Microsoft patches critical remote-code-exec hole in Exchange Server and others

Patch Tuesday Microsoft has addressed 71 security flaws, including three critical remote code execution vulnerabilities, in its monthly Patch Tuesday update. The IT giant is confident none of the bugs have been actively exploited. 

One of those critical RCEs is in Microsoft Exchange Server, and labeled CVE-2022-23277. It can be exploited by an authenticated user to “trigger malicious code in the context of the server’s account through a network call,” said Redmond.

Yes, an attacker needs to be authenticated, though Sophos Lab threat researcher Christopher Budd noted: “Given what we’ve seen recently around attacks against Exchange vulnerabilities, the critical severity rating and the nature of the vulnerability makes this an issue that should be patched as soon as possible.”

The other two critical RCEs affect Microsoft’s Video Extensions products. One, CVE-2022-24501, exists in the VP9 Video Extensions app available on the Microsoft Store. An attacker could exploit this flaw by convincing a user to open a malicious video file, which would cause code stashed within the footage to execute on the victim’s machine. Microsoft will automatically update — and patch — affected customers.

Similarly, CVE-2022-22006 is an HEVC Video Extensions remote code execution vulnerability that could be exploited the same way. Microsoft pushed an automatic patch for this software.

Microsoft also issued fixes for several other products including Office, Windows, Internet Explorer, Defender, and Azure Site Recovery. Dustin Childs at the Zero Day Initiative highlighted a number of their vulnerabilities, such as:

  • CVE-2022-21990: Remote-code execution, non-critical. It’s possible to hijack a PC via its RDP client when connecting to a malicious server. Details of this flaw are public, and Childs said this bug should be treated as critical.
  • CVE-2022-24508: Remote-code execution, non-critical. An authenticated user can execute malicious code on Windows 10 version 2004 and newer systems via SMBv3. “This is another one I would treat as critical and mitigate quickly,” said Childs.
  • CVE-2022-24512: Remote-code execution, non-critical. This is in .NET and Visual Studio, and details of the bug are public.
  • And a ton of elevation-of-privilege flaws, particularly CVE-2022-24459 in the Windows Fax and Scan Service, details of which are public; CVE-2022-21967 in the Xbox Live Auth Manager for Windows; and CVE-2022-23266 in Defender for IoT (which also has an RCE, CVE-2022-23265).

Test Microsoft’s patches as necessary, and deploy them as soon as you are able, to avoid exploitation.

And the rest

In addition to Microsoft’s relatively light Patch Tuesday, Adobe issued three security updates for Photoshop and rated all of them “priority 3,” its lowest-level ranking bestowed on holes in products that have “historically not been a target for attackers.”

SAP’s March patch day proved slightly more exciting with 17 new and updated security notes. Most of the critical fixes are still Log4j patches. 

SAP Security Note #3154684, which received a perfect 10.0 CVSS score, is one of these Log4j patches. It affects on-premises versions of the SAP Work Manager and SAP Inventory app, both of which run on the SAP Mobile Platform.

Additionally, SAP Security Note #3145987, with a CVSS score of 9.3, patches a missing authentication vulnerability in the SAP Simple Diagnostics Agent. Onapsis Research Labs detected this critical vulnerability, which could allow an attacker to access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations.

“The only thing that prevents it from being tagged with a CVSS score of 10 is that, for a successful exploit to occur, local OS access to the SAP Focused Run system — or to one of the managed systems — is required,” according to the threat researchers. “However, a successful exploit can lead to a complete compromise of the affected system.” 

Meanwhile, Cisco patched three flaws — one critical, one high, and one medium impact — but said it’s not aware of any of these being actively exploited. 

CVE-2021-1577 is a critical vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller and Cisco Cloud Application Policy Infrastructure Controller. This flaw could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system.

The second “high impact” vulnerability, CVE-2021-1579, affects the same two Cisco products. It could allow an authenticated, remote attacker with administrator read-only credentials to elevate privileges on an affected system.

Intel has patched two issues in its products: CVE-2021-33150 in Trace Hub, which can be exploited to achieve elevation of privilege; and CVE-2022-0001 and CVE-2022-0002, which can be potentially exploited by software to leak information via the processor’s branch predictor.

Similarly, we’ve spotted AMD is addressing an issue in its processor families in which chips “may transiently execute instructions following an unconditional direct branch that may result in detectable cache activity.” In other words, another Spectre-Meltdown-style data-leaking side-channel via the cache. This is tracked as CVE-2021-26341.

And finally Google announced details about a slew of flaws affecting Android devices in its March security bulletin. The vendor said it will issue source code patches for these vulnerabilities to the Android Open Source Project (AOSP) repository in the next 48 hours.

The most severe Android flaw is a critical security vulnerability in the system component that could lead to remote escalation of privilege with no additional execution privileges or user interaction needed. There’s no sign that kernel privilege-escalation flaw CVE-2022-0847, aka Dirty Pipe, has been addressed, we note. Many Android devices aren’t likely to be vulnerable, anyway, as the bug is present in Linux kernel versions 5.8 and higher. ®