The July 2022 Security Update Review

It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for July 2022

For July, Adobe addressed 27 CVEs in four patches for Acrobat and Reader, Photoshop, RoboHelp, and Adobe Character Animator. A total of 24 of these bugs were reported through the ZDI program. The update for Acrobat and Reader addresses a combination of 22 different Critical- and Important-rated bugs. The most severe of these could allow code execution if an attacker convinces a target to open a specially crafted PDF document. While there are no active attacks noted, Adobe does list this as a Priority 2 deployment rating. The update for Photoshop fixes one Critical- and one Important-rated bug. The Critical bug is a use-after-free (UAF) that could lead to code execution. The fix for Character Animator addresses two Critical-rated code execution bugs – one a heap overflow and the other an out-of-bounds (OOB) read. Finally, the patch for RoboHelp corrects a single Important-rated cross-site scripting (XSS) bug.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes most of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2.

Microsoft Patches for July 2022

For July, Microsoft released 84 new patches addressing CVEs in Microsoft Windows and Windows Components; Windows Azure components; Microsoft Defender for Endpoint; Microsoft Edge (Chromium-based); Office and Office Components; Windows BitLocker; Windows Hyper-V; Skype for Business and Microsoft Lync; Open-Source Software; and Xbox. This is in addition to the two CVEs patched in Microsoft Edge (Chromium-based). That brings the total number of CVEs to 87.

While this higher volume is expected for a July release, there are still no fixes available for the multiple bugs submitted during the last Pwn2Own competition. And after a brief respite last month, there are additional updates for the Print Spooler. Looks like this component will be back to a monthly release schedule.

Of the 84 new CVEs released today, four are rated Critical, and 80 are rated Important in severity. One of these bugs was submitted through the ZDI program. None of the new bugs patched this month are listed as publicly known, but one of the updates for CSRSS is listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the CSRSS bug under active attack:

–       CVE-2022-22047 – Windows CSRSS Elevation of Privilege
This bug is listed as being under active attack, but there’s no information from Microsoft on where the vulnerability is being exploited or how widely it is being exploited. The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear of Microsoft’s delay in blocking all Office macros by default.

–       CVE-2022-30216 – Windows Server Service Tampering Vulnerability
This patch corrects a tampering vulnerability in the Windows Server Service that could allow an authenticated attacker to upload a malicious certificate to a target server. While this is listed as “Tampering”, an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution. While tampering bugs don’t often get much attention, Microsoft does give this its highest exploit index rating, meaning they expect active exploits within 30 days. Definitely test and deploy this patch quickly – especially to your critical servers.

–       CVE-2022-22029 – Windows Network File System Remote Code Execution Vulnerability
This is the third month in a row with a Critical-rated NFS bug, and while this one has a lower CVSS than the previous ones, it could still allow a remote, unauthenticated attacker to execute their code on an affected system with no user interaction. Microsoft notes multiple exploit attempts may be required to do this, but unless you are specifically auditing for this, you may not notice. If you’re running NFS, make sure you don’t ignore this patch.

