This month, Microsoft has fixed 55 vulnerabilities, including 3 critical ones and 1 zero-day.
CVE-2022-22047 – Windows CSRSS Elevation of Privilege Vulnerability
Let’s start with the zero-day. Microsoft is silent about exploitation details, such as where or how widely it is being exploited. This bug allows an attacker to gain SYSTEM privileges. An attacker might combine it with a Remote Code Execution (RCE) bug, e.g. one of the recently published macro vulnerabilities. Bear in mind that Microsoft delayed blocking all Office macros by default. This vulnerability was discovered internally by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC).
CVE-2022-30221 – Windows Graphics Component Remote Code Execution Vulnerability
It has been a long time without RDP bugs, hasn’t it? While a connection to a malicious RDP server is being established, code execution may be achieved on the victim’s system in the context of the targeted user. Windows 7 SP1 and Windows Server 2008 R2 SP1 are vulnerable only if either RDP 8.0 or RDP 8.1 is installed.
CVE-2022-22038 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
This bug could allow an unauthenticated attacker to execute code remotely on an affected system. Microsoft rates the attack complexity as high, since an attacker would need “to invest time in repeated exploitation attempts”. But if an attacker finds a way to automate those attempts, the CVSS score would be 9.8 (with the complexity changed to low). Patch ASAP.
CVE-2022-22029 & CVE-2022-22039 – Windows Network File System Remote Code Execution Vulnerability
And for the third time in a row, there are critical bugs in NFS. This time the CVSS score is slightly lower (8.1 now, versus 9.8 in June and May), but the bugs could still allow an unauthenticated, remote attacker to execute code on an affected system with no user interaction. The rating was lowered because an attacker would need “to invest time in repeated exploitation attempts”, as with the RPC vulnerability above…
CVE-2022-22029 is not exploitable in NFSv4.1. Until you have applied the Windows update that protects against this vulnerability, you can mitigate an attack by disabling NFSv3. CVE-2022-22039, however, seems to apply to all versions.
If you’re running NFS, make sure you don’t ignore this and the previous patches. To find NFS instances in your domain you can use a PowerShell script like the one below:
```powershell
# Requires the RSAT Active Directory module on the admin host and the
# ServerManager module (Windows Server) for Get-WindowsFeature
Import-Module ActiveDirectory
Import-Module ServerManager

# Enumerate enabled Windows Server computer accounts from Active Directory
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
    Sort-Object -Property OperatingSystem |
    Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address

# Query each server remotely for installed NFS roles and features
$CSV = Foreach ($Computer in $Computers) {
    $NFS = Get-WindowsFeature *NFS* -ComputerName $Computer.Name |
        Where-Object { $_.InstallState -eq "Installed" }
    [pscustomobject]@{
        ComputerName = $Computer.Name
        # Installed NFS feature names joined with ";", or "-" when none are installed
        NFSInfo      = if ($NFS) { $NFS.Name -join ";" } else { "-" }
    }
}

$CSV | Export-Csv "C:\Temp\NFS_status.csv" -NoTypeInformation
```
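As an added example that is not part of the original post, the discovery script above can be extended to also report which NFS protocol versions each NFS server has enabled, so that hosts still serving NFSv3 can be prioritised for patching or for the temporary mitigation mentioned above. It assumes PowerShell remoting (WinRM) to the servers, the RSAT AD module on the admin host, and the NFS cmdlets (Get-NfsServerConfiguration) on hosts with the Server for NFS role (feature name FS-NFS-Service).

```powershell
# Added example, not from the original post. Assumes the RSAT AD module on the
# admin host, WinRM enabled on the servers, and the NFS cmdlets present wherever
# the Server for NFS role (FS-NFS-Service) is installed.
Import-Module ActiveDirectory

$Servers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' |
    Select-Object -ExpandProperty Name

# Collect the protocol versions in use; servers without the role return nothing
$NFSVersions = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    $Role = Get-WindowsFeature -Name FS-NFS-Service
    if (-not $Role.Installed) { return }
    $Cfg = Get-NfsServerConfiguration
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        NFSv3Enabled = $Cfg.EnableNFSV3
        NFSv4Enabled = $Cfg.EnableNFSV4
    }
}

# Hosts still answering NFSv3 are the ones exposed to CVE-2022-22029; patch them first
$NFSVersions |
    Where-Object { $_.NFSv3Enabled } |
    Select-Object ComputerName, NFSv3Enabled, NFSv4Enabled |
    Export-Csv "C:\Temp\NFS_v3_hosts.csv" -NoTypeInformation

# Temporary mitigation until the update is installed, run on an affected server
# (breaks NFSv3 clients; the NFS server must be restarted afterwards):
#   Set-NfsServerConfiguration -EnableNFSV3 $false
#   nfsadmin server stop; nfsadmin server start
```

Disabling NFSv3 only addresses CVE-2022-22029; CVE-2022-22039 still requires the update.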
CVE-2022-30216 – Windows Server Service Tampering Vulnerability
This tampering vulnerability in the Windows Server Service could allow an authenticated attacker to remotely upload a malicious certificate to a target server. This kind of bug might be used by an attacker for various purposes, including code execution. Unfortunately, Microsoft rates exploitation as “more likely”, meaning they expect active exploits within 30 days. It is worth considering patching ASAP.
Below you can see the most important CVEs released by Microsoft for July 2022 (zero-days, critical ones, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find some info about bugs in Azure Site Recovery (VMware-to-Azure scenario) and Windows Shell.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2022-22047 | Windows CSRSS Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 7+ Server 2008+ |
CVE-2022-30221 | Windows Graphics Component Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | PoC | Windows 8.1+ Server 2012+ |
CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Server 2008+ |
CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability | Critical (7.5) | Network | High | Low | None | Unproven | Server 2008+ |
CVE-2022-22026 | Windows CSRSS Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-30216 | Windows Server Service Tampering Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Server 20H2+ |
CVE-2022-30222 | Windows Shell Remote Code Execution Vulnerability | Important (8.4) | Local | Low | None | None | Unproven | Windows 10+ Server 2016+ |
CVE-2022-33674 | Azure Site Recovery Elevation of Privilege Vulnerability | Important (8.3) | Adjacent | Low | None | None | PoC | Azure Site Recovery (VMWare to Azure) |