Microsoft has released patches for 84 flaws, including four rated critical and one that had an unknown status, on its monthly Patch Tuesday. The other patches were all rated as important.
Commenting on the vulnerabilities, Satnam Narang, staff research engineer at security firm Tenable, said: “Microsoft patched CVE-2022-22047, an elevation of privilege vulnerability in the Windows Client Server Run-Time Subsystem (CSRSS). The flaw was assigned a CVSSv3 score of 7.8 and is rated important.
“According to Microsoft, this vulnerability has been exploited in the wild, though no details were available at the time patches became available. Elevation of privilege flaws are valuable for attackers that have already gained access to a vulnerable system with limited privileges through other means, including social engineering or exploitation of a separate vulnerability. They could potentially gain administrative privileges by running a specially crafted application that exploits this flaw.”
Narang said July’s patches also included fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226.
“We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527) as researchers continue to identify flaws in the service,” he pointed out.
“These four flaws are elevation of privilege vulnerabilities, which provide attackers with the ability to delete files or gain SYSTEM privileges on a vulnerable system.
“Microsoft also patched several vulnerabilities in its Azure Site Recovery, a disaster recovery service. These include CVE-2022-33675, an elevation of privilege flaw that was discovered by Tenable researcher Jimi Sebree.
“The flaw exists in Azure Site Recovery due to a directory permission error that could allow an attacker to leverage DLL hijacking to elevate privileges to SYSTEM. More details about this discovery can be found on the Tenable Techblog.”
Mike Walters, cyber security executive and co-founder of remote monitoring and management software provider Action1 Corporation, said one patch of particular interest addressed a Windows Network File System Remote Code Execution Vulnerability, tracked as CVE-2022-22029.
“This patch continues a series on NFS vulnerabilities that started in May. The previous patch was for NFSv4.1, and this patch is for NFSv3,” he said.
“That’s very strange, since Microsoft wrote that they fixed version 3 in the May update. It turns out that the May update fixed only NFSv2. This vulnerability has a severity of ‘critical’ because of multi-month history and because it could be exploited over the network to trigger remote code execution (RCE). Its CVSS score is only 8.1 because execution is rather complex and time-consuming; nevertheless, if you are using NFS3, patching is a must.”
Walters said another patch was for a Windows Server Service Tampering Vulnerability (tracked as CVE-2022-30216), which had a CVSS score of 8.8.
“For successful exploitation of this vulnerability, a malicious certificate needs to be imported on an affected system,” he explained. “An authenticated attacker could remotely upload a certificate to the server service.
“This is very bad because the certificate could allow malicious code to be run on the server. This attack’s complexity is low, and it puts the integrity, availability, and confidentiality of Windows Server and Windows 10/11 at risk. The exploit is not yet publicly available, but exploitation is likely, according to Microsoft.
“A Remote Procedure Call Runtime Remote Code Execution Vulnerability, tracked as CVE-2022-22038, is another critical vulnerability. Its CVSS score is just 8.1 due to high attack complexity — there is no exploit yet, just a PoC. The score could be increased if an exploit is delivered to the darknet.”