Introducing Qualys Threat Research Thursdays

2022-09-01T21:00:00

Description

Welcome to the first edition of the Qualys Research Team’s “Threat Research Thursday” where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. We will endeavor to issue these update reports regularly, as often as every other week, or as our threat intelligence output warrants. ![](https://blog.qualys.com/wp-content/uploads/2022/09/ThreatThursday_WebinarBanners_990x350_v1.png) ## Threat Intelligence from the Qualys Blog Here is a roundup of the most interesting blogs from the Qualys Research Team from the past couple of weeks: * New Qualys Research Report: [Evolution of Quasar RAT](<https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat>) – This free downloadable report gives a sneak peek of the detailed webinar topic that Qualys Threat Research team’s Linux EDR expert Viren Chaudari will be presenting on our upcoming [Threat Thursdays webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>). * Here’s a [Simple Script to Detect the Stealthy Nation-State BPFDoor](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor>) – In this blog we explain how a simple script can detect a BPFDoor. * Introducing [Qualys CyberSecurity Asset Management 2.0](<https://www.qualys.com/apps/cybersecurity-asset-management/>) with natively integrated [External Attack Surface Management](<https://blog.qualys.com/qualys-insights/2022/07/28/attack-surface-management-a-critical-pillar-of-cybersecurity-asset-management>) – This is big news! We offer one of only a few solutions on the market that empower cybersecurity teams to manage internal and external assets at the same time! For our existing customers, [Qualys CSAM API Best Practices](<https://blog.qualys.com/product-tech/2022/08/05/qualys-api-best-practices-cybersecurity-asset-management-api>) should be a good starting point for playing with our extensive list of APIs. * [August 2022 Patch Tuesday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday>) – Microsoft and the second Tuesday of the month are inseparable (except that one time in 2017 just before the Equation Group leak!) This is our regular monthly coverage of the vulnerabilities that Microsoft and Adobe fixed this month. ## New Threat Hunting Tools & Techniques **Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53**: This is a major update to Sysmon that adds a new `event ID 27 - FileBlockExecutable` that prevents processes from creating executable files in specified locations. What this means is if you want to block certain files from executing in a certain directory, you can do so. [Get these tools & updates](<https://docs.microsoft.com/en-us/sysinternals/downloads/>). **Bomber: **All of us know how important software bills of materials (SBOMs) are, and the vulnerabilities that affect them even more so. This open-source repository tool that we’ve evaluated will help you scan JSON formatted SBOM files to point out any vulnerabilities they may have. [Check out Bomber](<https://github.com/devops-kung-fu/bomber>). **Alan C2 Framework:** Until recently, this command & control (C2) framework – even though it was hosted on GitHub – was closed source. You could download it and test it for free, but not inspect its source code unless you decompiled it. Now the source code has been made available. For example, you can now look at the [certificate information](<https://github.com/enkomio/AlanFramework/blob/8134494037435c5e6478409447efe41f563e0688/src/client/mbedtls/tests/data_files/dir-maxpath/c20.pem>) and add it to your detection pipeline if you have not already done so. [Access the Alan C2 Framework source code](<https://github.com/enkomio/AlanFramework>). **FISSURE**: This interesting Radio Frequency (RF) framework was released as open source at the recently concluded DEFCONference. With this reverse engineering RF framework, you can detect, classify signals, execute attacks, discover protocols, and analyze vulnerabilities. A lot can be done with this tool! [Check out FISSURE](<https://github.com/ainfosec/FISSURE>). **Sub7 Legacy**: The source code to your favorite trojan from the not-so-recent past is now available. Well, not really. This is a complete remake of the trojan from the early 2000’s. The look & feel is still the same – minus the malicious features, but it does make one nostalgic. Here’s hoping that threat actor groups don’t use this Delphi source code for new and nefarious use cases! [Check out the new Sub7 Legacy](<https://github.com/DarkCoderSc/SubSeven>). **Hashview**: What do you do when you dump a hash via Mimikatz and want to crack it? In a team engagement, a tool like Hashview can help. It allows you to automate hashcat, retroactively crack hashes, and get notifications on a particular event. [Check out the Hashview source code](<https://github.com/hashview/hashview>). **Center for Internet Security: **CIS published their August update for the [End-of-Support Software Report List](<https://www.cisecurity.org/insights/blog/end-of-support-software-report-list>). Use it coupled with Qualys CSAM to stay updated on software that’s no longer vendor supported. ## New Vulnerabilities [**CVE-2022-34301**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34301>)/[**CVE-2022-34302**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34302>)/[**CVE-2022-34303**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34303>) – Not much was known about these bootloader vulnerabilities when they were first disclosed as part of Microsoft Patch Tuesday. New research about these vulnerabilities was [presented at DEFCON](<https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/>) pointing towards weaknesses in third-party code signed by Microsoft. Special care must be given to fixing these vulnerabilities, as manual intervention is required for complete remediation. [**CVE-2022-30209**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30209>) – Fresh off of its disclosure at Black Hat USA 2022, this _IIS authentication bypass vulnerability_ discovered by Devcore, is [introduced](<https://twitter.com/orange_8361/status/1557504677050478594?s=20&t=KnnUPgzWitsV-dCEdSeCjA>) because of a logic error as a result of improper copy/pasting of variable names. Qualys VMDR customers can find unpatched devices in their networks by looking for QID 91922 in their results. [**CVE-2022-22047**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>) - This Windows client/server runtime subsystem (CSRSS) _elevation of privilege vulnerability_ affects almost all Windows versions, including v7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022! QIDs 91922 and 91927 should be of interest to current Qualys VMDR customers. [**CVE-2022-26138**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26138>) – The Confluence Questions app, when installed will create a `disabledsystemuser `user with a known and now _publicized hardcoded password_. Post exploitation, bad actors can read the pages accessible by the confluence-users group. [**CVE-2022-26501**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26501>) – Proof-of-concept code for this _unauthenticated remote code execution_ vulnerability affecting Veeam Distribution Service (VDS) has been available for more than four months now. When last checked on Shodan, there were more than 18,000 publicly facing devices that host Veeam Backup Services. ## Introducing the Monthly Threat Thursdays Webinar Please join us for the first [Threat Thursdays monthly webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) where the Qualys Threat Research Team will present the latest threat intelligence… each and every month! [REGISTER NOW](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>)

{"id": "QUALYSBLOG:AE4AA7402829D66599C8A25E83DD0FD2", "vendorId": null, "type": "qualysblog", "bulletinFamily": "blog", "title": "Introducing Qualys Threat Research Thursdays", "description": "Welcome to the first edition of the Qualys Research Team\u2019s \u201cThreat Research Thursday\u201d where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. We will endeavor to issue these update reports regularly, as often as every other week, or as our threat intelligence output warrants. \n\n![](https://blog.qualys.com/wp-content/uploads/2022/09/ThreatThursday_WebinarBanners_990x350_v1.png)\n\n## Threat Intelligence from the Qualys Blog\n\nHere is a roundup of the most interesting blogs from the Qualys Research Team from the past couple of weeks: \n\n * New Qualys Research Report: [Evolution of Quasar RAT](<https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat>) \u2013 This free downloadable report gives a sneak peek of the detailed webinar topic that Qualys Threat Research team\u2019s Linux EDR expert Viren Chaudari will be presenting on our upcoming [Threat Thursdays webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>). \n * Here\u2019s a [Simple Script to Detect the Stealthy Nation-State BPFDoor](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor>) \u2013 In this blog we explain how a simple script can detect a BPFDoor. \n * Introducing [Qualys CyberSecurity Asset Management 2.0](<https://www.qualys.com/apps/cybersecurity-asset-management/>) with natively integrated [External Attack Surface Management](<https://blog.qualys.com/qualys-insights/2022/07/28/attack-surface-management-a-critical-pillar-of-cybersecurity-asset-management>) \u2013 This is big news! We offer one of only a few solutions on the market that empower cybersecurity teams to manage internal and external assets at the same time! For our existing customers, [Qualys CSAM API Best Practices](<https://blog.qualys.com/product-tech/2022/08/05/qualys-api-best-practices-cybersecurity-asset-management-api>) should be a good starting point for playing with our extensive list of APIs. \n * [August 2022 Patch Tuesday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday>) \u2013 Microsoft and the second Tuesday of the month are inseparable (except that one time in 2017 just before the Equation Group leak!) This is our regular monthly coverage of the vulnerabilities that Microsoft and Adobe fixed this month. \n\n## New Threat Hunting Tools & Techniques\n\n**Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53**: This is a major update to Sysmon that adds a new `event ID 27 - FileBlockExecutable` that prevents processes from creating executable files in specified locations. What this means is if you want to block certain files from executing in a certain directory, you can do so. [Get these tools & updates](<https://docs.microsoft.com/en-us/sysinternals/downloads/>). \n\n**Bomber: **All of us know how important software bills of materials (SBOMs) are, and the vulnerabilities that affect them even more so. This open-source repository tool that we\u2019ve evaluated will help you scan JSON formatted SBOM files to point out any vulnerabilities they may have. [Check out Bomber](<https://github.com/devops-kung-fu/bomber>). \n\n**Alan C2 Framework:** Until recently, this command & control (C2) framework \u2013 even though it was hosted on GitHub \u2013 was closed source. You could download it and test it for free, but not inspect its source code unless you decompiled it. Now the source code has been made available. For example, you can now look at the [certificate information](<https://github.com/enkomio/AlanFramework/blob/8134494037435c5e6478409447efe41f563e0688/src/client/mbedtls/tests/data_files/dir-maxpath/c20.pem>) and add it to your detection pipeline if you have not already done so. [Access the Alan C2 Framework source code](<https://github.com/enkomio/AlanFramework>). \n\n**FISSURE**: This interesting Radio Frequency (RF) framework was released as open source at the recently concluded DEFCONference. With this reverse engineering RF framework, you can detect, classify signals, execute attacks, discover protocols, and analyze vulnerabilities. A lot can be done with this tool! [Check out FISSURE](<https://github.com/ainfosec/FISSURE>). \n\n**Sub7 Legacy**: The source code to your favorite trojan from the not-so-recent past is now available. Well, not really. This is a complete remake of the trojan from the early 2000\u2019s. The look & feel is still the same \u2013 minus the malicious features, but it does make one nostalgic. Here\u2019s hoping that threat actor groups don\u2019t use this Delphi source code for new and nefarious use cases! [Check out the new Sub7 Legacy](<https://github.com/DarkCoderSc/SubSeven>). \n\n**Hashview**: What do you do when you dump a hash via Mimikatz and want to crack it? In a team engagement, a tool like Hashview can help. It allows you to automate hashcat, retroactively crack hashes, and get notifications on a particular event. [Check out the Hashview source code](<https://github.com/hashview/hashview>). \n\n**Center for Internet Security: **CIS published their August update for the [End-of-Support Software Report List](<https://www.cisecurity.org/insights/blog/end-of-support-software-report-list>). Use it coupled with Qualys CSAM to stay updated on software that\u2019s no longer vendor supported. \n\n## New Vulnerabilities \n\n[**CVE-2022-34301**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34301>)/[**CVE-2022-34302**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34302>)/[**CVE-2022-34303**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34303>) \u2013 Not much was known about these bootloader vulnerabilities when they were first disclosed as part of Microsoft Patch Tuesday. New research about these vulnerabilities was [presented at DEFCON](<https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/>) pointing towards weaknesses in third-party code signed by Microsoft. Special care must be given to fixing these vulnerabilities, as manual intervention is required for complete remediation. \n\n[**CVE-2022-30209**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30209>) \u2013 Fresh off of its disclosure at Black Hat USA 2022, this _IIS authentication bypass vulnerability_ discovered by Devcore, is [introduced](<https://twitter.com/orange_8361/status/1557504677050478594?s=20&t=KnnUPgzWitsV-dCEdSeCjA>) because of a logic error as a result of improper copy/pasting of variable names. Qualys VMDR customers can find unpatched devices in their networks by looking for QID 91922 in their results. \n\n[**CVE-2022-22047**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>) - This Windows client/server runtime subsystem (CSRSS) _elevation of privilege vulnerability_ affects almost all Windows versions, including v7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022! QIDs 91922 and 91927 should be of interest to current Qualys VMDR customers. \n\n[**CVE-2022-26138**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26138>) \u2013 The Confluence Questions app, when installed will create a `disabledsystemuser `user with a known and now _publicized hardcoded password_. Post exploitation, bad actors can read the pages accessible by the confluence-users group. \n\n[**CVE-2022-26501**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26501>) \u2013 Proof-of-concept code for this _unauthenticated remote code execution_ vulnerability affecting Veeam Distribution Service (VDS) has been available for more than four months now. When last checked on Shodan, there were more than 18,000 publicly facing devices that host Veeam Backup Services. \n\n## Introducing the Monthly Threat Thursdays Webinar \n\nPlease join us for the first [Threat Thursdays monthly webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) where the Qualys Threat Research Team will present the latest threat intelligence\u2026 each and every month! \n\n[REGISTER NOW](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>)", "published": "2022-09-01T21:00:00", "modified": "2022-09-01T21:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "reporter": "Mayuresh Dani", "references": [], "cvelist": ["CVE-2022-22047", "CVE-2022-26138", "CVE-2022-26501", "CVE-2022-30209", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303"], "immutableFields": [], "lastseen": "2022-09-13T00:03:22", "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "atlassian", "idList": ["CONFSERVER-79483"]}, {"type": "attackerkb", "idList": ["AKB:0B6E13D5-84E0-4D3E-BD21-781032FA30ED", "AKB:5FAD5EC2-E77A-4F4A-B3DC-61A700F1B059", "AKB:8049CCA9-ACA9-4288-8493-4153794BD621"]}, {"type": "avleonov", "idList": ["AVLEONOV:37BE727F2D0C216B8B10BD6CBE6BD061", "AVLEONOV:4E65E4AC928647D5E246B06B953BBC6F", "AVLEONOV:B87691B304EF70215B926F66B871260A"]}, {"type": "cert", "idList": ["VU:309662"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0362", "CPAI-2022-0467"]}, {"type": "cisa", "idList": ["CISA:B99FA8E68B4D7FF5BA1F6693AC9C7CCF"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2022-22047", "CISA-KEV-CVE-2022-26138"]}, {"type": "cve", "idList": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-26138", "CVE-2022-26501", "CVE-2022-30209", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303"]}, {"type": "githubexploit", "idList": ["120220D8-2281-57EE-BD84-1A33B8841E56", "E443E98A-3304-54B8-97FD-0FEF9DA283B3"]}, {"type": "hivepro", "idList": ["HIVEPRO:D92A8F5DF20362E41FF86142A0BECE42"]}, {"type": "kaspersky", "idList": ["KLA12580", "KLA12581", "KLA12602"]}, {"type": "krebs", "idList": ["KREBS:4D5B2D5FA1A6E077B46D7F3051319E72"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:90BD6A9BB937B6617FDC4FE73A86B38A"]}, {"type": "mmpc", "idList": ["MMPC:85647D37E79AFEF2BFF74B4682648C5E"]}, {"type": "mscve", "idList": ["MS:CVE-2022-22026", "MS:CVE-2022-22047", "MS:CVE-2022-22049", "MS:CVE-2022-30209", "MS:CVE-2022-34301", "MS:CVE-2022-34302", "MS:CVE-2022-34303"]}, {"type": "mskb", "idList": ["KB5012170", "KB5015874", "KB5015877"]}, {"type": "mssecure", "idList": ["MSSECURE:85647D37E79AFEF2BFF74B4682648C5E"]}, {"type": "nessus", "idList": ["CONFLUENCE_CONFSERVER-79483.NASL", "CONFLUENCE_CVE-2022-26138.NASL", "SMB_NT_MS22_AUG_5016616.NASL", "SMB_NT_MS22_AUG_5016627.NASL", "SMB_NT_MS22_AUG_5016629.NASL", "SMB_NT_MS22_JUL_5015807.NASL", "SMB_NT_MS22_JUL_5015808.NASL", "SMB_NT_MS22_JUL_5015811.NASL", "SMB_NT_MS22_JUL_5015814.NASL", "SMB_NT_MS22_JUL_5015827.NASL", "SMB_NT_MS22_JUL_5015832.NASL", "SMB_NT_MS22_JUL_5015862.NASL", "SMB_NT_MS22_JUL_5015870.NASL", "SMB_NT_MS22_JUL_5015875.NASL", "SMB_NT_MS22_JUL_5015877.NASL", "WEB_APPLICATION_SCANNING_113328"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:65C282BB0F312A3AD8A043024FD3D866", "QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:882168BD332366CE296FB09DC00E018E", "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "RAPID7BLOG:B54637535A9D368B19D4D9881C6C34B3", "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D"]}, {"type": "redhatcve", "idList": ["RH:CVE-2022-34301", "RH:CVE-2022-34302", "RH:CVE-2022-34303"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1CC8B88D18FD4407B2AEF8B648A80C27", "TALOSBLOG:F032D3BBC6D695272384D4A3821130BF"]}, {"type": "thn", "idList": ["THN:49CD77302B5D845459BA34357D9C011C", "THN:659E57C980959B9830361E6D3C4D2687", "THN:8C2FBC83F6EC62900F1887F00903447F", "THN:908A39F901145B6FD175B16E95137ACC", "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "THN:F050B7CE35D52E330ED83AACF83D6B29"]}, {"type": "threatpost", "idList": ["THREATPOST:781705ADC10B0D40FC4B8D835FA5EA6D"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "vulnersScore": -0.2}, "_state": {"dependencies": 1663027688, "score": 1663027685}, "_internal": {"score_hash": "105c6936360755df75f5a240b88fdd14"}}

{"mskb": [{"lastseen": "2023-01-13T10:54:31", "description": "None\n## **Applies to**\n\nThis security update applies only to the following Windows versions:\n\n * * Windows Server 2012\n * Windows 8.1 and Windows Server 2012 R2\n * Windows 10, version 1507\n * Windows 10, version 1607 and Windows Server 2016\n * Windows 10, version 1809 and Windows Server 2019\n * Windows 10, version 20H2\n * Windows 10, version 21H1\n * Windows 10, version 21H2\n * Windows 10, version 22H2\n * Windows Server 2022\n * Windows 11, version 21H2\n * Windows 11, version 22H2\n * Azure Stack HCI, version 1809\n * Azure Stack Data Box, version 1809 (ASDB)\n\n## **Summary**\n\nThis security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the \"Applies to\" section. Key changes include the following: \n\n * * Windows devices that has Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX. \n \nA security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software. \n \nThis security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.\nTo learn more about this security vulnerability, see the following advisory:\n * * [ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB](<https://msrc.microsoft.com/update-guide/vulnerability/ADV200011>)\nFor additional information about this security vulnerability, see the following resources: \n * * [CVE-2022-34301 | Eurosoft Boot Loader Bypass](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34301>)\n * [CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34302>)\n * [CVE-2022-34303 | Crypto Pro Boot Loader Bypass](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34303>)\n\n## **Known issues**\n\n**Issue**| **Next step** \n---|--- \nSome original equipment manufacturer (OEM) firmware might not allow for the installation of this update.| To resolve this issue, contact your firmware OEM. \nIf BitLocker Group Policy **Configure TPM platform validation profile for native UEFI firmware configurations** is enabled and PCR7 is selected by policy, it may result in the update failing to install.To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.| To workaround this issue, do one of the following before you deploy this update:\n\n * On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:`\n \n \rManage-bde \u2013Protectors \u2013Disable C: -RebootCount 1\n\n`Then, deploy the update and restart the device to resume the BitLocker protection.\n * On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:`\n \n \rManage-bde \u2013Protectors \u2013Disable C: -RebootCount 3\t\t\t\t\n\n`Then, deploy the update and restart the device to resume the BitLocker protection. \nWhen attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.**Note** This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.| This issue can be mitigated on some devices by updating the UEFI bios to the latest version before attempting to install this update.We are presently investigating and will provide an update in an upcoming release. \nSome devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.| This issue is addressed in the servicing stack updates (SSU) and the latest cumulative updates (LCU) dated July 12, 2022 and later. \n \n## **How to get this update**\n\n**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog ](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5012170>)website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically synchronize with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, version 1903 and later, Windows 11, Azure Stack HCI, Azure Data Box**Classification**: Security Updates \n**Prerequisites**Make sure you have the lastest servicing stack update (SSU) installed. For information about the latest SSU for your operating system, see [ADV990001 | Latest Servicing Stack Updates](<https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001>).**Restart information** Your device does not have to restart when you apply this update. If you have Windows Defender Credential Guard (Virtual Secure Mode) enabled, your device might request a restart. **Update replacement information **This update replaces previously released update [KB4535680](<https://support.microsoft.com/help/4535680>).\n\n## **File information**\n\nThe English (United States) version of this security update installs files that have the attributes that are listed in the following tables. \n\n### **Azure Stack HCI, version 1809**\n\n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 13-Jul-2022| 18:12| 3 \ndbxupdate.bin| Not versioned| 13-Jul-2022| 18:12| 13,778 \nTpmTasks.dll| 10.0.17784.2602| 20-Jul-2022| 21:53| 114,688 \n \n### **Azure Stack Data Box, version 1809**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File version** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 13-Jun-2022| 21:46| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 17:50| 6,002 \nTpmTasks.dll| 10.0.17763.10933| 20-Jul-2022| 21:13| 84,992 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 13-Jul-2022| 18:07| 3 \ndbxupdate.bin| Not versioned| 13-Jul-2022| 18:07| 13,778 \nTpmTasks.dll| 10.0.17763.10933| 20-Jul-2022| 21:32| 110,592 \n \n### **Windows 11, version 22H2**\n\n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 16-Jun-2022| 19:56| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:18| 13,778 \nTpmTasks.dll| 10.0.19041.1880| 11-Jul-2022| 21:05| 296,960 \n \n### \n\n__\n\nFor all supported Arm64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 6-Jun-2022| 18:24| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:16| 4,370 \nTpmTasks.dll| 10.0.19041.1880| 11-Jul-2022| 20:43| 324,096 \n \n### **Windows 11, version 21H2**\n\n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 23-Apr-2022| 14:18| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:06| 13,778 \nTpmTasks.dll| 10.0.22000.850| 11-Jul-2022| 20:34| 323,584 \n \n### \n\n__\n\nFor all supported Arm64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 23-Apr-2022| 14:18| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:04| 4,370 \nTpmTasks.dll| 10.0.22000.850| 11-Jul-2022| 20:50| 313,856 \n \n### **Windows Server 2022**\n\n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 23-Apr-2022| 14:18| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:06| 13,778 \nTpmTasks.dll| 10.0.22000.850| 11-Jul-2022| 20:34| 323,584 \n \n### \n\n__\n\nFor all supported Arm64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 23-Apr-2022| 14:18| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:04| 4,370 \nTpmTasks.dll| 10.0.22000.850| 11-Jul-2022| 20:50| 313,856 \n \n### **Windows 10, version 22H2**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 30-Dec-21| 18:29| 3 \ndbxupdate.bin| Not versioned| 21-Jul-22| 0:24| 6,002 \nTpmTasks.dll| 10.0.14393.5285| 21-Jul-22| 0:25| 59,904 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 30-Sep-21| 13:17| 3 \ndbxupdate.bin| Not versioned| 21-Jul-22| 1:38| 13,778 \nTpmTasks.dll| 10.0.14393.5285| 21-Jul-22| 1:42| 72,192 \n \n### \n\n__\n\nFor all supported Arm64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 6-Jun-2022| 18:24| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:16| 4,370 \nTpmTasks.dll| 10.0.19041.1880| 11-Jul-2022| 20:43| 324,096 \n \n### **Windows 10, version 20H2, 21H1, and 21H2**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 11-Jul-2022| 18:16| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:16| 6,002 \nTpmTasks.dll| 10.0.19041.1880| 11-Jul-2022| 20:38| 242,688 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 16-Jun-2022| 19:56| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:18| 13,778 \nTpmTasks.dll| 10.0.19041.1880| 11-Jul-2022| 21:05| 296,960 \n \n### \n\n__\n\nFor all supported Arm64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 6-Jun-2022| 18:24| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:16| 4,370 \nTpmTasks.dll| 10.0.19041.1880| 11-Jul-2022| 20:43| 324,096 \n \n### **Windows 10, version 1809 and Windows Server 2019**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 27-Jun-2022| 17:57| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 17:47| 6,002 \nTpmTasks.dll| 10.0.17763.3280| 11-Jul-2022| 21:36| 84,992 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 24-May-2022| 12:34| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 17:50| 13,778 \nTpmTasks.dll| 10.0.17763.3280| 11-Jul-2022| 21:40| 110,592 \n \n### \n\n__\n\nFor all supported Arm64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 24-May-2022| 12:33| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 17:49| 4,370 \nTpmTasks.dll| 10.0.17763.3280| 11-Jul-2022| 21:30| 115,712 \n \n### **Windows 10, version 1607 and Windows Server 2016**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 30-Dec-2021| 18:29| 3 \ndbxupdate.bin| Not versioned| 12-Jul-2022| 20:44| 6,002 \nTpmTasks.dll| 10.0.14393.5281| 12-Jul-2022| 20:44| 59,904 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 30-Sep-2021| 13:17| 3 \ndbxupdate.bin| Not versioned| 14-Jul-2022| 2:15| 13,778 \nTpmTasks.dll| 10.0.14393.5281| 14-Jul-2022| 2:17| 72,192 \n \n### **Windows 10, version 1507**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 11-Jul-2022| 18:41| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:41| 6,002 \nTpmTasks.dll| 10.0.10240.19297| 2-May-2022| 16:52| 46,080 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 11-Jul-2022| 18:41| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:41| 13,778 \nTpmTasks.dll| 10.0.10240.19297| 2-May-2022| 16:56| 56,320 \n \n### **Windows 8.1 and Windows Server 2012 R2**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 28-Oct-2021| 12:35| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:51| 6,002 \nTpmTasks.dll| 6.3.9600.20512| 11-Jul-2022| 20:50| 152,576 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 1-Jan-2022| 0:00| 3 \ndbxupdate.bin| Not versioned| 12-Jul-2022| 12:36| 13,778 \nTpmTasks.dll| 6.3.9600.20512| 12-Jul-2022| 14:57| 181,760 \n \n### \n\n__\n\nFor all supported Arm-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 14-Oct-2021| 18:42| 3 \ndbxupdate.bin| Not versioned| 7-Jun-2022| 12:03| 7,085 \nTpmTasks.dll| 6.3.9600.20512| 11-Jul-2022| 20:38| 137,216 \n \n### **Windows Server 2012**\n\n### \n\n__\n\nFor all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 11-Jul-2022| 18:14| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:14| 6,002 \nTpmTasks.dll| 6.2.9200.23709| 21-Apr-2022| 12:26| 81,408 \n \n### \n\n__\n\nFor all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \ndbupdate.bin| Not versioned| 17-Jun-2022| 18:01| 3 \ndbxupdate.bin| Not versioned| 11-Jul-2022| 18:07| 13,778 \nTpmTasks.dll| 6.2.9200.23709| 21-Apr-2022| 12:45| 99,328 \n \n## **References**\n\nLearn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T07:00:00", "type": "mskb", "title": "KB5012170: Security update for Secure Boot DBX", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303"], "modified": "2022-08-09T07:00:00", "id": "KB5012170", "href": "https://support.microsoft.com/en-us/help/5012170", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-24T11:36:34", "description": "None\n## **Summary**\n\nLearn more about this security-only update, including improvements, any known issues, and how to get the update. \n\n**REMINDER** [Windows 8.1](<https://docs.microsoft.com/lifecycle/products/windows-81>) will reach end of support on January 10, 2023, at which point technical assistance and software updates will no longer be provided. If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11.Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization\u2019s exposure to security risks or impact its ability to meet compliance obligations.For more information, see [Windows 8.1 support will end on January 10, 2023](<https://support.microsoft.com/windows/windows-8-1-support-will-end-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93>).[Windows Server 2012 R2](<https://docs.microsoft.com/lifecycle/products/windows-server-2012-r2>) will reach end of support on October 10, 2023 for Datacenter, Essentials, Embedded Systems, Foundation, and Standard.\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements**\n\nThis security-only update includes new improvements for the following issues:\n\n * Starting with this release, we are displaying a dialog box to remind users about the End of Support (EOS) for Windows 8.1 in January 2023. If you click **Remind me later**, the dialog box will appear once every 35 days. If you click **Remind me after the end of support date**, the dialog box will not appear again until after the EOS date. This reminder does not appear on the following:\n * Managed Pro and Enterprise devices.\n * Windows Embedded 8.1 Industry Enterprise and Windows Embedded 8.1 Industry Pro devices.\n * When you use [Encrypting File System (EFS)](<https://docs.microsoft.com/windows/win32/fileio/file-encryption>) files over a remote [Web Distributed Authoring and Versioning (WebDAV) protocol](<https://docs.microsoft.com/openspecs/windows_protocols/ms-wdv/bfde1057-4214-4ca5-a431-fab36ff625bc>) connection, the connection might be unsuccessful.\n * Applications might not run after an AppLocker publisher rule is deployed.\n * Addresses a known issue that might prevent you from using the Wi-Fi hotspot feature. When attempting to use the hotspot feature, the host device might lose the connection to the Internet after a client device connects.\n * Addresses a known issue in which Windows Servers that use the Routing and Remote Access Service (RRAS) might be unable to correctly direct Internet traffic. Devices which connect to the server might not connect to the Internet, and servers can lose connection to the Internet after a client device connects.\nFor more information about the resolved security vulnerabilities, please refer to the new [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [July 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>).\n\n## **Known issues in this update**\n\n**Symptom**| **Next step** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nWe are working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5016264](<https://support.microsoft.com/help/5016264>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **REMINDER** If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer ([KB5015805](<https://support.microsoft.com/help/5015805>)).**Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other options below. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5015877>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Update \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update KB5015877](<https://download.microsoft.com/download/7/6/8/768153e1-b292-43b4-9d3a-400fe6813b63/5015877.csv>). \n\n## **References**\n\nFor information about the security updates released on July 14, 2022, see [Deployments - Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>).Learn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mskb", "title": "July 12, 2022\u2014KB5015877 (Security-only update)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T07:00:00", "id": "KB5015877", "href": "https://support.microsoft.com/en-us/help/5015877", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T11:08:55", "description": "None\n## **Summary**\n\nLearn more about this cumulative security update, including improvements, any known issues, and how to get the update. \n\n**REMINDER**[Windows 8.1](<https://docs.microsoft.com/lifecycle/products/windows-81>) will reach end of support on January 10, 2023 for all editions, at which point technical assistance and software updates will no longer be provided. If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11.Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization\u2019s exposure to security risks or impact its ability to meet compliance obligations.For more information, see [Windows 8.1 support will end on January 10, 2023](<https://support.microsoft.com/windows/windows-8-1-support-will-end-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93>).[Windows Server 2012 R2](<https://docs.microsoft.com/lifecycle/products/windows-server-2012-r2>) will reach end of support on October 10, 2023 for Datacenter, Essentials, Embedded Systems, Foundation, and Standard.\n\n**Note** For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following [article](<https://support.microsoft.com/help/824684>). To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history [home page](<https://support.microsoft.com/help/4009470>).\n\n## **Improvements**\n\nThis cumulative security update includes improvements that are part of update [KB5014738](<https://support.microsoft.com/help/5014738>) (released June 14, 2022) and includes new improvements for the following issues:\n\n * Starting with this release, we are displaying a dialog box to remind users about the End of Support (EOS) for Windows 8.1 in January 2023. If you click **Remind me later**, the dialog box will appear once every 35 days. If you click **Remind me after the end of support date**, the dialog box will not appear again until after the EOS date. This reminder does not appear on the following:\n * Managed Pro and Enterprise devices.\n * Windows Embedded 8.1 Industry Enterprise and Windows Embedded 8.1 Industry Pro devices.\n * When you use [Encrypting File System (EFS)](<https://docs.microsoft.com/windows/win32/fileio/file-encryption>) files over a remote [Web Distributed Authoring and Versioning (WebDAV) protocol](<https://docs.microsoft.com/openspecs/windows_protocols/ms-wdv/bfde1057-4214-4ca5-a431-fab36ff625bc>) connection, the connection might be unsuccessful.\n * [NTLM authentication](<https://docs.microsoft.com/troubleshoot/windows-server/windows-security/ntlm-user-authentication>) through an external trust is unsuccessful when serviced by a domain controller that has the January 11, 2022 or later Windows update installed. This issue occurs if the DC is in a non-root domain and does not hold the [global catalog](<https://docs.microsoft.com/windows/win32/ad/global-catalog>) (GC) role. Impacted operations may log the following errors:\n * The security database has not been started.\n * The domain was in the wrong state to perform the security operation.\n * 0xc00000dd (STATUS_INVALID_DOMAIN_STATE)\n * Applications might not run after an AppLocker publisher rule is deployed.\n * Addresses a known issue that might prevent you from using the Wi-Fi hotspot feature. When attempting to use the hotspot feature, the host device might lose the connection to the Internet after a client device connects.\n * Addresses a known issue in which Windows Servers that use the Routing and Remote Access Service (RRAS) might be unable to correctly direct Internet traffic. Devices which connect to the server might not connect to the Internet, and servers can lose connection to the Internet after a client device connects.\nFor more information about the resolved security vulnerabilities, please refer to the [Security Update Guide](<https://msrc.microsoft.com/update-guide>) website and the [July 2022 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>).\n\n## **Known issues in this update**\n\n**Symptom**| **Next step** \n---|--- \nCertain operations, such as **rename**, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \u201cSTATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\u201d. This occurs when you perform the operation on a CSV owner node from a process that doesn\u2019t have administrator privilege.| Do one of the following:\n\n * Perform the operation from a process that has administrator privilege.\n * Perform the operation from a node that doesn\u2019t have CSV ownership.\nWe are working on a resolution and will provide an update in an upcoming release. \n \n## **How to get this update**\n\n**Before installing this update**We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates>) and [Servicing Stack Updates (SSU): Frequently Asked Questions](<https://support.microsoft.com/help/4535697>).If you use Windows Update, the latest SSU ([KB5016264](<https://support.microsoft.com/help/5016264>)) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). **Install this update****Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5015874>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro**Classification**: Security Updates \n \n## **File information**\n\nFor a list of the files that are provided in this update, download the [file information for update 5015874](<https://download.microsoft.com/download/8/6/e/86eb07bd-caad-4045-ab27-08b4eb12d28a/5015874.csv>). \n\n## **References**\n\nFor information about the security updates released on July 12, 2022, see [Deployments - Security Update Guide](<https://msrc.microsoft.com/update-guide/deployments>).Learn about the [standard terminology](<https://docs.microsoft.com/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) that is used to describe Microsoft software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mskb", "title": "July 12, 2022\u2014KB5015874 (Monthly Rollup)", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T07:00:00", "id": "KB5015874", "href": "https://support.microsoft.com/en-us/help/5015874", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2022-09-28T17:23:30", "description": "### Overview\n\nA security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.\n\n### Description\n\nUEFI firmware is software written by vendors in the [UEFI ecosystem](<https://uefi.org/node/4046>) to provide capabilities in the early start up phases of a computer. [Secure Boot](<https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot>) is a UEFI standard that can be enabled and used to verify firmware and to protect a system against malicious code being loaded and executed early in the boot process, prior to the loading of the operating system. \n\nSecurity researchers at [Eclypsium](<https://eclypsium.com>) have found three specific UEFI bootloaders that are signed and authenticated by Microsoft to be vulnerable to a security feature bypass vulnerability allowing an attacker to bypass Secure Boot when it is enabled. The vulnerable bootloaders can be tricked to bypass Secure Boot via a custom installer (CVE-2022-34302) or an EFI shell (CVE-2022-34301 and CVE-2022-34303). As a vulnerable bootloader executes unsigned code prior to initialization of the the Operating System's (OS) boot process, it cannot be easily monitored by the OS or common Endpoint Detection and Response (EDR) tools.\n\nThe following vendor-specific bootloaders were found vulnerable:\n\n * Inherently vulnerable bootloader to bypass Secure Boot\n * New Horizon Datasys Inc (CVE-2022-34302) \n * UEFI Shell execution to bypass Secure Boot\n * CryptoPro Secure Disk (CVE-2022-34301)\n * Eurosoft (UK) Ltd (CVE-2022-34303)\n\n### Impact\n\nAn attacker can bypass a system's Secure Boot feature at startup and execute arbitrary code before the operating system (OS) loads. Code executed in these early boot phases can provide persistence to an attacker, potentially loading arbitrary kernel extensions that survive both reboot and re-installation of an OS. It may also evade common OS-based and EDR security defenses.\n\n### Solution\n\n#### Apply a patch\n\nApply your vendor-provided security updates that address these vulnerabilities to block vulnerable firmware from bypassing Secure Boot. Microsoft has provided details with their [KB5012170](<https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15>) article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated [Secure Boot Forbidden Signature Database (DBX) ](<https://uefi.org/revocationlistfile>). \n\n#### Enterprise and Product Developers\n\nAs DBX file changes can cause a system to become [unstable](<https://www.zdnet.com/article/microsoft-pulls-security-update-after-reports-of-issues-affecting-some-pcs/>), Vendors are urged to verify the DBX updates do not cause the machine to be unusable. Enterprises and Cloud Providers that manage large number of computers are also urged to do the required security updates and ensure DBX files are implemented reliably without any risk of boot failure.\n\n### Acknowledgements\n\nThanks to Mickey Shkatov and Jesse Michael of Eclypsium who researched and reported these vulnerabilities.\n\nThis document was written by Brad Runyon & Vijay Sarvepalli.\n\n### Vendor Information\n\n309662\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Microsoft __ Affected\n\nNotified: 2022-05-24 Updated: 2022-08-11\n\n**Statement Date: June 01, 2022**\n\n**CVE-2022-34301**| Affected \n---|--- \n**Vendor Statement:** \nMicrosoft has worked closely with the vendor, Eurosoft (UK) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release. \n**CVE-2022-34302**| Affected \n**Vendor Statement:** \nMicrosoft has blocked the certificate previously issued to New Horizon Datasys Inc. with the July 2022 Security Update Release. \n**CVE-2022-34303**| Affected \n**Vendor Statement:** \nMicrosoft has worked closely with the vendor, CryptoPro Secure Disk (CPSD) to remedy the vulnerable bootloader issue, and has blocked the certificate previously issued with the July 2022 Security Update Release. \n \n### Red Hat __ Affected\n\nNotified: 2022-08-02 Updated: 2022-08-25\n\n**Statement Date: August 16, 2022**\n\n**CVE-2022-34301**| Affected \n---|--- \n**CVE-2022-34302**| Affected \n**CVE-2022-34303**| Affected \n \n#### Vendor Statement\n\nRed Hat has evaluated this issue and determined we are affected by this vulnerability. Although Red Hat doesn't ship any of the affected shim versions, it would still be bootable in machines installed with Red Hat Enterprise Linux as the shim signatures are still not listed in the DBX. Red Hat is working to provide a DBX update disallowing the affected shims to be booted.\n\n### Fujitsu __ Not Affected\n\nNotified: 2022-09-21 Updated: 2022-09-28\n\n**Statement Date: September 23, 2022**\n\n**CVE-2022-34301**| Not Affected \n---|--- \n**CVE-2022-34302**| Not Affected \n**CVE-2022-34303**| Not Affected \n \n#### Vendor Statement\n\nFujitsu is aware of the vulnerabilities in third party UEFI bootloaders by New Horizon Datasys Inc, CryptoPro Secure Disk and Eurosoft (UK) Ltd.\n\nFujitsu commenced an analysis, inquired manufacturer Insyde, and simultaneously resorted to CERT/CC intelligence.\n\nBased on that, UEFI-BIOS manufacturers will provide a Secure Boot Forbidden Signature Database (DBX) update, along with future firmware releases. These updates will be integrated timely into Fujitsu UEFI-BIOS firmware.\n\nThe Fujitsu PSIRT has no plans to issue a dedicated Security Notice or similar. Due to the mitigation by OEM vendors and OS vendors at the same time, the issue is therefore considered resolved.\n\nIn case of questions, please contact the Fujitsu PSIRT (Fujitsu-PSIRT@ts.fujitsu.com).\n\n### Insyde Software Corporation Not Affected\n\nNotified: 2022-08-09 Updated: 2022-08-25\n\n**Statement Date: August 17, 2022**\n\n**CVE-2022-34301**| Not Affected \n---|--- \n**CVE-2022-34302**| Not Affected \n**CVE-2022-34303**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Phoenix Technologies Not Affected\n\nNotified: 2022-08-09 Updated: 2022-08-11\n\n**Statement Date: August 09, 2022**\n\n**CVE-2022-34301**| Not Affected \n---|--- \n**CVE-2022-34302**| Not Affected \n**CVE-2022-34303**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Toshiba Corporation Not Affected\n\nNotified: 2022-08-02 Updated: 2022-08-25\n\n**Statement Date: August 16, 2022**\n\n**CVE-2022-34301**| Not Affected \n---|--- \n**CVE-2022-34302**| Not Affected \n**CVE-2022-34303**| Not Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Intel __ Unknown\n\nNotified: 2022-08-02 Updated: 2022-09-12\n\n**Statement Date: August 26, 2022**\n\n**CVE-2022-34301**| Unknown \n---|--- \n**Vendor Statement:** \nIntel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners. \n**CVE-2022-34302**| Unknown \n**Vendor Statement:** \nIntel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners. \n**CVE-2022-34303**| Unknown \n**Vendor Statement:** \nIntel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners. \n \n#### Vendor Statement\n\nIntel is aware of reports around a vulnerability within signed bootloaders and is actively investigating if our products are impacted. If products are found to be impacted, a security advisory will be published coordinated with our ecosystem partners.\n\n### Acer Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Amazon Unknown\n\nUpdated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AMD Unknown\n\nNotified: 2022-08-11 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### American Megatrends Incorporated (AMI) Unknown\n\nNotified: 2022-08-09 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ASUSTeK Computer Inc. Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Debian GNU/Linux Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dynabook Inc. Unknown\n\nNotified: 2022-08-24 Updated: 2022-08-25 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Gamma Tech Computer Corp. Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### GETAC Inc. Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Google Unknown\n\nUpdated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HP Inc. Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lenovo Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ReactOS Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Star Labs Online Limited Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### UEFI Security Response Team Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### VAIO Corporation Unknown\n\nNotified: 2022-08-02 Updated: 2022-08-11 **CVE-2022-34301**| Unknown \n---|--- \n**CVE-2022-34302**| Unknown \n**CVE-2022-34303**| Unknown \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 25 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022>\n * <https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15>\n * <https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot>\n * <https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot>\n * <https://uefi.org/sites/default/files/resources/Insyde%20HPE%20NSA%20and%20UEFI%20Secure%20Boot%20Guidelines_FINAL%20v2.pdf>\n * <https://eclypsium.com/2022/07/26/firmware-security-realizations-part-1-secure-boot-and-dbx/>\n * <https://www.zdnet.com/article/microsoft-pulls-security-update-after-reports-of-issues-affecting-some-pcs/>\n * <https://uefi.org/revocationlistfile>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2022-34301 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-34301>) [CVE-2022-34302 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-34302>) [CVE-2022-34303 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-34303>) \n---|--- \n**API URL: ** | VINCE JSON | CSAF \n**Date Public:** | 2022-08-11 \n**Date First Published:** | 2022-08-11 \n**Date Last Updated: ** | 2022-09-28 15:32 UTC \n**Document Revision: ** | 5 \n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T00:00:00", "type": "cert", "title": "Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303"], "modified": "2022-09-28T15:32:00", "id": "VU:309662", "href": "https://www.kb.cert.org/vuls/id/309662", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-08-13T16:15:16", "description": "[![Boot Loaders](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiOTFfjdzI6BxlMGVqOYdMZInBX6v1uUwksEPq02Vmc8CaGff1La_jrz3Guok3LsuDryJGYZaBlMcpTTDVEnACkrudTS2Kbr5stlqs1IPkIZC3sK3Z9nbnndimw5Diu_FFkitgRbk8pS_WHIainQnT7v1GJ9-IxDiYU-rhtC0dpt_-QaMUM9vh4CsUe/s728-e1000/bootloader.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiOTFfjdzI6BxlMGVqOYdMZInBX6v1uUwksEPq02Vmc8CaGff1La_jrz3Guok3LsuDryJGYZaBlMcpTTDVEnACkrudTS2Kbr5stlqs1IPkIZC3sK3Z9nbnndimw5Diu_FFkitgRbk8pS_WHIainQnT7v1GJ9-IxDiYU-rhtC0dpt_-QaMUM9vh4CsUe/s728-e100/bootloader.jpg>)\n\nA security feature bypass vulnerability has been uncovered in three signed third-party Unified Extensible Firmware Interface ([UEFI](<https://en.wikipedia.org/wiki/UEFI>)) boot loaders that allow bypass of the UEFI Secure Boot feature.\n\n\"These vulnerabilities can be exploited by mounting the EFI System Partition and replacing the existing bootloader with the vulnerable one, or modifying a UEFI variable to load the vulnerable loader instead of the existing one,\" hardware security firm Eclypsium [said](<https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022>) in a report shared with The Hacker News.\n\nThe following [vendor-specific boot loaders](<https://kb.cert.org/vuls/id/309662>), which were signed and authenticated by Microsoft, have been found vulnerable to the bypass and have been patched as part of the tech giant's [Patch Tuesday update](<https://thehackernews.com/2022/08/microsoft-issues-patches-for-121-flaws.html>) released this week -\n\n * Eurosoft Boot Loader ([CVE-2022-34301](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34301>))\n * New Horizon Data Systems Inc Boot Loader ([CVE-2022-34302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34302>)), and\n * Crypto Pro Boot Loader ([CVE-20220-34303](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34303>))\n\nSecure Boot is a [security standard](<https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot>) designed to thwart malicious programs from loading when a computer starts up (boots) and ensure only the software that is trusted by the Original Equipment Manufacturer (OEM) is launched.\n\n\"The firmware boot loaders boot the UEFI environment and hands over control to UEFI applications written by the SoC vendor, Microsoft, and OEMs,\" Microsoft [notes](<https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/boot-and-uefi>) in its documentation. \"The UEFI environment launches the Windows Boot Manager, which determines whether to boot to Full Flash Update (FFU) image flashing or device reset mode, to the update OS, or to the main OS.\"\n\n[![Boot Loaders](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj0KiXfCZpGUNDe4cHiRS5wgEY-34NpfN1PrLm7mC8ZWq6-QtMO6uCsfId8hWYoapUykp4vMwSSXNityVgwVCpS5TEbH3dHHuaxz3O_E9NTeg4hJeXCwnrWIHx2tftRqpYbe9T_4af6LJLQjJTVYsCmuIGsGVboYDHfBg9HVRK5HyRr1YfZITxfGAlL/s728-e1000/exploit.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj0KiXfCZpGUNDe4cHiRS5wgEY-34NpfN1PrLm7mC8ZWq6-QtMO6uCsfId8hWYoapUykp4vMwSSXNityVgwVCpS5TEbH3dHHuaxz3O_E9NTeg4hJeXCwnrWIHx2tftRqpYbe9T_4af6LJLQjJTVYsCmuIGsGVboYDHfBg9HVRK5HyRr1YfZITxfGAlL/s728-e100/exploit.jpg>)\n\nIn a nutshell, [successful exploitation of the flaws](<https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15>) identified by Eclypsium could permit an adversary to circumvent security guardrails at startup and execute arbitrary unsigned code during the boot process.\n\nThis can have further knock-on effects, enabling a bad actor to gain entrenched access and [establish persistence](<https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html>) on a host through in a manner that can survive operating system reinstalls and hard drive replacements, not to mention completely bypassing detection by security software.\n\nCalling CVE-2022-34302 \"far more stealthy,\" Eclypsium noted the New Horizon Datasys vulnerability is not only trivial to exploit in the wild, but can also \"enable even more complex evasions such as disabling security handlers.\"\n\nSecurity handlers, for instance, can [include](<https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation>) Trusted Platform Module (TPM) measurements and signature checks, Eclypsium researchers Mickey Shkatov and Jesse Michael said. \n\nIt's worth noting that exploiting these vulnerabilities requires an attacker to have administrator privileges, although gaining local privilege escalation is not considered insurmountable owing to the fact that Microsoft doesn't treat User Account Control ([UAC](<https://en.wikipedia.org/wiki/User_Account_Control>)) bypass as a [security risk](<https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria>).\n\n\"Much like [BootHole](<https://thehackernews.com/2020/07/grub2-bootloader-vulnerability.html>), these vulnerabilities highlight the challenges of ensuring the boot integrity of devices that rely on a complex supply chain of vendors and code working together,\" the researchers concluded, adding \"these issues highlight how simple vulnerabilities in third-party code can undermine the entire process.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-08-12T20:02:00", "type": "thn", "title": "Researchers Uncover UEFI Secure Boot Bypass in 3 Microsoft Signed Boot Loaders", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303"], "modified": "2022-08-13T12:24:29", "id": "THN:659E57C980959B9830361E6D3C4D2687", "href": "https://thehackernews.com/2022/08/researchers-uncover-uefi-secure-boot.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-02T07:00:49", "description": "[![Atlassian Confluence Hard-Coded Credential Bug](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiEecCIZ-XaRJ4zcsuHaTxv40ceAY7a-zwUbCwG5pavcIkynNfkEL5b0bk3LuyI1j93_OpxDVhmeq2JIDgf2F5gePc20N6z3BLfb8ACE-Hs8BRt0o_lGbsdvT1pJhsBkfeBjvP-oakItq7nm9H28Bo9TQREhjN8EA14vZTuUU3vCCGPWgZ9DEstAMmf/s728-e1000/cisa.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiEecCIZ-XaRJ4zcsuHaTxv40ceAY7a-zwUbCwG5pavcIkynNfkEL5b0bk3LuyI1j93_OpxDVhmeq2JIDgf2F5gePc20N6z3BLfb8ACE-Hs8BRt0o_lGbsdvT1pJhsBkfeBjvP-oakItq7nm9H28Bo9TQREhjN8EA14vZTuUU3vCCGPWgZ9DEstAMmf/s728-e100/cisa.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/07/29/cisa-adds-one-known-exploited-vulnerability-catalog>) the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.\n\nThe vulnerability, tracked as [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.\n\n\"A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,\" CISA [notes](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in its advisory.\n\n[![Atlassian Confluence](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj0HlXLLx13DKw6KdL9aiyLzkfseKk26WHbECW9EuVAK8HemGF60r4yqvMLbBNmg2C7pxYyzORkxlDkvZNDNlX8XiSd69Eafk_2BLHONWx_a48pMVrF_79sQCg0dubLIL_rH6rjdVuD0lmtcPt11KVakdJCUlX6MSu833QUV4IexS8mTDkDoUAvH8HUaA/s728-e1000/cisa.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj0HlXLLx13DKw6KdL9aiyLzkfseKk26WHbECW9EuVAK8HemGF60r4yqvMLbBNmg2C7pxYyzORkxlDkvZNDNlX8XiSd69Eafk_2BLHONWx_a48pMVrF_79sQCg0dubLIL_rH6rjdVuD0lmtcPt11KVakdJCUlX6MSu833QUV4IexS8mTDkDoUAvH8HUaA/s728-e100/cisa.jpg>)\n\nDepending on the page restrictions and the information a company has in Confluence, successful exploitation of the shortcoming could lead to the disclosure of sensitive information.\n\nAlthough the bug was addressed by the Australian software company last week in versions 2.7.38 and 3.0.5, it has since come [under active exploitation](<https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html>), cybersecurity firm Rapid7 disclosed this week.\n\n\"Exploitation efforts at this point do not seem to be very widespread, though we expect that to change,\" Erick Galinkin, principal AI researcher at Rapid7, told The Hacker News.\n\n\"The good news is that the vulnerability is in the Questions for Confluence app and _not_ in Confluence itself, which reduces the attack surface significantly.\"\n\nWith the flaw now added to the catalog, Federal Civilian Executive Branch (FCEB) in the U.S. are mandated to apply patches by August 19, 2022, to reduce their exposure to cyberattacks.\n\n\"At this point, the vulnerability has been public for a relatively short amount of time,\" Galinkin noted. \"Coupled with the absence of meaningful post-exploitation activity, we don't yet have any threat actors attributed to the attacks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-07-30T03:54:00", "type": "thn", "title": "CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-02T06:42:46", "id": "THN:908A39F901145B6FD175B16E95137ACC", "href": "https://thehackernews.com/2022/07/cisa-warns-of-atlassian-confluence-hard.