Microsoft Patch Tuesday March 2022

2022-03-14 17:33:28
Alexander Leonov
avleonov.com

CVSS3: 8.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Hello everyone! I am glad to greet you from the most sanctioned country in the world. Despite all the difficulties, we carry on. I even have some time to release new episodes. This time it will be about Microsoft Patch Tuesday for March 2022.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239076>

I do the analysis as usual with my open source tool Vulristics. You can still download it on GitHub. I hope that GitHub won't block Russian repositories and accounts, but for now it looks possible. In that case, I will most likely start hosting the sources of my projects on avleonov.com, or on another domain if it gets even tougher. Stay tuned.

This month there were problems getting the Patch Tuesday blog posts from VM vendors. Qualys' site search broke and DuckDuckGo didn't index the ZDI blog well. Therefore, I added the links to them manually in the file passed via mspt-comments-links-path.

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "March" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"

$ cat comments_links.txt
Qualys|March 2022 Patch Tuesday: Microsoft Releases 92 Vulnerabilities with 3 Critical; Adobe Releases 3 Advisories, 6 Vulnerabilities with 5 Critical|https://blog.qualys.com/vulnerabilities-threat-research/2022/03/08/march-2022-patch-tuesday
ZDI|THE MARCH 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/3/8/the-march-2022-security-update-review

I made a change to Vulristics so that it now takes into account the Exploit Code Maturity from the CVSS Temporal Score in Microsoft's advisory data. Such a mark is weighted lower than the presence of an exploit in an exploit pack, but it still counts.

On March 8, Microsoft published 71 CVEs. Another 30 had been published since February's Patch Tuesday, all in Microsoft Edge. In total, 101 vulnerabilities. By CVSS, 50 of them are rated "High". By my Vulristics metric, only 26 of them are "High". I think this shows that my prioritization is better.

  1. The most critical vulnerability in my report is Remote Code Execution - Microsoft Defender for IoT (CVE-2022-23265). It may not be the most common product, but according to Microsoft, there is a Functional Exploit for this vulnerability: "The code works in most situations where the vulnerability exists". You will agree that this is interesting for such a vulnerability. No VM vendors have highlighted this vulnerability.
  2. In second place, Remote Code Execution - Windows Remote Desktop Client (CVE-2022-21990). "If an attacker can lure an affected RDP client to connect to their RDP server, the attacker could trigger code execution on the targeted client". It's certainly hard to imagine anyone actually using such a scenario, but having a Proof-of-Concept Exploit, according to Microsoft, is interesting.
  3. The following vulnerability was published prior to March Patch Tuesday. Memory Corruption - Microsoft Edge (CVE-2022-0609). Why is this vulnerability here? Because this vulnerability is actively exploited in the wild and has even been included in the CISA Known Exploited Vulnerabilities Catalog.
  4. The next is Remote Code Execution - Windows SMBv3 Client/Server (CVE-2022-24508). "Authentication is required here, but since this affected both clients and servers, an attacker could use this for lateral movement within a network". The need for authentication makes this vulnerability less critical, but of course it's worth patching.
  5. Security Feature Bypass - Windows HTML Platforms (CVE-2022-24502). Another vulnerability that no one highlighted, but there is a Proof-of-Concept Exploit for it somewhere. Perhaps it will develop into something critical.
  6. This vulnerability is the first one that catches the eye, since it is in software that is usually exposed on the network perimeter. Remote Code Execution - Microsoft Exchange (CVE-2022-23277). "The vulnerability would allow an authenticated attacker to execute their code with elevated privileges through a network call. Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it. Although passwords can be obtained via phishing and other means, this one shouldn't be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible." It seems this one needs to be patched first. But while there is no public exploit, there is time to do it without much haste. Also, because credentials are required, this vulnerability will most likely not be exploited in mass attacks.
  7. And the last vulnerability that I would like to mention is Elevation of Privilege - Windows Fax and Scan Service (CVE-2022-24459). Also, not much is known about it, except that according to Microsoft there is a Proof-of-Concept Exploit for it.

You can see the full version of the report here:
ms_patch_tuesday_march2022_report_with_comments_ext_img.html
