the latest product releases, but less likely for older releases. Two other critical vulnerabilities in this month\u2019s update (CVE-2022-34721 and CVE-2022-34722) also involve remote code execution as a result of sending a crafted IP packet to Windows nodes with IPSec enabled, although both these vulnerabilities are in the Windows Internet Key Exchange (IKE) protocol (IKEv1 only).<\/p>\n<h4><strong>Remote code execution vulnerabilities in Office products<\/strong><\/h4>\n<p>September\u2019s Patch Tuesday also includes a host of Office remote code execution vulnerabilities, with several SharePoint bugs (all of which require authentication and appropriate permissions), one in PowerPoint (CVE-2022-37962) and two in Visio (CVE-2022-37963 and CVE-2022-38010). The latter three bugs are rated as Important, but with exploitation less likely. The attack vector for these is local, according to the CVSS metrics, as exploitation of the vulnerabilities themselves occurs locally. A remote attacker could send a crafted file to a victim, leading to a local attack on the victim\u2019s machine \u2013 so some user interaction is required.<\/p>\n<h4><strong>Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2022-37969)<\/strong><\/h4>\n<p>This bug, which if successfully exploited would elevate an attacker\u2019s privileges to SYSTEM, is in the Windows CLFS driver. Microsoft has detected exploitation against the latest product release, and says this bug has been publicly disclosed, with low attack complexity and no user interaction required. 
While the specific attack vector isn\u2019t known, a previous privilege escalation vulnerability in CLFS (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-31954\">CVE-2021-31954<\/a>) was due to <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-21-668\/\">a lack of proper validation of the length of user-supplied data<\/a>, resulting in a buffer overflow. Another elevation of privilege bug in CLFS, CVE-2022-35803, appears in this month\u2019s release, but has not been exploited.<\/p>\n<h4><strong>Windows Kernel Elevation of Privilege Vulnerabilities (CVE-2022-37956 and CVE-2022-37957)<\/strong><\/h4>\n<p>Finally, this month\u2019s release includes two kernel privilege escalation vulnerabilities, CVE-2022-37956 and CVE-2022-37957. Microsoft assesses the latter as more likely to be exploited, but both have low attack complexity and do not require user interaction. Successful exploitation of either bug would result in an attacker gaining SYSTEM privileges.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-86715 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png\" alt=\"Bar chart showing impact and severity for cumulative vulnerabilities in 2022 Patch Tuesday releases\" width=\"2954\" height=\"2020\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png 2954w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png?resize=300,205 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png?resize=768,525 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png?resize=1024,700 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png?resize=1536,1050 1536w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/graph3_logo_a-1.png?resize=2048,1400 2048w\" sizes=\"auto, (max-width: 2954px) 100vw, 2954px\" \/><\/a><\/p>\n<p><em>Figure 3: Elevation-of-privilege vulnerabilities are still in the lead as we head into the final quarter of 2022, although remote code execution bugs are catching up, with a higher percentage of critical ratings<\/em><\/p>\n<p>As every month, if you don\u2019t want to wait for your system to pull down the updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you\u2019re running, then download the Cumulative Update package for your particular system\u2019s architecture and build number.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/09\/13\/a-lighter-patch-tuesday-but-one-heavy-with-remote-code-execution-bugs\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/09\/shutterstock_1209143419.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey | Date: Tue, 13 Sep 2022 18:38:14 +0000<\/strong><\/p>\n<p>There are fewer bugs in September\u2019s update than in previous months, with RCE vulns making up the bulk of the addressed 
CVEs<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[10516,19245,27030,16771],"class_list":["post-20082","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-microsoft","tag-patch-tuesday","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20082"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20082\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20082"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}