Microsoft addresses exploited-in-the-wild bug among others • The Register
Patch Tuesday For its final Patch Tuesday of the year, Microsoft fixed one bug that’s already been exploited in the wild – and another that’s publicly known.
That brings its total for December to 49 patched vulnerabilities, six of which are rated critical.
The bug that’s listed as exploited-in-the-wild is tracked as CVE-2022-44698. It’s a Windows SmartScreen security feature bypass vulnerability, and it received a 5.4 CVSS rating.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Redmond explained in today’s security update.
Security guru Will Dormann is credited as reporting this particular bug, and has been tweeting about these types of flaws since July. It is likely related to another MOTW bug that Microsoft fixed last month.
A second vulnerability, CVE-2022-44710, while not under active exploit (at least not that we know about) is listed as publicly known, although Microsoft described it as “exploitation less likely.”
It’s a DirectX Graphics Kernel elevation of privilege flaw, and received a CVSS rating of 7.8. Successful exploitation requires an attacker to win a race condition — although, per usual, Redmond didn’t elaborate on what that race condition is. However, assuming that a miscreant did win said race condition, they could gain system privileges, so we’d suggest taking this bug seriously.
Of the six critical bugs, we’d suggest patching first, CVE-2022-41076, a PowerShell remote code execution (RCE) vulnerability. According to Microsoft, exploitation is “more likely.” It could allow an authenticated user to escape the PowerShell Remoting Session Configuration and then run unapproved commands on the infected system.
“Threat actors often try to ‘live off the land’ after an initial breach – meaning they use tools already on a system to maintain access and move throughout a network,” explained the Zero Day Initiative’s Dustin Childs. “PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don’t ignore this patch.”
Two other critical-rated flaws, CVE-2022-44690 and CVE-2022-44693, are a pair of SharePoint server RCEs.
Kev Breen, director of cyber threat research at Immersive Labs, told The Register that patching these “should be high on the list for anyone using SharePoint internally.”
“Attackers might exploit this vulnerability to steal confidential information to use in ransomware attacks, replace documents with new versions that contain malicious code, or create macros to infect other systems,” he explained.
Of the other three critical RCEs, one (CVE-2022-41127) affects Microsoft Dynamics, and two others, (CVE-2022-44670) and (CVE-2022-44676), affect Windows Secure Socket Tunneling Protocol.
Adobe fixes 37 CVEs
Also in its final 2022 Patch Tuesday, Adobe released three patches that fix 37 flaws in Illustrator, Experience Manager and Campaign Classic. None of the bugs are listed as under exploit or publicly known.
The security updates for Campaign Classic addresses an important vulnerability that could result in privilege escalation. The fixes for Experience Manager resolve flaws rated important and moderate that could result in arbitrary code execution and security feature bypass. And finally, the Illustrator patches fix important bugs that could lead to memory leak.
SAP releases 22 new and updated patches
SAP today released 22 new and updated patches, including five Hot News Notes and five High Priority notes.
The most severe, Security Note 2622660, which received a 10 out of 10 CVSS score, is an update for an April 2018 patch that fixes Google Chromium delivered with SAP Business Client.
Of the newly released patches,Security Notes 3273480 (CVSS score of 9.9) and 3267780 (CVSS score of 9.4) address two critical vulnerabilities in SAP NetWeaver Process Integration (PI).
“The ORL detected that the Messaging System and the User Defined Search in SAP PI expose services through the P4 protocol that do not require user authentication, allowing attackers to make use of an open naming and directory API to access services to perform unauthorized operations,” explained Thomas Fritsch, an SAP security researcher at Onapsis.
Additionally, Security Note 3239475 fixes a critical, 9.9-rated server-side request forgery vulnerability in SAP BusinessObjects Business Intelligence Platform.
“Attackers with ‘normal BI user privileges’ are able to upload and replace any file on the Business Objects server at the operating system level, enabling attackers to take full control of the system and has a significant impact on confidentiality, integrity, and availability of the application,” according to Fritsch.
VMware patches critical bugs
Also today, VMware issued two critical security advisories along with one other deemed important.
CVE-2022-31705 is a critical heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion. It received a maximum 9.3 CVSS score in some of the buggy products, and could allow an attacker with local admin privileges to execute code as the virtual machine’s VMX process running on the host.
“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” according to VMware.
The other critical bug is a 9.8-rated command injection vulnerability tracked as CVE-2022-31702 in VMware vRealize Network Insight. “A malicious actor with network access to the vRNI REST API can execute commands without authentication,” the virtualization giant noted.
Meanwhile, the important security update addresses two vulnerabilities (CVE-2022-31700, CVE-2022-31701) in VMware Workspace ONE Access and Identity Manager with a 7.2 CVSS score. CVE-2022-31700 is an authenticated RCE vulnerability with a 7.2 CVSS score, while CVE-2022-31701 is a broken authentication bug that received a 5.3 severity rating.
There’s a PoC exploit for this unpatched Cisco bug
Cisco issued security updates for a couple of high-severity vulnerabilities this month, including a patch released today that plugs a 7.1-rated hole in the web-based management interface of Cisco Identity Services Engine (ISE). It’s tracked as CVE-2022-20822, and could allow an authenticated attacker to list, download, and delete files on an infected device.
The second, a stack overflow bug in the the Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware, won’t be fixed until January. It’s tracked as CVE-2022-20968 and received an 8.1 severity score.
It’s especially troubling because, as Cisco warned, proof-of-concept exploit code is already available for this bug. While the networking giant’s security response team says it’s “not aware of any malicious use of the vulnerability,” in addition to no patch, there’s also no workarounds. We suggest praying for a Christmas miracle.
And the rest
Citrix also released updates to fix a “critical” RCE flaw (CVE-2022-27518) in Citrix ADA and Gateway that’s already been found and exploited by miscreants.
“We are aware of a small number of targeted attacks in the wild using this vulnerability,” the vendor noted in a blog that accompanied the security bulletin.
Fortinet also under attack
Fortinet released updates for a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN, which can be exploited to crash or possibly hijack equipment. The security vendor noted it’s aware of “an instance” where this bug has been exploited, and it recommended “immediately validating your systems” against a list of indicators of compromise for the 9.3-rated flaw, tracked as CVE-2022-42475.
Finally, wrapping up the monthly patch party, Google’s December Android security update fixed 81 bugs in these devices.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed,” it noted. ®