Ena Jovanovich
Security Analyst
Welcome to the Patch Roundup blog for March 2022 where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware, and the other major vendors.
Microsoft Patch Tuesday
Microsoft has addressed a total of 71 bugs in the March Patch Tuesday update including three vulnerabilities classified as critical and three zero-days that have been fixed.
The RDP client issue CVE-2022-21990 is a client-side bug that is less severe than some of the server-side related RDP, but it should be treated as critical since it has been listed as publicly known. Once the threat actor lures an affected RDP client to connect to a malicious RDP server, he can trigger code execution on the targeted client.
The second zero-day vulnerability, CVE-2022-24459, is a Windows Fax and Scan Service Elevation of Privilege Vulnerability. According to Microsoft’s advisory, this vulnerability is of less concern since the client would need to trigger a payload within the application and the threat actor would need to combine this with other vulnerabilities to complete the attack.
While none of the zero-day vulnerabilities have been used in attacks, Microsoft states that there are public proof-of-concept exploits for CVE-2022-21990 and CVE-2022-24459.
Finally, worth noting is that Microsoft reported three critical vulnerabilities, all of which could lead to remote code execution and all of which require social engineering. While CVE-2022-22006 and CVE-2022-24501 are both video extension vulnerabilities that require the victim to open a malicious file, CVE-2022-23277 is a Microsoft Exchange Server vulnerability that requires the attacker to be authenticated in order to execute code with elevated privileges, through a network call.
Cisco
Cisco disclosed only two critical vulnerabilities in March relating to a vulnerability in an API endpoint and video communication server vulnerabilities.
CVE-2021-1577 could allow an unauthenticated, remote attacker to read or write arbitrary files by using a specific API endpoint to upload a file to an affected device. This vulnerability can affect Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC). Similarly, CVE-2022-20754 and CVE-2022-20755 detail vulnerabilities in the API that could allow an authenticated, remote attacker to read and write on the affected device as the root user.
Check the advisory for affected models and update as soon as possible.
Other Updates of Note
Researchers at Binarly discovered 16 high-impact UEFI firmware vulnerabilities that affect multiple HP laptops, desktops, and other devices. A number of these vulnerabilities can lead to the attacker infecting devices with malware and gaining high privileges. The threat actor could remain undetected by installing security software; check the advisory for full details.
Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android. The most critical issue is CVE-2021-39708 that allows remote escalation of privilege with no user interaction needed for exploitation.