Microsoft fixes exploited zero-day in Windows CSRSS (CVE-2022-22047)

The July 2022 Patch Tuesday is upon us and has brought fixes for 84 CVEs in various Microsoft products, including an actively exploited zero-day: CVE-2022-22047, an elevation of privilege bug in Windows’ Client/Server Runtime Subsystem (CSRSS).

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft noted, but the attacker must first gain access to the system, usually by exploiting a separate code execution bug.

Is it being used in widespread or targeted attacks? Microsoft doesn’t say, so it’s difficult for admins to judge correctly whether they should implement the provided patch sooner rather than later. In the absence of such info, they should probably opt for the former option, just in case.

Other vulnerabilities to prioritize

Dustin Childs, with Trend Micro’s Zero Day Initiative, says that CVE-2022-30216, a “tampering” vulnerability in the Windows Server Service that may allow an authenticated attacker to upload a malicious certificate to a target server, should be patched quickly on critical servers.

“While tampering bugs don’t often get much attention, Microsoft does give this its highest exploit index rating, meaning they expect active exploits within 30 days,” he pointed out.

Exploitation of CVE-2022-22029, a RCE in the Windows NFS service, and CVE-2022-22038, a Microsoft Remote Procedure Call (RPC) runtime RCE, doesn’t hinge on the (remote) attacker being authenticated nor on user interaction.

In both cases, though, the attacker must make “repeated exploitation attempts through sending constant or intermittent data,” which means exploitation is not quick-and-easy. Still, as Childs noted, these attempts could easily passed unnoticed, and so the patching of these bugs should be prioritized – even though, again, there is not enough information to currently properly assess their practical potential for exploitation.

A special note for Azure Site Recovery users

One (relatively) interesting thing about this Patch Tuesday’s batch of patches (try saying that three times in a row!) is that it includes fixes for 32 vulnerabilities affecting Azure Site Recovery, a disaster recovery as a service (DRaaS) offering.

Two of these flaws can lead to remote code execution and the remaining thirty to elevation of privilege. Among the latter is CVE-2022–33675, a DLL hijacking vulnerability discovered and detailed by James Sebree, Principal Research Engineer at Tenable.

“DLL hijacking is quite an antiquated technique that we don’t often come across these days. When we do, impact is often quite limited due to lack of security boundaries being crossed,” he explained.

“In this case, however, we were able to cross a clear security boundary and demonstrated the ability to escalate a user to SYSTEM level permissions, which shows the growing trend of even dated techniques finding a new home in the cloud space due to added complexities in these sorts of environments.”

A bug like this could be quite be a boon for ransomware groups, he opined, since it would allow them to target victim organizations’ backups.

For organizations using Azure Site Recovery, Microsoft has provided instructions on how to close those holes.

Luckily, “Microsoft is not aware of any exploitation of these vulnerabilities, which only impact replication capabilities, not customer workloads. There is also no risk of cross-tenant data exposure since this is an on-premises offering.”

Finally, it has to be mentioned that this Patch Tuesday is when Microsoft enterprise customers who opted for using Windows Autopatch will start testing the automated managed patching service (and hoping everything goes well).

“Because the Autopatch service has such a broad footprint, and pushes updates around the clock, we are able to detect potential issues among an incredibly diverse array of hardware and software configurations. This means that an issue that may have an impact on your portfolio could be detected and resolved before ever reaching your estate. And as the service expands and grows, the ability to detect issues will get more robust,” noted Lior Bela, Senior Product Marketing Manager for Microsoft Managed Desktop and Windows Autopatch on the Microsoft 365 team.