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-29T03:59:30", "description": "[![Atlassian Confluence](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjkxSAMgSsFZhb4DyOrv7jlV3A4nb55euT83HxRQMejOiw7UHuT9uTYns_ngLd4U6KF7vN-KarRobTWnwkATG6Q2ql1xpYPHfSvB-iJn8pY0T3rfaRpCwyerROalVbwZK4317SC19907zo6BS65jDRzsVx18rjEfxA_oVj6wzdoEkyJJAI4Q1JxsbJl/s728-e1000/Atlassian-Confluence.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjkxSAMgSsFZhb4DyOrv7jlV3A4nb55euT83HxRQMejOiw7UHuT9uTYns_ngLd4U6KF7vN-KarRobTWnwkATG6Q2ql1xpYPHfSvB-iJn8pY0T3rfaRpCwyerROalVbwZK4317SC19907zo6BS65jDRzsVx18rjEfxA_oVj6wzdoEkyJJAI4Q1JxsbJl/s728-e100/Atlassian-Confluence.jpg>)\n\nA week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild.\n\nThe bug in question is [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to gain unrestricted access to all pages in Confluence.\n\nThe real-world exploitation follows the release of the hard-coded credentials on Twitter, prompting the Australian software company to prioritize patches to mitigate potential threats targeting the flaw.\n\n\"Unsurprisingly, it didn't take long [...] to observe exploitation once the hard-coded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks,\" Rapid7 security researcher Glenn Thorpe [said](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).\n\n[![Atlassian Confluence Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgQF8uoUiufKEleM-yHfQ0lN3WghNEStj2b_QKvuWRV2YnIQm1QmcjsY7RPKKQWQgQ1fuvJ67SI7p4fiY6xW052wY4BZC3Wi5JyVU3EL-XCESStOGZLE2kSoL9gGC-Mz_xbNZ5SrfcW22ED9SF4L5pJUBB1xCQn5zYlws4mPxknxGGYChZ9xJ4m625R/s728-e1000/app.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgQF8uoUiufKEleM-yHfQ0lN3WghNEStj2b_QKvuWRV2YnIQm1QmcjsY7RPKKQWQgQ1fuvJ67SI7p4fiY6xW052wY4BZC3Wi5JyVU3EL-XCESStOGZLE2kSoL9gGC-Mz_xbNZ5SrfcW22ED9SF4L5pJUBB1xCQn5zYlws4mPxknxGGYChZ9xJ4m625R/s728-e100/app.jpg>)\n\nIt's worth noting that the bug only exists when the Questions for Confluence app is enabled. That said, uninstalling the Questions for Confluence app does not remediate the flaw, as the created account does not get automatically removed after the app has been uninstalled.\n\nUsers of the affected product are advised to update their on-premise instances to the latest versions (2.7.38 and 3.0.5) as soon as possible, or take steps to disable/delete the account.\n\nThe development also arrives as Palo Alto Networks, in its [2022 Unit 42 Incident Response Report](<https://www.paloaltonetworks.com/unit42/2022-incident-response-report>), found that threat actors are scanning for vulnerable endpoints within 15 minutes of public disclosure of a new security flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-07-29T03:19:00", "type": "thn", "title": "Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T03:22:24", "id": "THN:49CD77302B5D845459BA34357D9C011C", "href": "https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-18T04:09:35", "description": "[![Veeam Backup and Replication](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhipTgszlTYwFj_AONo9C2lRQxAg6vTcz7G6oFzXNL4ZItrznU-iYvUjSAWkRj8093vFBfqAazb-yWVTWaHuyW6X8r2dpMoPmK6G_LY9NpZBuKptb90Nkq9UEXeMhtop80yQXpZxE4XP2tdhfYTNqmh0tO8oTLRFKBgiaAg-EBQSGVEYLvv3uwxu4Xp/s728-e100/veeam.png>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/12/13/cisa-adds-five-known-exploited-vulnerabilities-catalog>) two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) Catalog, citing evidence of active exploitation in the wild.\n\nThe now-patched critical flaws, tracked as **CVE-2022-26500 and CVE-2022-26501**, are both rated 9.8 on the CVSS scoring system, and could be leveraged to gain control of a target system.\n\n\"The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions,\" Veeam [noted](<https://www.veeam.com/kb4288>) in an advisory published in March 2022. \"A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.\"\n\nBoth the issues that impact product versions 9.5, 10, and 11 have been addressed in versions 10a and 11a. Users of Veeam Backup & Replication 9.5 are advised to upgrade to a supported version.\n\nNikita Petrov, a security researcher at Russian cybersecurity firm Positive Technologies, has been credited with discovering and reporting the weaknesses.\n\n\"We believe that these vulnerabilities will be exploited in real attacks and will put many organizations at significant risk,\" Petrov [said](<https://www.ptsecurity.com/ww-en/about/news/vulnerabilities-in-veeam-backup-solutions-dangerous-for-data-centers-and-windows-systems-eliminated-thanks-to-positive-technologies/>) on March 16, 2022. \"That is why it is important to install updates as soon as possible or at least take measures to detect abnormal activity associated with these products.\"\n\nDetails on the attacks exploiting these vulnerabilities are unknown as yet, but cybersecurity company CloudSEK [disclosed](<https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/>) in October that it observed multiple threat actors advertising a \"fully weaponized tool for remote code execution\" that abuse the two flaws.\n\nSome of the possible consequences of successful exploitation are infection with ransomware, data theft, and denial-of-service, making it imperative that users apply the updates.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-16T05:45:00", "type": "thn", "title": "CISA Alert: Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26500", "CVE-2022-26501"], "modified": "2022-12-18T03:31:24", "id": "THN:00E123D81D03F891E789A76E9D559499", "href": "https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-22T03:59:04", "description": "[![Atlassian Confluence Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgwDyGaM4FdPe7m1y8beGIF9lst24L3fkt-FcrOap-X3fu09AhyO7t96mPZ_Q18jTQk8eFV8Z51Gfcp2Ryc_rvunTZbKZlMR3V32iWdinfxc04Gi4-7Y00aCE5kd4OLdU_CVTDy9G5mG9nh8rknBtsXbXwgwYWh-zeyeSlzCme-VBas1mHIY53IAJWH/s728-e1000/Atlassian-Confluence-Vulnerability.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgwDyGaM4FdPe7m1y8beGIF9lst24L3fkt-FcrOap-X3fu09AhyO7t96mPZ_Q18jTQk8eFV8Z51Gfcp2Ryc_rvunTZbKZlMR3V32iWdinfxc04Gi4-7Y00aCE5kd4OLdU_CVTDy9G5mG9nh8rknBtsXbXwgwYWh-zeyeSlzCme-VBas1mHIY53IAJWH/s728-e100/Atlassian-Confluence-Vulnerability.jpg>)\n\nAtlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting [the Questions For Confluence](<https://marketplace.atlassian.com/apps/1211644/questions-for-confluence>) app for Confluence Server and Confluence Data Center.\n\nThe flaw, tracked as **CVE-2022-26138**, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username \"disabledsystemuser.\"\n\nWhile this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default.\n\n\"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the [confluence-users group](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>) has access to,\" the company [said](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) in an advisory, adding that \"the hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app.\"\n\nQuestions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are impacted by the flaw, with fixes available in versions 2.7.38 and 3.0.5. Alternatively, users can [disable or delete](<https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html>) the disabledsystemuser account.\n\nWhile Atlassian has pointed out that there's no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account. \"If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it,\" it said.\n\nSeparately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, impacting multiple products -\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Fisheye and Crucible\n * Jira Server and Data Center, and\n * Jira Service Management Server and Data Center\n\nSuccessful exploitation of the bugs, tracked as CVE-2022-26136 and CVE-2022-26137, could enable an unauthenticated, remote attacker to bypass authentication used by third-party apps, execute arbitrary JavaScript code, and circumvent the cross-origin resource sharing ([CORS](<https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>)) browser mechanism by sending a specially crafted HTTP request.\n\n\"Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,\" the company [cautioned](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>) in its advisory regarding CVE-2022-26137.\n\n**_Update:_** Atlassian on Thursday warned that the critical Questions For Confluence app vulnerability is likely to be exploited in the wild after the hard-coded password became publicly known, urging its customers to remediate the issue as soon as possible.\n\n\"An external party has discovered and publicly disclosed the hardcoded password on Twitter,\" the company said. \"It is important to remediate this vulnerability on affected systems immediately.\"\n\nThe software firm also emphasized that uninstalling the Questions for Confluence app does not address the vulnerability, as the created account does not get automatically removed after the app has been uninstalled. It's instead recommending that users either update to the latest version of the app or manually disable or delete the account.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-07-21T08:41:00", "type": "thn", "title": "Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-22T02:37:51", "id": "THN:F050B7CE35D52E330ED83AACF83D6B29", "href": "https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-29T03:59:29", "description": "[![Windows and Adobe Zero-Days](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRrnxKtJzXQbaLrPRY2GEIij8so07HImMs9wbPTTP-j92ED6wxTFv-NdQyw_Z0JBlqIYh-H3g2WKAcIkt70zKcB5AxP9KcQgCqChBwNsYPu9CQ_Xp6uBmkhxyoNZpHZIIQrV5TkreAFNBg-kFpOzjxBYxhl5bZqKZH6j9zgyd3itncGVyM5L09fy-c/s728-e1000/windows-hacker.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRrnxKtJzXQbaLrPRY2GEIij8so07HImMs9wbPTTP-j92ED6wxTFv-NdQyw_Z0JBlqIYh-H3g2WKAcIkt70zKcB5AxP9KcQgCqChBwNsYPu9CQ_Xp6uBmkhxyoNZpHZIIQrV5TkreAFNBg-kFpOzjxBYxhl5bZqKZH6j9zgyd3itncGVyM5L09fy-c/s728-e100/windows-hacker.jpg>)\n\nA cyber mercenary that \"ostensibly sells general security and information analysis services to commercial customers\" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities.\n\nThe company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called [DSIRF](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) that's linked to the development and attempted sale of a piece of cyberweapon referred to as **Subzero**, which can be used to hack targets' phones, computers, and internet-connected devices.\n\n\"Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,\" the tech giant's cybersecurity teams [said](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) in a Wednesday report.\n\nMicrosoft is [tracking](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>) the actor under the moniker KNOTWEED, continuing its trend of terming PSOAs using names given to trees and shrubs. The company previously designated the name [SOURGUM](<https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html>) to Israeli spyware vendor Candiru.\n\nKNOTWEED is known to dabble in both access-as-a-service and [hack-for-hire](<https://thehackernews.com/2022/06/google-blocks-dozens-of-malicious.html>) operations, offering its toolset to third parties as well as directly associating itself in certain attacks.\n\nWhile the former entails the sales of end-to-end hacking tools that can be used by the purchaser in their own operations without the involvement of the offensive actor, hack-for-hire groups run the targeted operations on behalf of their clients.\n\nThe deployment of Subzero is said to have transpired through the exploitation of numerous issues, including an attack chain that abused an unknown Adobe Reader remote code execution (RCE) flaw and a zero-day privilege escalation bug ([CVE-2022-22047](<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>)), the latter of which was addressed by Microsoft as part of its July Patch Tuesday updates.\n\n\"The exploits were packaged into a PDF document that was sent to the victim via email,\" Microsoft explained. \"CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes and achieve system-level code execution.\"\n\nSimilar attack chains observed in 2021 leveraged a combination of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in conjunction with an Adobe reader flaw (CVE-2021-28550). The three vulnerabilities were [resolved](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) in June 2021.\n\nThe deployment of Subzero subsequently occurred through a fourth exploit, this time taking advantage of a privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>)), which was closed by Microsoft in August 2021.\n\nBeyond these exploit chains, Excel files masquerading as real estate documents have been used as a conduit to deliver the malware, with the files containing [Excel 4.0 macros](<https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html>) designed to kick-start the infection process.\n\nRegardless of the method employed, the intrusions culminate in the execution of shellcode, which is used to retrieve a second-stage payload called Corelump from a remote server in the form of a JPEG image that also embeds a loader named Jumplump that, in turn, loads Corelump into memory.\n\nThe evasive implant comes with a wide range of capabilities, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from the remote server.\n\nAlso deployed during the attacks were bespoke utilities like Mex, a command-line tool to run open source security software like Chisel, and PassLib, a tool to dump credentials from web browsers, email clients, and the Windows credential manager.\n\nMicrosoft said it uncovered KNOTWEED actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, alongside identifying subdomains that are used for malware development, debugging Mex, and staging the Subzero payload.\n\nMultiple links have also been unearthed between DSIRF and the malicious tools used in KNOTWEED's attacks.\n\n\"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,\" Redmond noted.\n\nSubzero is no different from off-the-shelf malware such as [Pegasus](<https://thehackernews.com/2022/07/pegasus-spyware-used-to-hack-devices-of.html>), [Predator](<https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html>), [Hermit](<https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html>), and [DevilsTongue](<https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html>), which are capable of infiltrating phones and Windows machines to remotely control the devices and siphon off data, sometimes without requiring the user to click on a malicious link.\n\nIf anything, the latest findings highlight a burgeoning international market for such sophisticated surveillance technologies to carry out targeted attacks aimed at members of civil society.\n\nAlthough companies that sell commercial spyware advertise their wares as a means to tackle serious crimes, evidence gathered so far has found [several instances](<https://thehackernews.com/2022/06/nso-confirms-pegasus-spyware-used-by-at.html>) of these tools being misused by authoritarian governments and private organizations to snoop on human rights advocates, journalists, dissidents, and politicians.\n\nGoogle's Threat Analysis Group (TAG), which is tracking over 30 vendors that hawk exploits or surveillance capabilities to state-sponsored actors, said the booming ecosystem underscores \"the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments.\"\n\n\"These vendors operate with deep technical expertise to develop and operationalize exploits,\" TAG's Shane Huntley [said](<https://blog.google/threat-analysis-group/googles-efforts-to-identify-and-counter-spyware/>) in a testimony to the U.S. House Intelligence Committee on Wednesday, adding, \"its use is growing, fueled by demand from governments.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T11:18:00", "type": "thn", "title": "Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-22047"], "modified": "2022-07-29T02:58:07", "id": "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "href": "https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-13T05:57:21", "description": "[![Microsoft](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhMMVV60incjQemAA8K9lAWSescsqjqG2a3UdVc4GiCMmXBd6175xW7cZiTJONSGUB1N9s-MMZARqaZP7h-OdKy4jUdvvT_H-aPCCLF9TKLu1S1Xcj8NZh673Hir7VOwNMNdOLjEU6LSXewzYkJXyX0Y0dpIn7L1WK7IuD61f1iG8uajyHoBwST8KVh/s728-e1000/windows-update.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhMMVV60incjQemAA8K9lAWSescsqjqG2a3UdVc4GiCMmXBd6175xW7cZiTJONSGUB1N9s-MMZARqaZP7h-OdKy4jUdvvT_H-aPCCLF9TKLu1S1Xcj8NZh673Hir7VOwNMNdOLjEU6LSXewzYkJXyX0Y0dpIn7L1WK7IuD61f1iG8uajyHoBwST8KVh/s728-e100/windows-update.jpg>)\n\nMicrosoft released its monthly round of Patch Tuesday updates to address [84 new security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.\n\nOf the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are [two other bugs](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in the Chromium-based Edge browser, one of which plugs another [zero-day flaw](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) that Google disclosed as being actively exploited in real-world attacks.\n\nTop of the list of this month's updates is [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem ([CSRSS](<https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem>)) that could be abused by an attacker to gain SYSTEM permissions.\n\n\"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,\" Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. \"With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.\"\n\nVery little is known about the nature and scale of the attacks other than an \"Exploitation Detected\" assessment from Microsoft. The company's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.\n\nBesides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component \u2014 [CVE-2022-22026](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026>) (CVSS score: 8.8) and [CVE-2022-22049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22049>) (CVSS score: 7.8) \u2014 that were reported by Google Project Zero researcher Sergei Glazunov.\n\n\"A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from [AppContainer](<https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation>) to SYSTEM,\" Microsoft said in an advisory for CVE-2022-22026.\n\n\"Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.\"\n\nAlso remediated by Microsoft include a number of remote code execution bugs in Windows Network File System ([CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) and [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>)), Windows Graphics ([CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>)), Remote Procedure Call Runtime ([CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>)), and Windows Shell ([CVE-2022-30222](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30222>)).\n\nThe update further stands out for patching as many as 32 issues in the [Azure Site Recovery](<https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview>) business continuity service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.\n\n\"Successful exploitation [...] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server,\" the company said, adding the flaws do not \"allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable.\"\n\nOn top of that, Microsoft's July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module ([CVE-2022-22022](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22022>), [CVE-2022-22041](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22041>), [CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>), and [CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>)) after a [brief respite in June 2022](<https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html>), underscoring what appears to be a never-ending stream of flaws plaguing the technology.\n\nRounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service ([CVE-2022-30216](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30216>)) and Microsoft Defender for Endpoint ([CVE-2022-33637](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33637>)) and three denial-of-service (DoS) flaws in Internet Information Services ([CVE-2022-22025](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22025>) and [CVE-2022-22040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22040>)) and Security Account Manager ([CVE-2022-30208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30208>)).\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/security/bulletin/2022-07-01>)\n * [Apache Projects](<https://blogs.apache.org/foundation/date/20220712>)\n * [Cisco](<https://thehackernews.com/2022/07/cisco-and-fortinet-release-security.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Fortinet](<https://thehackernews.com/2022/07/cisco-and-fortinet-release-security.html>)\n * [GitLab](<https://about.gitlab.com/releases/2022/07/04/gitlab-15-1-2-released/>)\n * [Google Chrome](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/July-2022>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2022-bulletin.html>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-13T04:15:00", "type": "thn", "title": "Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-22022", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30216", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30226", "CVE-2022-33637"], "modified": "2022-07-13T05:36:49", "id": "THN:8C2FBC83F6EC62900F1887F00903447F", "href": "https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2022-11-21T14:47:55", "description": "An authentication bypass vulnerability exists in Veeam Backup and Replication. Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-06T00:00:00", "type": "checkpoint_advisories", "title": "Veeam Backup and Replication Authentication Bypass (CVE-2022-26501)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26501"], "modified": "2022-11-21T00:00:00", "id": "CPAI-2022-0781", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T23:29:47", "description": "A hardcoded credentials vulnerability exists in Atlassian Questions for Confluence App. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-08T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Questions for Confluence App Hardcoded Credentials (CVE-2022-26138)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-10T00:00:00", "id": "CPAI-2022-0467", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-16T17:58:18", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Client/Server Runtime Subsystem Elevation of Privilege (CVE-2022-22047)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T00:00:00", "id": "CPAI-2022-0362", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-12-13T23:04:43", "description": "Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-17T00:00:00", "type": "attackerkb", "title": "CVE-2022-26501", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26501"], "modified": "2022-03-17T00:00:00", "id": "AKB:6F0AFCB6-92AD-477A-A650-103570DEC393", "href": "https://attackerkb.com/topics/cECWeY1iHh/cve-2022-26501", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-24T11:08:26", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T00:00:00", "type": "attackerkb", "title": "CVE-2022-26138", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-20T00:00:00", "id": "AKB:8049CCA9-ACA9-4288-8493-4153794BD621", "href": "https://attackerkb.com/topics/BUK2DJ8uhl/cve-2022-26138", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-08T22:25:53", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22047.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "attackerkb", "title": "CVE-2022-22049", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-07-12T00:00:00", "id": "AKB:5FAD5EC2-E77A-4F4A-B3DC-61A700F1B059", "href": "https://attackerkb.com/topics/fIVjvZJTUN/cve-2022-22049", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-23T08:04:25", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "attackerkb", "title": "CVE-2022-22047", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-07-12T00:00:00", "id": "AKB:0B6E13D5-84E0-4D3E-BD21-781032FA30ED", "href": "https://attackerkb.com/topics/SzYymWZIy5/cve-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-12-13T21:05:33", "description": "The Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can send input to the internal API which may lead to uploading and executing of malicious code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-13T00:00:00", "type": "cisa_kev", "title": "Veeam Backup & Replication Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26501"], "modified": "2022-12-13T00:00:00", "id": "CISA-KEV-CVE-2022-26501", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-11T18:51:48", "description": "Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-29T00:00:00", "type": "cisa_kev", "title": "Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T00:00:00", "id": "CISA-KEV-CVE-2022-26138", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Windows CSRSS contains an unspecified vulnerability which allows for privilege escalation to SYSTEM privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T00:00:00", "id": "CISA-KEV-CVE-2022-22047", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-24T20:44:55", "description": "Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-17T21:15:00", "type": "cve", "title": "CVE-2022-26501", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26501"], "modified": "2022-03-24T19:02:00", "cpe": ["cpe:/a:veeam:backup_\\&_replication:10.0.1.4854", "cpe:/a:veeam:backup_\\&_replication:11.0.1.1261"], "id": "CVE-2022-26501", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26501", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:veeam:backup_\\&_replication:10.0.1.4854:p20220304:*:*:*:*:*:*", "cpe:2.3:a:veeam:backup_\\&_replication:10.0.1.4854:p20201202:*:*:*:*:*:*", "cpe:2.3:a:veeam:backup_\\&_replication:11.0.1.1261:p20220302:*:*:*:*:*:*", "cpe:2.3:a:veeam:backup_\\&_replication:11.0.1.1261:p20211123:*:*:*:*:*:*", "cpe:2.3:a:veeam:backup_\\&_replication:11.0.1.1261:p20211211:*:*:*:*:*:*", "cpe:2.3:a:veeam:backup_\\&_replication:10.0.1.4854:-:*:*:*:*:*:*", "cpe:2.3:a:veeam:backup_\\&_replication:11.0.1.1261:-:*:*:*:*:*:*", "cpe:2.3:a:veeam:backup_\\&_replication:10.0.1.4854:p20210609:*:*:*:*:*:*"]}, {"lastseen": "2022-09-01T20:18:02", "description": "A flaw was found in New Horizon Datasys bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-26T18:15:00", "type": "cve", "title": "CVE-2022-34302", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-34302"], "modified": "2022-09-01T19:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:redhat:enterprise_linux:9.0", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:redhat:enterprise_linux:8.0", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:microsoft:windows_10:20h2"], "id": "CVE-2022-34302", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34302", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-09-01T20:18:01", "description": "A flaw was found in Eurosoft bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-26T18:15:00", "type": "cve", "title": "CVE-2022-34303", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-34303"], "modified": "2022-09-01T19:16:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:redhat:enterprise_linux:9.0", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:redhat:enterprise_linux:8.0", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:microsoft:windows_10:20h2"], "id": "CVE-2022-34303", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34303", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-09-01T20:18:02", "description": "A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-26T18:15:00", "type": "cve", "title": "CVE-2022-34301", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-34301"], "modified": "2022-09-01T19:13:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:redhat:enterprise_linux:9.0", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:redhat:enterprise_linux:8.0", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:microsoft:windows_10:20h2"], "id": "CVE-2022-34301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34301", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-07-20T17:05:50", "description": "Windows IIS Server Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-30209", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30209"], "modified": "2022-07-20T14:31:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1809"], "id": "CVE-2022-30209", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30209", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-08-04T16:34:20", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T18:15:00", "type": "cve", "title": "CVE-2022-26138", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T14:13:00", "cpe": ["cpe:/a:atlassian:questions_for_confluence:2.7.35", "cpe:/a:atlassian:questions_for_confluence:3.0.2", "cpe:/a:atlassian:questions_for_confluence:2.7.34"], "id": "CVE-2022-26138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26138", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*"]}, {"lastseen": "2022-09-28T20:41:54", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22047, CVE-2022-22049.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22026", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-09-28T19:58:00", "cpe": ["cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:21h2"], "id": "CVE-2022-22026", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22026", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*"]}, {"lastseen": "2022-09-28T20:41:53", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22047.