Microsoft Patch Tuesday: A ‘Unusually Large Patch Release

Table of Contents

• Application Security, Governance & Risk Management, Incident & Breach Response.
• Log4j – Stress Relief
• Notable Vulnerabilities CVE-2022-21907
• CVE-2022-21907 & CVE-2022-21840
• RCE Vulnerabilities
• Other vulnerabilities
• Zero-Days
• CVE-2022-21919
• CVE-2021-36976
• CVE-2022-21836
• CVE-2022-21839
• CVE-2022-21874
• CVE-2021-22947

Application Security, Governance & Risk Management, Incident & Breach Response.

122 CVEs, including 96 New, 9 Critical, and 6 Zero-Days Prajeet Nair (@prajeetspeaks). * January 12, 2022, Microsoft Patch Wednesday: An ‘Unusually Large’ Patch Release.

Microsoft released Tuesday its first rollout of 2022 patches. It covers 96 CVEs plus 24 CVEs that were patched earlier in the month by Microsoft Edge (Chromium-based), and two CVEs that were previously fixed in open-source projects. There are now 122 CVEs in January. Nine of these CVEs are considered critical in severity while 89 are important. Six are also zero-day vulnerabilities.

The Toll of Identity Sprawl in the Complex Enterprise

“This is a very large update for January. Dustin Childs, Zero Day Initiative’s Dustin Childs, says that over the past few years the average January patch release has been about half as many.

Tuesday’s update addresses privilege escalation flaws and remote code execution exploits. It also fixes spoofing issues and information disclosure vulnerabilities in Microsoft Windows, Windows Components and Microsoft Edge (Chromium-based), Exchange Server, and Microsoft Office and Office Components.

Microsoft released a workaround earlier this month to correct a fatal error in email delivery that was caused by a date check failure due to the change of the years to 2022. (see: Microsoft Exchange Fixes the Disruptive “Y2K22” Bug).

Log4j – Stress Relief

Bharat Jogi is Qualys’ director of vulnerability research and threat analysis. He says Microsoft’s monster Patch Tuesday occurs during chaos in the security sector as professionals work overtime on Log4Shell (or the Apache Log4j vulnerability) which is reportedly one of the most serious vulnerabilities in recent decades.

Jogi tells ISMG that unpredictable events like Log4Shell can add stress to security professionals who have to deal with these outbreaks. This makes it imperative to keep an automated inventory of all items used by organizations in their environment. Security professionals should automate the deployment of patches for events according to a set schedule, such as MSFT Patch Tuesday. This will allow them to focus on responding to unpredictable events efficiently.

Notable Vulnerabilities CVE-2022-21907

CVE-2022-21907 is a remote code execution vulnerability in the HTTP protocol stack. It has a CVSS score of 9.8 out of 10. An attacker could use this bug to execute code on affected systems by sending specially crafted packets. This vulnerability is available to all systems that utilize the HTTP Protocol Stack (http.Sys).

“A wormable bug is one that requires no user interaction, does not require privileges, and has an elevated service. This bug is more server-centric than usual, but Windows clients can run HTTP.Sys as well, so it affects all versions. Childs states that the patch can be quickly deployed and tested.

“Kev Breen, Immersive Labs’ director of cyber threat analysis, says that wormable nature has been labeled as more likely to exploit. Breen claims that Windows Server 2019 and Windows 10 Version 1809 are not automatically vulnerable. They require a registry key to make them vulnerable.

Breen says that, if the affected version is not available for patching immediately, the Microsoft advisory can be used to apply the mitigation. He advises that you always verify the potential impact on any business-critical applications before applying mitigation.

Chris Morgan, senior analyst in cyberthreat intelligence at Digital Shadows, said that this vulnerability is alarming, but there are no working proofs or exploitable wild evidence. He says that it should be addressed as a top priority.

CVE-2022-21907 & CVE-2022-21840

CVE-2022-21907 is the most serious vulnerability, according to Rapid7’s product manager Greg Wiseman. It affects the Windows HTTP protocol layer. Microsoft believes it is potentially wormable. However, similar vulnerabilities, such as CVE-2021-3166, have not been proven to be wormable.

Wiseman states that CVE-2022-21840 is a vulnerability in all versions of Microsoft Office and Sharepoint Server. He says that to exploit the vulnerability, one would need to use social engineering to get a victim to open an attachment or go to a malicious site. Fortunately, the Windows preview pane does not provide this opportunity.

