Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday

Microsoft has released its August 2022 Patch Tuesday edition in which 121 vulnerabilities are fixed. The security update addresses two zero-day vulnerabilities (CVE-2022-34713, CVE-2022-30134), one of which is being exploited in the wild (CVE-2022-34713). Out of the 121 vulnerabilities, 17 are rated critical as they allow remote code execution and elevate privileges 

Microsoft also included 20 updates for Microsoft Edge (Chromium-Based) in this Patch Tuesday edition. The vulnerabilities were patched earlier this month and addressed Elevation of Privilege, Remote Code Execution, and Security Feature Bypass vulnerabilities.

The advisory covers 40 products, features, and roles, including Azure Site Recovery, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Support Diagnostic Tool (MSDT), Visual Studio, Windows Hyper-V, Windows Network File System, and many more.

The vulnerabilities are classified as follows:  

  • Spoofing: 1
  • Denial of Service: 7
  • Elevation of Privilege: 64
  • Security Feature Bypass: 6
  • Information Disclosure: 12
  • Remote Code Execution: 31  

Zero-day vulnerabilities addressed in Patch Tuesday, August 2022 Edition

CVE-2022-34713: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability 

The vulnerability was discovered by Imre Rad in January 2020, but Microsoft did not fix it as they did not consider it a security vulnerability. This vulnerability can be exploited only when a user opens a specially crafted file. This is a variant of the vulnerability publicly known as Dogwalk. 

CVE-2022-30134: Microsoft Exchange Information Disclosure Vulnerability 

This vulnerability requires a user with an affected version of Exchange Server to access a malicious server. Successful exploitation of this vulnerability allows an attacker to read targeted email messages. Microsoft says that the CVE-2022-30134 vulnerability is publicly disclosed but has not been detected in attacks. 

Some of the critical vulnerabilities addressed in Patch Tuesday, August 2022 Edition

CVE-2022-35794: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability  

Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

CVE-2022-30133, CVE-2022-35744: Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability  

This vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port; thus, rendering the vulnerability unexploitable.

Warning: Disabling Port 1723 could affect communications over your network. 

CVE-2022-34691: Active Directory Domain Services Elevation of Privilege Vulnerability 

An authenticated user could manipulate attributes on computer accounts that they own or manage and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to the System. 

Please see Certificate-based authentication changes on Windows domain controllers for more information and ways to protect yourself. 
  
CVE-2022-33646: Azure Batch Node Agent Elevation of Privilege Vulnerability  
Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Evaluating workaround using Qualys Policy Compliance (PC)

Qualys Policy Compliance customers can evaluate workarounds based on the following Controls: 
  
CVE-2022-35793: Windows Print Spooler Elevation of Privilege Vulnerability 
21711 Status of the ‘Allow Print Spooler to accept client connections’ group policy setting 
  
1368 Status of the ‘Print Spooler’ service 
  
CVE-2022-35804: SMB Client and Server Remote Code Execution Vulnerability 
24476 Status of the SMBv3 Client compressions setting 
  
20233 Status of the SMBv3 Server compressions setting 
  
CVE-2022-35755: Windows Print Spooler Elevation of Privilege Vulnerability 
1368 Status of the ‘Print Spooler’ service 
  
CVE-2022-35744, CVE-2022-30133: Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability 
14028 List of ‘Outbound Rules’ configured in Windows Firewall with Advanced Security via GPO 
  
11220 List of ‘Inbound Rules’ configured in Windows Firewall with Advanced Security via GPO 
  
CVE-2022-34715: Windows Network File System Remote Code Execution Vulnerability 
24139 Status of the Windows Network File System (NFSV4) service 
  
CVE-2022-34691: Active Directory Domain Services Elevation of Privilege Vulnerability 
4079 Status of the ‘Active Directory Certificate Service’. 

Executing workaround using Qualys Custom Assessment and Remediation (CAR)

Customers can perform the provided mitigation steps by creating a PowerShell script and executing it on the vulnerable assets.

For CAR free trial or schedule a demo: https://www.qualys.com/apps/custom-assessment-remediation/

CVE-2022-35793, CVE-2022-35755 – Windows Print Spooler Elevation of Privilege Vulnerability

Script Details: Image source: Qualys

Script Output:MSPT August 2022 Image source: Qualys

Impact of workaround

Disabling the Print Spooler service disables the ability to print both locally and remotely.

CVE-2022-34715 – Windows Network File System Remote Code Execution Vulnerability

Script Details: MSPT August 2022Image source: Qualys

Script Output:MSPT August 2022 Image source: Qualys

Impact of workaround: 

This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as temporary mitigation. Warning You should NOT apply this mitigation unless you have installed all previous Windows security updates.

CVE-2022-35804 – SMB Client and Server Remote Code Execution Vulnerability

Script Details:MSPT August 2022 Image source: Qualys

Script Output:MSPT August 2022 Image source: Qualys

How to undo the workaround:

You can revert the workaround with the following PowerShell command:

Remove-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters” -Name “DisableCompression” -Force

Remove-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” -Name “DisableCompression” -Force

CVE-2022-30133, CVE-2022-35744 – Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability

Script details:MSPT August 2022 Image source: Qualys

Script output:MSPT August 2022Image source: Qualys 

Impact of Workaround: 

This vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable.

Warning: Disabling Port 1723 could affect communications over your network. 
 
Visit the August 2022 Security Updates page to access the full description of each vulnerability and the systems it affects. 
 
Qualys customers can scan their network with QIDs 110413, 110414, 376813, 50121, 91929, 91931, 91932, 91933, 91934, 91935, 91936 to detect vulnerable assets. 
 
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities. 
 
References: 
https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35794  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33646  
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Leave a Reply

Your email address will not be published.