Patch Roundup – September 2022
Welcome to the Patch Roundup blog for September 2022, where we review some of the major updates from the big vendors for the month.
Microsoft Patch Tuesday
A modest release of updates from Microsoft compared to previous months, with just 62 vulnerabilities addressed across the usual spread of OS components and software.
Three vulnerabilities have been identified in components of the IPSec feature. These are CVE-2022-34718, a flaw in the Windows TCP/IP stack that is reachable over IPv6 when IPSec is enabled, and CVE-2022-34721 and CVE-2022-34722, both of which affect the IKEv1 implementation in the IKE Protocol Extensions. All three are rated as Critical Remote Code Execution (RCE) bugs: an unauthenticated attacker who can send a crafted packet to the machine may run arbitrary code on it. The first of these can be mitigated by turning off IPv6 in the network adapter settings, provided IPv6 isn’t used or needed on that machine. The two bugs affecting IKEv1 can only be resolved by patching, so hosts that terminate IPsec tunnels or VPNs should be at the front of the queue.
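As an added example (not from the original post), the following PowerShell snippet gathers the facts needed to decide on the IPv6 workaround before applying it: whether the IKE keying service is running, whether any IPsec rules or security associations are actually in use, and which adapters currently have IPv6 bound. It assumes an elevated session on Windows 10 / Server 2016 or later with the built-in NetAdapter and NetSecurity modules available; the final step is run with -WhatIf so nothing changes until you remove that switch.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell session.

# 1. Is IPsec in use at all? IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service.
#    If it is stopped and disabled, the host is not exposed to the IKEv1 bugs over the network.
Get-Service -Name IKEEXT | Select-Object Name, Status, StartType

# 2. Any IPsec rules in the active policy, or live main-mode security associations?
#    A non-zero SA count means the box is actually negotiating IKE today.
Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile
Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
    Measure-Object | Select-Object -ExpandProperty Count

# 3. Which adapters have the IPv6 protocol (ms_tcpip6) bound?
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled

# 4. Workaround for CVE-2022-34718 only: unbind IPv6 where it is not needed.
#    This does nothing for CVE-2022-34721 / CVE-2022-34722, which still require the patch.
#    -WhatIf previews the change; drop it to apply.
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object Enabled |
    Disable-NetAdapterBinding -ComponentID ms_tcpip6 -WhatIf
```

Re-run step 3 after applying the change to confirm every adapter shows Enabled = False, and record the hosts you have altered so the binding can be restored once the cumulative update is in place.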
DNS vulnerabilities are always worth attention, since DNS underpins most organisations and indeed the operation of the Internet itself. CVE-2022-34724 is a Denial of Service vulnerability that can be triggered by a malicious query sent to a Windows DNS server, potentially disrupting name resolution for the entire network it serves. While only rated as Important, the effect on availability reaches far beyond the DNS server itself, so this should be treated as a high priority.
Finally, CVE-2022-37969 is a zero-day bug in the Windows Common Log File System (CLFS) driver that allows an attacker to elevate their privileges on the target machine. This is a “post exploitation” Elevation of Privilege (EoP): the attacker must already have gained a foothold on the machine, but can then use this flaw to take full control of it. Because it can’t be used in isolation it only rates as Important, but Microsoft reports that it is being exploited in the wild, which makes it a high priority to patch.
Apple
Earlier this week Apple released updates for iOS, iPadOS and macOS to fix several bugs, at least one of which is being exploited in the wild. Details are scant, but CVE-2022-32917 allows a malicious application to run arbitrary code with kernel privileges, effectively giving an attacker complete control of the device. Along similar lines, CVE-2022-32864 and CVE-2022-32911 also operate at kernel level, disclosing the contents of kernel memory and allowing arbitrary code execution respectively. Neither of the latter two is known to be exploited at present.