Microsoft Patch Tuesday – August 2022

Microsoft patched 118 CVEs in its August 2022 Patch Tuesday release, with 17 rated as critical and 101 rated as important. Including two zero day fixes.

Patch categories

• 64 Elevation of Privilege Vulnerabilities
• 6 Security Feature Bypass Vulnerabilities
• 31 Remote Code Execution Vulnerabilities
• 12 Information Disclosure Vulnerabilities
• 7 Denial of Service Vulnerabilities
• 1 Spoofing Vulnerability

This month’s update includes patches for:

• .NET Core
• Active Directory Domain Services
• Azure Batch Node Agent
• Azure Real Time Operating System
• Azure Site Recovery
• Azure Sphere
• Microsoft ATA Port Driver
• Microsoft Bluetooth Driver
• Microsoft Chromium Edge
• Microsoft Exchange Server
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office Outlook
• Microsoft Windows Support Diagnostic Tool
• Remote Access Service Point-to-Point Tunneling Protocol
• Role: Windows Fax Service
• Role: Windows Hyper-V
• System Center Operations Manager
• Visual Studio
• Windows Bluetooth Service
• Windows Canonical Display Driver
• Windows Cloud Files Mini Filter Driver
• Windows Defender Credential Guard
• Windows Digital Media
• Windows Error Reporting
• Windows Hello
• Windows Internet Information Services
• Windows Kerberos
• Windows Kernel
• Windows Local Security Authority
• Windows Network File System
• Windows Partition Management Driver
• Windows Point-to-Point Tunneling Protocol
• Windows Print Spooler Components
• Windows Secure Boot
• Windows Secure Socket Tunneling Protocol
• Windows Storage Spaces Direct
• Windows Unified Write Filter
• Windows Web Browser Control
• Windows Win32K

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerabilities

CVE-2022-34713 and CVE-2022-35743 are RCE vulnerabilities in the Microsoft Windows Support Diagnostic Tool (MSDT) for troubleshooting. Both CVEs received a CVSS score of 7.8 and are rated important.

CVE-2022-34713 first disclosed the flaw in January 2020. At the time, Microsoft chose not to patch the flaw. However, following renewed interest in MSDT spurred by the discovery and exploitation of CVE-2022-30190, Microsoft patched the flaw this month.

Microsoft Exchange Server Elevation of Privilege Vulnerabilities

CVE-2022-21980, CVE-2022-24516 andCVE-2022-24477 are EoP vulnerabilities in Microsoft Exchange Server. All three received a CVSSv3 score of 8.0 and were rated Exploitation More Likely.

All three vulnerabilities require authentication and user interaction to exploit — an attacker would need to entice a target to visit a specially crafted Exchange server, likely through phishing. Microsoft also notes that Extended Protection needs to be enabled to fully mitigate these vulnerabilities.

Windows Print Spooler Elevation of Privilege Vulnerabilities

CVE-2022-35755 andCVE-2022-35793 are EoP vulnerabilities in Windows Print Spooler Components that both received a CVSSv3 score of 7.3 and were rated Exploitation More Likely. Tracing back to the original PrintNightmare (CVE-2021-34527). CVE-2022-35755 can be exploited using a specially crafted “input file,” while exploitation of CVE-2022-35793 requires a user to click on a specially crafted URL. Both would give the attacker SYSTEM privileges.

SMB Client and Server Remote Code Execution Vulnerability

CVE-2022-35804 is an RCE vulnerability affecting both the Server Message Block (SMB) client and server on Windows 11 systems using Microsoft SMB 3.1.1 (SMBv3). Microsoft rated this as Exploitation More Likely and assigned an 8.8 CVSSV3 score.

This vulnerability is reminiscent of past SMB vulnerabilities such as the EternalBlue SMBv1 flaw patched in MS17-010 in March of 2017 that was exploited as part of the WannaCry incident in addition to the more recent CVE-2020-0796 “EternalDarkness” RCE flaw in SMB 3.1.1.

Both vulnerabilities can be mitigated by disabling the Print Spooler service, but CVE-2022-35793 can also be mitigated by disabling inbound remote printing via Group Policy.

Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2022-34691 is an EoP vulnerability affecting Active Directory Domain Services. With an 8.8 CVSSv3 score, this vulnerability could be exploited by an authenticated attacker to manipulate attributes of accounts and possibly acquire a certificate from Active Directory Certificate Services. This certificate would allow the attacker to elevate their privileges. The advisory notes that exploitation is only possible when Active Directory Certificate Services is running on the domain.

Windows Secure Socket Tunneling Protocol (SSTP) RCE Vulnerability

This vulnerability has a CVSSv3 score of 8.1 and rated exploitation less likely.

Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to RCE on the RAS server machine.

Windows Point-to-Point Protocol RCE Vulnerability

This vulnerability tracked as CVE-2022-30133, CVE-2022-35744  has a CVSSv3 score of 9.8 and is rated as exploitation likely.

This vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable.

Warning: Disabling Port 1723 could affect communications over your network.

Elevation of Privilege Vulnerabilities in Azure Site Recovery

Azure Site Recovery, a suite of tools used for disaster recovery, had a significant number of CVEs patched in this month’s release, including 31 EoP vulnerabilities and  CVSS scores ranging from 4.4 to 8.1, and all the flaws were rated as Important and “Exploitation Less Likely.”

Microsoft Chromium Edge Security Feature Bypass Vulnerability

Tracked as CVE-2022-33649, vulnerability has a CVSSv3.1 score of 9.6 and is rated as exploitation less likely.

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to act, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.

Microsoft Chromium Edge RCE Vulnerability

This vulnerability was tracked as CVE-2022-33636, CVE-2022-35796 with a CVSSv3 score of 8.3 and rated exploitation less likely

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to act, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.

Windows Server 20H2 End of Support

Windows Server, version 20H2 has now reached its end of service and will no longer receive security updates. A Tenable plugin to identify systems using this version of Windows server will be released soon and we will update this post with the plugin ID once it is available.