Microsoft Patch Tuesday September 2022: CLFS Driver EoP, IP packet causes RCE, Windows DNS Server DoS, Spectre-BHB

Hello everyone! Let's take a look at Microsoft's September Patch Tuesday. This time it is quite compact. There were 63 CVEs released on Patch Tuesday day. If we add the vulnerabilities released between August and September Patch Tuesdays (as usual, they were in Microsoft Edge), the final number is 90. Much less than usual.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239101&gt;

$ cat comments_links.txt 
Qualys|September 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/09/13/september-2022-patch-tuesday
ZDI|THE SEPTEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/9/13/the-september-2022-security-update-review
Kaspersky|Patches for 64 vulnerabilities in Microsoft products released|https://www.kaspersky.com/blog/microsoft-patch-tuesday-september-2022/45501/

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "September" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
MS PT Year: 2022
MS PT Month: September
MS PT Date: 2022-09-13
MS PT CVEs found: 63
Ext MS PT Date from: 2022-08-10
Ext MS PT Date to: 2022-09-12
Ext MS PT CVEs found: 27
ALL MS PT CVEs: 90
...

• Urgent: 0
• Critical: 1
• High: 41
• Medium: 44
• Low: 4

Exploitable vulnerabilities

There are no vulnerabilities with public exploits yet. There are 3 vulnerabilities for which there is a Proof-of-Concept Exploit according to data from CVSS.

1. Elevation of Privilege- Kerberos (CVE-2022-33679). An unauthenticated attacker could perform a man-in-the-middle network exploit to downgrade a client's encryption to the RC4-md4 cypher, followed by cracking the user's cypher key. The attacker could then compromise the user's Kerberos session key to elevate privileges.
2. Elevation of Privilege- Azure Guest Configuration and Azure Arc-enabled servers (CVE-2022-38007). An attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons.
3. Elevation of Privilege - Windows GDI (CVE-2022-34729). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

But the likelihood that these exploits will be used in real attacks seems low.

Exploitation in the wild

There are 3 vulnerabilities with a sign of exploitation in the wild:

• Elevation of Privilege - Windows Common Log File System Driver (CVE-2022-37969). An attacker must already have access and the ability to run code on the target system. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability affects many versions of Windows, there are patches even for EOL versions. In addition to this vulnerability, there was a bunch of EoPs in Windows with no signs of exploitation in the wild, for exampleElevation of Privilege - Windows Kernel (CVE-2022-37956, CVE-2022-37957, CVE-2022-37964)
• Security Feature Bypass - Microsoft Edge (CVE-2022-2856, CVE-2022-3075). Edge vulnerabilities are actually Chromium vulnerabilities. This is the downside of using the same engine. Chrome vulnerabilities also affect Edge, Opera, Brave, Vivaldi, etc.

IP packet causes RCE

Remote Code Execution - Windows TCP/IP (CVE-2022-34718). An unauthorized attacker can use it to execute arbitrary code on the attacked Windows computer with the IPSec service enabled by sending a specially crafted IPv6 packet to it. This vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled. IPsec and IPv6 are evil. But seriously, it's bad that this is even possible.

And that's not all, there's more. Remote Code Execution - Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34721, CVE-2022-34722). The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft reminds that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.

Windows DNS Server DoS

Denial of Service - Windows DNS Server (CVE-2022-34724). This bug is only rated Important since there’s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.

Spectre-BHB

Memory Corruption - ARM processor (CVE-2022-23960). This is yet another variation of the Spectre vulnerability (this time Specter-BHB), which interferes with a processor’s speculative execution of instructions mechanism. In other words, the probability of its use in real attacks is extremely small — the danger is somewhat theoretical. But almost all Patch Tuesday reviewers paid attention to this vulnerability.

Full Vulristics report: ms_patch_tuesday_september2022