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22049", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-09-28T19:58:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:20h2"], "id": "CVE-2022-22049", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22049", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*"]}, {"lastseen": "2022-07-16T16:05:35", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22047", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-07-16T13:50:00", "cpe": ["cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-22047", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*"]}], "redhatcve": [{"lastseen": "2022-09-20T16:21:58", "description": "A flaw was found in New Horizon Datasys bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-23T14:41:30", "type": "redhatcve", "title": "CVE-2022-34302", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34302"], "modified": "2022-09-20T15:13:43", "id": "RH:CVE-2022-34302", "href": "https://access.redhat.com/security/cve/cve-2022-34302", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-20T16:21:59", "description": "A flaw was found in Eurosoft bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-23T15:09:56", "type": "redhatcve", "title": "CVE-2022-34303", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34303"], "modified": "2022-09-20T15:13:53", "id": "RH:CVE-2022-34303", "href": "https://access.redhat.com/security/cve/cve-2022-34303", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-20T16:21:57", "description": "A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-23T15:09:46", "type": "redhatcve", "title": "CVE-2022-34301", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-34301"], "modified": "2022-09-20T15:13:43", "id": "RH:CVE-2022-34301", "href": "https://access.redhat.com/security/cve/cve-2022-34301", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2023-01-10T22:20:56", "description": "A flaw was found in New Horizon Datasys bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T07:00:00", "type": "mscve", "title": "CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-34302"], "modified": "2022-08-09T07:00:00", "id": "MS:CVE-2022-34302", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34302", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T22:20:59", "description": "A flaw was found in Eurosoft bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T07:00:00", "type": "mscve", "title": "CERT/CC: CVE-20220-34303 Crypto Pro Boot Loader Bypass", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-34303"], "modified": "2022-08-09T07:00:00", "id": "MS:CVE-2022-34303", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34303", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T22:20:59", "description": "A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T07:00:00", "type": "mscve", "title": "CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2022-34301"], "modified": "2022-08-09T07:00:00", "id": "MS:CVE-2022-34301", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34301", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T22:21:35", "description": "Windows IIS Server Elevation of Privilege Vulnerability.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows IIS Server Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30209"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-30209", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30209", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-01-10T22:21:29", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22047, CVE-2022-22049.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22026", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22026", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-10T22:21:25", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22047", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-10T22:21:25", "description": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22047.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22047", "CVE-2022-22049"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22049", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22049", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-08-05T13:56:42", "description": "Atlassian has released a security advisory to address a vulnerability (CVE-2022-26138) affecting Questions for Confluence App. An attacker could exploit this vulnerability to obtain sensitive information. Atlassian reports that the vulnerability is likely to be exploited in the wild.\n\nCISA encourages users and administrators to review Atlassian\u2019s security advisory, [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), and apply the necessary updates immediately. \n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-22T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Questions for Confluence App, CVE-2022-26138", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-22T00:00:00", "id": "CISA:B99FA8E68B4D7FF5BA1F6693AC9C7CCF", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-09-21T23:10:01", "description": "# Confluence-Question-CVE-2022-26138\nAtlassian Confluence Server...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T09:48:21", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Atlassian Questions For Confluence", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-09-21T21:50:55", "id": "E443E98A-3304-54B8-97FD-0FEF9DA283B3", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-02T02:01:54", "description": "# CVE-2022-26138\n\n# 1.\u7b80\u4ecb\nConfluence Hardcoded Password POC\n\n#...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-30T07:14:52", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Atlassian Questions For Confluence", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-09-02T01:39:22", "id": "120220D8-2281-57EE-BD84-1A33B8841E56", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}], "talosblog": [{"lastseen": "2022-08-04T19:59:46", "description": "[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s16000/threat-source-newsletter.jpg)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n_By Jon Munshaw. _\n\n[![](https://blogger.googleusercontent.com/img/a/AVvXsEj-mJ-nkfcUqAs6gZvX8xS2acg2Gomq1k9sbhaev8z9XCZnVEc3hnBv_CAEBr5YFPKbzeHm615Hm1J6VmtXbPW-VDGf1Y6GkVCjPTnH973CDJSSnSoxB93Nru0Ohx-w8atdDxbRuYdx1wk5h-eUvHihWfJ9aTwOLINT1HzhDqTPflICljFmGplz6bX9=w114-h42)](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nAfter what seems like forever and honestly has been a really long time, we\u2019re heading back to BlackHat in-person this year. We\u2019re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security. \n\n \n\n\nThroughout the two days of the main conference, we\u2019ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it\u2019s probably worthwhile running through all the cool stuff we\u2019ll have going on at Hacker Summer Camp. \n\n \n\n\nOur [booth should be easy enough to find](<https://www.expocad.com/host/fx/ubm/22bhusa/exfx.html>) \u2014 it\u2019s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you\u2019ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturn of Roe vs. Wade. Attendees who watch a lightning talk can grab a never-before-seen [Snort 3](<https://snort.org/snort3>)-themed Snorty and our malware mascot stickers, which were a [big hit at Cisco Live this year](<https://twitter.com/TalosSecurity/status/1536821931097305088>). \n\n \n\n\nWe\u2019ll also be over at the Career Center if you want to [come work with us](<https://talosintelligence.com/careers>). Or even if you don\u2019t, word on the street is there\u2019ll be silver and gold Snortys there. And on Thursday the 11th between 10 a.m. and noon local time a Talos hiring manager will be on site reviewing resumes and taking questions. \n\n \n\n\nIf you want more in-depth talks, we\u2019ll have five sponsored sessions between the 10th and 11th. If you want the latest schedule and location on those talks, be sure to [follow us on Twitter](<https://twitter.com/TalosSecurity>) or check out Cisco\u2019s BlackHat event page [here](<https://www.cisco.com/c/en/us/products/security/black-hat-usa.html>). Our sponsored talks cover Talos\u2019 latest work in Ukraine, the growing threat of business email compromise and current trends from state-sponsored actors. Make sure to catch all five of them. \n\n \n\n\nAnd if you liked our speakeasy at Cisco Live, you'll love the next secret we have in store at the BlackHat booth. Swing by and ask us about it. \n\n \n\n\nFor anyone sticking around for DEF CON, we\u2019ll also have a presence there with Blue Team Village. Drop any questions in the [Blue Team Village Discord](<https://www.blueteamvillage.org/>) for us, and be sure to attend the BTV Pool Party on Aug. 12 from 8 \u2013 11 p.m. local time. \n\n \n\n\nTo stay up to date on all things Talos at both conferences, be sure to follow us on social media. - \n\n\n \n\n## The one big thing \n\n> \n\n\nCisco Talos recently discovered [a new attack framework called \"Manjusaka\"](<https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html>) being used in the wild that could be the next evolution of Cobalt Strike \u2014 and is even advertised as so. This framework is advertised as an imitation of the Cobalt Strike framework. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. \n\n\n> ### Why do I care? \n> \n> Our researchers discovered a fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, that\u2019s freely available and can generate new implants with custom configurations with ease. This increases the likelihood of wider adoption of this framework by malicious actors. If you\u2019re a defender of any kind, you want to stay up on the latest tools attackers are likely to use. And since Cobalt Strike is already one of the most widely used out there, it\u2019s safe to assume any evolution of it is going to draw some interest. \n> \n> ### So now what? \n> \n> Organizations must be diligent against such easily available tools and frameworks that can be misused by a variety of threat actors. In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention of this framework. Talos also released Snort rule 60275 and ClamAV signature Win.Trojan.Manjusaka-9956281-1 to detect the use of Manjusaka. \n\n> \n> \n\n## Other news of note\n\n \n\n\nEverything from convenience stores to government websites in Taiwan saw an uptick in cyber attacks this week after U.S. House Speaker Nancy Pelosi visited the country this week. She was the U.S.\u2019 highest-ranking official to visit there in more than 20 years. However, many of the attacks appeared to be from low-skilled attackers and some could even be attributed to a normal uptick in traffic from a busy news day. China could still retaliate for the visit with a cyber attack against Taiwan or the U.S., as the Chinese government has voiced its displeasure over Pelosi\u2019s actions and launched several kinetic warfare exercises. ([Reuters](<https://www.reuters.com/technology/7-11s-train-stations-cyber-attacks-plague-taiwan-over-pelosi-visit-2022-08-04/>), [Washington Post](<https://www.washingtonpost.com/politics/2022/08/03/those-pelosi-inspired-cyberattacks-taiwan-probably-werent-all-they-were-cracked-up-be/>)) \n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting a critical vulnerability in Atlassian Confluence disclosed last week. CISA added CVE-2022-26138, a hardcoded password vulnerability in the Questions for Confluence app, to its list of Known Exploited Vulnerabilities on Friday. Adversaries can exploit this vulnerability to gain total access to data in on-premises Confluence Server and Confluence Data Center platforms. U.S. federal agencies have three weeks to patch for the issue under CISA\u2019s new guidance. ([Dark Reading](<https://www.darkreading.com/cloud/patch-now-atlassian-confluence-bug-active-exploit>), [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-confluence-bug-exploited-in-attacks/>)) \n\nNorth Korean state-sponsored actors continue to be active, recently adding a new Gmail attack to its arsenal. The infamous SharpTongue group uses the SHARPEXT malware to target organizations in the U.S., Europe and South Korea that work on nuclear weapons and other topics that North Korea sees as relevant to its national security. SHARPEXT installs a Google Chrome extension that allows the attackers to bypass users\u2019 Gmail multi-factor authentication and passwords, eventually entering the inbox and reading and downloading email and attachments. Other North Korean actors continue to use fake LinkedIn applications to apply for remote jobs, hoping to eventually steal cryptocurrency and fund the country\u2019s weapons program. ([Ars Technica](<https://arstechnica.com/information-technology/2022/08/north-korea-backed-hackers-have-a-clever-way-to-read-your-gmail/>), [Bloomberg](<https://www.bloomberg.com/news/articles/2022-08-01/north-koreans-suspected-of-using-fake-resumes-to-steal-crypto>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * _[Talos Takes Ep. #106: The top attacker trends from the past quarter](<https://talosintelligence.com/podcasts/shows/talos_takes/episodes/106>)_\n * _[Beers with Talos Ep. #124: There's no such thing as \"I have nothing to hide\"](<https://talosintelligence.com/podcasts/shows/beers_with_talos/episodes/124>)_\n * _[BlackHat \u2014 A poem](<https://blog.talosintelligence.com/2022/08/poems-0xCCd.html>)_\n * _[Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution](<https://blog.talosintelligence.com/2022/05/vuln-spotlight-alyac-est.html>)_\n * _[Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities](<https://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misusing.html>)_\n * _[Researcher Spotlight: You should have been listening to Lurene Grenier years ago](<https://blog.talosintelligence.com/2022/08/researcher-spotlight-you-should-have.html>)_\n * _[Manjusaka, a new attack tool similar to Sliver and Cobalt Strike](<https://securityaffairs.co/wordpress/133953/hacking/manjusaka-attack-tool.html>)_\n\n \n\n\n## Upcoming events where you can find Talos \n\n#### \n\n\n[**BlackHat**](<https://www.blackhat.com/us-22/>) **U.S.A 2022 **(Aug. 6 - 11, 2022) \nLas Vegas, Nevada \n\n \n\n\n_[USENIX Security '22](<https://www.usenix.org/conference/usenixsecurity22#registration>) _**(Aug. 10 - 12, 2022)** \nLas Vegas, Nevada \n\n \n\n\n**[DEF CON U.S.](<https://defcon.org/>) **(Aug. 11 - 14, 2022) \nLas Vegas, Nevada \n\n \n\n\n**[Security Insights 101 Knowledge Series](<https://aavar.org/securityinsights101/>) (Aug. 25, 2022)**\n\nVirtual \n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) ** **\n\n**MD5: **2c8ea737a232fd03ab80db672d50a17a \n\n**Typical Filename:** LwssPlayer.scr \n\n**Claimed Product: **\u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n\n**Detection Name: **Auto.125E12.241442.in02 \n\n \n\n\n**SHA 256:** [f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121](<https://www.virustotal.com/gui/file/f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121/details>) \n\n**MD5:** 9066dff68c1d66a6d5f9f2904359876c \n\n**Typical Filename:** dota-15_id3622928ids1s.exe \n\n**Claimed Product:** N/A \n\n**Detection Name:** W32.F21B040F7C.in12.Talos \n\n \n\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) ** **\n\n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n\n**Typical Filename: **AAct.exe ** **\n\n**Claimed Product:** N/A ** **\n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201** **\n\n** \n**\n\n**SHA 256: **[168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0](<https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0/details>) \n\n**MD5: **311d64e4892f75019ee257b8377c723e \n\n**Typical Filename: **ultrasurf-21-32.exe ** **\n\n**Claimed Product: **N/A \n\n**Detection Name: **W32.DFC.MalParent", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Aug. 4, 2022) \u2014 BlackHat 2022 preview", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T18:00:00", "id": "TALOSBLOG:1CC8B88D18FD4407B2AEF8B648A80C27", "href": "http://blog.talosintelligence.com/2022/08/threat-source-newsletter-aug-4-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-21T20:00:40", "description": "[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s16000/threat-source-newsletter.jpg)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n_By Jon Munshaw. _\n\n[![](https://blogger.googleusercontent.com/img/a/AVvXsEj-mJ-nkfcUqAs6gZvX8xS2acg2Gomq1k9sbhaev8z9XCZnVEc3hnBv_CAEBr5YFPKbzeHm615Hm1J6VmtXbPW-VDGf1Y6GkVCjPTnH973CDJSSnSoxB93Nru0Ohx-w8atdDxbRuYdx1wk5h-eUvHihWfJ9aTwOLINT1HzhDqTPflICljFmGplz6bX9=w114-h42)](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nI could spend time in this newsletter every week talking about fake news. There are always so many ridiculous memes, headlines, misleading stories, viral Facebook posts and manipulated media that I see come across my Instagram feed or via my wife when she shows me TikToks she favorited. \n\n \n\n\nOne recent event, though, was so crushing to me that I had to call it out specifically. [Former Japanese Prime Minister Shinzo Abe was assassinated](<https://www.nytimes.com/live/2022/07/08/world/japan-shinzo-abe-shooting>) earlier this month while making a campaign speech in public. This was a horrible tragedy marking the death of a powerful politician in one of the world\u2019s most influential countries. It was the top story in the world for several days and was even more shocking given Japan\u2019s strict gun laws and the relative infrequency of any global leaders being the target of violence. \n\n \n\n\nIt took no time for the internet at large to take this tragedy and immediately try to spin it to their whims to spread false narratives, disinformation and downright harmful fake stories that mar Abe\u2019s death and make a mockery of the 24/7 news cycle and the need for everyone to immediately have their own \u201ctake\u201d on social media. \n\n \n\n\nShortly after Abe\u2019s murder, a far-right French politician took a false claim from the infamous online forum 4chan that video game developer Hideo Kojima was the suspect who killed Abe and [shared it on Twitter.](<https://www.bbc.com/news/newsbeat-62121650>) The politician, Damien Rieu, even went as far to connect Kojima to the \u201cfar left,\u201d linking to pictures of the \u201cMetal Gear Solid\u201d creator wearing a shirt depicting the Joker and a bag with Che Guevara\u2019s face on it. Rieu\u2019s tweet was [taken as fact by a Greek television news station](<https://kotaku.com/shinzo-abe-assassin-killer-kojima-greek-news-confusion-1849157839>), which also [aired a report](<https://youtu.be/MfQPJggD1Us>) that Kojima was the assassin. \n\n \n\n\nThankfully, this claim was quickly debunked and the [politician issued an apology](<https://twitter.com/DamienRieu/status/1545460974592970752>), but Kojima and his company have [threatened legal action](<https://www.videogameschronicle.com/news/legal-action-threatened-as-hideo-kojima-falsely-linked-to-shinzo-abe-assassination/>) over the ordeal (as they should). This is an appalling scenario in which social media was quick to assign blame for Abe\u2019s assassination, then picked up by an influential person and even making it to a reputable international news station. This goes beyond the realm of the typical \u201cRussian bot\u201d fake news we think of this was a failure to run any simple fact checks before reporting a damning claim about someone. Imagine if it was just anyone who was blamed for Abe\u2019s assassination, and not someone like Kojima who has a very public platform and the funds to fight these claims. \n\n \n\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhptqreL2kFkNoBxL-NGrBPSwlnAY8sv3eiiN0bwTAACJXRiQB69a8jp752bncymBYSD_SC9JV3jCHn73HzQMV3s950OgaXzIbQM_4Kpd4_f2245CG2E1IXo8f7zW0qGxNO2hQ6F9fA3G4J1piu7ue3esWeL2eWi-0dXgDfUl3U4YH4QKkwPiCnZxfo/w210-h400/Screenshot_20220720-135745.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhptqreL2kFkNoBxL-NGrBPSwlnAY8sv3eiiN0bwTAACJXRiQB69a8jp752bncymBYSD_SC9JV3jCHn73HzQMV3s950OgaXzIbQM_4Kpd4_f2245CG2E1IXo8f7zW0qGxNO2hQ6F9fA3G4J1piu7ue3esWeL2eWi-0dXgDfUl3U4YH4QKkwPiCnZxfo/s2053/Screenshot_20220720-135745.png>)\n\nPeople also took the opportunity within the first few hours of Abe\u2019s death to try and craft their own narrative using fake news and misleading information. A viral claim that he was killed over his COVID-19-related policies made the rounds, though these claims were later proven [verifiably false](<https://www.statesman.com/story/news/politics/politifact/2022/07/13/fact-check-was-shinzo-abe-assassinated-over-covid-19-response/65372187007/>). Another completely fake and manipulated screenshot claimed to show that Abe had tweeted shortly before his death that he had incriminating news about [U.S. politician Hillary Clinton](<https://apnews.com/article/Fact-Check-Fake-Shinzo-Abe-Tweet-499806264509>). \n\n \n\n\nI went on Instagram and [found a still-active post](<https://www.instagram.com/p/Cf2CODKutKG/?igshid=YmMyMTA2M2Y=>) from an account with more than 54,000 followers that indicates that Abe was assassinated because he had less-than-strict COVID policies that did not align with the \u201cglobal agenda.\u201d Instagram flagged the post as \u201cmissing context,\u201d but does not flag it as downright false and the content is still accessible as of Wednesday afternoon. \n\n \n\n\nWhat disturbs me the most about this whole event is that nothing is off limits for social media users to bend to their whim. I suppose I can't say I\u2019m surprised \u2014 ESPN even recently fell for something as silly as a fake TikTok video alleging to show a [UPS driver dunking a basketball](<https://www.snopes.com/fact-check/ups-driver-dunk-car/>) while jumping over a car. But it is a stark reminder that when breaking news occurs, no matter how serious or dangerous it is, there\u2019s always going to be people online who will be spreading fake news, disinformation and/or misinformation. This makes me miss the days when the biggest fake news story out there was [Balloon Boy](<https://www.latimes.com/entertainment/la-et-media-balloon-boy-pictures-photogallery.html>). \n\n \n\n\n \n\n## The one big thing \n\n> \n\n\nThe U.S. Cybersecurity and Infrastructure Security Agency is asking all federal agencies to [patch for an actively exploited Microsoft vulnerability](<https://threatpost.com/cisa-urges-patch-11-bug/180235/>) disclosed last week. By adding CVE-2022-22047, an elevation of privilege vulnerability affecting the Windows Client Server Runtime Subsystem (CSRSS), to its [list of known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), agencies are compelled to patch for the issue by Aug. 2. Microsoft and CISA both say attackers are actively exploiting the issue in the wild. \n\n\n> ### Why do I care? \n> \n> This vulnerability is the only one disclosed as part of [last week\u2019s Patch Tuesday](<https://blog.talosintelligence.com/2022/07/microsoft-patch-tuesday-for-july-2022.html>) that\u2019s been exploited in the wild. An attacker could exploit this vulnerability to execute code on the targeted machine as SYSTEM. However, they would need physical access to a machine to exploit the issue. That being said, if CISA is warning users that it\u2019s being actively exploited in the wild, it\u2019s good of a time as any to remember to patch. \n\n> \n> ### So now what? \n> \n> [Our Patch Tuesday blog post](<https://blog.talosintelligence.com/2022/07/microsoft-patch-tuesday-for-july-2022.html>) contains links to Microsoft\u2019s updates for Patch Tuesday and a rundown of other vulnerabilities you should know about. Additionally, we have [multiple Snort rules](<https://snort.org/advisories/talos-rules-2022-07-12>) that can detect attempts to exploit CVE-2022-22047. \n\n> \n> \n\n## Other news of note\n\n \n\n\nThe U.S. Department of Homeland Security declared the Log4shell vulnerability is \u201cendemic\u201d and will present a risk to organizations for at least the next decade. A new report into the major vulnerability in Log4j declared that the open-source community does not have enough resources to properly secure its code and needs the public and private sector to assist with the implementation of patches. They also warned that there are still many instances of vulnerable software that attackers could take advantage of. The DHS report also says the original vulnerable code could have been detected in 2013 had the reviewers had the time had the appropriate cybersecurity knowledge to spot the flaw. That being said, the investigating panel said there were no major cyber attacks against U.S. critical infrastructure leveraging Log4shell. ([Dark Reading](<https://www.darkreading.com/application-security/dhs-review-board-deems-log4j-an-endemic-cyber-threat>), [Associated Press](<https://apnews.com/article/biden-technology-software-hacking-4361f6e9b386259609b05b389db4d7bf>), [ZDNet](<https://www.zdnet.com/article/log4j-flaw-why-it-will-still-be-causing-problems-a-decade-from-now/>)) \n\nThe European Union is warning that increased cyber attacks from Russian state-sponsored actors run the risk of unnecessary escalation and spillover effects to all of Europe. A formal EU declaration says that member nations \u201cstrongly condemn this unacceptable behaviour in cyberspace and express solidarity with all countries that have fallen victim.\u201d A Lithuanian energy firm was the recent target of a distributed denial-of-service attack that the country said was the largest cyber attack in a decade. Belgian leaders also say their country was recently targeted by several Chinese state-sponsored groups. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/eu-warns-of-russian-cyberattack-spillover-escalation-risks/>), [Council of the European Union](<https://www.consilium.europa.eu/en/press/press-releases/2022/07/19/declaration-by-the-high-representative-on-behalf-of-the-european-union-on-malicious-cyber-activities-conducted-by-hackers-and-hacker-groups-in-the-context-of-russia-s-aggression-against-ukraine/>), [Infosecurity Magazine](<https://www.infosecurity-magazine.com/news/lithuanian-energy-ddos-attack/>)) \n\nA relatively small botnet is suspected to be behind more than 3,000 recent distributed denial-of-service attacks. The Mantis botnet, which is suspected to be an evolution of Meris, has already targeted users in Germany, Taiwan, South Korea, Japan, the U.S. and the U.K. Most recently, it launched a malware campaign against Android users in France, using malicious SMS messages to lure victims into downloading malware that adds devices to the botnet\u2019s growing system. Security researchers say users have already downloaded the malware about 90,000 times. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/roaming-mantis-hits-android-and-ios-users-in-malware-phishing-attacks/>), [ZDNet](<https://www.zdnet.com/article/this-tiny-botnet-is-launching-the-most-powerful-ddos-attacks-yet/>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * _[Vulnerability Spotlight: Issue in Accusoft ImageGear could lead to memory corruption, code execution](<https://blog.talosintelligence.com/2022/07/accusoft-vuln-spotlight-.html>)_\n * _[EMEAR Monthly Talos Update: Training the next generation of cybersecurity researchers](<https://blog.talosintelligence.com/2022/07/emear-monthly-talos-update-training.html>)_\n * _[Beers with Talos Ep. #123: Hunting for ransomware actors on *whispers* the dark web](<https://talosintelligence.com/podcasts/shows/beers_with_talos/episodes/123>)_\n * _[Talos Takes Ep. #104: The psychology of multi-factor authentication](<https://talosintelligence.com/podcasts/shows/talos_takes/episodes/104>)_\n * _[Pakistani Hackers Targeting Indian Students in Latest Malware Campaign](<https://thehackernews.com/2022/07/pakistani-hackers-targeting-indian.html>)_\n \n\n\n \n\n\n## Upcoming events where you can find Talos \n\n#### \n\n\n**[A New HOPE](<https://www.hope.net/index.html>) **(July 22 - 24, 2022) \nNew York City \n\n \n\n\n**[CTIR On Air](<https://www.linkedin.com/video/event/urn:li:ugcPost:6954879507132481537/>) **(July 28, 2022) \nTalos Twitter, LinkedIn and YouTube pages\n\n[ \n](<https://www.ciscolive.com/global.html>)[**BlackHat**](<https://www.blackhat.com/us-22/>) **U.S. **(Aug. 6 - 11, 2022) \nLas Vegas, Nevada \n\n \n\n\n**[DEF CON U.S.](<https://defcon.org/>) **(Aug. 11 - 14, 2022) \nLas Vegas, Nevada \n\n \n\n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507](<https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details>) \n\n**MD5: **2915b3f8b703eb744fc54c81f4a9c67f \n\n**Typical Filename: **VID001.exe ** **\n\n**Claimed Product:** N/A** **\n\n**Detection Name: **Win.Worm.Coinminer::1201 \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) ** **\n\n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n\n**Typical Filename: **AAct.exe ** **\n\n**Claimed Product:** N/A ** **\n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201** **\n\n** \n**\n\n**SHA 256: **[ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3](<https://www.virustotal.com/gui/file/ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3/details>)** **\n\n**MD5: **5741eadfc89a1352c61f1ff0a5c01c06** **\n\n**Typical Filename: **3.exe \n\n**Claimed Product: **N/A\n\n**Detection Name: **W32.DFC.MalParent \n\n \n\n\n**SHA 256: **[125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) ** **\n\n**MD5: **2c8ea737a232fd03ab80db672d50a17a \n\n**Typical Filename:** LwssPlayer.scr \n\n**Claimed Product: **\u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n\n**Detection Name: **Auto.125E12.241442.in02", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-21T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (July 21, 2022) \u2014 No topic is safe from being targeted by fake news and disinformation", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-21T18:00:00", "id": "TALOSBLOG:F032D3BBC6D695272384D4A3821130BF", "href": "http://blog.talosintelligence.com/2022/07/threat-source-newsletter-july-21-2022.