Microsoft patch Tuesday – June 2022

Microsoft has released 55 security fixes that resolve critical issues including Remote Code Execution (RCE) and also includes fixes for problems information leaks, Elevation of Privilege (EoP), Use-After-Free issues, and out-of-bounds memory access.

This month’s update includes patches for:

• .NET and Visual Studio
• Azure OMI
• Azure Real Time Operating System
• Azure Service Fabric Container
• Intel
• Microsoft Edge (Chromium-based)
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office SharePoint
• Microsoft Windows ALPC
• Microsoft Windows Codecs Library
• Remote Volume Shadow Copy Service (RVSS)
• Role: Windows Hyper-V
• SQL Server
• Windows Ancillary Function Driver for WinSock
• Windows App Store
• Windows Autopilot
• Windows Container Isolation FS Filter Driver
• Windows Container Manager Service
• Windows Defender
• Windows Encrypting File System (EFS)
• Windows File History Service
• Windows Installer
• Windows iSCSI
• Windows Kerberos
• Windows Kernel
• Windows LDAP – Lightweight Directory Access Protocol
• Windows Local Security Authority Subsystem Service
• Windows Media
• Windows Network Address Translation (NAT)
• Windows Network File System
• Windows PowerShell
• Windows SMB

Windows Network File System RCE Vulnerability

CVE-2022-30136 is a RCE vulnerability in the network file system (NFS) that can be exploited by an unauthenticated attacker using a specially crafted call to a NFS service. The vulnerability has a 9.8 CVSSv3 score and Exploitation More Likely. The advisory notes that NFS versions 2.0 and 3.0 are not affected and administrators can disable NFS version 4.1 to mitigate this flaw. Disabling NFSv4.1 could have adverse impacts, caution required while adopting it. This is only a mitigation option, the advisory also provides a warning that you should not disable NFSv4.1 unless you have installed the May 2022 Windows security updates, specifically the updates addressing CVE-2022-26937.

Windows Advanced Local Procedure Call EoP Vulnerability

CVE-2022-30160 is an EoP vulnerability affecting the advanced local procedure call (ALPC), a message-passing mechanism for internal operating system communications. With a CVSSv3 score of 7.8, this vulnerability can be exploited by a local, authenticated attacker and rated as Exploitation More Likely. patches are available for all supported Windows variants including Windows Server Core installations.

Windows Installer EoP Vulnerability

CVE-2022-30147 is an EoP vulnerability affecting the Windows Installer. The flaw received a 7.8 CVSSv3 score and can be exploited by a local, authenticated attacker and Exploitation More Likely and patches are available for all supported Windows variants including Windows Server Core Installations..

Numerous RCE Vulnerabilities in Windows  LDAP

This month Microsoft patched seven vulnerabilities in the Lightweight Directory Access Protocol (LDAP).

• CVE-2022-30139
• CVE-2022-30141
• CVE-2022-30143
• CVE-2022-30146
• CVE-2022-30149
• CVE-2022-30153
• CVE-2022-30161

Two of the CVEs, CVE-2022-30153, and CVE-2022-30161 received CVSSv3 scores of 8.8, CVE-2022-30141 was scored at 8.1, and the remainder of the flaws each were scored at 7.5 and all are Exploitation Less Likely.

The vulnerability descriptions for CVE-2022-30139, CVE-2022-30141, and CVE-2022-30143 provide the same caveat that the vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value. A system with the default value for the policy would not be affected. In the case of both CVE-2022-30139 and CVE-2022-30141, no user interaction is required, however, an attacker must prepare the target environment to improve exploit reliability.

The remainder of the CVEs all require some form of user interaction to exploit the vulnerability.

MSDT RCE Vulnerability

CVE-2022-30190, also known as Follina the RCE vulnerability in the Microsoft Windows Support Diagnostic Tool that was disclosed in late May and exploited in the wild has now received patches for affected Windows systems. While Microsoft had provided mitigation guidance in an advisory on May 30, patches were not released until June 14.

Internet Explorer 11 End Of Support

Support for Internet Explorer (IE) 11 will end for certain versions of Windows 10. Microsoft recommends switching to Microsoft Edge and notes that IE 11 is the last major version of Internet Explorer. Tenable customers can utilize Plugin ID 22024 – Microsoft Internet Explorer Unsupported Version Detection to identify systems that have an unsupported version of IE. An update to the plugin will be released on June 15 to account for these updates from Microsoft.

Updates Summary