Patch Tuesday Despite worries that Patch Tuesday may not be as exciting now that Microsoft’s Windows Autopatch is live — with a slew of caveats — the second Tuesday of this month arrived with 84 security fixes, including 4 critical bugs and one that’s under active exploit.
Let’s start with the one that miscreants have already found and exploited. CVE-2022-22047 is an elevation of privilege vuln in Windows’ Client Server Runtime Subsystem (CSRSS). Microsoft deemed it an “important” security issue, with low complexity and low privileges required to exploit. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the security advisory explained.
But in typical Redmond fashion, it didn’t provide any additional details about how widely this bug is being exploited in the wild. One assumes this is used by malware that manages to get onto a Windows system, or by an intruder or rogue insider, to gain system admin-level privileges and completely take over the box.
The Zero Day Initiative provided more context in its July security patch summary:
That delay in blocking internet-sourced macros in Office by default was covered here.
In an email to The Register, Immersive Labs’ Director of Cyber Threat Research Kevin Breen explained what could happen if an attacker exploited this bug to escalate permissions from a normal user to SYSTEM-level access.
“With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,” he said. “With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”
Critcal Windows RCE vulns
Moving on to the four critical remote code execution flaws: CVE-2022-30221, a Windows Graphics Component RCE, received the highest CVSS severity rating of 8.8 out of 10. Microsoft considered exploitation “less likely” for this one because an attacker would have to convince the target to connect to a malicious RDP server in order to drop malware on the victim’s system.
CVE-2022-22029 and CVE-2022-22039 are two more critical vulns in the Windows Network File System (NFS), which has needed patches for critical RCE flaws in the past few months. While the July fixes received a lower CVSS score compared to previous months’ — the latest ones received 8.1 and 7.5 severity scores, respectively, compared to last month’s 9.8 CVSS rating — as with the earlier NFS bugs, they could be exploited over the network by a unauthenticated attacker and used to remotely execute malicious code.
Redmond considers the attack complexity high for both. Exploiting CVE-2022-22029, “requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data,” the software giant explained. Meanwhile, CVE-2022-22039 would require a miscreant to win a race condition.
The fourth critical bug, tracked as CVE-2022-22038, is a remote procedure call runtime RCE in Windows that received a CVSS score of 8.1. While Microsoft says exploitation is less likely for this RCE, the Zero Day Initiative warns the code execution would likely occur at elevated privileges and result in a potentially wormable bug.
“Unless you are actively blocking RPC activity, you may not see these attempts,” ZDI’s Dustin Childs explained. “If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly.”
Adobe fixes 27 CVEs
Adobe also had a slow-ish July Patch Tuesday, compared to last month, and fixed 27 vulnerabilities across its RoboHelp, Acrobat and Reader, Character and Animator, and Photoshop products. Of these, 18 are critical and the rest are rated important.
Most of Adobe’s flaws this month are in Acrobat and Reader, which accounted for 22 of the bugs, of which 15 are critical and five deemed important. These could allow remote code execution and memory leaks.
Two critical bugs in Character and Animator could allow an attacker to execute arbitrary code on victims’ machines via heap-based buffer overflow and out-of-bounds read vulns.
Older AMD, Intel chips vulnerable to data-leaking ‘Retbleed’ Spectre variant
Adobe fixed one critical arbitrary code execution vulnerability and one important memory leak bug in Photoshop.
And finally, one important flaw in RoboHelp could lead to arbitrary code execution.
SAP issues 20 Security Notes
Also today, SAP released 20 new Security Notes and three updates to previously released Patch Day Security Notes [PDF]. This includes four high-priority fixes, 17 rated medium and two low-priority.
Most of the high-priority notes are for SAP Business One. This includes Security Note #3212997, which received a 7.6 CVSS, and patches information disclosure holes in integration scenarios of SAP B1 and SAP HANA.
“The vulnerability allows a highly privileged attacker to gain access to sensitive information such as high privileged account credentials, which could be used to help launch subsequent attacks,” explained Onapsis’ SAP security researcher Thomas Fritsch.
Cisco patches two critical bugs
Meanwhile, Cisco, earlier this month, issued 10 security updates.
This includes two critical bugs that affect Cisco Expressway Series software and Cisco TelePresence VCS software if they are in the default configuration. Both critical vulns, tracked as CVE-2022-20812 and CVE-2022-20813, received 9.0 severity scores. Cisco released patches for both, and said it isn’t aware of any in-the-wild exploits.
CVE-2022-20812 is a flaw in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS.
“An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command,” according to the security advisory. “A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system as the root user.”
The other critical bug, CVE-2022-20813, in the certificate validation of Cisco Expressway Series and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to access sensitive data. It’s due to an improper certificate validation, and could be exploited using a man-in-the-middle attack to intercept traffic between devices and potentially alter or steal the data in transit.
Android fixes critical RCE
And finally, Google issued 27 fixes for Android devices in its July security bulletin. “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” it warned. ®