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-15T20:09:09", "description": "![Threat Source newsletter \$Dec. 15, 2022\$: Talos Year in Review is here](https://blog.talosintelligence.com/content/images/2022/12/threat-source-newsletter-1.jpg)\n\nWelcome to this week's edition of the Threat Source newsletter.\n\nIt's the most wonderful time of the year, and I'm not talking about the holidays. The inaugural 2022 Talos Year in Review is here! And it's taking over the final Threat Source newsletter of the year. Oh and did we mention we're on [Mastodon](<https://mstdn.social/invite/W3bToQCR>) now? Talos, the gift that keeps on giving. \n\n## The one big thing\n\nThe [2022 Talos Year in Review](<https://blog.talosintelligence.com/talos-year-in-review-2022/>) is officially launched and with it a compressive story of our work in the past year relying on a wide variety of data and expertise. We expect this data-driven story will shed some insight into Cisco's and the security community's most notable successes and remaining challenges. In addition, as these Year in Review reports continue in the future, we aim to provide data and narratives that help explain how the threat landscape changes from one year to the next. We hope you find this report as elucidating to read as it was to research and write, and that it arms the security community with the information and context needed to continue fighting the good fight.\n\n### Why do I care?\n\n[Talos' Year in Review](<https://blog.talosintelligence.com/year-in-review/>) takes a broad look not only at the major security events but looks at the major impacts and trends within the larger threat landscapes and takes a deep dive in to the top threats. We'll be hosting livestreams on four sub-sections of the report with researchers and report contributors to cover the full research and findings.\n\n### So now what? \n\nPour yourself a glass of your favorite beverage, start up the fire and get to reading! Mark your calendar for our next three livestreams in the new year:\n\n2022 Year in Review-APTs: Jan 10th, 12pm ET\n\n2022 Year in Review- Threat Landscape: Jan 24th, 12pm ET\n\n2022 Year in Review- Ransomware & Commodity Loaders: February 7th, 12pm ET\n\n## Top security headlines of the week\n\nIf you've yet to stumble upon ChatGPT or hear about it at the office water cooler you may be living under a rock (we've been there too). The AI chat bot developed by OpenAI and released last week, creates human like responses to user-generated prompts. While it has the ability to take on mundane tasks the evolution of AI still raises eyebrows in security communities with concerns of deep fakes and fake news campaigns. ([CNET](<https://www.cnet.com/science/chatgpt-is-a-stunning-ai-but-human-jobs-are-safe-for-now/>))\n\nThe U.S. Department of Justice announced this week the take down of leading global distributed denial-of-service sites for-hire websites. The takedowns were part of a joint operation, "Operation PowerOFF", between the US, the U.K.'s National Crime Agency, Dutch police, and Europol. The sites were involved in attacks against varied victims in the U.S. and abroad, spanning educational institutions, government agencies, and gaming platforms. ([TechCrunch](<https://techcrunch.com/2022/12/15/ddos-booter-justice-department-seized/>))\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) added new flaws to its Known Exploited Vulnerabilities Catalog including Veeam, Fortinet, Microsoft and Citrix products. Vulnerabilities, [CVE-2022-26500 and CVE-2022-26501](<https://www.veeam.com/kb4288>), are rated 'critical' and impact Veeam's Backup & Replication enterprise backup solutions. Used by 70% of Fortune 2000 companies, Veeam products continue to be tempting targets for malicious actors. ([SecurityWeek](<https://www.securityweek.com/cisa-warns-veeam-backup-replication-vulnerabilities-exploited-attacks>))\n\n## Can't get enough Talos?\n\n*[Talos 2022 Year in Review](<https://blog.talosintelligence.com/talos-year-in-review-2022/>)\n\n*[Beers with Talos](<https://blog.talosintelligence.com/beers-with-talos-ep-129/>)\n\n*[Microsoft Patch Tuesday for December 2022](<https://blog.talosintelligence.com/microsoft-patch-tuesday-for-december-2022/>)\n\n## Upcoming events where you can find Talos\n\n[CactusCon](<https://www.cactuscon.com/cc11>) (Jan 27-28)\n\nMesa, AZ\n\n[Cisco Live Amsterdam](<https://www.ciscolive.com/emea.html>) (Feb 6-10)\n\nAmsterdam, Netherlands\n\n## Most prevalent malware files from Talos telemetry over the past week\n\nSHA 256: [1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d](<https://www.virustotal.com/gui/file/1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d>)\n\nMD5: 26f927fb7560c11e509f0b8a7e787f79 \n26f927fb7560c11e509f0b8a7e787f79\n\nTypical Filename: VID001.exe\n\nDetection Name: W32.File.MalParent\n\nSHA 256: [9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507](<https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details>)\n\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f\n\nTypical Filename: VID001.exe\n\nDetection Name: Simple_Custom_Detection\n\nSHA 256: [e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c>)\n\nMD5: a087b2e6ec57b08c0d0750c60f96a74c\n\nTypical Filename: AAct.exe\n\nDetection Name: W32.File.MalParent\n\nSHA 256: [125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645>)\n\nMD5: \n2c8ea737a232fd03ab80db672d50a17a\n\nTypical Filename: LwssPlayer.scr\n\nDetection Name: Auto.125E12.241442.in02\n\nSHA 256: [a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91](<https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details>)\n\nMD5: 7bdbd180c081fa63ca94f9c22c457376\n\nTypical Filename: IMG001.exe\n\nDetection Name: Trojan.GenericKD.33515991", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-15T19:10:59", "type": "talosblog", "title": "Threat Source newsletter (Dec. 15, 2022): Talos Year in Review is here", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26500", "CVE-2022-26501"], "modified": "2022-12-15T19:10:59", "id": "TALOSBLOG:9C2657CF40D5AE086C96097F3F46E1AC", "href": "https://blog.talosintelligence.com/threat-source-newsletter-dec-15-2022-christmas-came-early/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-20T16:52:31", "description": "The remote confluence web application uses a known set of hard-coded default credentials of the 'Questions for Confluence' marketplace application. An attacker can exploit this to gain administrative access to the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T00:00:00", "type": "nessus", "title": "Questions for Confluence App Default Credentials (CVE-2022-26138)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2022-26138.NASL", "href": "https://www.tenable.com/plugins/nessus/164091", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164091);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Questions for Confluence App Default Credentials (CVE-2022-26138)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The application hosted on the remote web server uses a default set of known credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote confluence web application uses a known set of hard-coded default credentials of the\n'Questions for Confluence' marketplace application. An attacker can exploit this to gain \nadministrative access to the remote host.\");\n # https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56edf34e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the application's default credentials.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('url_func.inc');\ninclude('vcf.inc');\ninclude('debug.inc');\n\nvar app_name = 'confluence';\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvar url = build_url(port:port, qs:app_info['path']);\n\n##\n# Try to authenticate with default disabledsystemuser/disabled1system1user6708 creds\n#\n# @param port - the port the application exists on\n# @return TRUE for successful authentication, otherwise FALSE\n##\nfunction try_default_creds(port)\n{\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[trying default creds]');\n var res, post;\n post = 'os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Findex.action';\n # Authenticate\n res = http_send_recv3(\n port : port,\n method : 'POST',\n item : '/dologin.action',\n data : post,\n content_type : \"application/x-www-form-urlencoded\",\n exit_on_fail : TRUE\n );\n\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Attempted to login with: ' + http_last_sent_request());\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Response was: ' + obj_rep(res));\n if ('HTTP/1.1 302' >< res[0] && 'X-Seraph-LoginReason: OK' >< res[1])\n {\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login confirmed][ ' + res[0] + '][' + res[1] + ']');\n return TRUE;\n }\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login failed][ ' + res[0] + '][' + res[1] + ']');\n return FALSE;\n}\n\nvar can_auth = try_default_creds(port:port);\n\nvar report = NULL;\nif (can_auth)\n{\n report = 'Nessus was able to gain access to the remote confluence app\\n' +\n 'using the following set of credentials:\\n' +\n '\\n Username : disabledsystemuser' +\n '\\n Password : disabled1system1user6708';\n\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:25:42", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.\n\nUninstalling the Questions for Confluence app does not remediate this vulnerability. The account does not automatically get removed after the app has been uninstalled.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-08T00:00:00", "type": "nessus", "title": "Atlassian Questions For Confluence 2.7.34 / 2.7.35 / 3.0.2 Hardcoded Credentials", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-19T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113328", "href": "https://www.tenable.com/plugins/was/113328", "sourceData": "No source data", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-20T04:41:50", "description": "The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential vulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version number. This plugin will only run in 'Parnoid' scans.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-21T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-08T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-79483.NASL", "href": "https://www.tenable.com/plugins/nessus/163327", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163327);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/08\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Atlassian Confluence host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x <\n7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential\nvulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in\nthe confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated\nattacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content\naccessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35,\nand 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version\nnumber. This plugin will only run in 'Parnoid' scans.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-79483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.6, 7.14.3, 7.15.2, 7.16.4, 7.17.2, 7.13.6, 7.14.3, 7.15.2, 7.16.4,\n7.17.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\n# The vuln is in the Questions for Confluence app, not Confluence itself\n# We cannot determin if this is installed and/or the offending user account is present\nif (report_paranoia < 2) audit(AUDIT_POTENTIAL_VULN, 'Confluence', app_info.version);\n\nvar constraints = [\n { 'fixed_version' : '7.4.17', 'fixed_display' : '7.4.17 / 7.13.6 / 7.14.3 / 7.15.2 / 7.16.4 / 7.17.2' },\n { 'min_version' : '7.13.0', 'fixed_version' : '7.13.6' },\n { 'min_version' : '7.14.0', 'fixed_version' : '7.14.3' },\n { 'min_version' : '7.15.0', 'fixed_version' : '7.15.2' },\n { 'min_version' : '7.16.0', 'fixed_version' : '7.16.4' },\n { 'min_version' : '7.17.0', 'fixed_version' : '7.17.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-16T17:58:29", "description": "The version of Veeam Backup and Replication installed on the remote Windows host is a version prior to 10.0.1.4854 P20220304 or prior to 11.0.1.1261 P20220302 or prior to. It is, therefore, affected by multiple vulnerabilities:\n\n - Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.\n (CVE-2022-26500)\n\n - Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control. (CVE-2022-26501)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-20T00:00:00", "type": "nessus", "title": "Veeam Backup and Replication Multiple Vulnerabilities (KB4288)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26500", "CVE-2022-26501"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/a:veeam:backup_and_replication"], "id": "VEEAM_BACKUP_AND_REPLICATION_KB4288.NASL", "href": "https://www.tenable.com/plugins/nessus/168945", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168945);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\"CVE-2022-26500\", \"CVE-2022-26501\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/01/03\");\n\n script_name(english:\"Veeam Backup and Replication Multiple Vulnerabilities (KB4288)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Veeam Backup and Replication installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Veeam Backup and Replication installed on the remote Windows host is a version prior to 10.0.1.4854\nP20220304 or prior to 11.0.1.1261 P20220302 or prior to. It is, therefore, affected by multiple vulnerabilities:\n\n - Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote\n authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.\n (CVE-2022-26500)\n\n - Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control. (CVE-2022-26501)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.veeam.com/kb4288\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Veeam Backup & Replication version 10.0.1.4854 P20220304 / 11.0.1.1261 P20220302 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26501\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/12/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:veeam:backup_and_replication\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"veeam_backup_and_replication_win_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Veeam Backup and Replication\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Veeam Backup and Replication', win_local:TRUE);\n\nvar version = app_info['version'];\nvar patch_level = app_info['Patch'];\n\nif (empty_or_null(patch_level))\n patch_level = '0';\n\nvar fix = NULL;\n\n# 9.5.x\n# 10.0.x < 10.0.1.4854\n# 10.0.1.4854 < P20220304\nif (version =~ \"^9\\.5\\.\" || version =~ \"^10\\.0\\.\")\n{\n if (ver_compare(ver:version, fix:'10.0.1.4854', strict:FALSE) < 0 ||\n (version == '10.0.1.4854' && (ver_compare(ver:patch_level, fix:'20220304', strict:FALSE) < 0)))\n {\n fix = '10.0.1.4854 P20220304';\n }\n}\n\n# 11.0.x < 11.0.1.1261\n# 11.0.1.1261 < P20220302\nif (version =~ \"^11\\.0\\.\")\n{\n if (ver_compare(ver:version, fix:'11.0.1.1261', strict:FALSE) < 0 ||\n (version == '11.0.1.1261' && (ver_compare(ver:patch_level, fix:'20220302', strict:FALSE) < 0)))\n {\n fix = '11.0.1.1261 P20220302';\n }\n}\n\nif (!isnull(fix))\n{\n vcf::report_results(app_info:app_info, fix:fix, severity:SECURITY_HOLE);\n}\nelse\n{\n vcf::audit(app_info);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-10T19:26:48", "description": "The remote Windows host is missing security update 5016629. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016629: Windows 11 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35797", "CVE-2022-35804", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016629.NASL", "href": "https://www.tenable.com/plugins/nessus/163945", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163945);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-30197\",\n \"CVE-2022-33670\",\n \"CVE-2022-34301\",\n \"CVE-2022-34302\",\n \"CVE-2022-34303\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34705\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34712\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35757\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n \"CVE-2022-35766\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35793\",\n \"CVE-2022-35794\",\n \"CVE-2022-35795\",\n \"CVE-2022-35797\",\n \"CVE-2022-35804\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016629\");\n script_xref(name:\"MSFT\", value:\"MS22-5016629\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016629: Windows 11 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016629. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016629\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016629\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016629\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-35804\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016629'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:22000,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016629])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-16T17:49:40", "description": "The remote Windows host is missing security update 5015870 or cumulative update 5015866. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226). \n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015870: Windows Server 2008 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015870.NASL", "href": "https://www.tenable.com/plugins/nessus/163051", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163051);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22037\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015866\");\n script_xref(name:\"MSKB\", value:\"5015870\");\n script_xref(name:\"MSFT\", value:\"MS22-5015866\");\n script_xref(name:\"MSFT\", value:\"MS22-5015870\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015870: Windows Server 2008 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015870 or \ncumulative update 5015866. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226). \n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015866\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015870\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015866\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015870\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015870 or Cumulative Update 5015866\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22037\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015870',\n '5015866'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015870, 5015866])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-10T19:27:19", "description": "The remote Windows host is missing security update 5016616. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016616: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35797", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016616.NASL", "href": "https://www.tenable.com/plugins/nessus/163951", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163951);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30144\",\n \"CVE-2022-30194\",\n \"CVE-2022-30197\",\n \"CVE-2022-33670\",\n \"CVE-2022-34301\",\n \"CVE-2022-34302\",\n \"CVE-2022-34303\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34705\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34712\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35754\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35757\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n \"CVE-2022-35762\",\n \"CVE-2022-35763\",\n \"CVE-2022-35764\",\n \"CVE-2022-35765\",\n \"CVE-2022-35766\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35792\",\n \"CVE-2022-35793\",\n \"CVE-2022-35794\",\n \"CVE-2022-35795\",\n \"CVE-2022-35797\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016616\");\n script_xref(name:\"MSFT\", value:\"MS22-5016616\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016616: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016616. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2022-30144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016616\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016616\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016616'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvar os_name = get_kb_item(\"SMB/ProductName\");\n\nif ( ( (\"enterprise\" >< tolower(os_name) || \"education\" >< tolower(os_name))\n &&\n smb_check_rollup(os:'10',\n os_build:19042,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016616]) \n )\n ||\n smb_check_rollup(os:'10',\n os_build:19043,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016616])\n || \n smb_check_rollup(os:'10',\n os_build:19044,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016616])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:27:16", "description": "The remote Windows host is missing security update 5016627. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "KB5016627: Windows Server 2022 Security Update (August 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-34715", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35820"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS22_AUG_5016627.NASL", "href": "https://www.tenable.com/plugins/nessus/163953", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163953);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\n \"CVE-2022-30133\",\n \"CVE-2022-30194\",\n \"CVE-2022-30197\",\n \"CVE-2022-33670\",\n \"CVE-2022-34301\",\n \"CVE-2022-34302\",\n \"CVE-2022-34303\",\n \"CVE-2022-34690\",\n \"CVE-2022-34691\",\n \"CVE-2022-34696\",\n \"CVE-2022-34699\",\n \"CVE-2022-34701\",\n \"CVE-2022-34702\",\n \"CVE-2022-34703\",\n \"CVE-2022-34704\",\n \"CVE-2022-34705\",\n \"CVE-2022-34706\",\n \"CVE-2022-34707\",\n \"CVE-2022-34708\",\n \"CVE-2022-34709\",\n \"CVE-2022-34710\",\n \"CVE-2022-34712\",\n \"CVE-2022-34713\",\n \"CVE-2022-34714\",\n \"CVE-2022-34715\",\n \"CVE-2022-35743\",\n \"CVE-2022-35744\",\n \"CVE-2022-35745\",\n \"CVE-2022-35746\",\n \"CVE-2022-35747\",\n \"CVE-2022-35748\",\n \"CVE-2022-35749\",\n \"CVE-2022-35750\",\n \"CVE-2022-35751\",\n \"CVE-2022-35752\",\n \"CVE-2022-35753\",\n \"CVE-2022-35755\",\n \"CVE-2022-35756\",\n \"CVE-2022-35757\",\n \"CVE-2022-35758\",\n \"CVE-2022-35759\",\n \"CVE-2022-35760\",\n \"CVE-2022-35761\",\n \"CVE-2022-35762\",\n \"CVE-2022-35763\",\n \"CVE-2022-35764\",\n \"CVE-2022-35765\",\n \"CVE-2022-35766\",\n \"CVE-2022-35767\",\n \"CVE-2022-35768\",\n \"CVE-2022-35769\",\n \"CVE-2022-35771\",\n \"CVE-2022-35792\",\n \"CVE-2022-35793\",\n \"CVE-2022-35794\",\n \"CVE-2022-35795\",\n \"CVE-2022-35820\"\n );\n script_xref(name:\"MSKB\", value:\"5016627\");\n script_xref(name:\"MSFT\", value:\"MS22-5016627\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n script_xref(name:\"IAVA\", value:\"2022-A-0320-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0319-S\");\n\n script_name(english:\"KB5016627: Windows Server 2022 Security Update (August 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5016627. It is, therefore, affected by multiple vulnerabilities\n\n - Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability (CVE-2022-35747, CVE-2022-35769)\n\n - Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability (CVE-2022-30133, CVE-2022-35744)\n\n - Windows WebBrowser Control Remote Code Execution Vulnerability (CVE-2022-30194)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5016627\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5016627\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5016627\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-34715\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-08';\nkbs = make_list(\n '5016627'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'08_2022',\n bulletin:bulletin,\n rollup_kb_list:[5016627])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-16T17:50:07", "description": "The remote Windows host is missing security update 5015875 or cumulative update 5015863. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015875: Windows Server 2012 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015875.NASL", "href": "https://www.tenable.com/plugins/nessus/163043", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163043);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015863\");\n script_xref(name:\"MSKB\", value:\"5015875\");\n script_xref(name:\"MSFT\", value:\"MS22-5015863\");\n script_xref(name:\"MSFT\", value:\"MS22-5015875\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015875: Windows Server 2012 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015875 or \ncumulative update 5015863. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015875\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015875 or Cumulative Update 5015863\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015875',\n '5015863'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015875, 5015863])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:50:20", "description": "The remote Windows host is missing security update 5015877 or cumulative update 5015874. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015877: Windows Server 2012 R2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015877.NASL", "href": "https://www.tenable.com/plugins/nessus/163042", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163042);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015874\");\n script_xref(name:\"MSKB\", value:\"5015877\");\n script_xref(name:\"MSFT\", value:\"MS22-5015874\");\n script_xref(name:\"MSFT\", value:\"MS22-5015877\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015877: Windows Server 2012 R2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015877\nor cumulative update 5015874. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015877\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015877\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015877 or Cumulative Update 5015874\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015877',\n '5015874'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015877, 5015874])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:50:08", "description": "The remote Windows host is missing security update 5015862 or cumulative update 5015866. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015862: Windows 7 and Windows Server 2008 R2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015862.NASL", "href": "https://www.tenable.com/plugins/nessus/163050", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163050);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015861\");\n script_xref(name:\"MSKB\", value:\"5015862\");\n script_xref(name:\"MSFT\", value:\"MS22-5015861\");\n script_xref(name:\"MSFT\", value:\"MS22-5015862\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015862: Windows 7 and Windows Server 2008 R2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015862 or \ncumulative update 5015866. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015862\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015862 or Cumulative Update 5015861\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22037\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015862',\n '5015861'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015862, 5015861])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:49:26", "description": "The remote Windows host is missing security update 5015832. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015832: Windows 10 LTS 1507 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015832.NASL", "href": "https://www.tenable.com/plugins/nessus/163053", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163053);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015832\");\n script_xref(name:\"MSFT\", value:\"MS22-5015832\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015832: Windows 10 LTS 1507 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015832. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015832\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015832\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015832\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015832'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:10240,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015832])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:49:26", "description": "The remote Windows host is missing security update 5015808.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30214, CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-22025, CVE-2022-22040, CVE-2022-22043, CVE-2022-30208)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30215, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21845, CVE-2022-22028, CVE-2022-22042, CVE-2022-22711, CVE-2022-30213, CVE-2022-30223)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015808: Windows 10 Version 1607 and Windows Server 2016 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015808.NASL", "href": "https://www.tenable.com/plugins/nessus/163052", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163052);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015808\");\n script_xref(name:\"MSFT\", value:\"MS22-5015808\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015808: Windows 10 Version 1607 and Windows Server 2016 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015808.