Hello everyone! Let's take a look at Microsoft's September Patch Tuesday. This time it is quite compact. 63 CVEs were released on Patch Tuesday itself. If we add the vulnerabilities released between the August and September Patch Tuesdays (as usual, they were in Microsoft Edge), the final number is 90. Far fewer than usual.
Alternative video link (for Russia): <https://vk.com/video-149273431_456239101>
$ cat comments_links.txt
Qualys|September 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/09/13/september-2022-patch-tuesday
ZDI|THE SEPTEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/9/13/the-september-2022-security-update-review
Kaspersky|Patches for 64 vulnerabilities in Microsoft products released|https://www.kaspersky.com/blog/microsoft-patch-tuesday-september-2022/45501/
$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "September" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
...
MS PT Year: 2022
MS PT Month: September
MS PT Date: 2022-09-13
MS PT CVEs found: 63
Ext MS PT Date from: 2022-08-10
Ext MS PT Date to: 2022-09-12
Ext MS PT CVEs found: 27
ALL MS PT CVEs: 90
...
There are no vulnerabilities with public exploits yet. There are 3 vulnerabilities for which there is a Proof-of-Concept Exploit according to data from CVSS.
But the likelihood that these exploits will be used in real attacks seems low.
There are 3 vulnerabilities with a sign of exploitation in the wild:
Remote Code Execution - Windows TCP/IP (CVE-2022-34718). An unauthenticated attacker can use it to execute arbitrary code on a Windows computer with the IPsec service enabled by sending it a specially crafted IPv6 packet. This vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled. IPsec and IPv6 are evil. But seriously, it's bad that this is even possible.
And that's not all, there's more. Remote Code Execution - Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34721, CVE-2022-34722). The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, which could result in remote code execution. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft notes that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.
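Since only IKEv1 is affected but servers accept both versions, it helps to know which peers actually send IKEv1 to you. The following is an added example, not part of the original post or of Vulristics: it reads the major version from the fixed IKE header of UDP/500 and UDP/4500 payloads and counts IKEv1 messages per source. The function names, the tuple input format and the sample packets are assumptions made for illustration; it inventories protocol versions and does not detect exploitation.

```python
import struct

# Fixed IKE/ISAKMP header, 28 bytes: initiator SPI (8) | responder SPI (8) |
# next payload (1) | version (1) | exchange type (1) | flags (1) | msg ID (4) | length (4)
IKE_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages on UDP/4500 (NAT-T)


def ike_major_version(udp_payload: bytes, dst_port: int):
    """Return the IKE major version (1 or 2) of a UDP payload, or None if not IKE."""
    if dst_port == 4500:
        if not udp_payload.startswith(NON_ESP_MARKER):
            return None  # ESP-in-UDP data or a NAT keepalive, not IKE
        udp_payload = udp_payload[len(NON_ESP_MARKER):]
    elif dst_port != 500:
        return None
    if len(udp_payload) < IKE_HEADER.size:
        return None  # truncated header
    _, _, _, version, _, _, _, length = IKE_HEADER.unpack_from(udp_payload)
    if length < IKE_HEADER.size:
        return None  # declared length cannot even hold the header
    major = version >> 4  # high nibble = major version, low nibble = minor
    return major if major in (1, 2) else None


def ikev1_sources(packets):
    """packets: iterable of (src_ip, dst_port, udp_payload). Count IKEv1 messages per source."""
    counts = {}
    for src, port, payload in packets:
        if ike_major_version(payload, port) == 1:
            counts[src] = counts.get(src, 0) + 1
    return counts


def sample_header(version, exchange_type, length=28):
    # Builds a constructed header-only message (hypothetical SPI values).
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange_type, 0, 0, length)


# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    ("192.0.2.10", 500, sample_header(0x10, 2)),                     # IKEv1 Main Mode
    ("192.0.2.10", 4500, NON_ESP_MARKER + sample_header(0x10, 4)),   # IKEv1 Aggressive, NAT-T
    ("198.51.100.7", 500, sample_header(0x20, 34)),                  # IKEv2 IKE_SA_INIT
    ("203.0.113.5", 4500, b"\xff"),                                  # NAT keepalive
    ("203.0.113.5", 500, b"\x00" * 10),                              # truncated datagram
]

if __name__ == "__main__":
    print(ikev1_sources(SAMPLE))
```

Sources that never appear in the result are candidates for an IKEv2-only policy once the update is deployed.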
Denial of Service - Windows DNS Server (CVE-2022-34724). This bug is only rated Important since there’s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.
Memory Corruption - ARM processor (CVE-2022-23960). This is yet another variation of the Spectre vulnerability (this time Spectre-BHB), which interferes with a processor’s speculative execution mechanism. In other words, the probability of its use in real attacks is extremely small — the danger is somewhat theoretical. But almost all Patch Tuesday reviewers paid attention to this vulnerability.
Full Vulristics report: ms_patch_tuesday_september2022