The Microsoft September 2022 Patch Tuesday includes fixes for two publicly disclosed zero-day vulnerabilities, one of which is known to be actively exploited.
Five of the 60+ security vulnerabilities were rated as “Critical”, and 57 as important. Two vulnerabilities qualify as zero-days, with one of them being actively exploited.
The first zero-day, CVE-2022-37969, is a Windows Common Log File System Driver Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges, although the attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system. This flaw is already being exploited in the wild.
Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
The second zero-day, CVE-2022-23960, is an Arm cache speculation restriction vulnerability that is unlikely to be exploited. Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mis-predicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. The vulnerability was disclosed in March by researchers at VUSec.
The critical vulnerabilities
CVE-2022-35805 and CVE-2022-34700 are both Microsoft Dynamics CRM (on-premises) Remote Code Execution (RCE) vulnerabilities. An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as db_owner within their Dynamics 365 database.
CVE-2022-34718: a Windows TCP/IP RCE vulnerability with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine. Only systems with the IPSec service running are vulnerable to this attack. Systems are not affected if IPv6 is disabled on the target machine.
CVE-2022-34721 and CVE-2022-34722: are both Windows Internet Key Exchange (IKE) Protocol Extensions RCE vulnerabilities with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. The vulnerability only impacts IKEv1. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets.
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones:
- Adobe released seven patches addressing 63 security holes in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator.
- Earlier this month, the Android security bulletin for September came out, which was followed up with a Pixel specific update.
- Apple fixed at least two zero-day vulnerabilities when it released updates for iOS, iPadOS, macOS and Safari.
- Cisco released security updates for numerous products this month.
- Google released a fix for a Chrome zero-day.
- Samsung has released a new security update for major flagship models.
- SAP published its September 2022 Patch Day updates.
- VMware released security advisory for VMware Tools.