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30214,\n CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-22025,\n CVE-2022-22040, CVE-2022-22043, CVE-2022-30208)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30215, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21845, CVE-2022-22028,\n CVE-2022-22042, CVE-2022-22711, CVE-2022-30213,\n CVE-2022-30223)\n\nNote that Nessus has not tested for these issues but has instead \nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015808\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015808\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015808\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30215\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015808'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:14393,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015808])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:49:55", "description": "The remote Windows host is missing security update 5015814. It is, therefore, affected by multiple vulnerabilities:\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22038, CVE-2022-30211, CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015814: Windows 11 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015814.NASL", "href": "https://www.tenable.com/plugins/nessus/163041", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163041);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30216\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015814\");\n script_xref(name:\"MSFT\", value:\"MS22-5015814\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015814: Windows 11 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015814. It is, therefore, affected by multiple vulnerabilities:\n \n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30220, CVE-2022-30224, CVE-2022-30225,\n CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22038, CVE-2022-30211,\n CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015814\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015814\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015814\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015814'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:22000,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015814])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:50:20", "description": "The remote Windows host is missing security update 5015811.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30214, CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30215, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015811: Windows 10 version 1809 / Windows Server 2019 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015811.NASL", "href": "https://www.tenable.com/plugins/nessus/163046", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163046);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015811\");\n script_xref(name:\"MSFT\", value:\"MS22-5015811\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015811: Windows 10 version 1809 / Windows Server 2019 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015811.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30214,\n CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30215, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015811\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015811\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015811\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30215\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015811'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:17763,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015811])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:49:55", "description": "The remote Windows host is missing security update 5015827. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22038, CVE-2022-30211, CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015827: Windows Server 2022 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-23816", "CVE-2022-23825", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015827.NASL", "href": "https://www.tenable.com/plugins/nessus/163045", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163045);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-23816\",\n \"CVE-2022-23825\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30216\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015827\");\n script_xref(name:\"MSFT\", value:\"MS22-5015827\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015827: Windows Server 2022 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015827. It is, therefore, affected by multiple vulnerabilities:\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30220, CVE-2022-30224, CVE-2022-30225,\n CVE-2022-30226)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22038, CVE-2022-30211,\n CVE-2022-30221, CVE-2022-30222)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015827\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015827\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015827'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:20348,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015827])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-01-16T17:49:25", "description": "The remote Windows host is missing security update 5015807. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30214, CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22045, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30215, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015807: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226", "CVE-2022-33644"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015807.NASL", "href": "https://www.tenable.com/plugins/nessus/163048", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163048);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22031\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22045\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-22711\",\n \"CVE-2022-27776\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30212\",\n \"CVE-2022-30213\",\n \"CVE-2022-30214\",\n \"CVE-2022-30215\",\n \"CVE-2022-30216\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30222\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\",\n \"CVE-2022-33644\"\n );\n script_xref(name:\"MSKB\", value:\"5015807\");\n script_xref(name:\"MSFT\", value:\"MS22-5015807\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015807: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015807. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30214,\n CVE-2022-30221, CVE-2022-30222)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22031,\n CVE-2022-22034, CVE-2022-22036, CVE-2022-22037,\n CVE-2022-22041, CVE-2022-22045, CVE-2022-22047,\n CVE-2022-22049, CVE-2022-22050, CVE-2022-30202,\n CVE-2022-30205, CVE-2022-30206, CVE-2022-30209,\n CVE-2022-30215, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015807\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015807\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015807\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30215\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015807'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvar os_name = get_kb_item(\"SMB/ProductName\");\n\nif (\n ( (\"enterprise\" >< tolower(os_name) || \"education\" >< tolower(os_name))\n &&\n smb_check_rollup(os:'10',\n os_build:19042,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015807]) \n )\n ||\n smb_check_rollup(os:'10',\n os_build:19043,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015807])\n || \n smb_check_rollup(os:'10',\n os_build:19044,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015807])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "atlassian": [{"lastseen": "2022-10-06T06:40:58", "description": "(i) *Update:* This advisory has been updated since its original publication.\r\n\r\n2022/08/01 12:00 PM PDT (Pacific Time, -7 hours)\r\n * {color:#172b4d}Updated the\u00a0_Remediation_ section to note that if the {{disabledsystemuser}} account is manually deleted, the app must also be updated or uninstalled to ensure the account does not get recreated{color}\r\n\r\n2022/08/01 11:00 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note the email service provider for the {{dontdeletethisuser@email.com}}\u00a0account has confirmed the account has been blocked\u00a0\r\n\r\n2022/07/30 1:15 PM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note that instances that have not remediated this vulnerability per the\u00a0_Remediation_ section below may send email notifications from Confluence to a third party email address\r\n * Additional details are available in [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html]\r\n\r\n2022/07/22 9:30 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Remediation_ section to explain only option 2 can be used for Confluence Server and Data Center instances configured to use a read-only external directory\r\n * Added a link to a page of frequently asked questions about CVE-2022-26138\r\n\r\n2022/07/21 8:30 AM PDT (Pacific Time, -7 hours)\r\n * An external party has discovered and publicly disclosed the hardcoded password on Twitter. *It is important to remediate this vulnerability on affected systems immediately.*\r\n * The Vulnerability Summary section has been updated to include this new information\r\n\r\nh3. Vulnerability Summary\r\n\r\nWhen the [Questions for Confluence app|https://marketplace.atlassian.com/apps/1211644/questions-for-confluence?hosting=server&tab=overview] is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username {{{}disabledsystemuser{}}}. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The {{disabledsystemuser}} account is created with a hardcoded password and is added to the {{confluence-users}} group, which allows viewing and editing all non-restricted pages within Confluence [by default|https://confluence.atlassian.com/doc/confluence-groups-139478.html]. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.\r\n\r\nThe {{disabledsystemuser}} account is configured with a third party email address ({{{}dontdeletethisuser@email.com{}}}) that is not controlled by Atlassian. If this vulnerability has not been remediated per the _Fixes_\u00a0section below, an affected instance\u00a0configured\u00a0to send\u00a0[notifications|https://confluence.atlassian.com/doc/email-notifications-145162.html]\u00a0will email that address.\u00a0One example\u00a0of an email notification is\u00a0[Recommended Updates Notifications|https://confluence.atlassian.com/doc/configuring-the-recommended-updates-email-notification-281480712.html], which contains a report of the top pages from Confluence spaces the user has permissions to view. mail.com, the free email provider that manages the {{dontdeletethisuser@email.com}}\u00a0account, has confirmed to Atlassian that the account has been blocked. This means it cannot be accessed by anyone unauthorized and cannot send or receive any new messages.\r\n\r\n(!) An external party has discovered and publicly disclosed the hardcoded password on Twitter. Refer to the _Remediation_ section below for guidance on how to remediate this vulnerability.\r\nh3. How To Determine If You Are Affected\r\n\r\nA Confluence Server or Data Center instance is affected if it has an active user account with the following information:\r\n * User: {{disabledsystemuser}}\r\n * Username: {{disabledsystemuser}}\r\n * Email: {{dontdeletethisuser@email.com}}\r\n\r\nIf this account does not show up in the list of active users, the Confluence instance is not affected.\r\nh3. Remediation\r\n\r\n(!) Uninstalling the Questions for Confluence app does *not* remediate this vulnerability. The {{disabledsystemuser}} account does not automatically get removed after the app has been uninstalled. If you have verified a Confluence Server or Data Center instance is affected, two equally effective ways to remediate this vulnerability are listed below. (!)\r\nh4. Option 1: Update to a non-vulnerable version of Questions for Confluence\r\n\r\nUpdate the Questions for Confluence app to a fixed version:\r\n * 2.7.x >= 2.7.38\r\n * Versions >= 3.0.5\r\n\r\nFor more information on how to update an app, refer to [Atlassian's documentation|https://confluence.atlassian.com/upm/updating-apps-273875710.html].\r\n\r\nFixed versions of the Questions for Confluence app stop creating the {{disabledsystemuser}} user account, and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.\r\n\r\n(!) If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), you will need to follow Option 2 below.\r\nh4. Option 2: Disable or delete the {{disabledsystemuser}} account\r\n\r\nSearch for the {{disabledsystemuser}} account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to [Atlassian's documentation|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html].\r\n\r\nIf you choose to delete the {{disabledsystemuser}} account, you must also [uninstall|https://confluence.atlassian.com/upm/uninstalling-apps-273875709.html] or upgrade the Questions for Confluence app to a non-vulnerable version. *Failure to do this could result in the account being recreated after it has been deleted.*\r\n\r\nIf Confluence is configured to use a read-only external directory, refer to the [Delete from a read-only external directory, or multiple external directories section|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html#DeleteorDisableUsers-Deletefromaread-onlyexternaldirectory,ormultipleexternaldirectories]\u00a0from the same document\r\nh3. Frequently Asked Questions\r\n\r\nWe'll update the\u00a0[FAQ for CVE-2022-26138|https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html]\u00a0with answers for commonly asked questions.\r\nh3. Security Advisory\r\n\r\nFor additional details, refer to [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html].\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T17:06:14", "type": "atlassian", "title": "Questions For Confluence App - Hardcoded Password", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-10-06T05:42:55", "id": "CONFSERVER-79483", "href": "https://jira.atlassian.com/browse/CONFSERVER-79483", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2022-07-18T12:20:51", "description": "A Windows 11 vulnerability, part of Microsoft\u2019s Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to advise patching of the elevation of privileges flaw by August 2.\n\nThe recommendation is directed at federal agencies and concerns [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047>), a vulnerability that carries a CVSS score of high (7.8) and exposes Windows Client Server Runtime Subsystem (CSRSS) used in Windows 11 (and earlier versions dating back to 7) and also Windows Server 2022 (and earlier versions 2008, 2012, 2016 and 2019) to attack.\n\n_[[**FREE On-demand Event**](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>): **Join Keeper Security\u2019s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **[WATCH HERE](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>)**.]_\n\nThe CSRSS bug is an elevation of privileges vulnerability that allows adversaries with a pre-established foothold on a targeted system to execute code as an unprivileged user. When the bug was first reported by Microsoft\u2019s own security team earlier this month it was classified as a zero-day, or a known bug with no patch. That patch was made available on [Tuesday July 5](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047>).\n\nResearchers at FortiGuard Labs, a division of Fortinet, said the threat the bug poses to business is \u201cmedium\u201d. [In a bulletin, researchers explain](<https://www.fortiguard.com/threat-signal-report/4671/known-active-exploitation-of-windows-csrss-elevation-of-privilege-vulnerability-cve-2022-22047>) the downgraded rating because an adversary needs advanced \u201clocal\u201d or physical access to the targeted system to exploit the bug and a patch is available.\n\nThat said, an attacker who has previously gained remote access to a computer system (via malware infection) could exploit the vulnerability remotely.\n\n\u201cAlthough there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement and escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges,\u201d FortiGuard Labs wrote.\n\n## Office and Adobe Documents Entry Points\n\nWhile the vulnerability is being actively exploited, there are no known public proof of concept exploits in the wild that can be used to help mitigate or sometimes fuel attacks, according to a [report by The Record](<https://therecord.media/cisa-adds-windows-bug-to-exploited-list-urges-agencies-to-patch-by-august-2/>).\n\n\u201cThe vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,\u201d wrote Trend Micro\u2019s [Zero Day Initiative (ZDI) in its Patch Tuesday](<https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review>) roundup last week.\n\n\u201cBugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default,\u201d wrote ZDI author Dustin Childs.\n\nMicrosoft recently said it would block the use of Visual Basic for Applications (VBA) macros by default in some of its Office apps, however set no timeline enforce the policy.\n\nCISA [added the Microsoft bug to its running list](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) of known exploited vulnerabilities on July 7 (search \u201cCVE-2022-22047\u201d to find the entry) and recommends simply, \u201capply updates per vendor instructions\u201d.\n\n_[[**FREE On-demand Event**](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>): **Join Keeper Security\u2019s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **[WATCH HERE](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>)**.]_\n\nImage: Courtesy of Microsoft\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-18T12:19:26", "type": "threatpost", "title": "CISA Urges Patch of Exploited Windows 11 Bug by Aug. 2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-18T12:19:26", "id": "THREATPOST:781705ADC10B0D40FC4B8D835FA5EA6D", "href": "https://threatpost.com/cisa-urges-patch-11-bug/180235/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-08-19T00:02:03", "description": "Over the last few months, Atlassian Confluence has increasingly become a target for attackers. In June 2022, a critical severity OGNL Remote Code Execution vulnerability was disclosed (CVE-2022-26134). More recently, CVE-2022-26138 was disclosed on social media platforms in July 2022.\n\nIn CVE-2022-26138, a Confluence user account is created by the Questions for Confluence app with hardcoded credentials stored inside the plugin jar file available on [Atlassian packages](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>). An attacker with knowledge of these credentials could log into the Confluence application and access all contents within the confluence-users group. [Atlassian](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has rated the vulnerability "critical" and highlighted that the vulnerability is being exploited in the wild.\n\nDue to the nature of this vulnerability, it can only be verified remotely by logging into the Confluence application with the hardcoded credentials. Traditional open source scanners and scripts are checking for the Location HTTP response header and 302 status code to verify the credentials, which could result in false positives. [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released QID 150556 that confirms the vulnerability detection in two steps. The detection takes an additional step to verify the valid credentials by navigating to the user profile page and verifying that the correct page is returned. This check is much more efficient in comparison to open source scanners and eliminates any possibility of false positives.\n\n## About CVE-2022-26138\n\nAccording to Confluence's [Questions for Confluence Security Advisory](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), both Confluence Server and Confluence Data Center products using affected versions of the Questions for Confluence app are impacted by CVE-2022-26138.\n\nAffected versions :\n\nQuestions for Confluence 2.7.x| 2.7.34 \n2.7.35 \n---|--- \nQuestions for Confluence 3.0.x| 3.0.2 \n \n## Hardcoded Credentials Vulnerability\n\nAffected versions of the Questions for Confluence app, when installed on a Confluence application, create a user account with username `disabledsystemuser` and password `disabled1system1user6708` and the account is added to confluence-users group, which allows viewing and editing all non-restricted pages within Confluence [by default](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>). A remote attacker can easily leverage these credentials to browse sensitive contents within the Confluence application.\n\nThese hardcoded credentials are stored in `default.properties` file inside a [`confluence-questions-X.X.X.jar` file](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>), as shown below.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/decompile.jpg)\n\n## Detecting the Vulnerability with Qualys Web Application Scanning\n\nExisting Qualys customers can detect CVE-2022-26138 on their target Confluence instance with Qualys Web Application Scanning (WAS) using the following Qualys ID (QID):\n\n * 150556 : Atlassian Confluence Server and Data Center : Questions for Confluence App - Hardcoded Credentials (CVE-2022-26138)\n\nThe QID is part of the core category. A vulnerability scan with a core or custom search list including the QID in the options profile will flag all vulnerable applications, as shown below.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/kb.jpg)\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, the user will see similar results in the vulnerability scan report, as shown here:\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/report.jpg)\n\n### Solution & Mitigation\n\nTo remediate this vulnerability, any organization using the Questions for Confluence app is advised to ensure the following:\n\n * Upgrade to Version 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)\n * Disable or delete the disabledsystemuser account\n\nPlease note that uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled. It is possible for this account to be present if the Questions for Confluence app was previously installed. It is advised to check the list of active users to ensure the Confluence instance is not affected.\n\n### Credit\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>\n\n### CVE Details:\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26138>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T10:12:53", "type": "qualysblog", "title": "Atlassian Confluence: Questions for Confluence App Hardcoded Credentials Vulnerability (CVE-2022-26138)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138"], "modified": "2022-08-17T10:12:53", "id": "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-14T00:03:27", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 121 vulnerabilities (aka flaws) in the August 2022 update, including 17 vulnerabilities classified as **_Critical_** as they allow Elevation of Privilege (EoP) and Remote Code Execution (RCE). This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited***** in attacks ([CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>)*****,[ CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>)). Earlier this month, August 5, 2022, Microsoft also released 20 Microsoft Edge (Chromium-Based) updates addressing Elevation of Privilege (EoP), Remote Code Execution (RCE), and Security Feature Bypass with severities of Low, Moderate, and Important respectively.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.\n\n## **The August 2022 Microsoft vulnerabilities are classified as follows:**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/August2022-ImpactSeverityRoundUp-1.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n\n# **Notable Microsoft Vulnerabilities Patched**\n\nA vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nIn May, Microsoft released a [blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as their research partners. _This CVE is a variant of the vulnerability publicly known as Dogwalk._\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n> ![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) Qualys director of vulnerability and threat research, [Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), said DogWalk had actually been reported back in 2019 but at the time was not thought to be dangerous as it required \u201csignificant user interaction to exploit,\u201d and there were other mitigations in place.\n> \n> - _Excerpt from [Surge in CVEs as Microsoft Fixes Exploited Zero Day Bug](<https://www.infosecurity-magazine.com/news/surge-cves-microsoft-fixes/>)_\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>) | Microsoft Exchange Information Disclosure Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.6/10.\n\nThis vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. For more information, see [Exchange Server Sup](<https://aka.ms/ExchangeEPDoc>)[port for Windows Extended Protection](<https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/>) and/or [The Exchange Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Unlikely_**\n\n* * *\n\n## **Security Feature Bypass Vulnerabilities Addressed**\n\nThese are **standalone security updates**. These packages must be installed in addition to the normal security updates to be protected from this vulnerability.\n\nThese security updates have a Servicing Stack Update prerequisite for specific KB numbers. The packages have a built-in pre-requisite logic to ensure the ordering.\n\nMicrosoft customers should ensure they have installed the latest Servicing Stack Update before installing these standalone security updates. See [ADV990001 | Latest Servicing Stack Updates](<https://msrc.microsoft.com/update-guide/security-guidance/advisory/ADV990001>) for more information.\n\nAn attacker who successfully exploited either of these three (3) vulnerabilities could bypass Secure Boot.\n\n### CERT/CC: [CVE-2022-34301](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34301>) Eurosoft Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34302>) New Horizon Data Systems Inc Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34303](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34303>) Crypto Pro Boot Loader Bypass\n\nAt the time of publication, a CVSSv3.1 score has not been assigned.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Like_**ly\n\n* * *\n\n## **Microsoft Critical and Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) covers multiple Microsoft product families, including Azure, Browser, Developer Tools, [Extended Security Updates (ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Exchange Server, Microsoft Office, System Center,, and Windows.\n\nA total of 86 unique Microsoft products/versions are affected, including .NET, Azure, Edge (Chromium-based), Excel, Exchange Server (Cumulative Update), Microsoft 365 Apps for Enterprise, Office, Open Management Infrastructure, Outlook, and System Center Operations Manager (SCOM), Visual Studio, Windows Desktop, and Windows Server.\n\nDownloads include IE Cumulative, Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-35766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35766>), [CVE-2022-35794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35794>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nAn unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>), [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nThis vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable. **Warning**: Disabling Port 1723 could affect communications over your network.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) | Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nThis vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.\n\nPlease see [Certificate-based authentication changes on Windows domain controllers](<https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16>) for more information and ways to protect your domain.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-33646](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33646>) | Azure Batch Node Agent Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.0/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in August, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>)[CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>), and [CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### [CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.6/10.\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. \n\nThe user would have to click on a specially crafted URL to be compromised by the attacker.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>)[CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>)[CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>) | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.3/10. _[Per Microsoft's severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance._\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released five (5) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 25 vulnerabilities affecting Adobe Acrobat and Reader, Commerce, FrameMaker, Illustrator, and Premiere Elements applications. Of these 25 vulnerabilities, 15 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 7.8/10 to 9.1/10, as summarized below.