Patch Roundup – June 2022
Welcome to the Patch Roundup blog for June 2022, where we review some of the major updates from the big vendors for the month.
Microsoft Patch Tuesday
Microsoft released a modest 55 updates this month, 3 of which are rated Critical, and a couple of things stand out as being particularly important to address.
The “Follina” zero-day attack was much publicised earlier in the month and gets a patch in the June release. CVE-2022-3019 is a vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT) and can be triggered by opening a booby-trapped Office document. Using an external link to load some crafted HTML, a PowerShell script can be executed using ms-msdt, bypassing any macro controls and even Defender. Needless to say, the PowerShell script can run any desired arbitrary code, and the method was seen being exploited in the wild in late May, making it a high-profile bug to fix and something Windows admins will want to patch ASAP.
NFS sees the second major vulnerability in as many months, with CVE-2022-30136 addressing another Remote Code Execution (RCE) bug in the system. By sending an unauthenticated, crafted NFS call to an affected server, the attacker can run arbitrary code on the server, potentially allowing them to compromise the machine or stage further attacks. While this is a serious bug, the attacker needs to be on the network already in order to send the crafted packets. Disabling NFS 4.1 is offered as a potential short-term mitigation while patching is organised, but Microsoft note the adverse effect this would have on common network operations such as file shares, and the mitigation is also reliant on the aforementioned May 2022 updates being installed already.
LDAP is patched to address a total of 7 RCE vulnerabilities across various components of the service. 5 of these are client-side vulnerabilities and require a degree of subterfuge to exploit: the attacker must direct an authenticated client to a compromised LDAP server, which returns crafted commands to the client, which in turn runs the code in the context of the user or application that connected to the LDAP server. In this context a client could be a desktop or server OS connecting to the LDAP server. The full list of CVEs is CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153 and CVE-2022-30161.
Lastly, today (15th June) is the final day of support for Microsoft’s venerable Internet Explorer web browser. While not the first web browser to be created, for a long time it was the most widely used due to its inclusion in Windows 95 and later OSes. Some may cynically say that its creation led directly to the development of better, more widely adopted browsers such as Firefox and Chrome in subsequent years, but its availability opened up the web to a much wider audience and helped shape the Internet we know today, for better or worse. As part of this month’s Patch Tuesday Microsoft will be implementing settings to direct users to Edge instead, which includes an IE compatibility mode for web apps that don’t support modern browsers.
As we noted last month, Cisco continue to release updates for the Spring Java bug dubbed “spring4shell”, with a number of patches being released or updated for various products. They also continue to update the list of confirmed unaffected systems in the article. Additionally, High-rated bugs for the ASA and Firepower Threat Defense platforms are addressed, including patches for several SSL VPN bugs and a web services interface privilege escalation vulnerability.
Finally, at the end of May a critical vulnerability was disclosed for supported versions of Confluence Server and Data Centre, a widely used collaboration tool. Versions 7.4 through to 7.18 received updates to address a bug that allows an attacker to create a webshell by uploading a crafted file to the Confluence server. The official Confluence advisory is being updated as mitigation and patch information is released, and can be found here: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html