June 2022 Patch Tuesday has been marked by Microsoft with the release of fixes for 55 new CVEs, as well as security updates that fix Follina (CVE-2022-30190), the Microsoft Windows Support Diagnostic Tool (MSDT) RCE that is being widely exploited by attackers.
“The update for [CVE-2022-30190] is in the June 2022 cumulative Windows Updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action,” the company noted.
Other vulnerabilities to prioritize
Microsoft has patched flaws in Windows and Windows Components, Office and Office Components, Microsoft Edge; Windows Hyper-V Server, .NET and Visual Studio, SharePoint Server, Windows Defender, Windows Powershell, Windows LDAP, and other solutions.
Of the three critical vulnerabilities fixed, Dustin Childs, with Trend Micro’s Zero Day Initiative, singled out CVE-2022-30136, a Windows Network File System (NFS) RCE that could be triggered over the network with an unauthenticated, specially crafted call to a Network File System (NFS) service. It affects only several versions of Windows Server.
CVE-2022-30163, a Windows Hyper-V vulnerability that allows a guest-to-host escape should also be addressed quickly.
“Microsoft notes that attack complexity is high since an attacker would need to win a race condition. However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate step to test and deploy this update,” Childs explained.
CVE-2022-30139, a Windows LDAP RCE flaw is deemed critical, but for it to be exploitable an attacker would either have to target a system with a non-default value of the MaxReceiveBuffer LDAP policy, or to prepare the target environment accordingly before running the exploit. This patch can, therefore, wait a bit.
CVE-2022-30148, on the other hand, should be prioritized by system administrators who use Windows Desired State Configuration (DSC), Childs opined.
“Most info disclosure bugs simply leak unspecified memory contents, but this bug is different. An attacker could use this to recover plaintext passwords and usernames from log files,” he noted.
“Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, there are likely some sought-after username/password combos that could be recovered. This would also be a great bug for an attacker to move laterally within a network.”
A quick reminder for Azure Synapse and Data Factory customers
As a side note unrelated to the Patch Tuesday fixes but still relevant for certain Microsoft customers, Orca Security researcher Tzah Pahima has released a post explaining the technical details of SynLapse (CVE-2022-29972), a critical vulnerability in Microsoft Azure that also affected Azure Data Factory, and allowed attackers to bypass tenant separation.
As noted by Pahima, a successful exploitation of SynLapse could have allowed attackers to obtain credentials to other Azure Synapse customer accounts, control their Azure Synapse workspaces, execute code on targeted customer machines inside the Azure Synapse Analytics service, and leak customer credentials to data sources external to Azure.
Microsoft had a little trouble delivering a complete patch – it was bypassed twice by the researchers – but ultimately mitigated it in April. Since it affected Azure Data Factory or Azure Synapse pipeline customers hosted in the Azure cloud (Azure Integration Runtime) and those hosted on-premises (Self-Hosted Integration Runtime), the researchers waited with the release of the technical details until the latter had a chance to patch their on-premises versions. If you’re one of those and you have yet to implement the fix, you should do it now.
Finally, you should also get a move on if your organization hasn’t prepared for tomorrow’s retirement of Internet Explorer.