The June 2022 Security Update Review

It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for June 2022

This month, Adobe released six patches addressing 46 CVEs in Adobe Illustrator, InDesign, InCopy, Bridge, Robohelp, and Animate. A total of 40 of these CVEs were reported by ZDI vulnerability researcher Mat Powell. The largest update belongs to Illustrator, which addresses 17 total CVEs. The most severe of these bugs could allow code execution if an affected system opens a specially crafted file. Many of these bugs fall into the Out-Of-Bounds (OOB) Write category. The update for Adobe Bridge fixes 12 bugs, 11 of which are rated Critical. The patch for InCopy fixes eight Critical-rated bugs, all of which could lead to arbitrary code execution. Similarly, the InDesign patch fixes seven Critical-rated arbitrary code execution bugs. For both InDesign and InCopy, the bugs are a mix of OOB Read, OOB Write, heap overflow, and Use-After-Free (UAF) vulnerabilities. The lone bug fixed by the Animate patch is also a Critical-rated OOB Write that could lead to arbitrary code execution. Finally, the Robohelp patch fixes a Moderate-rated privilege escalation bug caused by improper authorization.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as priority 3.

Microsoft Patches for June 2022

For June, Microsoft released 55 new patches addressing CVEs in Microsoft Windows and Windows Components; .NET and Visual Studio; Microsoft Office and Office Components; Microsoft Edge (Chromium-based); Windows Hyper-V Server; Windows App Store; Azure OMI, Real Time Operating System, and Service Fabric Container; SharePoint Server; Windows Defender; Windows Lightweight Directory Access Protocol (LDAP); and Windows PowerShell. This is in addition to the 4 CVEs patched in Microsoft Edge (Chromium-based), and the new update for MSDT. That brings the total number of CVEs to 60.

Of the 55 new CVEs released today, three are rated Critical, 51 are rated Important, and one is rated Moderate in severity. None of the new bugs patched this month are listed as publicly known or under active attack at the time of release. However, we do have an update for MSDT, which is public and reported to be under active attack.

It’s also interesting to note what is not included in today’s release. This is the first month in recent memory without an update for the Print Spooler. We’ll see if that trend continues or if this reprieve is only temporary. Finally, there are no fixes listed for any of the bugs disclosed during Pwn2Own Vancouver.

Before we take a deeper dive into this month’s release, let’s take just a minute to remember Internet Explorer, which will go out of support tomorrow. The ubiquitous browser has served up websites to users since 1995, and while it’s doubtful anyone will miss it, it certainly had a good run. If you’re worried about your legacy apps still functioning, IE Mode in Microsoft Edge will be supported through at least 2029. With nostalgia out of the way, let’s take a closer look at some of the more interesting updates for this month, starting with the much-anticipated fix for MSDT:

– CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Although it’s difficult to see from the Security Update Guide, Microsoft did release an update to address the much-discussed “Follina” vulnerability in MSDT. This bug has been reported to be under active attack, so priority should be given to the testing and deployment of this update.

– CVE-2022-30136 – Windows Network File System Remote Code Execution Vulnerability
This CVSS 9.8 bug looks eerily similar to CVE-2022-26937 – an NFS bug patched last month and one we blogged about last week. This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NFSV2.0 and NFSV3.0. It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.

– CVE-2022-30163 – Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS. The update doesn’t list the privileges the attacker’s code would run at, but any guest-to-host escape should be taken seriously. Microsoft notes that attack complexity is high since an attacker would need to win a race condition. However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate steps to test and deploy this update.

– CVE-2022-30148 – Windows Desired State Configuration (DSC) Information Disclosure Vulnerability
Most info disclosure bugs simply leak unspecified memory contents, but this bug is different. An attacker could use this to recover plaintext passwords and usernames from log files. Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, there are likely some sought-after username/password combos that could be recovered. This would also be a great bug for an attacker to move laterally within a network. If you’re using DSC, make sure you don’t miss this update.

Here’s the full list of CVEs released by Microsoft for June 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-30163 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
| CVE-2022-30139 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2022-30136 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-30184 | .NET and Visual Studio Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30167 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30193 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-29149 | Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30180 | Azure RTOS GUIX Studio Information Disclosure Vulnerability | Important | 7.8 | No | No | Info |
| CVE-2022-30177 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30178 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30179 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30137 | Azure Service Fabric Container Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
| CVE-2022-22018 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-29111 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-29119 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30188 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21123 * | Intel: CVE-2022-21123 Shared Buffer Data Read (SBDR) | Important | N/A | No | No | Info |
| CVE-2022-21125 * | Intel: CVE-2022-21125 Shared Buffers Data Sampling (SBDS) | Important | N/A | No | No | Info |
| CVE-2022-21127 * | Intel: CVE-2022-21127 Special Register Buffer Data Sampling Update (SRBDS Update) | Important | N/A | No | No | Info |
| CVE-2022-21166 * | Intel: CVE-2022-21166 Device Register Partial Write (DRPW) | Important | N/A | No | No | Info |
| CVE-2022-30164 | Kerberos AppContainer Security Feature Bypass Vulnerability | Important | 8.4 | No | No | SFB |
| CVE-2022-30166 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30173 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30154 | Microsoft File Server Shadow Copy Agent Service (RVSS) Elevation of Privilege Vulnerability | Important | 5.3 | No | No | EoP |
| CVE-2022-30159 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30171 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30172 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30174 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.4 | No | No | RCE |
| CVE-2022-30168 | Microsoft Photos App Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30157 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-30158 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-29143 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-30160 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30151 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-30189 | Windows Autopilot Device Management and Enrollment Client Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2022-30131 | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30132 | Windows Container Manager Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30150 | Windows Defender Remote Credential Guard Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2022-30148 | Windows Desired State Configuration (DSC) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30145 | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-30142 | Windows File History Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2022-30147 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30140 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2022-30165 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-30155 | Windows Kernel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2022-30162 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30141 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2022-30143 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-30146 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-30149 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-30153 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-30161 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-30135 | Windows Media Center Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30152 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-32230 * | Windows SMB Denial of Service Vulnerability | Important | N/A | No | No | DoS |
| CVE-2022-22021 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 8.3 | No | No | RCE |
| CVE-2022-2007 * | Chromium: Use after free in WebGPU | High | N/A | No | No | RCE |
| CVE-2022-2008 * | Chromium: Out of bounds memory access in WebGL | High | N/A | No | No | RCE |
| CVE-2022-2010 * | Chromium: Out of bounds read in compositing | High | N/A | No | No | RCE |
| CVE-2022-2011 * | Chromium: Use after free in ANGLE | High | N/A | No | No | RCE |

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the release, we see that more than half of the patches this month deal with remote code execution. Seven of these deal with LDAP vulnerabilities, which is at least a decrease from the 10 LDAP patches last month. The most severe of these clocks in with a CVSS of 9.8 but would require the MaxReceiveBuffer LDAP policy to be set to a value higher than the default value. This doesn’t seem to be a common scenario. Still, the volume of bugs in LDAP over the last couple of months could indicate a broad attack surface in the component. Speaking of fertile attack surfaces, there are another six fixes for code execution bugs in the AV1 and HEVC media codecs. If you are connected to the Internet, you should automatically get updates from the Windows Store. However, if you are using these optional components in a disconnected environment, you’ll need to get these through either the Microsoft Store for Business or the Microsoft Store for Education. The same holds true for the patch addressing the RCE in the Photos App.
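
To check whether the MaxReceiveBuffer precondition mentioned above applies in a given directory, the following added example (not from the original post or from Microsoft) flags any LDAP query policy whose MaxReceiveBuffer exceeds the default. It assumes the documented default of 10485760 bytes and the "Name=Value" strings stored in the lDAPAdminLimits attribute of queryPolicy objects; the function name Get-RaisedMaxReceiveBuffer is hypothetical and the sample policies are constructed.

```powershell
# Documented default for the MaxReceiveBuffer LDAP policy, in bytes.
# Assumption: this value is not stated on the page; confirm it against
# Microsoft's LDAP policy documentation for your Windows Server version.
$DefaultMaxReceiveBuffer = 10485760

function Get-RaisedMaxReceiveBuffer {
    # Input: objects exposing Name and lDAPAdminLimits (an array of
    # "Policy=Value" strings), the shape Get-ADObject returns for
    # queryPolicy objects. Output: one finding per policy that raises
    # MaxReceiveBuffer above the default or holds an unparseable value.
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [long] $Default = $DefaultMaxReceiveBuffer
    )
    foreach ($p in $Policy) {
        foreach ($entry in @($p.lDAPAdminLimits)) {
            $name, $value = "$entry" -split '=', 2
            if ($name.Trim() -ne 'MaxReceiveBuffer') { continue }
            [long] $parsed = 0
            if (-not [long]::TryParse($value, [ref] $parsed)) {
                # Report malformed entries instead of skipping them silently.
                [pscustomobject]@{ Policy = $p.Name; Value = $value; Finding = 'Unparseable' }
            } elseif ($parsed -gt $Default) {
                [pscustomobject]@{ Policy = $p.Name; Value = $parsed; Finding = 'AboveDefault' }
            }
        }
    }
}

# Constructed sample input: one policy at the default, one raised policy.
$sample = @(
    [pscustomobject]@{
        Name            = 'Default Query Policy'
        lDAPAdminLimits = @('MaxPageSize=1000', 'MaxReceiveBuffer=10485760')
    }
    [pscustomobject]@{
        Name            = 'Example-Raised-Policy'   # constructed name
        lDAPAdminLimits = @('MaxReceiveBuffer=20971520')
    }
)
Get-RaisedMaxReceiveBuffer -Policy $sample

# Live use on a host with the ActiveDirectory module (query policies can be
# assigned per site or per domain controller, so enumerate all of them):
# $base = 'CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,' +
#         (Get-ADRootDSE).configurationNamingContext
# Get-RaisedMaxReceiveBuffer -Policy (Get-ADObject -SearchBase $base `
#     -LDAPFilter '(objectClass=queryPolicy)' -Properties lDAPAdminLimits)
```

Any policy reported as AboveDefault marks domain controllers that meet the stated precondition and should be first in line for the LDAP updates.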

There are three RCE bugs receiving fixes in the Azure RTOS GUIX Studio, which provides developers a design for developing GUIs for IoT applications. What’s not clear is whether these apps will also need updates after installing these patches. There are a few RCE bugs in Office components, including a couple of interesting SharePoint bugs. Most of these require a user to open a specially crafted file. The SQL Server bug sounds pretty nasty but requires authentication. That should lessen the impact. Still, admins will need to carefully review the listed chart to determine which GDR and CU updates they require. This release includes patches impacting the iSCSI Discovery Service, Encrypting File System (EFS), and the File History component. All require some form of authentication, and the iSCSI and File History bugs require user interaction.

Moving on, there are 12 patches to address elevation of privilege (EoP) vulnerabilities. Most of these require an attacker to log on to a system and run specially crafted code. There are, however, a couple of patches that stand out. The update for Azure Open Management Infrastructure (OMI) impacts multiple different Azure and SCOM components. Admins will need to touch most of these to ensure the bug is fully addressed, which will add to their workload. The patch for Azure Service Fabric doesn’t fix any bugs. Instead, it enforces the path to least privilege on Linux clusters. The bug in Kerberos affects servers with both Credential Security Service Provider (CredSSP) and Remote Credential Guard (RCG) installed. An attacker could elevate privileges and then spoof the Kerberos logon process when an RCG connection is made via CredSSP. Finally, the patch for the File Server Shadow Copy Agent Service (RVSS) only affects systems where the File Server VSS Agent Service is installed. However, on those systems, the patch alone isn’t enough. Admins must install the updates on Application and File Servers. Failure to do so could negatively impact backups and cause them to fail. See this KB article for more details.

The June release contains fixes for three Denial-of-Service (DoS) bugs. The DoS in the kernel could crash the OS, but it’s not clear how severe the bug in NAT could be. If it shut down NAT completely, it could devastate impacted enterprises. If you use NAT, treat this as a Critical update. Rapid7 also contributed a CVE in Windows SMB that Microsoft had initially classified as a stability bug. This was silently fixed in the May 2022 updates and is being documented publicly here.

There’s a single security feature bypass being fixed this month in Kerberos AppContainer. If exploited, an attacker could bypass the Kerberos service ticketing feature that performs user access control checks. There’s also a single spoofing bug in this release for the Windows Autopilot Device Management component. There are a mountain of caveats to this bug, so if you’re using this management tool, read the bulletin carefully to determine if your systems are affected.

The release is rounded out by 11 information disclosure bugs. As previously mentioned, most of these only result in leaks consisting of unspecified memory contents. There are a couple of exceptions. The Office bug could expose device information such as resource IDs, SAS tokens, and user properties. The bug in .NET and Visual Studio could be used to intercept the API key intended for NuGet.org.

Finally, there are four info disclosure bugs addressing Intel Processor MMIO stale data vulnerabilities. An attacker could use these bugs to read privileged data across trust boundaries. Microsoft has also released Advisory ADV220002 detailing these bugs, and Intel has also released further details about this class of vulnerabilities.

Looking Ahead

The next Patch Tuesday falls on July 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative – Blog   
