Patch Tuesday – September 2022

Today, September 13, is Patch Tuesday. Patch Tuesday is the second Tuesday of each month when Microsoft and other vendors, such as Adobe, release security updates to their products to patch discovered vulnerabilities. This month there was patches released for 64 new vulnerabilities with five rated with a severity of Critical, 57 Important, and two Moderate.

One of the vulnerabilities patched this month includes CVE-2022-37969, a privilege escalation vulnerability in the Windows Common Log File System Driver. The Common Log File System (CLFS) API provides a general-purpose log file subsystem that client applications can use to Windows to optimize log access. This vulnerability does require an attacker to already have local access to run application on the targeted system; however, it stands out from the rest in that according to Microsoft, CVE-2022-37969 has already been exploited in the wild. Details are still sparse, but this seems similar to previous CLFS privilege escalation vulnerabilities such as CVE-2022-22000 which was patched in February 2022, CVE-2017-8624 which was patched in August 2017, and others. Microsoft acknowledged Zscalar, CrowdStrike, Mandiant, and DBAPPSecurity for providing information on CVE-2022-37969.

The five critical vulnerabilities patched this month are all remote code execution (RCE) vulnerabilities. CVE-2022-34700 and CVE-2022-35805 are RCE vulnerabilities in Microsoft Dynamics 365. According to Microsoft, both vulnerabilities require an already authenticated user to run a maliciously crafted trust solution package that would then be able to execute arbitrary SQL commands which would include the ability to execute commands as “db_owner” within their database. Both vulnerabilities have a base CVSS score of 8.8 and are considered “less likely” to be exploited. CVE-2022-34721 and CVE-2022-34722 are both RCE vulnerabilities in the Windows Internet Key Exchange (IDE) protocol extensions. These vulnerabilities only affect Windows systems with IPSec enabled, and then it only impacts IKEv1, IKEv2 is not impacted. IPSec is a suite of network protocols commonly used for security connections, such as VPNs. Details are also sparse on these vulnerabilities, but we do know that they require an attacker to craft a malicious IP packet targeting a Windows host with IPSec using IKEv1. Microsoft gave both vulnerabilities a base CVSS score of 9.8 and marked them both, “Exploitation Less Likely.” CVE-2022-34718 is an RCE in the Windows TCP/IP stack. This vulnerability has been given a base CVSS score of 9.8 and Microsoft marked it, “Exploitation More Likely.” CVE-2022-34718 allows an unauthenticated attacker to send a maliciously crafted IPv6 packet to a Windows host with IPSec enabled that could allow the attacker to remotely execute code on the target.

For a full break down of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.