Childs of Zero Day Initiative says that there are several patches to fix this bug unless your computer is running Office 2019 for Mac or Microsoft Office LTSC For Mac 2021. These versions have no patches. He says, “Let’s all hope Microsoft makes these patches available soon.”

RCE Vulnerabilities

 

CVE-2022-221846, CVE-2022-221855, and CVE-2022-221969 were all remote code execution vulnerabilities. Each received a CVSS score of 9/10. These vulnerabilities affect Microsoft Exchange Server. These vulnerabilities were discovered by three different researchers, including the National Security Agency.

Breen states that “An important caveat is that they’re listed as ‘network-adjacent,’ which means an attacker must have access to the local networks via an existing compromised host.” “Attacks to exploit this component would be part of the phases of the lateral movement, not the initial infection vector.”

He claims that this isn’t the first time Microsoft Exchange Server has been affected by exploits or patches. In fact, the Hafnium APT team used a number of exploits in January 2021.

Other vulnerabilities

DirectX Graphics are affected by CVE-2022-291912 and CVE-2022-2898. CVE-2022-21917 refers to a vulnerability in Windows Codecs Library. While most systems should be patched automatically, Wiseman states that some organizations may have the vulnerable codec installed on their gold images. This could disable Windows Store updates.

Zero-Days

Microsoft’s most recent patch release includes six zero-day vulnerabilities, which were publicly disclosed by Microsoft. These vulnerabilities are not currently being exploited.

CVE-2022-21919

CVE-2022-2191919 is a Windows user profile vulnerability that allows for the elevation of privilege. It affects Windows 7 as well as server 2008, and later Windows versions.

An analysis shared by ISMG shows that Tyler Reguly (manager of security research at Tripwire) said this vulnerability was a bypass for CVE-2021-34484 released by researcher Abdelhamid Naci (see Report: No Patch to Microsoft Privilege Escalation Zero Day).

“The bypass was first reported by the researcher on October 22. He shared links to proof of concept. Naceri claims that the initial fix to CDirectoryRemove only removed it based on the proof of concept. Reguly states that it did not fix the underlying problem.

CVE-2021-36976

CVE-2021-36976 describes a Libarchive remote execution vulnerability. It involves an issue in the libarchive program, which Windows uses. Reguly states that the vulnerability was discovered by OSS-Fuzz on March 2021, and reported to Microsoft in June 2021.

CVE-2022-21836

CVE-2022-21836, a Windows certificate spoofing vulnerability, was first reported by Eclypsium in a blog post on September 23, 2021.

This vulnerability could be exploited by using expired or revoked certificates, which could be used for bypassing binary verification in Windows Platform Binary Table.

“Microsoft has fixed a spoofing vulnerability that affected Windows Server 2008 and Windows 7 as well as server 2008, and later Windows OS versions,” says Chris Goetttt. He has also added the certificates to the Windows kernel block list, driver.Stl. “Certificates on the driver.Stl” will be blocked, even if they are present in the Windows Platform Binary Table,” Chris Goettl (Vice President of Product Management at Ivanti).

CVE-2022-21839

CVE-20222-21839 refers to a Windows event that traces discretionary access control lists, or DACL denial-of-service vulnerability. It affects Windows 10 1809, and Server 2019 versions.

Reguly explains that DACLs are access control lists that identify who can access Windows objects and if an object doesn’t have a DACL, it will give everyone access.

CVE-2022-21874

CVE-2022-21874 refers to a remote code execution vulnerability in the Windows Security Center API. This vulnerability affects Windows 10 and Server 2016 as well as later Windows OS versions. Reguly informs ISMG that the vulnerability is local and requires user interaction. However, it could lead to a complete compromise of confidentiality integrity, and availability.

CVE-2021-22947

CVE-2021-22947, an open-source vulnerability in remote code execution using curl, was first discovered in 2009. It was fixed in September 2021. This vulnerability affects Windows 10/Server 2019 and later Windows OS versions.

Reguly claims it’s a “man-in-the-middle” flaw. Traffic that isn’t protected by TLS can be infected by communication between client and server. This traffic will then be processed by curl as it came from TLS-protected connections.

more information : venmo