Microsoft Patch Tuesday – June 2022

This month, Microsoft fixed 55 vulnerabilities, including 3 critical ones and 1 zero-day (the well-known ‘Follina’).

CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (aka Follina)

Microsoft finally fixed the widely-exploited Follina MSDT zero-day vulnerability!
This zero-day vulnerability was discovered last month. It bypassed security protections such as Microsoft Office’s Protected View and executed PowerShell scripts when a Word document was simply opened. If you didn’t apply the recommended mitigation (disabling the MSDT protocol), patch ASAP!

CVE-2022-30136 – Windows Network File System Remote Code Execution Vulnerability

This vulnerability is similar to CVE-2022-26937, published last month, but this time NFSv4.1 is vulnerable rather than NFSv2 and NFSv3. The NFS role isn’t enabled by default on Windows Server, but if your environment is a mix of Linux/Unix/Windows, double-check whether NFS is enabled on your systems. Until you install the update that protects against this vulnerability, you can mitigate an attack by disabling NFSv4.1.
To find NFS instances in your domain, you can use a PowerShell script like the one below:

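Import-Module ActiveDirectory

# Enabled Windows Server computer accounts in the domain
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
    Sort-Object -Property OperatingSystem |
    Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address

# Query each server for installed NFS features
$CSV = foreach ($Computer in $Computers) {
    try {
        $NFS = Get-WindowsFeature *NFS* -ComputerName $Computer.Name -ErrorAction Stop |
            Where-Object { $_.InstallState -eq "Installed" }
        $NFSInfo = if ($NFS) { $NFS.Name -join ";" } else { "-" }
    }
    catch {
        # Keep unreachable hosts distinguishable from hosts without NFS
        $NFSInfo = "query failed"
    }

    [pscustomobject]@{
        ComputerName = $Computer.Name
        NFSInfo      = $NFSInfo
    }
}

# One row per server; "-" means no NFS feature is installed
$CSV | Export-Csv "C:\Temp\NFS_status.csv" -NoTypeInformation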

CVE-2022-30163 – Windows Hyper-V Remote Code Execution Vulnerability

This bug could allow a specially crafted application running on a Hyper-V guest to cause the Hyper-V host operating system to execute arbitrary code. Successful exploitation requires an attacker to win a race condition. The attack complexity is high, but this one is still rated as critical.

CVE-2022-30139 & CVE-2022-30141 & CVE-2022-30143 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Again… similar to CVE-2022-22012 & CVE-2022-29130, published last month. This time they are rated Critical (7.5), Important (8.1), and Important (7.5). For me, it’s a mystery why Microsoft decided to use the Critical classification this time. Still, these are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default (10,485,760). Systems with the default value of this policy would not be vulnerable, and it isn’t common to change that value. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account.
To check MaxReceiveBuffer in your LDAP policy, you can use ntdsutil.exe:

[Screenshot: Check MaxReceiveBuffer using ntdsutil]
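The same check can be scripted by reading the LDAP query policies straight from Active Directory. This is an added example, not code from the original post: it assumes the ActiveDirectory module and read access to the configuration partition, the helper name Test-MaxReceiveBuffer is hypothetical, and treating a missing limit as the default is an assumption.

```powershell
Import-Module ActiveDirectory

# Interactive equivalent in ntdsutil.exe:
#   ldap policies -> connections -> connect to server <DC> -> q -> show values

$DefaultMaxReceiveBuffer = 10485760   # default value quoted in the text above

# Hypothetical helper: turn a policy's lDAPAdminLimits values ("Name=Value")
# into one result row that flags a MaxReceiveBuffer above the default.
function Test-MaxReceiveBuffer {
    param(
        [string]$PolicyName,
        $AdminLimits
    )
    $entry = @($AdminLimits) |
        Where-Object { "$_" -match '^MaxReceiveBuffer=(\d+)$' } |
        Select-Object -First 1

    # Assumption: a limit that is not listed in the policy uses the default
    $value = if ($entry) { [int64](("$entry" -split '=')[1]) } else { $DefaultMaxReceiveBuffer }

    [pscustomobject]@{
        Policy           = $PolicyName
        MaxReceiveBuffer = $value
        AboveDefault     = $value -gt $DefaultMaxReceiveBuffer
    }
}

# Query policies are stored in the forest's configuration partition
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# List every query policy object, not only "Default Query Policy",
# because a domain controller or site can be assigned a custom one.
Get-ADObject -SearchBase $searchBase -LDAPFilter '(objectClass=queryPolicy)' -Properties lDAPAdminLimits |
    ForEach-Object { Test-MaxReceiveBuffer -PolicyName $_.Name -AdminLimits $_.lDAPAdminLimits } |
    Sort-Object AboveDefault -Descending |
    Format-Table -AutoSize
```

Any row with AboveDefault set to True marks a policy that meets the exploitability condition described above, so domain controllers using it should be patched first.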

Also, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, and CVE-2022-30161 are connected with the LDAP remote code execution, but they are less critical based on the CVSS score.

Below you can see the most important CVEs released by Microsoft for June 2022 (zero-days, critical, and with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find some info about bugs in SharePoint and Kerberos.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Important (7.8) | Local | Low | None | Required | Exploited | Windows 7+, Server 2008+ |
| CVE-2022-30136 | Windows Network File System Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Server 2012+ |
| CVE-2022-30163 | Windows Hyper-V Remote Code Execution Vulnerability | Critical (8.5) | Network | High | Low | None | Unproven | Windows 7 SP1+, Server 2008 R2+ |
| CVE-2022-30139 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical (7.5) | Network | High | Low | None | Unproven | Windows 10+, Server 2016+ |
| CVE-2022-30153 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-30161 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+ |
| CVE-2022-30157 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| CVE-2022-30158 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Server 2013 SP1, SharePoint Foundation Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| CVE-2022-30165 | Windows Kerberos Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Server 2016+ |
| CVE-2022-30164 | Kerberos AppContainer Security Feature Bypass Vulnerability | Important (8.4) | Local | Low | Low | None | Unproven | Windows 8.1+, Server 2012+ |
| CVE-2022-30141 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008+ |
