Microsoft Patch Tuesday – July 2022

This month, Microsoft has fixed 55 vulnerabilities, including 3 criticals and 1 zero-day.

CVE-2022-22047 – Windows CSRSS Elevation of Privilege Vulnerability

Let’s start with the zero-day. Microsoft is silent about exploitation details, such as where or how widely it is being exploited. This bug allows an attacker to gain SYSTEM privileges. An attacker might combine it with a Remote Code Execution (RCE) bug, e.g. one of the recently published macro vulnerabilities. Bear in mind that Microsoft delayed blocking all Office macros by default. This vulnerability was discovered internally by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).

CVE-2022-30221 – Windows Graphics Component Remote Code Execution Vulnerability

It has been a long time without RDP bugs, hasn’t it? While a connection to a malicious RDP server is being established, code might be executed on the victim’s system in the context of the targeted user. Windows 7 SP1 and Windows Server 2008 R2 SP1 are vulnerable only if either RDP 8.0 or RDP 8.1 is installed.

CVE-2022-22038 – Remote Procedure Call Runtime Remote Code Execution Vulnerability

This bug could allow an unauthenticated attacker to execute code remotely on an affected system. Microsoft states the attack complexity is high since an attacker would need “to invest time in repeated exploitation attempts”. But if an attacker finds a way to automate the attack attempts, the CVSS would be 9.8 (if we change the complexity to low). Patch ASAP.

CVE-2022-22029 & CVE-2022-22039 – Windows Network File System Remote Code Execution Vulnerability

And for the third time in a row: critical bugs in NFS. This time the CVSS is slightly lower (8.1 right now and 9.8 in June and May), but the bug could still allow an unauthenticated, remote attacker to execute code on an affected system with no user interaction. The rating was lowered because an attacker would need “to invest time in repeated exploitation attempts”, as in the RPC vulnerability above…
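
The re-scoring argument made for the RPC bug and repeated here for NFS can be checked with the CVSS v3.1 base-score formula. The PowerShell below is an added example, not part of the original post; it assumes Scope Unchanged and High confidentiality, integrity and availability impact (metrics this page does not list), and its function names are hypothetical.

```powershell
# Added example: CVSS v3.1 base score for Scope Unchanged.
# Assumption: C/I/A are all High (0.56 each); the page does not list them.
$Weights = @{
    AV = @{ Network = 0.85; Adjacent = 0.62; Local = 0.55; Physical = 0.2 }
    AC = @{ Low = 0.77; High = 0.44 }
    PR = @{ None = 0.85; Low = 0.62; High = 0.27 }   # weights for unchanged scope
    UI = @{ None = 0.85; Required = 0.62 }
}

function Get-CvssRoundUp([double]$Value) {
    # "Round up to one decimal" done on integers to avoid floating-point artefacts.
    $Scaled = [int][math]::Round($Value * 100000)
    if ($Scaled % 10000 -eq 0) { return $Scaled / 100000.0 }
    return ([math]::Floor($Scaled / 10000) + 1) / 10.0
}

function Get-CvssBaseScore {
    param(
        [ValidateSet('Network','Adjacent','Local','Physical')][string]$AV,
        [ValidateSet('Low','High')][string]$AC,
        [ValidateSet('None','Low','High')][string]$PR,
        [ValidateSet('None','Required')][string]$UI,
        [double]$C = 0.56, [double]$I = 0.56, [double]$A = 0.56
    )
    $Impact = 6.42 * (1 - ((1 - $C) * (1 - $I) * (1 - $A)))
    if ($Impact -le 0) { return 0.0 }
    $Exploitability = 8.22 * $Weights.AV[$AV] * $Weights.AC[$AC] * $Weights.PR[$PR] * $Weights.UI[$UI]
    Get-CvssRoundUp ([math]::Min($Impact + $Exploitability, 10))
}

# Metrics as given in this post for the RPC bug and one of the NFS bugs.
$Rows = @(
    [pscustomobject]@{ CVE = 'CVE-2022-22038'; AV = 'Network'; AC = 'High'; PR = 'None'; UI = 'None' }
    [pscustomobject]@{ CVE = 'CVE-2022-22039'; AV = 'Network'; AC = 'High'; PR = 'Low';  UI = 'None' }
)

foreach ($Row in $Rows) {
    [pscustomobject]@{
        CVE             = $Row.CVE
        AsPublished     = Get-CvssBaseScore -AV $Row.AV -AC $Row.AC -PR $Row.PR -UI $Row.UI
        IfComplexityLow = Get-CvssBaseScore -AV $Row.AV -AC 'Low' -PR $Row.PR -UI $Row.UI
    }
}
```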

CVE-2022-22029 is not exploitable in NFSv4.1. Until you install the update that protects against this vulnerability, you can mitigate an attack by disabling NFSv3. However, CVE-2022-22039 seems to apply to all versions.

If you’re running NFS, make sure you don’t ignore this and previous patches. To find NFS instances in your domain you can use a PowerShell script like the one below:

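# Requires the ActiveDirectory and ServerManager modules (RSAT) and remote management access to the servers
Import-Module ActiveDirectory

# All enabled computer accounts whose operating system name contains "server"
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property OperatingSystem |
Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address

$CSV =
Foreach ($Computer in $Computers){
    try {
        # Installed NFS-related features on this server
        $NFS =
        Get-WindowsFeature *NFS* -ComputerName $Computer.Name -ErrorAction Stop |
        Where-Object {$_.InstallState -eq "Installed"}
        $NFSInfo = if($NFS){$NFS.Name -join ";"}else{"-"}
    } catch {
        # An unreachable server must not be reported as "no NFS installed"
        $NFSInfo = "query failed"
    }

    [pscustomobject]@{
        ComputerName = $Computer.Name
        NFSInfo      = $NFSInfo
    }
}

# One row per server: name and the list of installed NFS features
$CSV |
Export-Csv "C:\Temp\NFS_status.csv" -NoTypeInformation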
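
An added example (not part of the original script) that reads the inventory produced above and reports which Server for NFS hosts still have NFSv3 enabled, optionally applying the NFSv3 mitigation mentioned for CVE-2022-22029. It assumes the CSV from the script above, PowerShell remoting to each server and nfsadmin.exe on the target; the -DisableV3 switch and the output path are names invented for this example.

```powershell
# Added example: audit, and optionally apply, the NFSv3 mitigation for CVE-2022-22029.
# Assumptions: the CSV written by the inventory script, PowerShell remoting to the
# servers, nfsadmin.exe present on them. -DisableV3 is invented for this example.
param(
    [string]$InventoryPath = 'C:\Temp\NFS_status.csv',
    [switch]$DisableV3
)

# Only hosts with the Server for NFS role service matter here, not the NFS client.
$Targets = Import-Csv $InventoryPath |
    Where-Object { ($_.NFSInfo -split ';') -contains 'FS-NFS-Service' }

$Report = foreach ($Target in $Targets) {
    try {
        Invoke-Command -ComputerName $Target.ComputerName -ErrorAction Stop `
            -ArgumentList $DisableV3.IsPresent -ScriptBlock {
            param([bool]$Disable)
            if ($Disable) {
                Set-NfsServerConfiguration -EnableNFSV3 $false
                # Restart Server for NFS so the new protocol setting takes effect.
                nfsadmin server stop  | Out-Null
                nfsadmin server start | Out-Null
            }
            $Cfg = Get-NfsServerConfiguration
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                NFSv3Enabled = $Cfg.EnableNFSV3
                NFSv4Enabled = $Cfg.EnableNFSV4
                Status       = if ($Cfg.EnableNFSV3) { 'NFSv3 on: patch or disable' } else { 'NFSv3 off' }
            }
        }
    } catch {
        # A host that cannot be queried is reported, never counted as mitigated.
        [pscustomobject]@{
            ComputerName = $Target.ComputerName
            NFSv3Enabled = $null
            NFSv4Enabled = $null
            Status       = "query failed: $($_.Exception.Message)"
        }
    }
}

$Report | Select-Object ComputerName,NFSv3Enabled,NFSv4Enabled,Status |
    Export-Csv 'C:\Temp\NFS_v3_status.csv' -NoTypeInformation
```

Disabling NFSv3 cuts off clients that cannot speak NFSv4.1, and per the post it covers only CVE-2022-22029; CVE-2022-22039 still needs the update.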

CVE-2022-30216 – Windows Server Service Tampering Vulnerability

This tampering vulnerability in the Windows Server Service could allow an authenticated attacker to remotely upload a malicious certificate to a target server. This kind of bug might be used by an attacker for various purposes, including code execution. Unfortunately, Microsoft said the exploitation probability is “more likely”, meaning they expect active exploits within 30 days. It is worth considering patching ASAP.

Below you can see the most important CVEs released by Microsoft for July 2022 (zero-days, critical, and with CVSS at least 8.0). Besides the vulnerabilities already mentioned, you can also find some info about bugs in Azure Site Recovery (VMware-to-Azure scenario) and Windows Shell.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-22047 | Windows CSRSS Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 7+, Server 2008+ |
| CVE-2022-30221 | Windows Graphics Component Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | PoC | Windows 8.1+, Server 2012+ |
| CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Server 2008+ |
| CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability | Critical (7.5) | Network | High | Low | None | Unproven | Server 2008+ |
| CVE-2022-22026 | Windows CSRSS Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-30216 | Windows Server Service Tampering Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Server 20H2+ |
| CVE-2022-30222 | Windows Shell Remote Code Execution Vulnerability | Important (8.4) | Local | Low | None | None | Unproven | Windows 10+, Server 2016+ |
| CVE-2022-33674 | Azure Site Recovery Elevation of Privilege Vulnerability | Important (8.3) | Adjacent | Low | None | None | PoC | Azure Site Recovery (VMware to Azure) |