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/AdobeAugust2022-ImpactSeverityRoundUp-1.png)\n\n* * *\n\n### [APSB22-38](<https://helpx.adobe.com/security/products/magento/apsb22-38.html>) | Security update available for Adobe Commerce\n\nThis update resolves seven (7) vulnerabilities:\n\n * Four (4) **_[_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * One (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>), [important](<https://helpx.adobe.com/security/severity-ratings.html>), and [moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, and security feature bypass.\n\n* * *\n\n### [APSB22-39](<https://helpx.adobe.com/security/products/acrobat/apsb22-39.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves seven (7) vulnerabilities:\n\n * Three (3) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Four (4) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-41](<https://helpx.adobe.com/security/products/illustrator/apsb22-41.html>) | Security Updates Available for Adobe Illustrator\n\nThis update resolves four (4) vulnerabilities:\n\n * Two (2) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Illustrator 2022. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-42](<https://helpx.adobe.com/security/products/framemaker/apsb22-42.html>) | Security update available for Adobe FrameMaker\n\nThis update resolves six (6) vulnerabilities:\n\n * Five (5) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * One (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe FrameMaker. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution \nand memory leak. \n\n* * *\n\n### [APSB22-43](<https://helpx.adobe.com/security/products/premiere_elements/apsb22-43.html>) | Security update available for Adobe Premiere Elements\n\nThis update resolves one (1) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe FrameMaker. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution \nand memory leak. \n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n## Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories for August 1-9, 2022 _New Content_\n\n * [Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [VMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)](<https://threatprotect.qualys.com/2022/08/10/vmware-vrealize-operations-multiple-vulnerabilities-patched-in-the-latest-security-update-cve-2022-31672-cve-2022-31673-cve-2022-31674-cve-2022-31675/>)\n * [Cisco Patched Small Business RV Series Routers Multiple Vulnerabilities (CVE-2022-20827, CVE-2022-20841, and CVE-2022-20842)](<https://threatprotect.qualys.com/2022/08/04/cisco-patched-small-business-rv-series-routers-multiple-vulnerabilities-cve-2022-20827-cve-2022-20841-and-cve-2022-20842/>)\n * [VMware Patched Multiple Vulnerabilities in VMware Products including Identity Manager (vIDM) and Workspace ONE Access](<https://threatprotect.qualys.com/2022/08/03/vmware-patched-multiple-vulnerabilities-in-vmware-products-including-identity-manager-vidm-and-workspace-one-access/>)\n * [Atlassian Confluence Server and Confluence Data Center \u2013 Questions for Confluence App \u2013 Hardcoded Password Vulnerability (CVE-2022-26138)](<https://threatprotect.qualys.com/2022/08/01/atlassian-confluence-server-and-confluence-data-center-questions-for-confluence-app-hardcoded-password-vulnerability-cve-2022-26138/>)\n\n* * *\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/VMDR_2022AUG-1070x488.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>) _The old way of ranking vulnerabilities doesn\u2019t work anymore. Instead, enterprise security teams need to rate the true risks to their business. In this blog, we examine each of the risk scores delivered by Qualys TruRisk, the criteria used to compute them, and how they can be used to prioritize remediation._\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/PATCH_2022AUG-1070x488.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n## Evaluate Vendor-Suggested Workarounds with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>) _New Content_\n\nQualys\u2019 [Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires the implementation of a vendor-suggested workaround. A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. _ [Source](<https://www.techtarget.com/whatis/definition/workaround>)_\n\nThe following Qualys [Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) ](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>)have been updated to support Microsoft recommended workaround for this Patch Tuesday:\n\n#### **[CVE-2022-35793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35793>) | Windows Print Spooler Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n * 21711: Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### **[CVE-2022-35804](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35804>)** | **SMB Client and Server Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24476: Status of the SMBv3 Client compressions setting\n * 20233: Status of the SMBv3 Server compressions setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### ****[CVE-2022-35755](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35755>)** | **Windows Print Spooler Elevation of Privilege (EoP) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### **[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>)**, **[CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>)** | **Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 11220: List of \u2018Inbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n * 14028: List of \u2018Outbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### **[CVE-2022-34715](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34715>): Windows Network File System Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24139: Status of the Windows Network File System (NFSV4) service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### ****[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>): Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 4079: Status of the \u2018Active Directory Certificate Service\u2019\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\nThe following QQL will return a posture assessment for the CIDs for this Patch Tuesday:\n \n \n control:( id:`1368` OR id:`4079` OR id:`11220` OR id:`14028` OR id:`20233` OR id:`21711` OR id:`24139` OR id:`24476` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/PC_2022AUG-1070x488.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/qualys-shield.jpg) [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/qualys-shield.jpg) [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)\n\n* * *\n\n##### Patch Tuesday is Complete.\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n![This image has an empty alt attribute; its file name is image-1070x560.jpeg](https://blog.qualys.com/wp-content/uploads/2022/03/image-1070x560.jpeg)\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. \n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-09T20:00:00", "type": "qualysblog", "title": "August 2022 Patch Tuesday | Microsoft Releases 121 Vulnerabilities with 17 Critical, plus 20 Microsoft Edge (Chromium-Based); Adobe Releases 5 Advisories, 25 Vulnerabilities with 15 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20827", "CVE-2022-20841", "CVE-2022-20842", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-26138", "CVE-2022-30133", "CVE-2022-30134", "CVE-2022-30190", "CVE-2022-31672", "CVE-2022-31673", "CVE-2022-31674", "CVE-2022-31675", "CVE-2022-33636", "CVE-2022-33646", "CVE-2022-33649", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34691", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-35744", "CVE-2022-35755", "CVE-2022-35766", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35796", "CVE-2022-35804"], "modified": "2022-08-09T20:00:00", "id": "QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-15T23:58:32", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 84 vulnerabilities (aka flaws) in the July 2022 update, including four (4) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday cumulative Windows update includes the fix for one (1) actively exploited zero-day vulnerability ([CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)). Earlier this month, July 6, 2022, Microsoft also released two (2) Microsoft Edge (Chromium-Based) security updates as well.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Tampering.\n\nMany of the vulnerabilities patched this month relate to remote code execution, but there are no reports of active exploitation (in the wild) except for [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), a Windows CSRSS Elevation of Privilege Vulnerability.\n\n## The July 2022 Microsoft vulnerabilities are classified as follows: \n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-JULY-IMPACT-1.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/07/13/microsoft-patches-84-vulnerabilities-including-one-zero-day-and-four-critical-in-the-july-2022-patch-tuesday/>)\n\n* * *\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) | Windows CSRSS Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nElevation of Privilege - Important - An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. (Article [5015874](<https://support.microsoft.com/help/5015874>))\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n* * *\n\n# **Microsoft Critical Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) covers multiple Microsoft product families, including Azure, Browser, ESU, Microsoft Dynamics, Microsoft Office, System Center, and Windows.\n\nA total of 63 unique Microsoft products/versions are affected.\n\nDownloads include Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) | Windows Graphics Component Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\nWindows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 are only affected by this vulnerability if either RDP 8.0 or RDP 8.1 is installed. If you do not have either of these versions of RDP installed on Windows 7 SP1 or Window Server 2008 R2 SP1, then you are not affected by this vulnerability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Microsoft Last But Not Least**\n\nEarlier in July, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-2294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>) and [CVE-2022-2295](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2295>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released four (4) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 27 vulnerabilities affecting Adobe Acrobat, Character Animator, Photoshop, Reader, and RoboHelp applications. Of these 27 vulnerabilities, 18 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 6.5/10 to 7.8/10, as summarized below.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-JULY-ADOBE.png)\n\n* * *\n\n### [APSB22-10](<https://helpx.adobe.com/security/products/robohelp/apsb22-10.html>) | Security update available for RoboHelp\n\nThis update resolves one (1) [**_Important_** ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for RoboHelp. This update resolves a vulnerability rated [important](<https://helpx.adobe.com/security/severity-ratings.html>). Successful exploitation could lead to arbitrary code execution in the context of current user. \n\n* * *\n\n### [APSB22-32](<https://helpx.adobe.com/security/products/acrobat/apsb22-32.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves 22 vulnerabilities; 15 **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and seven (7) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_**[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2**_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>), and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n### [APSB22-34](<https://helpx.adobe.com/security/products/character_animator/apsb22-34.html>) | Security Updates Available for Adobe Character Animator\n\nThis update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>) _**vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution.\n\n* * *\n\n### [APSB22-35](<https://helpx.adobe.com/security/products/photoshop/apsb22-35.html>) | Security update available for Adobe Photoshop\n\nThis update resolves two (2) vulnerabilities; one (1) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and one (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. This update resolves a [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability and an [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n* * *\n\n# Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-VMDR-1-1070x451.png)\n\n* * *\n\n# Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-Patch-1070x451.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n![This image has an empty alt attribute; its file name is image-1070x560.jpeg](https://blog.qualys.com/wp-content/uploads/2022/03/image-1070x560.jpeg)\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. \n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-12T20:09:23", "type": "qualysblog", "title": "July 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-30190", "CVE-2022-30221"], "modified": "2022-07-12T20:09:23", "id": "QUALYSBLOG:65C282BB0F312A3AD8A043024FD3D866", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-03T20:04:30", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited***** in attacks (**[CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>)***,[ ](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>)**[CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>)**). Earlier this month, on September 1-2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) ([CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>)) ranked _**Low**_.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.\n\n## **The September 2022 Microsoft Vulnerabilities are Classified as follows:**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/09/2022-09_SEP-iMPACT-SEVERITY.png)\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>) | Windows TCP/IP Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34721](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34721>), [CVE-2022-34722](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34722>) | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nAn unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. NOTE: This vulnerability_ only impacts IKEv1_. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Zero-Day Vulnerabilities Addressed**\n\nA vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.\n\n### [CVE-2022-37969](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969>) | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nAn attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.\n\nAn attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n### [CVE-2022-23960](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23960>) | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of [5.6](<https://nvd.nist.gov/vuln/detail/CVE-2022-23960>)/10.\n\n[CVE-2022-23960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960>) is regarding a vulnerability known as Spectre-BHB. MITRE created this CVE on behalf of Arm Limited.\n\nPlease see [Spectre-BHB on arm Developer](<https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB>) for more information.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Less Likely**_\n\n* * *\n\n# **Microsoft Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Sep>) covers multiple Microsoft product families, including Azure, Browser, Developer Tools, [Extended Security Updates (ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Microsoft Dynamics, Microsoft Office, System Center, and Windows.\n\nA total of 92 unique Microsoft products/versions are affected, including but not limited to .NET, Azure Arc, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office SharePoint, SPNEGO Extended Negotiation, Visual Studio Code, Windows Common Log File System Driver, Windows Credential Roaming Service, Windows Defender, Windows Distributed File System (DFS), Windows DPAPI (Data Protection Application Programming Interface), Windows Enterprise App Management, Windows Event Tracing, Windows Group Policy, Windows IKE Extension, Windows Kerberos, Windows Kernel, Windows LDAP - Lightweight Directory Access Protocol, Windows ODBC Driver, Windows OLE, Windows Print Spooler Components, Windows Remote Access Connection Manager, Windows TCP/IP, and Windows Transport Security Layer (TLS).\n\nDownloads include Cumulative Update, Monthly Rollup, Security Hotpatch Update, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-38009](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38009>) | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nIn a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.\n\nThe attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-26929](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26929>) | .NET Framework Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nThe word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.\n\nFor example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-38007](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38007>) | Azure Guest Configuration and Azure Arc-enabled Servers Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nAn attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in September 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including [CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>). The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>)[CVE-2022-38012](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38012>) | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.7/10.\n\nThe word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.\n\nFor example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.\n\nThis vulnerability could lead to a browser sandbox escape.\n\nSuccessful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.\n\nNOTE: [Per Microsoft's severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance which explains why this CVE is rated as Low, but the CVSSv3.1 score is 7.7\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released seven (7) [security bulletins and advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 63 vulnerabilities affecting Adobe Animate, Bridge, Illustrator, InCopy, InDesign, Photoshop, and Experience Manager applications. Of these 63 vulnerabilities, 35 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_** and 28 rated as _****_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_****_; ranging in severity from a CVSS score of 5.3/10 to 7.8/10, as summarized below.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/09/2022-09_SEP-APSB-IMPACT-SEVERITY.png)\n\n* * *\n\n### [APSB22-40](<https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html>) | Security Update Available for Adobe Experience Manager\n\nThis update resolves 11 [_****__****_](<https://helpx.adobe.com/security/severity-ratings.html>)_****_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_****_ vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated [Important](<https://helpx.adobe.com/security/severity-ratings.html>). Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.\n\n* * *\n\n### [APSB22-49](<https://helpx.adobe.com/security/products/bridge/apsb22-49.html>) | Security Update Available for Adobe Bridge\n\nThis update resolves 12 vulnerabilities:\n\n * Ten (10) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): _3\n\nAdobe has released a security update for Adobe Bridge. This update addresses [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-50](<https://helpx.adobe.com/security/products/indesign/apsb22-50.html>) | Security Update Available for Adobe InDesign\n\nThis update resolves 18 vulnerabilities:\n\n * Eight (8) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Ten (10) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): _3\n\nAdobe has released a security update for Adobe InDesign. This update addresses multiple [critical ](<https://helpx.adobe.com/security/severity-ratings.html>)and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, and memory leak.\n\n* * *\n\n### [APSB22-52](<https://helpx.adobe.com/security/products/photoshop/apsb22-52.html>) | Security Update Available for Adobe Photoshop\n\nThis update resolves ten (10) vulnerabilities:\n\n * Nine (9) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * One (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-53](<https://helpx.adobe.com/security/products/incopy/apsb22-53.html>) | Security Update Available for Adobe InCopy\n\nThis update resolves seven (7) vulnerabilities:\n\n * Five (5) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe InCopy. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n### [APSB22-54](<https://helpx.adobe.com/security/products/animate/apsb22-54.html>) | Security Update Available for Adobe Animate\n\nThis update resolves two (2) [](<https://helpx.adobe.com/security/severity-ratings.html>)[_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Animate. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. \n\n* * *\n\n### [APSB22-55](<https://helpx.adobe.com/security/products/illustrator/apsb22-55.html>) | Security Update Available for Adobe Illustrator\n\nThis update resolves three (3) vulnerabilities:\n\n * One (1) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Illustrator 2022. This update resolves [critical ](<https://helpx.adobe.com/security/severity-ratings.html>)and [important ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n* * *\n\n## Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories from August to September 2022 Patch Tuesday Advisory\n\n_Sorted in Descending Order_\n\n * [Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday September 2022 Edition](<https://threatprotect.qualys.com/2022/09/14/microsoft-patches-vulnerabilities-79-including-16-microsoft-edge-chromium-based-with-2-zero-days-and-5-critical-in-patch-tuesday-september-2022-edition/>)\n * [Google Chrome Releases Fix for the Zero-day Vulnerability (CVE-2022-3075)](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)](<https://threatprotect.qualys.com/2022/08/29/atlassian-bitbucket-server-and-data-center-command-injection-vulnerability-cve-2022-36804/>)\n * [GitLab Patches Critical Remote Command Execution Vulnerability (CVE-2022-2884)](<https://threatprotect.qualys.com/2022/08/25/gitlab-patches-critical-remote-command-execution-vulnerability-cve-2022-2884/>)\n * [Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)](<https://threatprotect.qualys.com/2022/08/18/apple-releases-security-updates-to-patch-two-zero-day-vulnerabilities-cve-2022-32893-and-cve-2022-32894/>)\n * [Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)](<https://threatprotect.qualys.com/2022/08/18/google-chrome-zero-day-insufficient-input-validation-vulnerability-cve-2022-2856/>)\n * [Palo Alto Networks (PAN-OS) Reflected Amplification Denial-of-Service (DoS) Vulnerability (CVE-2022-0028)](<https://threatprotect.qualys.com/2022/08/16/palo-alto-networks-pan-os-reflected-amplification-denial-of-service-dos-vulnerability-cve-2022-0028/>)\n * [Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [VMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)](<https://threatprotect.qualys.com/2022/08/10/vmware-vrealize-operations-multiple-vulnerabilities-patched-in-the-latest-security-update-cve-2022-31672-cve-2022-31673-cve-2022-31674-cve-2022-31675/>)\n\n* * *\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91937` OR qid:`91938` OR qid:`91939` OR qid:`91940` OR qid:`91941` OR qid:`91942` OR qid:`91943` OR qid:`91944` OR qid:`91945` OR qid:`91946` OR qid:`91947` OR qid:`110415` OR qid:`110416` OR qid:`377590` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/09/VMDR-September2022-1070x488.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Qualys VMDR Recognized as Best VM Solution by SC Awards 2022 & Leader by GigaOm](<https://blog.qualys.com/product-tech/2022/08/22/qualys-vmdr-recognized-as-best-vm-solution-by-sc-awards-2022-leader-by-gigaom>) **_New_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>)\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches with one click.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91937` OR qid:`91938` OR qid:`91939` OR qid:`91940` OR qid:`91941` OR qid:`91942` OR qid:`91943` OR qid:`91944` OR qid:`91945` OR qid:`91946` OR qid:`91947` OR qid:`110415` OR qid:`110416` OR qid:`377590` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/09/PATCH-September2022-1070x488.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications](<https://blog.qualys.com/qualys-insights/2022/09/08/let-smart-automation-reduce-the-risk-of-zero-day-attacks-on-third-party-applications-2>) **_New_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n## Evaluate Vendor-Suggested Workarounds with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>)\n\nQualys\u2019 [Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires the implementation of a vendor-suggested workaround. A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. _ [Source](<https://www.techtarget.com/whatis/definition/workaround>)_\n\nThe following Qualys [Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) ](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>)have been updated to support Microsoft recommended workaround for this Patch Tuesday:\n\n#### [CVE-2022-38007](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38007>)** | Azure Guest Configuration and Azure Arc-enabled Servers Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nPolicy Compliance Control IDs (CIDs) for Checking Azure Arc-Enabled Servers on Linux:\n\n * **14112**: Status of the services installed on the Linux/UNIX host (stopped, running, failed, dead, \u2026) \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-34718](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34718>)**** | ****Windows TCP/IP Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **3720**: Status of the 'IPSEC Services' service\n * **14916**: Status of Windows Services \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n#### [CVE-2022-35838](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35838>)****** | **HTTP V3 Denial of Service (DoS) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **24717**: Status of the 'HTTP/3' service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-33679 ](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679>), [CVE-2022-33647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33647>)**** | **Windows Kerberos Elevation of Privilege (EoP) Vulnerability**\n\nThese vulnerabilities have a CVSSv3.1 score of 8.1/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **17108**: Status of the 'KDC support for claims, compound authentication and Kerberos armoring' setting (Enabled / Disabled)\n * **17109**: Status of the 'Kerberos client support for claims, compound authentication and Kerberos armoring' setting\n * **17197**: Status of the 'KDC support for claims, compound authentication, and Kerberos armoring' setting\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n#### [CVE-2022-38004](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38004>) **| Windows Network File System Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **1161**: Status of the 'Fax' service\n * **14916**: Status of Windows Services\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\nThe following QQL will return a posture assessment for the CIDs for this Patch Tuesday:\n \n \n control:( id:`1161` OR id:`3720` OR id:`14112` OR id:`14916` OR id:`14916` OR id:`17108` OR id:`17108` OR id:`17109` OR id:`17109` OR id:`17197` OR id:`17197` OR id:`24717` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/09/PC-September2022-1070x488.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/qualys-shield.jpg) [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>) **_New_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/08/qualys-shield.jpg) [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)\n\n* * *\n\n**Patch Tuesday is Complete.**\n\n* * *\n\n# Qualys [This Month in Vulnerabilities and Patches](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>) Webinar Series \n\n![This image has an empty alt attribute; its file name is image-1070x560.jpeg](https://blog.qualys.com/wp-content/uploads/2022/03/image-1070x560.jpeg)\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. \n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\n* * *\n\n## NEW & NOTEWORTHY UPCOMING EVENTS\n\nThe content within this section will spotlight Vulnerability Management, Patch Management, Threat Protections, and Policy Compliance adjacent events available to our new and existing customers.\n\n* * *\n\n[WEBINARS](<https://gateway.on24.com/wcc/eh/3347108/category/91385/upcoming-webinars>)\n\n## [Introducing Qualys Threat Thursdays](<https://blog.qualys.com/vulnerabilities-threat-research/2022/09/01/introducing-qualys-threat-research-thursdays>)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/10/ThreatThursday.png)\n\nThe **Qualys Research Team** announces the first in a series of regular monthly webinars covering the latest threat intelligence analysis and insight. Join us each month for Threat Thursdays, where we will zero in on a specific malware or other exploit observed in the wild\u2026 and how to defend against it.