Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches

Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239094&gt;

On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 vulnerabilities in the report.

$ cat comments_links.txt 
Qualys|June 2022 Patch Tuesday Microsoft Releases 55 Vulnerabilities with 3 Critical; Adobe Releases 6 Advisories, 46 Vulnerabilities with 40 Critical|https://blog.qualys.com/vulnerabilities-threat-research/2022/06/14/june-2022-patch-tuesday
ZDI|THE JUNE 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/6/14/the-june-2022-security-update-review

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "June" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2022
MS PT Month: June
MS PT Date: 2022-06-14
MS PT CVEs found: 56
Ext MS PT Date from: 2022-05-11
Ext MS PT Date to: 2022-06-13
Ext MS PT CVEs found: 38
ALL MS PT CVEs: 94
...

• Urgent: 1
• Critical: 1
• High: 32
• Medium: 55
• Low: 4

The urgent one is Remote Code Execution in Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-30190). Also known as “Follina”. It was observed being exploited in the wild at the end of May. MSDT is an application that is used to automatically collect diagnostic information and send it to Microsoft when something goes wrong with Windows. The tool can be called up from other applications (Microsoft Word being the most popular example) through the special MSDT URL protocol. Attackers who successfully exploit this vulnerability can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user's rights. And now dozens of repositories with exploits for this vulnerability are available on Github. Therefore criticality is indeed Urgent. Vulristics prioritizes this correctly. While Microsoft had provided mitigation guidance in an advisory on May 30, patches were not released until June 14.

The critical vulnerability is Remote Code Execution in Windows Network File System (CVE-2022-30136). A vulnerability can be exploited by an unauthenticated attacker using a specially crafted call to a NFS service. Microsoft rated this as “Exploitation More Likely” according to its Exploitability Index. This bug looks very similar to CVE-2022-26937 – an NFS bug patched last month. The only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0. Microsoft has provided mitigation guidance to disable NFS v4.1, which should only be done if the May updates fixing previous NFS versions have been applied. The criticality of this vulnerability was increased by the advertisement of an exploit for this CVE in the github repository. Could this be a scam? Of course, but maybe it's not.

There were 7 High-level Remote Code Executions in Windows LDAP (CVE-2022-30153, CVE-2022-30161, CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149). For three of them (CVE-2022-30139, CVE-2022-30141 and CVE-2022-30143) vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. For two of them (CVE-2022-30139 and CVE-2022-30141), no user interaction is required, however an attacker must "prepare the target environment to improve exploit reliability".

Well, I would like to finish on patches that break servers. This time there were such problems too. This month's Windows Server updates are causing a wide range of issues, including VPN and RDP connectivity problems on servers with Routing and Remote Access Service (RRAS) enabled. The vast majority of reports related to these problems coming in since Patch Tuesday have a common theme: losing Remote Desktop and VPN connectivity to servers with Routing and Remote Access Service (RRAS) enabled where the June Windows Server Updates have been installed. It is not clear what is causing these issues, maybe a fix for "Windows Network Address Translation (NAT) Denial of Service Vulnerability" tracked as CVE-2022-30152 that may have introduced bugs into RRAS connectivity. "We are aware of the issue and working to provide a resolution. Customers experiencing this issue can temporarily disable the NAT feature on their RRAS server," a Microsoft spokesperson told. So let's wait for new patches.

The full report is available here: ms_patch_tuesday_june2022_report