Qualys August 2022 – Patch Tuesday
Written by Bharat Jogi, Director, Vulnerability and Threat Research, Qualys
Microsoft Patch Tuesday Summary
Microsoft has fixed 121 vulnerabilities (aka flaws) in the August 2022 update, including 17 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP) and Remote Code Execution (RCE). This month’s Patch Tuesday fixes two zero-day vulnerabilities, with one actively exploited* in attacks (CVE-2022-34713*, CVE-2022-30134). Earlier this month, on August 5, 2022, Microsoft also released 20 Microsoft Edge (Chromium-based) updates addressing Elevation of Privilege (EoP), Remote Code Execution (RCE) and Security Feature Bypass with severities of Low, Moderate and Important respectively.
Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass and Spoofing.
The August 2022 Microsoft vulnerabilities are classified as follows:
Notable Microsoft Vulnerabilities Patched
A vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
CVE-2022-34713 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.8/10.
In May, Microsoft published a blog post giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. Public discussion of a vulnerability can encourage further scrutiny of the component, both by Microsoft security personnel and by their research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk.
Exploitability Assessment: Exploitation Detected
CVE-2022-30134 | Microsoft Exchange Information Disclosure Vulnerability
This vulnerability has a CVSSv3.1 score of 7.6/10.
This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. For more information, see Exchange Server Support for Windows Extended Protection and/or The Exchange Blog.
Exploitability Assessment: Exploitation Unlikely
Security Feature Bypass Vulnerabilities Addressed
These are standalone security updates. These packages must be installed in addition to the normal security updates to be protected from this vulnerability.
These security updates have a Servicing Stack Update prerequisite for specific KB numbers. The packages have built-in prerequisite logic to ensure the ordering.
Microsoft customers should ensure they have installed the latest Servicing Stack Update before installing these standalone security updates. See ADV990001 | Latest Servicing Stack Updates for more information.
An attacker who successfully exploited any of these three vulnerabilities could bypass Secure Boot.
CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass
CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass
CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass
At the time of publication, a CVSSv3.1 score has not been assigned.
Exploitability Assessment: Exploitation More Likely
Microsoft Critical and Important Vulnerability Highlights
This month’s advisory covers multiple Microsoft product families, including Azure, Browser, Developer Tools, Extended Security Updates (ESU), Exchange Server, Microsoft Office, System Center and Windows.
A total of 86 unique Microsoft products/versions are affected, including .NET, Azure, Edge (Chromium-based), Excel, Exchange Server (Cumulative Update), Microsoft 365 Apps for Enterprise, Office, Open Management Infrastructure, Outlook, System Center Operations Manager (SCOM), Visual Studio, Windows Desktop and Windows Server.
Downloads include IE Cumulative, Monthly Rollup, Security Only and Security Updates.
CVE-2022-35766, CVE-2022-35794 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.1/10.
Successful exploitation of this vulnerability requires an attacker to win a race condition.
An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.
Exploitability Assessment: Exploitation Less Likely
CVE-2022-30133, CVE-2022-35744 | Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 9.8/10.
This vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable. Warning: Disabling Port 1723 could affect communications over your network.
Exploitability Assessment: Exploitation Less Likely
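The temporary workaround described above for CVE-2022-30133 and CVE-2022-35744, as an added example that is not part of the original Qualys post or of Microsoft's guidance: a PowerShell script that reports whether the host is listening on TCP 1723 and how many sessions a block would interrupt, then adds an inbound block rule only when run with -Apply. The rule name and the -Apply switch are assumptions made for this example.

```powershell
# Added example: pre-patch workaround for the PPP RCE issues (TCP 1723).
# $RuleName and the -Apply switch are choices made for this example.
# Report mode needs no elevation; -Apply needs an elevated session.
param([switch]$Apply)

$Port     = 1723
$RuleName = 'TEMP-Block-TCP-1723 (pre-patch workaround)'

# 1. Is anything on this host accepting connections on TCP 1723?
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Output "No listener on TCP $Port; nothing to block on this host."
    return
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("Listening on {0}:{1} (PID {2} {3})" -f `
        $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
}

# 2. The page warns that closing the port can affect communications:
#    count the sessions that would be cut off before changing anything.
$active = @(Get-NetTCPConnection -State Established -LocalPort $Port -ErrorAction SilentlyContinue)
Write-Output ("Established sessions on TCP {0}: {1}" -f $Port, $active.Count)
$active | Select-Object RemoteAddress, RemotePort | Sort-Object RemoteAddress -Unique

if (-not $Apply) {
    Write-Output 'Report only. Re-run with -Apply to add the block rule.'
    return
}

# 3. Add the block rule once. In Windows Firewall an explicit block rule
#    takes precedence over existing allow rules for the same traffic.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Write-Output 'Block rule already present.'
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Block -Profile Any | Out-Null
    Write-Output "Inbound TCP $Port blocked by rule '$RuleName'."
}

# Roll back after the August 2022 updates are installed:
#   Remove-NetFirewallRule -DisplayName $RuleName
```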
CVE-2022-34691 | Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
This vulnerability can only be exploited by communicating via Port 1723. An authenticated user could manipulate attributes on computer accounts they own or manage and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.
Please see Certificate-based authentication changes on Windows domain controllers for more information and ways to protect your domain.
Exploitability Assessment: Exploitation Less Likely
CVE-2022-33646 | Azure Batch Node Agent Elevation of Privilege (EoP) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.0/10.
Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.
Exploitability Assessment: Exploitation More Likely
Microsoft Edge | Last But Not Least
Earlier in August, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities CVE-2022-33636, CVE-2022-33649 and CVE-2022-35796. The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see Security Update Guide Supports CVEs Assigned by Industry Partners.
CVE-2022-33649 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
This vulnerability has a CVSSv3.1 score of 9.6/10.
An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message or by getting the user to open an attachment sent through email.
The user would have to click on a specially crafted URL to be compromised by the attacker.
Exploitability Assessment: Exploitation Less Likely
CVE-2022-33636, CVE-2022-35796 | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.3/10. Per Microsoft’s severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system does not allow for this type of nuance.
An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message or by getting the user to open an attachment sent through email.
Successful exploitation of this vulnerability requires an attacker to win a race condition.
Exploitability Assessment: Exploitation Less Likely
Adobe Security Bulletins and Advisories
Adobe released five advisories with updates to fix 25 vulnerabilities affecting Adobe Acrobat and Reader, Commerce, FrameMaker, Illustrator and Premiere Elements applications. Of these 25 vulnerabilities, 15 are rated as Critical, ranging in severity from a CVSS score of 7.8/10 to 9.1/10, as summarised below.
APSB22-38 | Security update available for Adobe Commerce
This update resolves seven vulnerabilities:
Adobe Priority: 3
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation and security feature bypass.
APSB22-39 | Security update available for Adobe Acrobat and Reader
This update resolves seven vulnerabilities:
Adobe Priority: 2
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.
APSB22-41 | Security Updates Available for Adobe Illustrator
This update resolves four vulnerabilities:
Adobe Priority: 3
Adobe has released an update for Adobe Illustrator 2022. This update resolves critical and important vulnerabilities that could lead to arbitrary code execution and memory leak.
APSB22-42 | Security update available for Adobe FrameMaker
This update resolves six vulnerabilities:
Adobe Priority: 3
Adobe has released a security update for Adobe FrameMaker. This update addresses multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.
APSB22-43 | Security update available for Adobe Premiere Elements
This update resolves one Critical vulnerability.
Adobe Priority: 3