
August 2022 Vulnerability Digest from Action1

August 17, 2022

By Mike Walters

Each month, we provide a review of the most serious vulnerabilities in popular Windows software for which patches were released during the past month, including those from Patch Tuesday.

In this issue, you will learn about patches for vulnerabilities from:

  • Microsoft
  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox
  • Foxit PDF Reader
  • Java
  • Adobe
  • VMware

Microsoft Vulnerabilities

August Patch Tuesday brought us a huge number of vulnerability fixes — a 30% increase over the last month. Moreover, this month includes 17 critical patches (325% more), two of which are zero-days, and 104 important patches.

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

One of the zero-days, CVE-2022-34713 or “DogWalk,” is being actively exploited in attacks. This RCE vulnerability affects the Microsoft Windows MSDT diagnostic tools. It was discovered back in January 2020, but Microsoft decided not to patch it then, believing it was not security-related. Now this sibling of Follina has been in attackers’ arsenals for a long time.

Microsoft Exchange Information Disclosure Vulnerability

The other zero-day, tracked as CVE-2022-30134, is a Microsoft Exchange information disclosure vulnerability that enables an attacker to read targeted emails. Microsoft says the bug has not been used in any real attacks, but it is only a matter of time. Action1 also recommends turning on Extended Protection to block this attack.

Microsoft Exchange Server Elevation of Privilege

Another critical Exchange vulnerability is CVE-2022-21980, a network attack with a CVSS score of 8.0. It has low complexity but requires user interaction. In order to succeed, attackers would have to use phishing or spear phishing to convince a user to visit their malicious server share or website. Microsoft states that exploitation likely is going on but has not been publicly disclosed. Turning on Windows Extended Protection is also useful here.

Windows Network File System Remote Code Execution Vulnerability

Another critical vulnerability, tracked as CVE-2022-34715, has a 9.8 CVSS score. It is a network attack vulnerability with low complexity that does not require user interaction. It affects only servers with the NFS role enabled; an attacker can simply send a specially crafted request to the NFSv4.1 service and trigger remote code execution. This is the latest in a series of NFS vulnerabilities that Microsoft has been fixing monthly. It began in May when NFSv2 was fixed. Then in June they fixed NFSv4.1, and in July they fixed NFSv3. Now NFSv4.1 is vulnerable again — what’s next? Will they fix NFSv3 and v2 again in September? We’ll see. Note that Microsoft recommends disabling NFSv4.1 and using only v3 and v2 as a mitigation. But what if NFSv2 and NFSv3 are as vulnerable as NFSv4.1, and Microsoft just didn’t have time to release a fix for them this month? That is why it’s advisable to be prepared for the network attacks that this type of vulnerability enables. In particular, make sure you have an up-to-date antivirus tool on the file server that can spot and prevent malware uploads; an IDS or EDR that can notice the attack and respond in a timely manner; and a sandbox environment that can detonate and quarantine malicious files.
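The following PowerShell script is an added example, not part of the original Action1 post or of Microsoft’s guidance text. It reports which NFS protocol versions a Windows file server has enabled and, only when run with -Apply, turns off NFSv4 the way the mitigation above describes. The cmdlet and parameter names come from the Windows NFS module; the -Apply switch and the restart sequence are this example’s own assumptions, and Windows exposes a single NFSv4 switch rather than a separate v4.1 one.

```powershell
# Added example (not from the Action1 post). Reports the NFS server's enabled
# protocol versions and, with -Apply, disables NFSv4 as a temporary mitigation
# for CVE-2022-34715 until the August 2022 update is installed.
# Run elevated on the file server. Assumptions: the NFS module names used here
# (Get-/Set-NfsServerConfiguration) and the nfsadmin restart steps.
param(
    [switch]$Apply   # without -Apply the script only reports, changes nothing
)

# If the "Server for NFS" role is absent, this vector does not apply to the host.
$role = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
if (-not $role -or -not $role.Installed) {
    Write-Output 'Server for NFS role is not installed; CVE-2022-34715 does not apply here.'
    return
}

Import-Module NFS -ErrorAction Stop

# Current state: v2/v3/v4 are independent switches on the server configuration.
$cfg = Get-NfsServerConfiguration
Write-Output ('NFSv2 enabled: {0}' -f $cfg.EnableNFSV2)
Write-Output ('NFSv3 enabled: {0}' -f $cfg.EnableNFSV3)
Write-Output ('NFSv4 enabled: {0}' -f $cfg.EnableNFSV4)

if (-not $cfg.EnableNFSV4) {
    Write-Output 'NFSv4 already disabled; nothing to do.'
    return
}

if (-not $Apply) {
    Write-Output 'NFSv4 is enabled. Re-run with -Apply to disable it (mitigation), then patch.'
    return
}

# Keep v2/v3 on (as the guidance suggests) and switch v4 off. The setting is
# picked up only after the NFS server service restarts, so clients on v4 will
# be disconnected; schedule this in a maintenance window.
Set-NfsServerConfiguration -EnableNFSV4 $false
nfsadmin server stop
nfsadmin server start

$after = Get-NfsServerConfiguration
Write-Output ('NFSv4 enabled after change: {0}' -f $after.EnableNFSV4)
```

The script is deliberately read-only by default so it can be run across a fleet to find exposed hosts first; re-enabling NFSv4 after patching is the same call with `$true`.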

Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerabilities

Microsoft also released patches for two other vulnerabilities with a CVSS score of 9.8: CVE-2022-30133 and CVE-2022-35744. These vulnerabilities enable a network attack that does not require any action from a user. The vulnerability is exploited on port 1723, causing remote execution of malicious code. If you have a Windows Server-based remote access server (RAS) tunnel running on this port, you should change it to a less common port. Be careful, though: done carelessly, the change will stop your tunnels from connecting properly, so make it consistently on both ends.

Active Directory Domain Services Elevation of Privilege Vulnerability

Another critical vulnerability, tracked as CVE-2022-34691, affects Active Directory Domain Services (ADDS). It has a score of 8.8 and can be exploited by a network attack without user interaction. This vulnerability affects servers that run Active Directory Certificate Services. It is connected to the May patches for CVE-2022-26931 and CVE-2022-26923, and addresses an elevation of privilege vulnerability that can occur when the Kerberos Key Distribution Center (KDC) is servicing a certificate-based authentication request. Before the security update released on May 10, 2022, certificate-based authentication allowed related certificates to be spoofed in various ways. The May and August updates provide audit events that identify certificates that are not compatible with Full Enforcement mode; if you haven’t yet enabled these audit events, do so as soon as possible. They give you the information needed to troubleshoot certificate logon failures: Event IDs 39, 40 and 41 in the System event log.
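As an added example (not from the Action1 post), the PowerShell below reads the KDC certificate-binding enforcement mode introduced by the May 2022 update and collects the Event IDs 39, 40 and 41 mentioned above from the System log of a domain controller. The registry key and value name follow Microsoft’s KB5014754 guidance; the event provider name and the seven-day window are this example’s assumptions.

```powershell
# Added example (not from the Action1 post). Run on a domain controller with
# administrator rights. Shows the current StrongCertificateBindingEnforcement
# mode (0 = disabled, 1 = compatibility/audit, 2 = Full Enforcement per
# KB5014754) and summarises the KDC certificate-mapping audit events 39/40/41.
$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'StrongCertificateBindingEnforcement'
$provider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'  # assumed provider name
$days      = 7                                                     # assumed look-back window

$mode = (Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$desc = switch ($mode) {
    0       { 'Disabled: no mapping checks and no audit events' }
    1       { 'Compatibility mode: weak mappings still accepted, audit events written' }
    2       { 'Full Enforcement: certificates without a strong mapping are rejected' }
    default { 'Value not set: behaves as Compatibility mode after the May 2022 update' }
}
Write-Output ("{0} = {1} ({2})" -f $valueName, $mode, $desc)

# Pull the audit events. Each ID tells you something different:
#   39 - certificate could not be strongly mapped to the account (will fail in Full Enforcement)
#   40 - certificate predates the account it maps to
#   41 - certificate SID extension does not match the account SID
$since  = (Get-Date).AddDays(-$days)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = $provider
    Id           = 39, 40, 41
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output ("No events 39/40/41 since {0}; either nothing needs reissuing or auditing is off (mode 0)." -f $since)
    return
}

# Count per event ID, then list the affected entries so the certificates can be
# reissued (with the SID extension) before switching the KDC to Full Enforcement.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    Write-Output ('Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count)
}
$events |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

Running this before moving to Full Enforcement turns the vague “check the audit events” step into a concrete list of certificates and accounts that would stop authenticating, which is the information you want in hand before the change.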

Microsoft Edge Vulnerabilities

In the latest Edge, version 104, only one important vulnerability was fixed: Security Feature Bypass Vulnerability, which has a CVSS score of 9.6. It is a network attack with low complexity that requires user interaction and could lead to a browser sandbox escape. An attacker can exploit this vulnerability using a phishing attack that leads to a malicious website. If a user clicks on a link and loads the site via Edge, the attack will succeed.

Google Chrome

Google released updates for Chrome v103 and v104 that fix 38 vulnerabilities.

In Chrome 103, the high-severity fixes cover CVE-2022-2477, CVE-2022-2478, CVE-2022-2480 and CVE-2022-2481. These bugs are triggered when the program fails to clear a pointer after freeing the memory it refers to (use-after-free) and affect components such as Guest View, PDF, the Service Worker API and Views. Exploitation can lead to remote code execution (RCE), denial of service (DoS) or data corruption, and when combined with other flaws they can lead to full system compromise. They can also be used to break out of the Chrome browser sandbox.

In Chrome 104, many of the vulnerabilities were identified by automated tools: AddressSanitizer, MemorySanitizer, Control Flow Integrity, libFuzzer and AFL. No critical problems that bypass all layers of browser protection and execute code on the system outside the sandbox environment were reported.

Google has not reported in-the-wild exploitation of any of the patched vulnerabilities.

Mozilla Firefox

Mozilla fixed 10 vulnerabilities in Firefox 103. Four of them (summarized under CVE-2022-2505 and CVE-2022-36320) are marked as dangerous and are caused by memory handling problems, such as buffer overflows and accessing memory areas that have already been freed. These problems could lead to the execution of malicious code when opening specially crafted pages.

Among the vulnerabilities with a moderate rating are the possibility of determining the cursor position via CSS overflow and transform properties, and freezing of the Android version when processing a very long URL.

Foxit PDF Editor 12

Foxit fixed two low-severity vulnerabilities (CVE-2022-26979, CVE-2022-27944) that enable a remote attacker to perform a DoS attack. The vulnerabilities exist due to a NULL pointer dereference error; a remote attacker can trick a victim into opening a specially crafted PDF file and cause a DoS condition.

Java

Oracle has released patches for three vulnerabilities with critical, high or medium severity. The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. CVE-2022-34169 can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

The CVE-2022-21541 vulnerability enables an unauthenticated attacker with network access to compromise Oracle Java SE 7u343, 8u333, 11.0.15.1, 17.0.3.1 and 18.0.1.1 or Oracle GraalVM Enterprise Edition 20.3.6, 21.3.2 and 22.1.0. Successful exploits of this vulnerability can result in unauthorized creation, deletion or modification of critical data or all accessible data. But Oracle states that this vulnerability is quite hard to exploit.

The third vulnerability, CVE-2022-21540, is also related to Oracle Java SE and Oracle GraalVM Enterprise Edition. Affected versions are Oracle Java SE 7u343, 8u333, 11.0.15.1, 17.0.3.1 and 18.0.1.1, and Oracle GraalVM Enterprise Edition 20.3.6, 21.3.2 and 22.1.0. Unlike the previous one, this vulnerability is easily exploitable and enables an unauthenticated attacker with network access to gain unauthorized read access to a subset of accessible data. It has medium severity because the access to data is read-only.

Adobe

Adobe released patches for 25 vulnerabilities that potentially expose Windows and macOS users to hacker attacks. According to Adobe, the updates fix a lot of critical and important vulnerabilities that could lead to execution of arbitrary code and memory leaks. The most urgent fixes concern Adobe Acrobat and Reader, which are commonly used to create, view and manage PDF files. Adobe said it is not aware of any exploits for the fixed vulnerabilities.

VMware

VMware reports a public PoC for a critical authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation.

CVE-2022-31656, which has a CVSS score of 9.8 and could enable attackers to gain administrator rights, was patched by VMware in the beginning of August along with other flaws, including a serious RCE SQL injection vulnerability (CVE-2022-31659). The PoC is published along with detailed technical analysis of each vulnerability. In addition, a PoC for CVE-2022-22972 will appear soon.

There is a temporary workaround for those who can’t patch vulnerable devices promptly: disable all but one dedicated administrator account.

Since VMware servers are among the favorite targets of cybercriminals, vulnerable devices should be updated or disabled immediately to avoid likely compromise.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1 RMM, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Get started today and use Action1 RMM on 100 endpoints free of charge with no functionality limitations.
