Patch Roundup – December 2022
Welcome to the Patch Roundup blog for December 2022, where we review some of the major updates from the big vendors for the month. As the festive season starts and year end hoves into view, admins will be eyeing up the list of patches and bug fixes to plan their work across the break. Let’s get started…
Microsoft Patch Tuesday
Microsoft released updates for just 48 vulnerabilities this month, a blessedly small number in the run-up to Christmas. There are some serious ones in the list though, a couple of which should be patched as soon as possible.
Most pressing is CVE-2022-44698, another “Mark of the Web” (MotW) vulnerability affecting Windows SmartScreen. Already exploited in the wild, this security feature bypass lets a crafted malicious file arrive without the SmartScreen and Protected View handling that MotW normally triggers, so a user who opens it can end up running malicious code on the device with none of the usual warnings.
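MotW is nothing more than a Zone.Identifier alternate data stream on the file, so the useful check after a bypass like this is which files in a download location are missing it, or carry a stream that does not say ZoneId=3. The script below is an added example (not code from the original post or from Microsoft) that inspects that stream directly; the default folder and the extension list are assumptions and should be adjusted to the environment.

```powershell
# Added example, not code from the original post or from Microsoft. Reports whether
# files in a folder carry the Mark of the Web (the Zone.Identifier alternate data
# stream) and which zone they claim. A file that came from the Internet should carry
# ZoneId=3; one with no stream, or a stream SmartScreen cannot interpret, gets no
# SmartScreen / Protected View treatment, which is the outcome a MotW bypass such as
# CVE-2022-44698 is after. Default folder and extension list are assumptions.

[CmdletBinding()]
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    [string[]]$Extensions = @('.exe', '.js', '.jse', '.vbs', '.lnk', '.iso', '.img',
                              '.vhd', '.vhdx', '.zip', '.docm', '.xlsm', '.msi', '.one')
)

# Zone numbers as written into Zone.Identifier by browsers and mail clients.
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

function Get-MotwInfo {
    <#
      Returns one object describing the Zone.Identifier stream of a file.
      HasMotW is $false when the stream is absent; Zone is 'Malformed' when the
      stream exists but has no parsable ZoneId line, which is also worth flagging.
    #>
    param([Parameter(Mandatory)][string]$FilePath)

    $info = [ordered]@{
        File = $FilePath; HasMotW = $false; ZoneId = $null; Zone = 'n/a'; HostUrl = $null; ReferrerUrl = $null
    }

    # Get-Item -Stream enumerates NTFS alternate data streams; a missing stream is an error we suppress.
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $info.HasMotW = $true
        foreach ($line in (Get-Content -LiteralPath $FilePath -Stream Zone.Identifier)) {
            if ($line -match '^ZoneId=(\d+)\s*$')          { $info.ZoneId = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$')         { $info.HostUrl = $Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$')     { $info.ReferrerUrl = $Matches[1] }
        }
        if ($null -ne $info.ZoneId) {
            $info.Zone = if ($ZoneNames.ContainsKey($info.ZoneId)) { $ZoneNames[$info.ZoneId] } else { "Unknown($($info.ZoneId))" }
        } else {
            $info.Zone = 'Malformed'   # stream present but no ZoneId line
        }
    }
    [PSCustomObject]$info
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object { Get-MotwInfo -FilePath $_.FullName }

# Everything that would NOT get SmartScreen / Protected View treatment when opened:
# no stream at all, a stream without a usable ZoneId, or a zone below 'Internet'.
$results |
    Where-Object { -not $_.HasMotW -or $_.Zone -eq 'Malformed' -or $_.ZoneId -lt 3 } |
    Format-Table File, HasMotW, ZoneId, Zone, HostUrl -AutoSize
```

Two caveats when reading the output: `Unblock-File` (and the Properties dialog's “Unblock” checkbox) deletes the stream entirely, so a user who has already clicked through will show up as “no MotW” for legitimate reasons, and files extracted from archives or mounted from ISO/VHD images only carry the stream if the extracting tool propagates it, which is why those container formats are in the default list.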
Two Remote Code Execution (RCE) bugs affecting all on-prem versions of SharePoint Server have been patched, and while these are rated as “Exploitation Less Likely” they still receive an 8.8 CVSS score. An authenticated user with the “Manage Lists” permission can run malicious code on a vulnerable server, from which they can further the attack by extracting data or planting additional malicious code. The bug references are CVE-2022-44690 and CVE-2022-44693.
The last notable bug from Microsoft is a Critical RCE in PowerShell, CVE-2022-41076, which would allow arbitrary code to be run on the target device. While there is no exploit code currently available, Microsoft rate this bug as “Exploitation More Likely”, so it is a plausible target for malware in the future. Little further detail is given, and the writeup is somewhat cryptic, but the bug is exploitable across the network by an authenticated attacker after “additional actions… to prepare the target environment”. This implies the attacker already has a substantial foothold in the network, but the ubiquity of PowerShell across the Windows ecosystem nonetheless makes it a serious bug.
Fortinet have been affected by several zero-day and high-criticality vulnerabilities of late. The most recent is CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL VPN daemon that allows unauthenticated remote code execution. It has been seen exploited in the wild and should be patched urgently. Fortinet have provided details on the affected versions and the upgrade paths to resolve the issue here: https://www.fortiguard.com/psirt/FG-IR-22-398
Earlier in the month they also addressed CVE-2022-35843, an authentication bypass in the FortiOS SSH login component, which relied on spoofing RADIUS responses to get around access controls when RADIUS authentication is in use. Fortinet published a separate advisory for it; however, network and security admins should note that the fixed releases for the SSL VPN bug above also carry the SSH fix, so it is not necessary to plan the two upgrades separately.
Finally, we’re going to look at VMware, who addressed four serious bugs this month, two of which are Critical.
CVE-2022-31705 affects ESXi 7 and 8, Fusion 12 and Workstation 16 (and the corresponding Cloud Foundation releases). It is a heap out-of-bounds write in the virtual USB 2.0 (EHCI) controller that can be triggered from inside a guest with local administrative privileges, but its impact differs depending on the underlying product.
On ESXi the exploit is contained within the VMX sandbox, so while the bug is still present and needs to be patched, it is rated at a CVSS score of 5.9.
On Fusion and Workstation, however, the same bug allows a full escape and therefore the potential for code execution on the machine where the hypervisor is installed, raising the CVSS score to 9.3.
Workarounds for the bug are available for each of the affected platforms and are detailed in VMware’s advisory, VMSA-2022-0033.
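Because the flaw sits in the virtual USB controller presented to the guest, the first step in scoping exposure on ESXi is knowing which VMs actually have one, especially a USB 2.0 (EHCI) controller. The PowerCLI script below is an added example (not code from the original post or from VMware) that inventories this; it assumes VMware PowerCLI is installed and a `Connect-VIServer` session already exists.

```powershell
# Added example, not from the original post or from VMware. Inventories VMs whose
# virtual hardware includes a USB controller, so exposure to CVE-2022-31705 (virtual
# EHCI / USB 2.0 controller) can be scoped before patching or applying a workaround.
# Assumes VMware PowerCLI and an existing Connect-VIServer session.

function Get-VmUsbControllerReport {
    <#
      Takes VM objects from the pipeline and returns one row per VM with the count of
      USB 2.0 (UHCI/EHCI) and USB 3.x (xHCI) controllers found in its virtual hardware,
      plus the host and host build so unpatched hosts can be picked out.
    #>
    param([Parameter(Mandatory, ValueFromPipeline)] $VM)
    process {
        $devices = $VM.ExtensionData.Config.Hardware.Device
        # VirtualUSBController is the USB 1.1/2.0 controller; EhciEnabled says whether the
        # EHCI function (the code path affected here) is switched on for that controller.
        $usb2 = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualUSBController] })
        # VirtualUSBXHCIController is the separate USB 3.x controller, listed for completeness.
        $usb3 = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualUSBXHCIController] })

        [PSCustomObject]@{
            Name            = $VM.Name
            PowerState      = $VM.PowerState
            Host            = $VM.VMHost.Name
            HostVersion     = $VM.VMHost.Version
            HostBuild       = $VM.VMHost.Build
            Usb2Controllers = $usb2.Count
            Usb2EhciEnabled = @($usb2 | Where-Object { $_.EhciEnabled }).Count
            Usb3Controllers = $usb3.Count
        }
    }
}

# VMs that present a USB 2.0 controller at all, grouped by host so the patch order is obvious.
Get-VM |
    Get-VmUsbControllerReport |
    Where-Object { $_.Usb2Controllers -gt 0 } |
    Sort-Object Host, Name |
    Format-Table Name, PowerState, Host, HostVersion, HostBuild, Usb2Controllers, Usb2EhciEnabled, Usb3Controllers -AutoSize
```

Run it before and after the host upgrade: the “before” list is the set of guests whose administrators could reach the vulnerable device, and the “after” list, compared against the fixed build numbers in the advisory, confirms nothing was missed. Removing a USB controller from a VM is a virtual hardware change that generally needs the guest powered off, so the `PowerState` column is there to plan that window.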