This month Microsoft has fixed 55 vulnerabilities, including three rated Critical and one zero-day (the well-known ‘Follina’).
CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (aka Follina)
Microsoft has finally fixed the widely exploited Follina MSDT zero-day!
This zero-day was disclosed last month. A malicious Word document hands an ms-msdt: URL to the Support Diagnostic Tool, which then runs attacker-supplied PowerShell; it bypassed protections such as Microsoft Office’s Protected View and needed nothing more than opening the document. If you didn’t apply the recommended workaround (removing the ms-msdt URL protocol handler), patch ASAP.
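The following PowerShell is an added example (not code from the original post) for checking whether the Follina workaround is still in place on a host, applying it, or reverting it once the update is installed. The -Mode parameter and the backup path C:\Temp\ms-msdt.reg are choices made for this example; run it elevated.

```powershell
# Added example, not from the original post: audit, apply or revert the Follina workaround
# (removing the ms-msdt: URL protocol handler, as Microsoft recommended before the fix shipped).
# Assumptions: run elevated; the backup path is an arbitrary choice for this example.
param(
    [ValidateSet("Audit", "Apply", "Revert")]
    [string]$Mode = "Audit",
    [string]$BackupFile = "C:\Temp\ms-msdt.reg"
)

$KeyPath = "Registry::HKEY_CLASSES_ROOT\ms-msdt"

function Get-MsdtHandlerCommand {
    # Returns the command line registered for ms-msdt: URLs, or $null when the handler is gone
    if (-not (Test-Path $KeyPath)) { return $null }
    (Get-ItemProperty -Path "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
}

switch ($Mode) {
    "Audit" {
        $Cmd = Get-MsdtHandlerCommand
        if ($Cmd) {
            "ms-msdt handler PRESENT -> $Cmd"
            "Workaround not applied: make sure the June 2022 update is installed on this host."
        } else {
            "ms-msdt handler absent: workaround applied (or the key never existed on this SKU)."
        }
    }
    "Apply" {
        if (Test-Path $KeyPath) {
            New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
            # Back up first so the handler can be restored after patching
            reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y | Out-Null
            reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
            "Handler removed; backup written to $BackupFile"
        } else {
            "Nothing to do: handler already absent."
        }
    }
    "Revert" {
        if (Test-Path $BackupFile) {
            reg.exe import $BackupFile | Out-Null
            "Handler restored from $BackupFile"
        } else {
            "No backup found at $BackupFile"
        }
    }
}
```

Audit mode is safe to run through Invoke-Command across a fleet; Apply and Revert change the registry, so keep the backup file until you have confirmed the update is installed.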
CVE-2022-30136 – Windows Network File System Remote Code Execution Vulnerability
This vulnerability is similar to CVE-2022-26937 published last month, but this time NFSv4.1 is affected rather than NFSv2 and NFSv3. The NFS role isn’t enabled by default on Windows Server, but if your environment mixes Linux/Unix and Windows, double-check whether NFS is enabled on your systems. Until you install the update, you can mitigate an attack by disabling NFSv4.1 (Microsoft’s published workaround), with the caveat that clients relying on NFSv4.1 lose access until you re-enable it after patching.
To find NFS instances in your domain you can use a PowerShell script like the one below (it needs the ActiveDirectory module, and Get-WindowsFeature comes from the ServerManager module, so run it from a Windows Server host):

```powershell
# Enumerate enabled Windows Server computer objects in the domain
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' `
    -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
    Sort-Object -Property OperatingSystem |
    Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address

# Ask each server which NFS features are installed (FS-NFS-Service = Server for NFS, NFS-Client = client)
$CSV = foreach ($Computer in $Computers) {
    $NFS = Get-WindowsFeature *NFS* -ComputerName $Computer.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.InstallState -eq "Installed" }
    [pscustomobject]@{
        ComputerName = $Computer.Name
        NFSInfo      = if ($NFS) { $NFS.Name -join ";" } else { "-" }
    }
}

# Make sure the output folder exists, then write the inventory
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
$CSV | Export-Csv "C:\Temp\NFS_status.csv" -NoTypeInformation
```
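As an added example (not from the original post), the following PowerShell reads the CSV produced by the discovery script, and for every host with the Server for NFS role reports whether NFSv4 is enabled and, with -Disable, applies the interim workaround. It assumes WinRM remoting to the servers, that the NFS PowerShell module is installed there, and that the EnableNFSV4 setting exposed by Get-/Set-NfsServerConfiguration reflects the server-side NFSv4.1 state.

```powershell
# Added example, not from the original post: report (and with -Disable, turn off) NFSv4 on the
# servers that the discovery script wrote to C:\Temp\NFS_status.csv.
# Assumptions: WinRM works, the NFS PowerShell module is present on the targets, and the
# EnableNFSV4 property of Get-NfsServerConfiguration reflects the server-side NFSv4.1 setting.
param(
    [string]$CsvPath = "C:\Temp\NFS_status.csv",
    [switch]$Disable
)

# Only hosts running Server for NFS are exposed; the NFS-Client feature alone is not a server
$NfsServers = Import-Csv $CsvPath | Where-Object { $_.NFSInfo -like "*FS-NFS-Service*" }

$Report = foreach ($Server in $NfsServers) {
    try {
        Invoke-Command -ComputerName $Server.ComputerName -ArgumentList ([bool]$Disable) -ScriptBlock {
            param([bool]$Disable)
            $Before = (Get-NfsServerConfiguration).EnableNFSV4
            if ($Disable -and $Before) {
                # Microsoft's interim mitigation: disable NFSv4.1, then restart the NFS server so the
                # change takes effect (clients depending on v4.1 lose access until it is re-enabled)
                Set-NfsServerConfiguration -EnableNFSV4 $false
                nfsadmin server stop | Out-Null
                nfsadmin server start | Out-Null
            }
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                NFSv4Before  = $Before
                NFSv4Now     = (Get-NfsServerConfiguration).EnableNFSV4
                Error        = $null
            }
        }
    } catch {
        # Unreachable host or missing NFS module: record it rather than silently skipping
        [pscustomobject]@{
            ComputerName = $Server.ComputerName
            NFSv4Before  = $null
            NFSv4Now     = $null
            Error        = $_.Exception.Message
        }
    }
}

$Report | Format-Table ComputerName, NFSv4Before, NFSv4Now, Error -AutoSize
# Hosts still showing NFSv4Now = True have neither the patch nor the workaround verified.
# After installing the update, restore service with: Set-NfsServerConfiguration -EnableNFSV4 $true
```

Run it without -Disable first to get a plain inventory; rows with an Error value are the hosts you could not assess and should check by hand.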
CVE-2022-30163 – Windows Hyper-V Remote Code Execution Vulnerability
A specially crafted application run on a Hyper-V guest could cause the Hyper-V host operating system to execute arbitrary code. Successful exploitation requires the attacker to win a race condition, so the attack complexity is High, yet Microsoft still rates this one Critical.
CVE-2022-30139 & CVE-2022-30141 & CVE-2022-30143 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Again… these resemble CVE-2022-22012 and CVE-2022-29130 published last month. This time they are rated Critical (7.5), Important (8.1) and Important (7.5) respectively. For me, it’s a mystery why Microsoft decided on the Critical classification this time, because the bug is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default (10,485,760). Systems with the default value are not vulnerable, and it isn’t common to change that value. Where it has been raised, an unauthenticated attacker could send a specially crafted request to a vulnerable server, and successful exploitation would run the attacker’s code in the context of the SYSTEM account.
To check MaxReceiveBuffer on your LDAP policy you can use ntdsutil.exe:
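The following PowerShell is an added example (not code from the original post) that reads MaxReceiveBuffer two ways: through ntdsutil.exe as suggested above, and directly from the lDAPAdminLimits attribute of the Default Query Policy object, then flags a value above the default. It assumes the ActiveDirectory module is loaded, that $DC is a domain controller you can query, and that the domain-wide default policy is in use (a DC can be pointed at a different policy through the queryPolicyObject attribute on its NTDS Settings object, which this script does not follow).

```powershell
# Added example, not from the original post: read MaxReceiveBuffer from the LDAP query policy,
# first through ntdsutil.exe, then straight from the Default Query Policy object, and flag a
# value above the 10,485,760 default (the precondition for the June 2022 LDAP RCE bugs).
# Assumptions: ActiveDirectory module loaded; $DC is a reachable domain controller; the DC uses
# the domain-wide Default Query Policy rather than a per-DC/per-site policy.
param([Parameter(Mandatory)][string]$DC)

$DefaultMaxReceiveBuffer = 10485760

# 1) ntdsutil: enter "LDAP policies", connect to the DC, then "show values"
$NtdsOutput = & ntdsutil.exe "LDAP policies" connections "connect to server $DC" quit "show values" quit quit
"ntdsutil says: " + (($NtdsOutput | Where-Object { $_ -match 'MaxReceiveBuffer' }) -join ' ')

# 2) Same setting from the lDAPAdminLimits attribute of the default query policy
$ConfigNC = (Get-ADRootDSE -Server $DC).configurationNamingContext
$PolicyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC"
$Limits   = (Get-ADObject -Identity $PolicyDN -Server $DC -Properties lDAPAdminLimits).lDAPAdminLimits

# Entries look like "MaxReceiveBuffer=10485760"; an absent entry means the built-in default applies
$Entry = $Limits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }
$Value = if ($Entry) { [int64]($Entry -split '=', 2)[1] } else { $DefaultMaxReceiveBuffer }

if ($Value -gt $DefaultMaxReceiveBuffer) {
    "MaxReceiveBuffer=$Value is ABOVE the default ($DefaultMaxReceiveBuffer): LDAP RCE precondition met, patch this DC first"
} else {
    "MaxReceiveBuffer=$Value (default or lower): the MaxReceiveBuffer precondition is not met"
}
```

Run it once per domain controller; the ntdsutil output and the attribute read should agree, and a mismatch means that DC is using a non-default query policy worth inspecting.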
Also, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153 and CVE-2022-30161 are LDAP remote code execution bugs as well, but they are rated Important rather than Critical (two of them, CVE-2022-30153 and CVE-2022-30161, still score 8.8 and appear in the table below).
Below you can see the most important CVEs Microsoft released for June 2022 (zero-days, those rated Critical, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already discussed, you will also find bugs in SharePoint and Kerberos.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Important (7.8) | Local | Low | None | Required | Exploited | Windows 7+ Server 2008+ |
CVE-2022-30136 | Windows Network File System Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Server 2012+ |
CVE-2022-30163 | Windows Hyper-V Remote Code Execution Vulnerability | Critical (8.5) | Network | High | Low | None | Unproven | Windows 7 SP1+ Server 2008 R2+ |
CVE-2022-30139 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical (7.5) | Network | High | Low | None | Unproven | Windows 10+ Server 2016+ |
CVE-2022-30153 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-30161 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-30157 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016 SharePoint Server 2019 SharePoint Server Subscription Edition |
CVE-2022-30158 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Server 2013 SP1 SharePoint Foundation Server 2013 SP1 SharePoint Enterprise Server 2016 SharePoint Server 2019 SharePoint Server Subscription Edition |
CVE-2022-30165 | Windows Kerberos Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Server 2016+ |
CVE-2022-30164 | Kerberos AppContainer Security Feature Bypass Vulnerability | Important (8.4) | Local | Low | Low | None | Unproven | Windows 8.1+ Server 2012+ |
CVE-2022-30141 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |