In the security patch bundle released this Tuesday by Microsoft, fixes for 63 vulnerabilities and exposures were provided. Five of the vulnerabilities are considered “Critical,” 57 of them are “Important,” and one is rated “Moderate.”
Specifically, the flaws are composed of one Security Feature Bypass Vulnerabilities, seven Information Disclosure Vulnerabilities, seven Denial of Service Vulnerabilities, 18 Elevation of Privilege Vulnerabilities, and 30 Remote Code Execution Vulnerabilities. If the vulnerabilities patched in Microsoft Edge before this Patch Tuesday are added, the total number of CVEs rises to 79.
Two of those vulnerabilities were publicly disclosed zero-day vulnerabilities, with one of them (tracked as “CVE-2022-37969 – Windows Common Log File System Driver Elevation of Privilege Vulnerability”) described as “exploited.”
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory. Nonetheless, the tech giant considers the vulnerability severity “Low” since the “technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.” Other security experts, nonetheless, are not satisfied with Microsoft’s statement and expressed their concerns.
“The vulnerability [CVE-2022-37969] is rated as Important, but with multiple vendors acknowledged for the coordinated disclosure and confirmed exploits in the wild this vulnerability should be treated as a Critical severity due to the risk,” Chris Goettl, Vice President of Product Management for security products at Ivanti, told Redmond Magazine.
Mike Walters, cybersecurity executive and co-founder of remote monitoring and management software Action1 Corporation, also said that the “low complexity” of CVE-2022-37969 can be a problem.
“No other technical details [about CVE-2022-37969] are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats,” Walters told Redmond Mag.
Meanwhile, Microsoft Dynamics 365 is affected by two (CVE-2022-34700 and CVE-2022-35805) of the five critical vulnerabilities that can allow remote code execution. Two of them (CVE-2022-34721 and CVE-2022-34722) are linked to Windows Internet Key Exchange Protocol Extensions, while the last one (CVE-2022-34718) has something to do with Windows and TCP/IP.
The last of the five critical vulnerabilities, CVE-2022-34718, is described as “the most serious vulnerability” by security researchers at Cisco Talos since it has a CVSS rating of 9.8 out of 10. Microsoft also described it as “exploitation more likely.” Nonetheless, Dustin Childs of vendor-agnostic bug bounty program Trend Micro’s Zero Day Initiative said that systems with IPv6 enabled and IPSec configured are the only ones affected. “While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly,” Childs added.
On the other hand, while the two critical vulnerabilities, CVE-2022-34721 and CVE-2022-34722, affect all Windows Server products and have 9.8 CVSS scores, Walters said they “both have low complexity for exploitation.”