Patch Tuesday September’s Patch Tuesday is here and it brings, among other things, fixes from Microsoft for one security bug that miscreants have used to fully take over Windows systems along with details of a second vulnerability that, while not yet under attack, has already been publicly disclosed.
In total, Redmond patched or addressed 62 security flaws today. This batch includes five “critical” remote code execution (RCE) vulnerabilities, and Microsoft ranked the rest as “important.”
The bug that’s already being exploited in the wild, tracked as CVE-2022-37969, is in Windows’ Common Log File System and it received a CVSS score of 7.8 out of 10 in severity, which Microsoft thus deems “important.” Exploit code for this privilege-escalation flaw is also publicly available.
An authenticated user, or malware already running on a box, can exploit this bug to execute code and escalate privileges all the way to SYSTEM level, enabling them to fully takeover the machine. The goodish news is that an attacker must already have access into the system to exploit this vulnerability, thus its lower rating, though it’s under attack and needs fixing.
“This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system,” the software giant noted.
However, as we’ve seen, it’s not too hard to get users to click on a malicious link or open a malware-laced file. “Once they do, additional code executes with elevated privileges to take over a system,” warned the Zero Day Initiative’s Dustin Childs, in stating how the bug could be used to commandeer a system.
Plus, while we usually don’t get much — if any — detail on how widespread an attack is from Microsoft’s monthly patching event, in this case Redmond credited multiple security researchers from various organizations with reporting the bug. This includes Quan Jin with DBAPPSecurity, Genwei Jiang with Mandiant, CrowdStrike, and Zscaler’s ThreatLabz.
“Seeing as this vulnerability was reported to Microsoft by four different cybersecurity companies, it is highly likely that it is being leveraged extensively in the wild — specifically by APT groups and malware authors — to gain elevated privileges,” Bharat Jogi, director of vulnerability and threat research at Qualys, told The Register.
The other vulnerability with publicly available exploit code, tracked as CVE-2022-23960, is a data-leaking speculation execution side-channel bug in Arm processors known a Spectre-BHB. It’s a variant of the earlier Spectre v2 vulnerability, which can be abused by malware to steal data from memory that should otherwise be off limits.
Academics at VU Amsterdam discovered this bug in March, and today Microsoft directed folks to the Arm Developer Spectre-BHB resources page for additional information on how to handle CVE-2022-23960 as well as providing a Windows 11 update.
“This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening,” Jogi said. “If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”
Of the five critical RCE vulnerabilities in this month’s patchapalooza, CVE-2022-34718, a Windows TCP/IP bug which received a 9.8 CVSS score, deserves high priority in terms of what to fix next.
Microsoft flagged it as “exploitation more likely,” which isn’t good as it could allow a remote, unauthenticated attacker to run code without any user interaction required.
“However, only systems with IPv6 enabled and IPSec configured are vulnerable,” Childs noted. “While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”
Supporting info, please
Speaking of CVEs labeled “exploitation more likely,” here’s a wish-list item for Redmond: how about giving organizations a little more detail about the bugs and how to mitigate them?
As Immersive Labs Director of Cyber Threat Research Kev Breen pointed out, there’s five CVEs this month listed as “exploitation more likely,” but Microsoft didn’t provide “supporting information” to back this up.
“It’s important to encourage patches,” he told The Register. “At the same time, large organizations with critical services are not always able to deploy patches quickly at scale, especially anything that may carry a risk to business-critical operations.
“With an absence of detail or mitigation options, the challenge falls to security teams to increase the protective monitoring or separation of key assets until patches can be deployed.”
Back to the other critical vulnerabilities: Microsoft patched two more RCE bugs in Windows Internet Key Exchange (IKE) Protocol that seem to be related to CVE-2022-34718. This duo, CVE-2022-34721 and CVE-2022-34722, also only affect services running IPSec.
The final two critical RCE vulnerabilities fixed today, CVE-2022-34700 and CVE-2022-35805, plug holes in on-premises versions of Microsoft Dynamics CRM.
Adobe’s fixes 63 flaws
Adobe patched 63 vulnerabilities across seven of its products running on both Windows and macOS machines, and noted it’s not aware of any of these being exploited in the wild. However, the software provider rated 35 of these bugs as critical, so it’s best to patch now before Exploit Wednesday.
Ten of the 12 fixes for Bridge are deemed critical. These include out-of-bounds read, out-of-bounds write, use-after-free, and heap-based buffer overflow vulnerabilities that could lead to arbitrary code execution. Meanwhile, two “important” use-after-free bugs could lead to memory leak.
While none of them achieved the critical severity rating, 11 important vulnerabilities in Bridge could also lead to arbitrary code execution and security feature bypass.
InDesign‘s September patches plug holes in eight critical bugs and 10 labeled important. Successful exploitation of these could lead to arbitrary code execution, arbitrary file system read and memory leak, according to the software maker.
A security update for Photoshop, running on both Windows and macOS machines, fixes nine critical and one important vulnerability that could also lead to arbitrary code execution and memory leak.
And finally, seven CVEs (five critical and two important), in InCopy, two critical vulnerabilities in Animate and three in Illustrator (one critical, two important) could allow attackers to execute malicious code and lead to memory leak.
SAP issues 6 ‘high priority’ fixes
SAP also added 16 new and updated patches, including one HotNews Note and six high priority notes.
According to Thomas Fritsch, SAP security researcher at Onapsis, Security Note #3223392 is the most critical of the three new high priority fixes. It plugs an unquoted service path vulnerability in SAP Business One, which received a 7.8 CVSS score.
“An unquoted service path vulnerability can be exploited to execute an arbitrary binary file when the vulnerable service starts, which could allow it to escalate privileges to SYSTEM,” he explained.
Another high priority note, #3217303, which received a 7.7 severity rating fixes an information disclosure bug in BusinessObject. “Under certain conditions, the vulnerability allows an attacker to gain access to unencrypted sensitive information in the Central Management Console of SAP BusinessObjects Business Intelligence Platform,” Fritsch said.
Additionally, an updated high priority note, #2998510, fixes the same type of vulnerability that earned a 7.8 CVSS score. The update clarified the affected operating systems and other prerequisites for exploit.
Don’t forget your Android OS
And finally, Google’s September Android security update addressed 46 CVEs. One, that affects Qualcomm closed-source components, is considered critical. Meanwhile 44 are high-severity vulnerabilities and one is moderate.
While Google doesn’t publish information about specific bugs in its monthly Android bulletin, it did note “the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed.”
And considering this Android vuln was serious enough for the Center for Internet Security to weigh in, we’d suggest patching your Android device OS ASAP.
“Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights,” the advisory noted. ®