The September 2022 Security Update Review

Another Patch Tuesday is upon us, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for September 2022

For September, Adobe released seven patches addressing 63 CVEs in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator. A total of 42 of these bugs were reported by ZDI Sr. Vulnerability Researcher Mat Powell. The update for InDesign is the largest patch this month, with eight Critical-rated and 10 Important-rated vulnerabilities receiving fixes. The most severe of these could lead to code execution if a specially crafted file is opened on an affected system. The patch for Photoshop fixes 10 CVEs, nine of which are rated Critical. Again, an attacker can get code execution if they can convince a user to open a malicious file. The update for InCopy fixes five similar code execution bugs and two info disclosure bugs. Adobe Animate also receives patches for two Critical-rated code execution bugs.

The update for Adobe Bridge corrects 10 Critical-rated code execution bugs and two Important-rated info disclosure bugs. One of the three Illustrator vulnerabilities getting patched could also lead to code execution. As with the bugs previously mentioned, a user would need to open a malicious file with an affected software version. Finally, the patch for Adobe Experience Manager addresses 11 Important-rated bugs, primarily of the cross-site scripting (XSS) variety.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Apple Patches for September 2022

Yesterday, Apple released updates for iOS, iPadOS, macOS, and Safari. They also released updates for watchOS and tvOS but provided no details on any of the fixes included in these patches. Two of the bugs patched by Apple were identified as being under active exploit. The first is a kernel bug (CVE-2022-32917) resulting from improper bounds checking. It affects iOS 15 and iPadOS 15, macOS Big Sur, and macOS Monterey. Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS. The Big Sur version of macOS also includes a fix for an Out-of-Bounds (OOB) Write bug in the kernel (CVE-2022-32894) that’s also listed as under active attack. One final note: Apple states in its iOS 16 advisory that “Additional CVE entries to be added soon.” It is possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices.

Microsoft Patches for September 2022

This month, Microsoft released 64 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure and Azure Arc; .NET and Visual Studio and .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel (really). This is in addition to the 15 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors. That brings the total number of CVEs to 79. Five of these CVEs were submitted through the ZDI program.

The volume of fixes released this month is about half of what we saw in August, but it is in line with the volume of patches from previous September releases. For whatever reason, the last quarter of the calendar year tends to have fewer patches released. We’ll see if that trend continues in 2022.

Of the 64 new CVEs released today, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. One of these new CVEs is listed as publicly known and under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the CLFS bug under active attack:

– CVE-2022-37969 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This bug in the Common Log File System (CLFS) allows an authenticated attacker to execute code with elevated privileges. Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link. Once they do, additional code executes with elevated privileges to take over a system. Usually, we get little information on how widely an exploit is being used. However, Microsoft credits four different agencies with reporting this bug, so its use is likely beyond just targeted attacks.

– CVE-2022-34718 – Windows TCP/IP Remote Code Execution Vulnerability
This Critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction. That officially puts it into the “wormable” category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPSec configured are vulnerable. While that is good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.

– CVE-2022-34724 – Windows DNS Server Denial of Service Vulnerability
This bug is only rated Important since there’s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of the DNS that points the way to those resources could be catastrophic for many enterprises.

– CVE-2022-3075 – Chromium: CVE-2022-3075 Insufficient data validation in Mojo
This patch was released by the Google Chrome team back on September 2, so this is more of an “in case you missed it.” This vulnerability allows code execution on affected Chromium-based browsers (like Edge) and has been detected in the wild. This is the sixth Chrome exploit detected in the wild this year. The trend shows the near-ubiquitous browser platform has become a popular target for attackers. Make sure to update all of your Chromium-based systems.

Here’s the full list of CVEs released by Microsoft for September 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-37969 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | Yes | Yes | EoP |
| CVE-2022-23960 * | Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability | Important | N/A | Yes | No | Info |
| CVE-2022-34700 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-35805 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-34721 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-34722 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-34718 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-38013 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-26929 | .NET Framework Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38019 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38007 | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37954 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35838 | HTTP V3 Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-35828 | Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34726 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34727 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34730 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34732 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34734 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37963 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38010 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-34731 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34733 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35834 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35835 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35836 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35840 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37962 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-35823 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2022-37961 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38008 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38009 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37959 | Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
| CVE-2022-38011 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2022-35830 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2022-37958 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2022-38020 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-34725 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-35803 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30170 | Windows Credential Roaming Service Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-34719 | Windows Distributed File System (DFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34724 | Windows DNS Server Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-34723 | Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-35841 | Windows Enterprise App Management Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35832 | Windows Event Tracing Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2022-38004 | Windows Fax Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-34729 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38006 | Windows Graphics Component Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-34728 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-35837 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5 | No | No | Info |
| CVE-2022-37955 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34720 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-33647 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2022-33679 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2022-37956 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37957 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37964 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30200 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-26928 | Windows Photo Import API Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-38005 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35831 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30196 | Windows Secure Channel Denial of Service Vulnerability | Important | 8.2 | No | No | DoS |
| CVE-2022-35833 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-38012 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Low | 7.7 | No | No | RCE |
| CVE-2022-3038 * | Chromium: CVE-2022-3038 Use after free in Network Service | Critical | N/A | No | No | RCE |
| CVE-2022-3075 * | Chromium: CVE-2022-3075 Insufficient data validation in Mojo | High | N/A | No | Yes | RCE |
| CVE-2022-3039 * | Chromium: CVE-2022-3039 Use after free in WebSQL | High | N/A | No | No | RCE |
| CVE-2022-3040 * | Chromium: CVE-2022-3040 Use after free in Layout | High | N/A | No | No | RCE |
| CVE-2022-3041 * | Chromium: CVE-2022-3041 Use after free in WebSQL | High | N/A | No | No | RCE |
| CVE-2022-3044 * | Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation | High | N/A | No | No | N/A |
| CVE-2022-3045 * | Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8 | High | N/A | No | No | RCE |
| CVE-2022-3046 * | Chromium: CVE-2022-3046 Use after free in Browser Tag | High | N/A | No | No | RCE |
| CVE-2022-3047 * | Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API | Medium | N/A | No | No | SFB |
| CVE-2022-3053 * | Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock | Medium | N/A | No | No | N/A |
| CVE-2022-3054 * | Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools | Medium | N/A | No | No | SFB |
| CVE-2022-3055 * | Chromium: CVE-2022-3055 Use after free in Passwords | Medium | N/A | No | No | RCE |
| CVE-2022-3056 * | Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy | Low | N/A | No | No | SFB |
| CVE-2022-3057 * | Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox | Low | N/A | No | No | EoP |
| CVE-2022-3058 * | Chromium: CVE-2022-3058 Use after free in Sign-In Flow | Low | N/A | No | No | RCE |
* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Checking the remaining Critical-rated updates, there are two for Windows Internet Key Exchange (IKE) Protocol Extensions that could also be classified as “wormable.” For both bugs, only systems running IPSec are affected. There are also two Critical-rated vulnerabilities in Dynamics 365 (On-Premises) that could allow an authenticated user to perform SQL injection attacks and execute commands as db_owner within their Dynamics 365 database.

Moving on to other code execution bugs, more than half of this month’s release involves some form of remote code execution. Of these, the patches for SharePoint stand out. Microsoft recently detailed how a SharePoint bug was used by Iranian threat actors against the Albanian government, resulting in Albania breaking off diplomatic relations with Iran. Those attacks involved a SharePoint bug we had previously blogged about. These new SharePoint cases do require authentication, but they sound very similar to other SharePoint bugs that came through the ZDI program. There are six RCE bugs in OLE DB Provider for SQL Server, but they require user interaction. A threat actor would need a user on an affected system to connect to a malicious SQL server via OLEDB, which could result in the target server receiving a malicious packet, resulting in code execution. There are five RCE bugs in the ODBC driver that also require user interaction. For these, opening a malicious MDB in Access would get code execution, similar to the other open-and-own bugs in Office components. The bug in LDAP also requires user interaction, but no other information about the exploit scenario is given.

The bug in the Enterprise App Management component requires authentication, but it’s still intriguing. An attacker could use the vulnerability to install arbitrary SYSTEM services that would then run with SYSTEM privileges. I could definitely see this bug being used after an initial breach for lateral movement and to maintain a presence on a target network. The RPC bug also looks interesting, but it’s likely not as practical since an attacker would need to spoof the localhost IP address of the target. There’s an RCE bug in .NET, but no information besides the requirement for user interaction is given. Finally, there are updates for the AV1 video extension and the Raw image extension. Both updates are delivered automatically through the Microsoft store. If you’re in a disconnected environment, you’ll need to apply these updates manually.

There are a total of 19 elevation of privilege (EoP) fixes in this month’s release, including the aforementioned patch for CLFS. Many of these require an authenticated user to run specially crafted code on an affected system. The bug in Microsoft Defender for Endpoint for Mac fits this description, as do the kernel-related patches. However, there are a couple of interesting bugs that don’t fit this profile. The first of these is a bug in the Credential Roaming Service that could allow attackers to gain remote interactive logon rights on a machine. There are two bugs in Kerberos that could lead to SYSTEM, but both have many caveats, so exploitation is unlikely. The EoP in Azure Guest Configuration and Arc-Enabled servers is fascinating for multiple reasons. A threat actor could use this vulnerability to replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons. While this is interesting on its own, the mere fact that Microsoft is producing patches for the Linux kernel boggles the mind. And, of course, it wouldn’t be a monthly update if it didn’t include a patch for the print spooler.

The September release includes six patches for information disclosure vulnerabilities. For the most part, these only result in leaks consisting of unspecified memory contents. One exception is the bug impacting the Data Protection Application Programming Interface (DPAPI). If you aren’t familiar with it, DPAPI allows you to encrypt data using information from the current user account or computer. The bug patched this month could allow an attacker to view the DPAPI master key. The vulnerability in the Windows graphics component could leak metafile memory values, although it’s not clear what an attacker could do with this information.

Seven different DoS vulnerabilities are patched this month, including the DNS bug mentioned above. Two bugs in Secure Channel would allow an attacker to crash the TLS implementation by sending specially crafted packets. There’s a DoS in IKE, but unlike the code execution bugs listed above, no IPSec requirements are listed here. If you’re running newer OSes with the latest features, don’t miss the fix for an HTTP DoS. The system needs HTTP/3 enabled and the server using buffered I/O to be affected. HTTP/3 is a new feature in Windows Server 2022, so in this rare instance, older is better.
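Several of the bugs above only bite when a specific feature is turned on (IPv6 plus IPSec for CVE-2022-34718, IPSec for the two IKE RCEs, HTTP/3 on Server 2022 for CVE-2022-35838, the DNS Server role for CVE-2022-34724), which is exactly what decides where to roll this update out first. The script below is an added example, not code from the ZDI post or from Microsoft: it reports those preconditions for the local host. Two things in it are assumptions: IPsec “configured” is approximated as enabled IPsec rules in the active policy store or a running IKEEXT service, and the HTTP/3 switch is read from the HTTP.sys EnableHttp3 registry value, which you should confirm against Microsoft’s documentation for your build.

```powershell
# Added exposure-check example (not code from the ZDI post or from Microsoft).
# Reports, for the local host, the preconditions the post names for four of
# this month's CVEs so that patch rollout can be prioritised.
# Assumptions: IPsec "configured" = enabled IPsec rules in the active store or a
# running IKEEXT service; HTTP/3 state = the HTTP.sys EnableHttp3 registry value.
#Requires -RunAsAdministrator

function Get-Sept2022Exposure {
    [CmdletBinding()]
    param()

    # CVE-2022-34718 (TCP/IP RCE): affected only if IPv6 is enabled on an
    # adapter AND IPsec is configured.
    $ipv6Bound = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled }).Count -gt 0

    $ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                    Where-Object { "$($_.Enabled)" -eq 'True' }).Count
    $ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ipsecInUse = ($ipsecRules -gt 0) -or ($null -ne $ike -and $ike.Status -eq 'Running')

    # CVE-2022-35838 (HTTP/3 DoS): needs HTTP/3 enabled; the post notes HTTP/3
    # is new in Windows Server 2022. Whether the listener uses buffered I/O is
    # application-specific and not detectable from here.
    $httpParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $http3Value  = (Get-ItemProperty -Path $httpParams -Name 'EnableHttp3' -ErrorAction SilentlyContinue).EnableHttp3
    $osCaption   = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $http3Exposed = ($http3Value -eq 1) -and ($osCaption -like '*Server 2022*')

    # CVE-2022-34724 (DNS Server DoS): only hosts running the DNS Server role.
    # Get-WindowsFeature exists on Server SKUs only, so guard the call.
    $dnsRole = $false
    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $dnsRole = [bool](Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue).Installed
    }

    [PSCustomObject]@{
        ComputerName                   = $env:COMPUTERNAME
        OS                             = $osCaption
        IPv6Enabled                    = $ipv6Bound
        IPsecInUse                     = $ipsecInUse
        'CVE-2022-34718 TCP/IP RCE'    = ($ipv6Bound -and $ipsecInUse)
        'CVE-2022-34721/34722 IKE RCE' = $ipsecInUse
        'CVE-2022-35838 HTTP/3 DoS'    = $http3Exposed
        'CVE-2022-34724 DNS DoS'       = $dnsRole
    }
}

# Usage: run on each candidate host; hosts with a True CVE column go first in
# the rollout. The patch still applies everywhere, this only sets the order.
Get-Sept2022Exposure | Format-List
```

A False result means the named precondition is absent on that host, not that the host is safe without the update; the object is meant to be collected from many machines (for example via Invoke-Command) and sorted, so the wormable cases get the first maintenance window.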

The September release includes a fix for a lone security feature bypass in the Network Device Enrollment Service (NDES). An attacker could bypass the service’s cryptographic service provider.

The Low-rated bug is a sandbox escape in Microsoft Edge (Chromium-based) that requires user interaction. However, the CVSS for this bug is 7.7, which Mitre classifies as “High.” Microsoft claims the user interaction involved justifies the Low rating, but I would still treat this as an important update and not delay the rollout.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on October 11, and we’ll return with details and patch analysis then. Don’t forget – I’ll be premiering the Patch Report webcast tomorrow on our YouTube channel at 9:00 am Central time. I hope you’re able to tune in and check it out. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative – Blog   