Microsoft Patch Tuesday
Microsoft addressed 117 CVEs this month, and there are a couple of headline-grabbing bugs that need attention. Critical vulnerabilities are also fixed in Dynamics 365, Hyper-V, .NET, PowerShell, DNS and many other common Windows features.
CVE-2022-26809 is a potentially wormable Remote Procedure Call (RPC) runtime Remote Code Execution (RCE) zero-day vulnerability affecting all supported versions of Windows, and Microsoft have taken the step of going further back and checking Windows 7 and Server 2012 for its presence. This bug is notable as it bears something of a similarity to WannaCry: it can be exploited using crafted remote procedure calls to the SMB port. Microsoft recommends ensuring perimeter firewalls are configured to block port TCP/445 inbound and outbound, a hard lesson many people learned with the WannaCry bug. Additional guidance on securing SMB services has also been flagged in the advisory.
Two zero-day bugs have also been addressed this month, in the form of CVE-2022-24521 and CVE-2022-26904. Both are Elevation of Privilege vulnerabilities with known exploits, with the former listed as “exploitation detected”, meaning Microsoft have seen active attacks in the wild. The latter has a High attack complexity, meaning that although the bug allows a high level of system compromise, it is currently difficult to carry out a successful attack using it.
Finally, NFS (the Network File System) across all supported versions of Windows is affected by two critical vulnerabilities (CVE-2022-24491, CVE-2022-24497) that each score 9.8 on the CVSS scoring scale. Exploit code is available, and Microsoft believe exploitation of these vulnerabilities is likely. NFS is a Windows feature available in all flavours of the OS but isn't enabled by default; however, in both cases, sending crafted packets to an NFS-enabled device would allow an attacker to execute arbitrary code with high privileges.
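A defender-side check for the two preconditions discussed above (inbound TCP/445 exposure for the RPC bug, and whether the NFS server role is actually present for the NFS bugs), as an added PowerShell example that is not from the original article or from Microsoft's advisory. It assumes a Windows host with the NetSecurity module and the standard FS-NFS-Service role and NfsService service names, and it only reports; it changes no configuration.

```powershell
# Added example, not from the original article. Read-only audit of the two
# exposure conditions the advisory cares about. Assumptions: run elevated on
# Windows 10/11 or Windows Server; NetSecurity cmdlets available; the NFS
# server role is FS-NFS-Service and its service is NfsService.

function Test-Smb445Blocked {
    # True if at least one enabled inbound Windows Firewall rule blocks TCP/445.
    # This is a defence-in-depth check on the host; the advisory's recommendation
    # is about perimeter firewalls, and blocking 445 on a file server breaks SMB.
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
    return [bool]$rules
}

function Test-NfsServerPresent {
    # NFS is off by default, so report whether the server role is installed and
    # whether its service is running; either being true widens the attack surface.
    $feature = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {   # Server SKUs only
        $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    }
    $svc = Get-Service -Name NfsService -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RoleInstalled  = [bool]($feature -and $feature.Installed)
        ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

function Get-PatchTuesdayExposure {
    # One object per host; feed it to Export-Csv across a fleet to prioritise patching.
    $nfs = Test-NfsServerPresent
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SmbListening      = $listening445
        Inbound445Blocked = Test-Smb445Blocked
        NfsRoleInstalled  = $nfs.RoleInstalled
        NfsServiceRunning = $nfs.ServiceRunning
    }
}

Get-PatchTuesdayExposure | Format-List
```

A host that reports SmbListening true with Inbound445Blocked false, or NfsRoleInstalled true, is one to patch first; the script does not tell you whether the April updates are installed, only whether the vulnerable surface is reachable.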
Cisco & VMware
The recently announced “Spring4Shell” vulnerability in the Spring framework has affected many vendors, and updates continue to drop to address it. While it shares a similar name and also affects a Java framework, the vulnerability is distinct from the Log4Shell bug announced earlier in the year. Cisco and VMware are the latest to drop updates, with VMware addressing the issue in Tanzu and TKGI, and Cisco fixing the issue across numerous products.
Not to be outdone, Adobe have released updates for Acrobat/Reader, Photoshop, After Effects and Commerce (Magento). For Acrobat, the update addresses 62 bugs, including 35 Critical issues made up of Arbitrary Code Execution vulnerabilities.