–       CVE-2022-22038 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
This bug could allow a remote, unauthenticated attacker to execute code on an affected system. While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug. Microsoft states the attack complexity is high since an attacker would need to make “repeated exploitation attempts” to take advantage of this bug, but again, unless you are actively blocking RPC activity, you may not see these attempts. If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for July 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-22047 | Windows CSRSS Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-30221 | Windows Graphics Component Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2022-30215 | Active Directory Federation Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2022-23816 * | AMD: CVE-2022-23816 AMD CPU Branch Type Confusion | Important | N/A | No | No | Info |
| CVE-2022-23825 * | AMD: CVE-2022-23825 AMD CPU Branch Type Confusion | Important | N/A | No | No | Info |
| CVE-2022-30181 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33641 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33642 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33643 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33650 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33651 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33652 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-33653 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33654 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33655 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33656 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33657 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33658 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-33659 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33660 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33661 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33662 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33663 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33664 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33665 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33666 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33667 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33668 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33669 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33671 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33672 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33673 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33674 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 8.3 | No | No | EoP |
| CVE-2022-33675 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-33677 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2022-33676 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-33678 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-30187 | Azure Storage Library Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2022-22048 | BitLocker Security Feature Bypass Vulnerability | Important | 6.1 | No | No | SFB |
| CVE-2022-27776 * | HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data | Important | N/A | No | No | Info |
| CVE-2022-22040 | Internet Information Services Dynamic Compression Module Denial of Service Vulnerability | Important | 7.3 | No | No | DoS |
| CVE-2022-33637 | Microsoft Defender for Endpoint Tampering Vulnerability | Important | 6.5 | No | No | Tampering |
| CVE-2022-33632 | Microsoft Office Security Feature Bypass Vulnerability | Important | 4.7 | No | No | SFB |
| CVE-2022-22036 | Performance Counters for Windows Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-33633 | Skype for Business and Lync Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-22037 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2022-30202 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-30224 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-22711 | Windows BitLocker Information Disclosure Vulnerability | Important | 6.7 | No | No | Info |
| CVE-2022-30203 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 7.4 | No | No | SFB |
| CVE-2022-30220 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30212 | Windows Connected Devices Platform Service Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2022-22031 | Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22026 | Windows CSRSS Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-22049 | Windows CSRSS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30214 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2022-22043 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22050 | Windows Fax Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22024 | Windows Fax Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-22027 | Windows Fax Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30213 | Windows GDI+ Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-22034 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30205 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
| CVE-2022-22042 | Windows Hyper-V Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-30223 | Windows Hyper-V Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2022-30209 | Windows IIS Server Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP |
| CVE-2022-22025 | Windows Internet Information Services Cachuri Module Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21845 | Windows Kernel Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2022-30211 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-30225 | Windows Media Player Network Sharing Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-22028 | Windows Network File System Information Disclosure Vulnerability | Important | 5.9 | No | No | Info |
| CVE-2022-22023 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2022-22022 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-22041 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 6.8 | No | No | EoP |
| CVE-2022-30206 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30226 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-30208 | Windows Security Account Manager (SAM) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-30216 | Windows Server Service Tampering Vulnerability | Important | 8.8 | No | No | Tampering |
| CVE-2022-30222 | Windows Shell Remote Code Execution Vulnerability | Important | 8.4 | No | No | RCE |
| CVE-2022-22045 | Windows.Devices.Picker.dll Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-33644 | Xbox Live Save Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-2294 * | Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC | High | N/A | No | Yes | RCE |
| CVE-2022-2295 * | Chromium: CVE-2022-2295 Type Confusion in V8 | High | N/A | No | No | RCE |

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Please note that Google is aware that an exploit for one of the Chromium bugs (CVE-2022-2294) exists in the wild. If you’re using Microsoft Edge (Chromium-based), make sure it gets updated as soon as possible.

Looking at the rest of the release, the first thing that stands out is the 32(!) patches for the Azure Site Recovery service. Two are remote code execution (RCE) bugs while the rest are elevation of privilege (EoP) issues. This is primarily a cloud-based service, but there are some on-prem components. Don’t expect an automatic update for these bugs. In all cases, you will need to upgrade to version 9.49 to remediate these vulnerabilities. Instructions for this can be found here. It’s incredibly unusual to see so many CVEs addressed in a single month for a single component, and it’s not clear why Microsoft chose to address these bugs in this manner. Regardless of why, if you rely on Azure Site Recovery, make sure you update all the necessary components.

There are two other Critical-rated bugs still to cover. There’s a second Critical-rated NFS vulnerability in addition to the one previously discussed. This is very similar to the other one but rates a slightly lower CVSS. It’s still Critical and the CVSS is questionable, so don’t think it’s any less dangerous. The highest CVSS patch this month belongs to a bug in the Windows Graphics Component. These types of bugs usually manifest by either opening a file or viewing an image.

