Welcome to Post Patch Roundup – August 2022
The Post Patch Roundup blog for August 2022, where we review some of the major updates from the big vendors for the month.
Microsoft
Microsoft have been busy this month, with well over 100 vulnerabilities addressed. This includes a 0-Day, multiple bugs in the on-prem versions of Exchange, and further updates to Azure Site Recovery.
CVE-2022-34713 is getting the most attention this month, being a further bug in the MSDT support diagnostic tool that has been previously targeted and was dubbed Follina. User interaction is required, in the form of opening a malicious file, and this bug is being actively exploited in the wild. Microsoft note that this bug isn’t directly related to the Follina flaw but was discovered after “greater scrutiny” was applied to MSDT following the previous high-profile bugs.
Companies with on-prem Exchange environments are being urged to update it ASAP following the discovery of three critical vulnerabilities (CVE-2022-21980, CVE-2022-24477, CVE-2022-24516), and to apply extended protection controls to further lock down those servers. Microsoft’s details on the three vulnerabilities are scant but imply that local access to the server is needed, with the attacks delivered by an authenticated user on the server accessing a share or website containing malicious files. This would need a degree of social engineering or a malicious insider to carry out, but full system compromise is possible once delivered.
Carrying on from last month’s batch of Azure Site Recovery (ASR) vulnerabilities, more than 30 additional fixes have been released for the tool in August. These cover a range of severities, the lowest having a CVSS score of 4.4 and ranging up to 8.1 for CVE-2022-35802. ASR is used to replicate workloads between failover Azure sites to ensure services aren’t affected by outages, and this requires an on-prem server to act as the mediator and management server. All these vulnerabilities are Elevation of Privilege bugs that would allow an attacker with network access to the ASR management server to gain access and potentially modify or disrupt the server’s activities.
Elsewhere, CVE-2022-34691 is an Elevation of Privilege bug affecting Active Directory Domain services, that could allow an attacker to steal certificates from AD-CS; CVE-2022-35804 is a critical RCE vulnerability affecting SMB; and there is the usual spread of updates to Office, Edge, and a variety of Windows components.|
Cisco
Cisco dropped several critical updates this month, with their Secure Email and Wed Manager product (previously named Email Security Appliance (ESA) and Security Management Appliance (SMA)) being affected by an authentication bypass bug. This could allow a remote attacker to gain access to the management console by entering code into the login prompt.
The Nexus dashboard is affected by several issues, one allowing a particular API to be abused by a remote attacker to run malicious code; another cross-site forgery attack allows Administrator-level access to the device; the final vulnerability allows access to the platform’s image management service, which would allow the attacker to access and upload or download the software images used to configure the device, ultimately allowing the deployment of malicious code into the device.