September’s Patch Tuesday sees Microsoft fixing 64 vulnerabilities, including a Windows TCP/IP vuln, an actively-exploited 0day, and four more critical flaws – including two allowing unauthenticated RCE bugs.
In total 36 patches involve RCE, although most of these require authentication. But given the growing prevalence of attackers to use easily-traded user credentials instead of malware, any RCE vulnerability should be taken seriously.
The vulnerability already under active exploit – and reported to MSFT by four separate security teams – is CVE-2022-37969 in the Windows Common Log File System (CLFS) driver, allowing elevation of privilege (EOP) to SYSTEM, but only if the attacker already has the ability to execute code on the target machine. While it’s only ranked as important, security researchers have suggested it is being widely exploited in the wild.
CVE-2022-34718, a Windows TCP/IP vuln, is arguably the other serious issue in the monthly series of patches, described as having low attack complexity. It allows pre-authentication remote code execution, with no user interaction on receipt of a specially-crafted IPv6 packet, but only if the target system is running IPSec. Microsoft and others have flagged this as more likely to be exploited if you're using IPv6 and should be patched as a priority.
See also: Exploited Windows 0day, zero-click pre-auth RCE vuln in RPC
A pair of critical vulns in Windows Internet Key Exchange (IKE) – CVE-2022-34721 and CVE-2022-34722 – also allow unauthenticated RCE in Windows machines running IPSec, upon receipt of a particular IP packet. While the flaws are only in IKEv1 and not in IKEv2, all Windows Servers are vulnerable as they accept both v1 and v2 packets.
MSFT flags these as less likely to be exploited than the Windows TCP/IP vuln – but plenty of security researchers suggest patching these should be a priority.
The Zero Day Initiative’s writeup of this release also suggests giving attention to CVE-2022-34724, a DoS vuln in Windows DNS Server, allowing a remote unauthenticated attacker to take down the DNS server at minimum. It is only rated as Important, but ZDI notes its potential impact should move it up the list.
On-prem Microsoft Dynamics 365 also has a pair of critical flaws patched this month: CVE-2022-34700 and CVE-2022-35805. While an attack requires authentication, it allows execution of arbitrary SQL commands, and from there the ability to execute commands as the database owner.
ZDI also highlighted flaws in SharePoint, one of which was reported by a ZDI member; which it notes a SharePoint vuln was used by Iran to target Albania, which caused Albania to sever diplomatic ties with Iran. The vulnerabilities (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, CVE-2022-38009) all allow RCE, and are all rated Important.
Cisco’s Talos Intelligence noted five more flaws, all ranked Important, which MSFT has flagged as more likely to be exploited:
- CVE-2022-37957 — Windows Kernel Elevation of Privilege Vulnerability
- CVE-2022-35803 — Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2022-37954 — DirectX Graphics Kernel Elevation of Privilege Vulnerability
- CVE-2022-34725 — Windows ALPC Elevation of Privilege Vulnerability
- CVE-2022-34729 — Windows GDI Elevation of Privilege Vulnerability
Further down the list, the Patch Tuesday release also deals with a whole bunch of RCE flaws in ODBC SQL drivers reported earlier in the summer by noted researcher Haifei Li. In July, when Li reported the vulns, he said he had uncovered 17 issues, mostly in under-explored sections of code.
“Novel attack surface/vector research is soooo key important. Even for SDL leading vendors like Microsoft, there're still full of bugs if you find an unexplored area or a creative way to attack,” Li wrote on Twitter at the time.
“The bugs I found are fairly easy to find and classic, sitting in Windows for a really long time, bug types from fixed-size heap overflows, stack overflows, integer overflow, alloc(0), oob writes, to use-after-frees etc.”
