A “light” February 2022 Patch Tuesday that should not be ignored

February 2022 Patch Tuesday is here and it’s all-around “light” – light in fixed CVE-numbered vulnerabilities (51), extremely light in critical fixes (50 are “important” and one is “moderate”), and light in exploited vulnerabilities (none of the vulnerabilities are listed as under active attack).

Only one is listed as publicly known – CVE-2022-21989, a Windows Kernel EOP flaw – but while there’s apparently a PoC exploit out there (not necessarily public), “Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.”

Microsoft also noted that exploitation of the vulnerability could be performed from a low privilege AppContainer. “The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment,” they said.

Other vulnerabilities of note

Dustin Childs, with Trend Micro’s Zero Day Initiative, advises admins of Windows DNS servers to consider CVE-2022-21984, a RCE flaw, critical.

“The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges,” he warned.

He also noted that enterprise admins that oversee Hyper-V servers should patch for CVE-2022-21995, a Windows Hyper-V RCE vulnerability, despite the fact that the complexity of a successful attack exploiting it is rated as “High”.

Mac users of Microsoft Outlook may also want to patch CVE-2022-23280, a feature bypass vulnerability, quickly. “This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target’s IP information. However, it’s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution,” Childs explained.

Danny Kim, Principal Architect at Virsec, noted that it’s interesting that Microsoft republished a CVE-2013-3900, a vulnerability from 2013, to notify customers that an update to Windows 10/11 is available that addresses it.

“The CVE allows an attacker to inject malicious code into a signed application without invalidating the file’s original signature. With the ability to inject malicious code into ‘verified’ applications, the attacker can gain complete control over a system especially if the user who runs the application has administrative privileges. The attacker can go as far as creating new user accounts with full access allowing the attacker to login to the machine at will,” he told Help Net Security.

“This type of CVE, though it is originally from 2013, highlights two concerning facts that are still relevant today: patching is a slow-moving solution and applications need to be monitored at all times. Patching is a post-attack solution that moves too slowly to keep up with today’s attacks. Applications, even verified ones, cannot just be checked when they start execution – their behavior throughout the lifetime of the application needs to be monitored and verified against expected behavior.”

Satnam Narang, staff research engineer at Tenable, singled out four elevation of privilege vulnerabilities in its Windows Print Spooler, including two rated Exploitation More Likely.

“One of these two flaws, CVE-2022-21999, is credited to researchers at Sangfor, who were responsible for disclosing some of the PrintNightmare vulnerabilities last summer. Because of the ubiquity of Print Spooler, vulnerabilities like this have been leveraged by ransomware groups. Organizations should apply these patches as soon as possible,” he advises.

Finally, Kevin Breen, Director of Cyber Threat Research at Immersive Labs, noted that Microsoft has released more patches for the same style of vulnerability (and in the same component) as CVE-2022-21882, a vulnerability in Win32k that is being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied.

“It’s not clear from the release notes whether this is a brand-new vulnerability or if it is related to the previous month’s update. Either way, we have seen attackers leverage this vulnerability so it’s safer to err on the side of caution and update this one quickly,” he says.