Patch Roundup – July 2022
Welcome to the Patch Roundup blog for July 2022, where we review some of the major updates from the big vendors for the month.
Microsoft Patch Tuesday
Microsoft released fixes for 84 vulnerabilities this month, 4 of which are rated Critical, and one of which is known to be targeted in the wild.
Notable in this list is a slew of Azure Site Recovery vulnerabilities – 31 CVEs in total. The majority of these are Elevation of Privilege bugs, allowing an attacker to use the flaws to gain control of the ASR configuration server, one of the on-premises elements of the service. Once in control of the configuration server, the attacker could take further steps to disrupt services or modify data. Most of the bugs are rated as “Important”, but this is a situation where the sheer quantity of vulnerabilities in a single system makes the overall need to update more pressing.
CVE-2022-22047 is an Elevation of Privilege bug in the CSRSS (Client/Server Runtime Subsystem) component, affecting all supported versions of Windows. CSRSS is responsible for various user-mode actions in the OS, including spawning console windows, and by exploiting the bug an attacker can gain SYSTEM privileges. Exploits have been detected in the wild; however, an attacker needs to have local access to the machine already in order to carry out an attack.
Four further updates are released for Print Spooler bugs this month, two of which would allow an attacker to gain SYSTEM privileges on the targeted machine. As with previous Spooler-related vulnerabilities, Microsoft have provided a workaround that involves disabling the Print Spooler service. This approach buys time before the patch is deployed but could have a detrimental effect on printing services across the network. Use the workaround with care or prioritise updates to print servers.
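The following PowerShell sketch shows one way to apply the Spooler workaround selectively. It is an added example, not code from this post or from Microsoft. It assumes an elevated session and the PrintManagement module's Get-Printer cmdlet; the function name Disable-SpoolerIfUnused is hypothetical.

```powershell
# Added example: apply the Print Spooler workaround only on hosts that
# are not sharing printers, and flag print servers for priority patching.
# Assumes an elevated session and the PrintManagement module (Get-Printer).
function Disable-SpoolerIfUnused {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Get-Printer needs a running spooler; a stopped service cannot be
    # sharing printers, so the query is skipped in that case.
    $shared = @()
    if ($svc.Status -eq 'Running') {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue |
                    Where-Object { $_.Shared })
    }

    if ($shared.Count -gt 0) {
        # Host acts as a print server: leave the service alone, patch first.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Action   = 'PatchFirst'
            Detail   = "Shared printers: " + ($shared.Name -join ', ')
        }
    }

    # Note: disabling the service also stops local printing from this host.
    $action = 'WouldDisable'                # reported under -WhatIf
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $action = 'SpoolerDisabled'
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Action   = $action
        Detail   = 'No shared printers found'
    }
}

# Dry run first; remove -WhatIf to apply the workaround.
Disable-SpoolerIfUnused -WhatIf
```

Once the update is installed, the workaround is reversed by setting the service's startup type back to Automatic and starting it again.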
Notable from Cisco is a Critical-rated bug in the Expressway and TelePresence Video Communication Server (VCS), affecting versions older than 14.0.7. The two vulnerabilities are present in the API and web management console, and allow file overwrite and null-byte poisoning attacks respectively. The latter is due to a certificate validation vulnerability, allowing an attacker to capture traffic from the VCS server and decrypt it using a bogus certificate. The only fix is to update to v14.0.7 of the platform, as no workarounds are provided.
Finally this month, Adobe released updates to a number of products, including Acrobat, Reader and Photoshop, among others. As is so often the way, Acrobat & Reader receive the bulk of these updates – 22 in total, 15 Critical – across the Classic and DC release tracks. These are primarily arbitrary code execution vulnerabilities, allowing crafted PDFs to run malicious code on the victim’s machine.