Update now—July Patch Tuesday patches include fix for exploited zero-day

Update now—July Patch Tuesday patches include fix for exploited zero-day

It’s time to triage a lot of patching again. Microsoft’s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) list of known to be exploited in the wild list that are due for patching by August 2, 2022.

Microsoft

In total the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as “Critical” since they are remote code execution (RCE) vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that ware assigned to the four Critical vulnerabilities:

CVE-2022-22029: Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.

CVE-2022-22039: Another Windows Network File System (NFS) RCE vulnerability. It’s possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.

CVE-2022-22038: Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

CVE-2022-30221: Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.

Azure Site Recovery

A huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.

According to Microsoft, SQL injection vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.

CVE-2022-22047

The vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

The vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system’s operation and is mainly responsible for Win32 console handling and GUI shutdown.

This type of vulnerability are often chained together with others in macros, which makes the decision to roll back Office Macro blocking incomprehensible, even if it is only temporary.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe released security updates for Acrobat, Character Animator, Photoshop,  Reader, and RoboHelp.

Cisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and several other security updates.

Citrix released hotfixes to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.

Google released Android’s July security updates including 3 labelled as “Critical”.

SAP released its July 2022 Patch Day bulletin with 20 new Security Notes.

VMWare released security updates.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.