The remaining Critical-rated bugs impact some critical business functions. The first is a patch for the DNS server component. While certainly worth paying attention to, it does require the attacker to have elevated privileges. There’s an RCE bug in Windows Shell, but it requires a local attacker to interact with the logon screen. As always, don’t ignore physical security. There’s a code execution bug in Skype for Business and Lync (remember those?), but there are several prerequisites that make exploitation less likely. There’s a patch for the Layer 2 Tunneling Protocol (L2TP). It’s not clear how many people are using L2TP these days, but if you’re one of them, make sure you get this patch installed. Speaking of outdated methods of communication, there are two RCE bugs in the Windows Fax service receiving patches.

There are 52 fixes for EoP bugs, which includes the 30 Azure Site Recovery bugs we’ve already mentioned. In addition to the one under active attack, there are two other EoP bugs in CSRSS. For the most part, the rest of these bugs require an attacker to already have the ability to execute code on the target. They can then use one of these bugs to escalate to SYSTEM or some other elevated level. An exception to this is the bug in the Media Player Network Sharing service, which could be leveraged to delete registry keys. There’s also a patch for IIS to address a bug that could allow attackers to bypass authentication on an affected IIS server. The Group Policy bug requires the attacker to have privileges to create Group Policy Templates. Microsoft reminds us to regularly audit these groups, and that’s good advice for many reasons. There’s a patch for the Xbox Live Save Service, but it’s not clear what privileges an attacker would gain if they exploited this bug. Microsoft does list the attack vector as local, so perhaps multiple user profiles on the same Xbox would be impacted? And finally, after getting a month off, there are four new patches for the Print Spooler. We will likely continue to see additional print spooler fixes for the foreseeable future.

There are three fixes for denial-of-service (DoS) bugs in this month’s release, and all are impactful. The first impacts the Security Account Manager (SAM). While Microsoft doesn’t state the impact of this bug, a DoS on the SAM would likely lead to problems logging on to a domain. The other DoS patches fix bugs in IIS. The first covers the Cachuri module, which provides user-mode caching of URL information. The other is in the dynamic compression module, which (as its name implies) allows IIS to compress responses coming from various handlers. It doesn’t seem like either of these would lead to a complete website shutdown, but they would certainly degrade services.

In addition to the tampering bug mentioned above, there’s another tampering issue in Microsoft Defender for Endpoint. However, this bug requires the attacker to authenticate to the management console appliance and to have an integration token.

Physical access is a common factor in three of the four security feature bypass bugs getting fixed this month. The first is a BitLocker bypass that allows an attacker with physical access to a powered-off system to gain access to encrypted data. Similarly, the bug in Boot Manager allows an attacker with physical access to bypass Secure Boot and access the pre-boot environment. The bypass in the Windows Portable Device Enumerator service allows an attacker to attach a USB storage device to a system where Group Policy failed to apply. The final SFB occurs when opening a specially crafted Office file.

The July release contains new fixes for seven information disclosure bugs. Most of these only result in leaks consisting of unspecified memory contents, but there are a couple of notable exceptions. The bug in BitLocker could allow a local attacker to view raw, unencrypted disk sector data. Considering BitLocker’s purpose, you could almost consider this a security feature bypass. One of the Hyper-V bugs could let an attacker on a guest OS gain data from the Hyper-V host. The bug in the Azure Storage Library allows an attacker to decrypt data on the client side and disclose the content of the file or blob. There’s also a CVE assigned by HackerOne that could leak authentication or cookie header data via curl. This was originally patched in April 2022 and is now being incorporated into Microsoft products that use curl.

Finally, there are two information disclosure bugs covering AMD CPU Branch Type Confusion issues. These are related to the “Hertzbleed” vulnerabilities first documented in Intel processors last month. While interesting from an academic perspective, exploits using speculative execution side channels haven’t had much of an impact in the real world. 

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on August 9, and I’ll be at Black Hat in Las Vegas to present on determining risk in an era of low patch quality. I’ll still be able to publish details and patch analysis of the August release, but please come by for the presentation if you’re at the conference. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative – Blog   