The July 2022 Security Update Review

thezdi.com

It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for July 2022

For July, Adobe addressed 27 CVEs in four patches for Acrobat and Reader, Photoshop, RoboHelp, and Adobe Character Animator. A total of 24 of these bugs were reported through the ZDI program. The update for Acrobat and Reader addresses a combination of 22 different Critical- and Important-rated bugs. The most severe of these could allow code execution if an attacker convinces a target to open a specially crafted PDF document. While there are no active attacks noted, Adobe does list this as a Priority 2 deployment rating. The update for Photoshop fixes one Critical- and one Important-rated bug. The Critical bug is a use-after-free (UAF) that could lead to code execution. The fix for Character Animator addresses two Critical-rated code execution bugs – one a heap overflow and the other an out-of-bounds (OOB) read. Finally, the patch for RoboHelp corrects a single Important-rated cross-site scripting (XSS) bug.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes most of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2.

Microsoft Patches for July 2022

For July, Microsoft released 84 new patches addressing CVEs in Microsoft Windows and Windows Components; Windows Azure components; Microsoft Defender for Endpoint; Microsoft Edge (Chromium-based); Office and Office Components; Windows BitLocker; Windows Hyper-V; Skype for Business and Microsoft Lync; Open-Source Software; and Xbox. This is in addition to the two CVEs patched in Microsoft Edge (Chromium-based). That brings the total number of CVEs to 87.

While this higher volume is expected for a July release, there are still no fixes available for the multiple bugs submitted during the last Pwn2Own competition. And after a brief respite last month, there are additional updates for the Print Spooler. Looks like this component will be back to a monthly release schedule.

Of the 84 new CVEs released today, four are rated Critical, and 80 are rated Important in severity. One of these bugs was submitted through the ZDI program. None of the new bugs patched this month are listed as publicly known, but one of the updates for CSRSS is listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the CSRSS bug under active attack:

- CVE-2022-22047 – Windows CSRSS Elevation of Privilege
This bug is listed as being under active attack, but there’s no information from Microsoft on where the vulnerability is being exploited or how widely it is being exploited. The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.

- CVE-2022-30216 – Windows Server Service Tampering Vulnerability
This patch corrects a tampering vulnerability in the Windows Server Service that could allow an authenticated attacker to upload a malicious certificate to a target server. While this is listed as “Tampering”, an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution. While tampering bugs don’t often get much attention, Microsoft does give this its highest exploit index rating, meaning they expect active exploits within 30 days. Definitely test and deploy this patch quickly – especially to your critical servers.

- CVE-2022-22029 – Windows Network File System Remote Code Execution Vulnerability
This is the third month in a row with a Critical-rated NFS bug, and while this one has a lower CVSS than the previous ones, it could still allow a remote, unauthenticated attacker to execute their code on an affected system with no user interaction. Microsoft notes multiple exploit attempts may be required to do this, but unless you are specifically auditing for this, you may not notice. If you’re running NFS, make sure you don’t ignore this patch.

- CVE-2022-22038 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
This bug could allow a remote, unauthenticated attacker to execute code on an affected system. While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug. Microsoft states the attack complexity is high since an attacker would need to make “repeated exploitation attempts” to take advantage of this bug, but again, unless you are actively blocking RPC activity, you may not see these attempts. If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for July 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-22047 | Windows CSRSS Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-30221 | Windows Graphics Component Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2022-30215 | Active Directory Federation Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2022-23816 | * AMD: CVE-2022-23816 AMD CPU Branch Type Confusion | Important | N/A | No | No | Info |
| CVE-2022-23825 | * AMD: CVE-2022-23825 AMD CPU Branch Type Confusion | Important | N/A | No | No | Info |
| CVE-2022-30181 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33641 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33642 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33643 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33650 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33651 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33652 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-33653 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33654 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33655 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33656 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33657 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33658 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-33659 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33660 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33661 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33662 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33663 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33664 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33665 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33666 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33667 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33668 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33669 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33671 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33672 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33673 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33674 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 8.3 | No | No | EoP |
| CVE-2022-33675 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-33677 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2022-33676 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-33678 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-30187 | Azure Storage Library Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2022-22048 | BitLocker Security Feature Bypass Vulnerability | Important | 6.1 | No | No | SFB |
| CVE-2022-27776 | * HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data | Important | N/A | No | No | Info |
| CVE-2022-22040 | Internet Information Services Dynamic Compression Module Denial of Service Vulnerability | Important | 7.3 | No | No | DoS |
| CVE-2022-33637 | Microsoft Defender for Endpoint Tampering Vulnerability | Important | 6.5 | No | No | Tampering |
| CVE-2022-33632 | Microsoft Office Security Feature Bypass Vulnerability | Important | 4.7 | No | No | SFB |
| CVE-2022-22036 | Performance Counters for Windows Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-33633 | Skype for Business and Lync Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-22037 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2022-30202 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-30224 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-22711 | Windows BitLocker Information Disclosure Vulnerability | Important | 6.7 | No | No | Info |
| CVE-2022-30203 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 7.4 | No | No | SFB |
| CVE-2022-30220 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30212 | Windows Connected Devices Platform Service Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2022-22031 | Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22026 | Windows CSRSS Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-22049 | Windows CSRSS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30214 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2022-22043 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22050 | Windows Fax Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22024 | Windows Fax Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-22027 | Windows Fax Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30213 | Windows GDI+ Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-22034 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30205 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
| CVE-2022-22042 | Windows Hyper-V Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-30223 | Windows Hyper-V Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2022-30209 | Windows IIS Server Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP |
| CVE-2022-22025 | Windows Internet Information Services Cachuri Module Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21845 | Windows Kernel Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2022-30211 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-30225 | Windows Media Player Network Sharing Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-22028 | Windows Network File System Information Disclosure Vulnerability | Important | 5.9 | No | No | Info |
| CVE-2022-22023 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2022-22022 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-22041 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 6.8 | No | No | EoP |
| CVE-2022-30206 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30226 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-30208 | Windows Security Account Manager (SAM) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-30216 | Windows Server Service Tampering Vulnerability | Important | 8.8 | No | No | Tampering |
| CVE-2022-30222 | Windows Shell Remote Code Execution Vulnerability | Important | 8.4 | No | No | RCE |
| CVE-2022-22045 | Windows.Devices.Picker.dll Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-33644 | Xbox Live Save Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-2294 | * Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC | High | N/A | No | Yes | RCE |
| CVE-2022-2295 | * Chromium: CVE-2022-2295 Type Confusion in V8 | High | N/A | No | No | RCE |

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Please note that Google is aware that an exploit for one of the Chromium bugs (CVE-2022-2294) exists in the wild. If you’re using Microsoft Edge (Chromium-based), make sure it gets updated as soon as possible.
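As an added example (not part of the ZDI post), the following Python turns the CVE table above into records and orders them for patch triage following the post's own guidance: anything exploited in the wild first, then severity, then CVSS. The sample rows are copied from the table; the pipe-delimited row form the parser also accepts is an assumption about how the table may be re-exported, not something the post defines.

```python
# Added example (not from the ZDI post): parse the flattened Microsoft CVE
# table into records and rank them for patch triage the way the post
# reasons: in-the-wild exploitation first, then severity, then CVSS.
import re
from dataclasses import dataclass
from typing import Optional

# A flattened row reads "CVE Title... Severity CVSS Public Exploited Type".
# The title can contain spaces, so the five trailing columns are anchored
# and the title is matched non-greedily. CVSS is "N/A" for third-party CVEs.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,7})\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low|High)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?|N/A)\s+(?P<public>Yes|No)\s+"
    r"(?P<exploited>Yes|No)\s+(?P<type>\S+)\s*$"
)
SEVERITY_RANK = {"Critical": 0, "High": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]   # None when the table says N/A
    public: bool
    exploited: bool
    vuln_type: str
    third_party: bool       # rows marked "*" were assigned by a 3rd party


def parse_row(line: str) -> Optional[Entry]:
    """Parse one table row; return None for headers, blanks and non-rows.
    Accepts the whitespace-flattened form and an assumed pipe-delimited form."""
    line = line.strip()
    if "|" in line:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7 or not cells[0].startswith("CVE-"):
            return None
        cve, title, severity, cvss, public, exploited, vtype = cells
    else:
        m = ROW_RE.match(line)
        if not m:
            return None
        cve, title, severity, cvss, public, exploited, vtype = m.group(
            "cve", "title", "severity", "cvss", "public", "exploited", "type")
    return Entry(
        cve=cve, title=title.lstrip("* ").strip(), severity=severity,
        cvss=None if cvss == "N/A" else float(cvss),
        public=public == "Yes", exploited=exploited == "Yes",
        vuln_type=vtype, third_party=title.startswith("*"))


def parse_table(text: str) -> list:
    return [e for e in map(parse_row, text.splitlines()) if e is not None]


def triage_key(e: Entry):
    """Sort key: exploited first, then severity, then CVSS (N/A last), RCE before others."""
    return (not e.exploited, SEVERITY_RANK.get(e.severity, 9),
            -(e.cvss if e.cvss is not None else -1.0), e.vuln_type != "RCE")


def triage(text: str) -> list:
    """Return CVE ids in the order a defender should test and deploy them."""
    return [e.cve for e in sorted(parse_table(text), key=triage_key)]


# Sample rows copied from the table in the post (one rewritten in pipe form).
SAMPLE = """CVE Title Severity CVSS Public Exploited Type
CVE-2022-22047 Windows CSRSS Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2022-22038 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2022-30221 Windows Graphics Component Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-30216 Windows Server Service Tampering Vulnerability Important 8.8 No No Tampering
CVE-2022-23816 * AMD: CVE-2022-23816 AMD CPU Branch Type Confusion Important N/A No No Info
| CVE-2022-2294 | * Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC | High | N/A | No | Yes | RCE |
CVE-2022-22022 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.1 No No EoP
"""

if __name__ == "__main__":
    for e in sorted(parse_table(SAMPLE), key=triage_key):
        print(f"{e.cve:15} {e.severity:9} {str(e.cvss):5} exploited={e.exploited} {e.vuln_type}")
```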

Looking at the rest of the release, the first thing that stands out is the 32(!) patches for the Azure Site Recovery service. Two are remote code execution (RCE) bugs while the rest are elevation of privilege (EoP) issues. This is primarily a cloud-based service, but there are some on-prem components. Don’t expect an automatic update for these bugs. In all cases, you will need to upgrade to version 9.49 to remediate these vulnerabilities. Instructions for this can be found here. It’s incredibly unusual to see so many CVEs addressed in a single month for a single component, and it’s not clear why Microsoft chose to address these bugs in this manner. Regardless of why, if you rely on Azure Site Recovery, make sure you update all the necessary components.

There are two other Critical-rated bugs still to cover. There’s a second Critical-rated NFS vulnerability in addition to the one previously discussed. This is very similar to the other one but rates a slightly lower CVSS. It’s still Critical and the CVSS is questionable, so don’t think it’s any less dangerous. The highest CVSS patch this month belongs to a bug in the Windows Graphics Component. These types of bugs usually manifest by either opening a file or viewing an image.

The remaining Critical-rated bugs impact some critical business functions. The first is a patch for the DNS server component. While certainly worth paying attention to, it does require the attacker to have elevated privileges. There’s an RCE bug in Windows Shell, but it requires a local attacker to interact with the logon screen. As always, don’t ignore physical security. There’s a code execution bug in Skype for Business and Lync (remember those?), but there are several prerequisites that make exploitation less likely. There’s a patch for the Layer 2 Tunneling Protocol (L2TP). It’s not clear how many people are using L2TP these days, but if you’re one of them, make sure you get this patch installed. Speaking of outdated methods of communication, there are two RCE bugs in the Windows Fax service receiving patches.

There are 52 fixes for EoP bugs, which includes the 30 Azure Site Recovery bugs we’ve already mentioned. In addition to the one under active attack, there are two other EoP bugs in CSRSS. For the most part, the rest of these bugs require an attacker to already have the ability to execute code on the target. They can then use one of these bugs to escalate to SYSTEM or some other elevated level. An exception to this is the bug in the Media Player Network Sharing service, which could be leveraged to delete registry keys. There’s also a patch for IIS to address a bug that could allow attackers to bypass authentication on an affected IIS server. The Group Policy bug requires the attacker to have privileges to create Group Policy Templates. Microsoft reminds us to regularly audit these groups, and that’s good advice for many reasons. There’s a patch for the Xbox Live Save Service, but it’s not clear what privileges an attacker would gain if they exploited this bug. Microsoft does list the attack vector as local, so perhaps multiple user profiles on the same Xbox would be impacted? And finally, after getting a month off, there are four new patches for the Print Spooler. We will likely continue to see additional print spooler fixes for the foreseeable future.

There are three fixes for denial-of-service (DoS) bugs in this month’s release, and all are impactful. The first impacts the Security Account Manager (SAM). While Microsoft doesn’t state the impact of this bug, a DoS on the SAM would likely lead to problems logging on to a domain. The other DoS patches fix bugs in IIS. The first covers the Cachuri module, which provides user-mode caching of URL information. The other is in the dynamic compression module, which (as its name implies) allows IIS to compress responses coming from various handlers. It doesn’t seem like either of these would lead to a complete website shutdown, but they would certainly degrade services.

In addition to the tampering bug mentioned above, there’s another tampering issue in Microsoft Defender for Endpoint. However, this bug requires the attacker to authenticate to the management console appliance and to have an integration token.

Physical access is a common factor in three of the four security feature bypass bugs getting fixed this month. The first is a BitLocker bypass that allows an attacker with physical access to a powered-off system to gain access to encrypted data. Similarly, the bug in Boot Manager allows an attacker with physical access to bypass Secure Boot and access the pre-boot environment. The bypass in the Windows Portable Device Enumerator service allows an attacker to attach a USB storage device to a system where Group Policy failed to apply. The final SFB occurs when opening a specially crafted Office file.

The July release contains new fixes for seven information disclosure bugs. Most of these only result in leaks consisting of unspecified memory contents, but there are a couple of notable exceptions. The bug in BitLocker could allow a local attacker to view raw, unencrypted disk sector data. Considering BitLocker’s purpose, you could almost consider this a security feature bypass. One of the Hyper-V bugs could let an attacker on a guest OS gain data from the Hyper-V host. The bug in the Azure Storage Library allows an attacker to decrypt data on the client side and disclose the content of the file or blob. There’s also a CVE assigned by HackerOne that could leak authentication or cookie header data via curl. This was originally patched in April 2022 and is now being incorporated into Microsoft products that use curl.

Finally, there are two information disclosure bugs covering AMD CPU Branch Type Confusion issues. These are related to the “Hertzbleed” vulnerabilities first documented in Intel processors last month. While interesting from an academic perspective, exploits using speculative execution side channels haven’t had much of an impact in the real world.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on August 9, and I’ll be at Black Hat in Las Vegas to present on determining risk in an era of low patch quality. I’ll still be able to publish details and patch analysis of the August release, but please come by for the presentation if you’re at the conference. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
