Microsoft fixes exploited zero-day in the Windows CLFS Driver (CVE-2022-37969)

September 2022 Patch Tuesday is here, with fixes for 64 CVE-numbered vulnerabilities in various Microsoft products, including one zero-day (CVE-2022-37969) exploited by attackers.

About CVE-2022-37969

CVE-2022-37969 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver, and an attacker must already have access and the ability to run code on the target system (e.g., by exploiting another vulnerability or through social engineering) before trying to trigger it.

“Post-exploitation flaws such as this one are often exploited through a specially crafted application,” says Satnam Narang, senior staff research engineer at Tenable.

He also pointed out that CVE-2022-24521, a similar vulnerability in CLFS, was patched earlier this year as part of Microsoft’s April Patch Tuesday release and was also exploited in the wild – “though it’s unclear at this point if CVE-2022-37969 is a patch-bypass for CVE-2022-24521.”

CVE-2022-24521 was flagged by the U.S. National Security Agency and researchers from CrowdStrike. CVE-2022-37969 was disclosed by researchers from four different security companies and this, according to Zero Day Initiative’s Dustin Childs, means that it’s likely that the attacks in which it’s exploited are not just targeted.

Other vulnerabilities to prioritize

Childs advises admins to also prioritize fixing CVE-2022-34724, a Windows DNS Server Denial of Service Vulnerability, due to its potential impact to enterprise resources; and CVE-2022-34718, a RCE vulnerability in Windows TCP/IP that could be triggered without user interaction.

“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly,” he added.

Microsoft has also patched two RCEs (CVE-2022-34721, CVE-2022-34722) in the Windows Internet Key Exchange (IKE) Protocol that could also be exploited via a specially crafted IP packet if the target machine has IPSec enabled.

Finally, there’s a fix for a cache speculation vulnerability known as Spectre-BHB (CVE-2022-23960) affecting Windows 11 for ARM64-based Systems, critical fixes for several SharePoint RCEs, and even for a PowerPoint RCE that can be exploited if an attacker tricks users into downloading and opening a specially crafted presentation file.