\n\nPlease join us for the first [Threat Thursdays](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) monthly webinar where the Qualys Threat Research Team will present the latest threat intelligence\u2026 each and every month! \n\nTo quickly navigate to Threat Thursday blog posts, please use <https://blog.qualys.com/tag/threat-thursday>\n\n* * *\n\n[CONFERENCES](<https://www.qualys.com/qsc/locations/>)\n\n[![](https://blog.qualys.com/wp-content/uploads/2022/10/QSC2022LV.png)](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821>)[Register Now](<https://www.qualys.com/qsc/2022/las-vegas/?utm_source=qualys-homepage&utm_medium=event&utm_campaign=homepage-banner-qsc-2022&utm_term=qsc-q4-2022&utm_content=qualys-homepage-qsc&leadsource=344572821>)\n\n## [Qualys Annual Security Conference](<https://www.qualys.com/qsc/get-notified/#las-vegas/>) #QSC22\n\nNovember 7-10, 2022 \n\nThe Venetian Resort Las Vegas, 3355 Las Vegas Blvd. South, Las Vegas, NV 89109, US\n\n[Book your hotel here](<https://book.passkey.com/gt/218594637?gtid=9914abda1b2fe722d872e0ac3e0bdc09>) & take advantage of the discounted QSC rate of $229+ per night\n\nOr find a conference [near you](<https://www.qualys.com/qsc/locations/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T20:00:00", "type": "qualysblog", "title": "September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities with 5 Critical, plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities with 35 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0028", "CVE-2022-22047", "CVE-2022-23960", "CVE-2022-26929", "CVE-2022-2856", "CVE-2022-2884", "CVE-2022-30134", "CVE-2022-3075", "CVE-2022-31672", "CVE-2022-31673", "CVE-2022-31674", "CVE-2022-31675", "CVE-2022-32893", "CVE-2022-32894", "CVE-2022-33647", "CVE-2022-33679", "CVE-2022-34718", "CVE-2022-34721", "CVE-2022-34722", "CVE-2022-35838", "CVE-2022-36804", "CVE-2022-37969", "CVE-2022-38004", "CVE-2022-38007", "CVE-2022-38009", "CVE-2022-38012"], "modified": "2022-09-13T20:00:00", "id": "QUALYSBLOG:DE2E40D3BB574E53C7448F3A304849C9", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-07-25T12:00:43", "description": "Threat Level Vulnerability Report For a detailed advisory, download the pdf file here Summary Atlassian has released patches to address a critical security flaw, being tracked as CVE-2022-26138 involving the usage of hard-coded credentials in the Questions For Confluence app for Confluence Server and Confluence Data Center. Additionally, CVE-2022-26136 has been assigned to an authentication bypass and cross-site scripting (XSS) vulnerabilities and CVE-2022-26137 has been assigned to a Cross-origin resource sharing (CORS) bypass vulnerability. Both CVEs impact multiple Atlassian products.", "cvss3": {}, "published": "2022-07-25T11:10:10", "type": "hivepro", "title": "Critical Vulnerabilities in Multiple Atlassian Products being exploited-in-wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-25T11:10:10", "id": "HIVEPRO:D92A8F5DF20362E41FF86142A0BECE42", "href": "https://www.hivepro.com/critical-vulnerabilities-in-multiple-atlassian-products-being-exploited-in-wild/", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2022-07-29T21:59:42", "description": "![Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](https://blog.rapid7.com/content/images/2022/07/GettyImages-1059877984.jpg)\n\nExploitation is underway for one of the [trio of critical Atlassian vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) that were published last week affecting several the company\u2019s on-premises products. Atlassian has been a focus for attackers, as it was less than two months ago that we observed exploitation of [CVE-2022-26134 in Confluence Server and Confluence Data Center](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>).\n\n**CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:**\n\n * Confluence Server\n * Confluence Data Center\n\n**CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:**\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Crucible\n * Fisheye\n * Jira Server and Data Center\n * Jira Service Management Server and Data Center\n\n## CVE-2022-26138: Hardcoded password in Questions for Confluence app\n\nThe most critical of these three is [CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), as it was quickly exploited in the wild once the hardcoded password was released on social media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization\u2019s Confluence instance. Unsurprisingly, it didn\u2019t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.\n\n## Affected versions\n\n * Questions for Confluence 2.7.x\n\n * 2.7.34\n * 2.7.35\n * Questions for Confluence\n\n * 3.0.x\n * 3.0.2\n\n## Mitigation guidance\n\nOrganizations using on-prem Confluence should follow Atlassian\u2019s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian\u2019s advisory also includes information on how to look for evidence of exploitation. An [FAQ](<https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html>) has also been provided.\n\n> Please note: Atlassian\u2019s [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has a very important call-out that \u201cuninstalling the Questions for Confluence app does not remediate this vulnerability.\u201d\n\n## CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities\n\nTwo other vulnerabilities were announced at the same time, [CVE-2022-26136 and CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>), which are also rated critical by Atlassian. They both are issues with Servlet Filters in Java and can be exploited by remote, unauthenticated attackers. Cloud versions of Atlassian have already been fixed by the company.\n\nThe list of affected versions is long and can be found on [Atlassian\u2019s Security Advisory](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>).\n\nWhile the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-26138 with a remote vulnerability check released on July 29, 2022 (ContentOnly-content-1.1.2602-202207292027).\n\n## Updates\n\n07/29/2022 - 5:30 PM EDT \nUpdated Rapid7 customers section to include information on a new remote vulnerability check.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T19:26:38", "type": "rapid7blog", "title": "Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-27T19:26:38", "id": "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "href": "https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-26T16:04:26", "description": "![CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center](https://blog.rapid7.com/content/images/2022/09/atlassian-bitbucket-etr.jpg)\n\nOn August 24, 2022, Atlassian published [an advisory for Bitbucket Server and Data Center](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html>) alerting users to [CVE-2022-36804](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>). The advisory reveals a command injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository or with **read permissions** to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. CVE-2022-36804 carries a CVSSv3 score of 9.8 and is easily exploitable. Rapid7\u2019s vulnerability research team has a [full technical analysis in AttackerKB](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>), including how to use CVE-2022-36804 to create a simple reverse shell.\n\n[According to Shodan](<https://www.shodan.io/search?query=http.component%3A%22atlassian+bitbucket%22>), there are about 1,400 internet-facing servers, but it\u2019s not immediately obvious how many have a public repository. There are no public reports of exploitation in the wild as of September 20, 2022 (edit: see note below), but there has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available. Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse- engineer, it\u2019s likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon.\n\n**Note:** Several threat intelligence sources [reported](<https://twitter.com/Shadowserver/status/1573300004072132608>) seeing exploitation attempts in the wild as of September 23, 2022.\n\n**Affected products:** \nBitbucket Server and Data Center 7.6 prior to 7.6.17 \nBitbucket Server and Data Center 7.17 prior to 7.17.10 \nBitbucket Server and Data Center 7.21 prior to 7.21.4 \nBitbucket Server and Data Center 8.0 prior to 8.0.3 \nBitbucket Server and Data Center 8.1 prior to 8.1.3 \nBitbucket Server and Data Center 8.2 prior to 8.2.2 \nBitbucket Server and Data Center 8.3 prior to 8.3.1\n\n## Mitigation guidance\n\nOrganizations that use Bitbucket Server and Data Center in their environments should patch as quickly as possible [using Atlassian's guide](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-upgrade-guide-776640551.html>), without waiting for a regular patch cycle to occur. Blocking network access to Bitbucket may also function as a temporary stop-gap solution, but this should not be a substitute for patching.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-36804 with an unauthenticated vulnerability check in the September 20, 2022 content release (`ContentOnly-content-1.1.2653-202209202050`).\n\nA detection rule, `Suspicious Process - Atlassian BitBucket Spawns Suspicious Commands`, was deployed to InsightIDR around 10am ET on September 22, 2022.\n\n## Updates\n\n**September 22, 2022 10:00AM ET** \nUpdated Rapid7 customers section to include information on a new IDR detection rule.\n\n**September 26, 2022 10:30 AM EDT** \nUpdated to reflect reports of exploitation in the wild.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>)_\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-20T15:14:26", "type": "rapid7blog", "title": "CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138", "CVE-2022-27511", "CVE-2022-29499", "CVE-2022-36804"], "modified": "2022-09-20T15:14:26", "id": "RAPID7BLOG:BCF3916E38EC7840E9BABBDD5431352B", "href": "https://blog.rapid7.com/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-26T21:03:28", "description": "![Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite](https://blog.rapid7.com/content/images/2022/08/zimbra-etr.jpg)\n\nOver the past few weeks, five different vulnerabilities affecting [Zimbra Collaboration Suite](<https://www.zimbra.com/>) have come to our attention, one of which is unpatched, and four of which are being actively and widely exploited in the wild by well-organized threat actors. We urge organizations who use Zimbra to patch to the **[latest version](<https://wiki.zimbra.com/wiki/Zimbra_Releases>)** on an urgent basis, and to upgrade future versions as quickly as possible once they are released.\n\n## Exploited RCE vulnerabilities\n\nThe following vulnerabilities can be used for remote code execution and are being [exploited in the wild](<https://www.cisa.gov/uscert/ncas/alerts/aa22-228a>).\n\n### CVE-2022-30333\n\n[CVE-2022-30333](<https://nvd.nist.gov/vuln/detail/CVE-2022-30333>) is a path traversal vulnerability in `unRAR`, Rarlab\u2019s command line utility for extracting RAR file archives. CVE-2022-30333 allows an attacker to write a file anywhere on the target file system as the user that executes `unrar`. Zimbra Collaboration Suite uses a vulnerable implementation of `unrar` (specifically, the `amavisd` component, which is used to inspect incoming emails for spam and malware). Zimbra addressed this issue in [9.0.0 patch 25](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>) and [8.5.15 patch 32](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32>) by replacing `unrar` with `7z`.\n\nOur research team has a [full analysis of CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>) in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16796>) is also available. Note that the server **does not** necessarily need to be internet-facing to be exploited \u2014 it simply needs to receive a malicious email.\n\n### CVE-2022-27924\n\nCVE-2022-27924 is a blind Memcached injection vulnerability [first analyzed publicly](<https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/>) in June 2022. Successful exploitation allows an attacker to change arbitrary keys in the Memcached cache to arbitrary values. In the worst-case scenario, an attacker can steal a user\u2019s credentials when a user attempts to authenticate. Combined with [CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>), an authenticated remote code execution vulnerability, and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>), a currently unpatched privilege escalation issue that was publicly disclosed [in October 2021](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>), capturing a user\u2019s password can lead to remote code execution as the root user on an organization\u2019s email server, which frequently contains sensitive data.\n\nOur research team has a [full analysis of CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>) in AttackerKB. Note that an attacker does need to know a username on the server in order to exploit CVE-2022-27924. According to Sonar, it is also possible to poison the cache for _any_ user by stacking multiple requests.\n\n### CVE-2022-27925\n\n[CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>) is a directory traversal vulnerability in Zimbra Collaboration Suite Network Edition versions 8.8.15 and 9.0 that allows an authenticated user with administrator rights to upload arbitrary files to the system. (Note that Open Source Edition does not have that endpoint and is therefore not vulnerable.) On August 10, 2022, security firm [Volexity published findings](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) from multiple customer compromise investigations that indicated CVE-2022-27925 was being exploited in combination with a zero-day authentication bypass, now assigned CVE-2022-37042, that allowed attackers to leverage CVE-2022-27925 _without_ authentication.\n\n**Note:** Although the public advisories don't mention it, our testing indicated that Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable, and the Open Source Edition (free) is not (since it does not have the vulnerable `mboximport` endpoint). Vulnerable versions are:\n\n * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)\n * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)\n\nOur research team has a [full analysis of CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>) in AttackerKB.\n\n### CVE-2022-37042\n\nAs noted above, CVE-2022-37042 is a critical authentication bypass that arises from an incomplete fix for CVE-2022-27925. Zimbra patched CVE-2022-37042 in [9.0.0P26](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26>) and [8.8.15P33](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33>).\n\n## Unpatched privilege escalation CVE-2022-37393\n\nIn October of 2021, researcher Darren Martyn [published an exploit](<https://github.com/darrenmartyn/zimbra-slapper/>) for a zero-day [root privilege escalation vulnerability](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>) in Zimbra Collaboration Suite. When successfully exploited, the vulnerability allows a user with a shell account as the `zimbra` user to escalate to root privileges. While this issue requires a local account on the Zimbra host, the previously mentioned vulnerabilities in this blog post offer plenty of opportunity to obtain it.\n\nOur research team tested the privilege escalation in combination with CVE-2022-30333 at the end of July 2022, as well as the fully patched version on August 17, 2022, and found that all versions of Zimbra were affected through at least 9.0.0 P26 and 8.8.15 P33. Rapid7 disclosed the vulnerability to Zimbra on July 21, 2022 and later assigned [CVE-2022-37393](<https://nvd.nist.gov/vuln/detail/CVE-2022-37393>) (still awaiting NVD analysis) to track it. A [full analysis of CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) is available in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16807>) is also available.\n\n## Mitigation guidance\n\nWe strongly advise that all organizations who use Zimbra in their environments update to the latest available version (at time of writing, the latest versions available are 9.0.0 P26 and 8.8.15 P33) to remediate known remote code execution vectors. We also advise monitoring [Zimbra\u2019s release communications](<https://wiki.zimbra.com/wiki/Zimbra_Releases>) for future security updates, and patching on an urgent basis when new versions become available.\n\nThe AttackerKB analyses for [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>), [CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>), [CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>), and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) all include vulnerability details (including proofs of concept) and sample indicators of compromise (IOCs). Volexity\u2019s [blog](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) also has information on how to look for webshells dropped on Zimbra instances, such as comparing the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. They have published [lists of valid JSP files included in Zimbra installations](<https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20\$Un\$authenticated%20Zimbra%20RCE%20CVE-2022-27925>) for the latest version of 8.8.15 and of 9.0.0 (at time of writing).\n\nFinally, we recommend blocking internet traffic to Zimbra servers wherever possible and [configuring Zimbra to block external Memcached](<https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack>), even on patched versions of Zimbra.\n\n## Rapid7 customers\n\nVulnerability checks for all five Zimbra CVEs are available via a content-only update as of August 18, 3pm ET.\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR\u2019s built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Suspicious Process - Zimbra Collaboration Suite Webserver Spawns Script Interpreter\n * Suspicious Process - \u201cZimbra\u201d User Runs Shell or Script Interpreter\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_\n * _[Active Exploitation of Confluence CVE-2022-26134](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T12:55:18", "type": "rapid7blog", "title": "Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-08-17T12:55:18", "id": "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "href": "https://blog.rapid7.com/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-28T15:43:01", "description": "![What\u2019s New in InsightVM and Nexpose: Q3 2022 in Review](https://blog.rapid7.com/content/images/2022/09/insightvm-q3-2022.jpg)\n\nAnother quarter comes to a close! While we definitely had our share of summer fun, our team continued to invest in the product, releasing features and updates like recurring coverage for enterprise technologies, performance enhancements, and more. Let\u2019s take a look at some of the key releases in [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) from Q3. \n\n## [[InsightVM](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>) and [Nexpose](<https://docs.rapid7.com/nexpose/recurring-vulnerability-coverage/>)] Recurring coverage for VMware vCenter\n\nRecurring coverage provides ongoing, automatic vulnerability coverage for popular enterprise technology and systems. We recently added VMware vCenter to our list.\n\nVMware vCenter Server is a centralized management platform used to manage virtual machines, ESXi hosts, and dependent components from a single host. Last year, vCenter was a significant target for bad actors and became the subject of a [number](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>) [of](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>) zero-days. Rapid7 provided ad hoc coverage to protect you against the vulnerabilities. Now, recurring coverage ensures fast, comprehensive protection that provides offensive and defensive security against vCenter vulnerabilities as they arise.\n\n## [InsightVM and Nexpose] Tune Assistant\n\nThe Security Console in InsightVM and Nexpose contains components that benefit from performance tuning. Tune Assistant is a built-in feature that will calculate performance tuning values based on resources allocated to the Security Console server, then automatically apply those values.\n\nTuning is calculated and applied to all new consoles when the product first starts up, and customers experiencing performance issues on existing consoles can now easily increase their own resources. For more information, read our [docs page](<https://docs.rapid7.com/insightvm/configuring-maximum-performance-in-an-enterprise-environment/>) on configuring maximum performance in an enterprise environment.\n\n![What\u2019s New in InsightVM and Nexpose: Q3 2022 in Review](https://blog.rapid7.com/content/images/2022/09/image1-7.png)\n\n## [InsightVM and Nexpose] Windows Server 2022 Support\n\nWe want to ensure InsightVM and Nexpose are supported on business-critical technologies and operating systems. We added Windows Server 2022, the latest operating system for servers from Microsoft, to our list. The Scan Engine and Security Console can be installed and will be supported by Rapid7 on Windows Server 2022. [Learn more](<https://www.rapid7.com/products/insightvm/system-requirements/>) about the systems we support. \n\n## [InsightVM and Nexpose] Checks for notable vulnerabilities\n\nWith exploitation of major vulnerabilities in [Mitel MiVoice Connect](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>), multiple [Confluence](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>) [applications](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>), and [other](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>) [popular](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>) [solutions](<https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/>), the threat actors definitely did not take it easy this summer. InsightVM and Nexpose customers can assess their exposure to many of these CVEs for vulnerability checks, including:\n\n * **Mitel MiVoice Connect Service Appliance | CVE-2022-29499:** An onsite VoIP business phone system, MiVoice Connect had a data validation vulnerability, which arose from insufficient data validation for a diagnostic script. The vulnerability potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>).\n * **\u201cQuestions\u201d add-on for Confluence Application | CVE-2022-26138:** This vulnerability affected \u201cQuestions,\u201d an add-on for the Confluence application. It was quickly exploited in the wild once the hardcoded password was released on social media. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).\n * **Multiple vulnerabilities in Zimbra Collaboration Suite:** Zimbra, a business productivity suite, was affected by five different vulnerabilities, one of which was unpatched, and four of which were being actively and widely exploited in the wild by well-organized threat actors. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>).\n * **CVE-2022-30333**\n * **CVE-2022-27924**\n * **CVE-2022-27925**\n * **CVE-2022-37042**\n * **CVE-2022-37393**\n\nWe were hard at work this summer making improvements and increasing the level of protections against attackers for our customers. As we head into the fall and the fourth quarter of the year, you can bet we will continue to make InsightVM the best and most comprehensive risk management platform available. Stay tuned for more great things, and have a happy autumn.\n\n_**Additional reading:**_\n\n * _[The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading](<https://www.rapid7.com/blog/post/2022/09/14/the-2022-sans-top-new-attacks-and-threats-report-is-in-and-its-required-reading/>)_\n * _[InsightVM: Best Practices to Improve Your Console](<https://www.rapid7.com/blog/post/2022/09/12/insightvm-best-practices-to-improve-your-console/>)_\n * _[5 Steps for Dealing With Unknown Environments in InsightVM](<https://www.rapid7.com/blog/post/2022/09/06/5-steps-for-dealing-with-unknown-environments-in-insightvm/>)_\n * _[What\u2019s New in InsightVM and Nexpose: Q2 2022 in Review](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>)_[ \n](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-28T14:11:35", "type": "rapid7blog", "title": "What\u2019s New in InsightVM and Nexpose: Q3 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005", "CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-36804", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-09-28T14:11:35", "id": "RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "href": "https://blog.rapid7.com/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-16T21:58:42", "description": "![Patch Tuesday - July 2022](https://blog.rapid7.com/content/images/2022/07/patches-2.jpg)\n\nMicrosoft\u2019s updates for [July's Patch Tuesday](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) fix 86 CVEs, including two vulnerabilities in their Chromium-based Edge browser that were patched earlier in the month.\n\nOne 0-day vulnerability has been patched: [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) affects all currently supported versions of Microsoft\u2019s pervasive operating system. This is an elevation-of-privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS), a critical service that is often impersonated by malware. An attacker with an already-existing foothold can exploit this vulnerability to gain SYSTEM-level privileges. Two similar vulnerabilities in CSRSS ([CVE-2022-22049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22049>) and [CVE-2022-22026](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026>)) were also fixed, likely as a result of Microsoft\u2019s investigation into the in-the-wild exploitation of [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>).\n\nFour critical remote code execution (RCE) vulnerabilities were fixed today. [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) and [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) affect network file system (NFS) servers, and [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) affects the remote procedure call (RPC) runtime. Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later. [CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) supposedly affects the Windows Graphics Component, though Microsoft\u2019s FAQ indicates that exploitation requires users to access a malicious RDP server.\n\nOver a third of today\u2019s vulnerabilities (a whopping 32 CVEs) affect their Azure Site Recovery offering. Anyone making use of this VMWare-to-Azure backup solution should be sure to upgrade to version 9.49 of the Microsoft Azure Site Recovery Unified Setup, available in [Update rollup 62](<https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b>).\n\n## Summary charts\n\n![Patch Tuesday - July 2022](https://blog.rapid7.com/content/images/2022/07/2022-07-vuln_count_severity.png)![Patch Tuesday - July 2022](https://blog.rapid7.com/content/images/2022/07/2022-07-vuln_count_impact.png)![Patch Tuesday - July 2022](https://blog.rapid7.com/content/images/2022/07/2022-07-cvssv3_hist.png)![Patch Tuesday - July 2022](https://blog.rapid7.com/content/images/2022/07/2022-07-vuln_count_component.png)\n\n## Summary tables\n\n### Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-33676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33676>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-33678](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33678>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-33674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33674>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-33675](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33675>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-33677](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33677>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-30181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30181>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33641>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33643>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33655](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33655>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33656>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33657](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33657>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33661](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33661>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33662](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33662>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33663](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33663>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33665](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33665>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33666](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33666>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33667](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33667>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33672](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33672>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33673](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33673>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-33642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33642>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33650>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33651>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33653>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33654>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33659](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33659>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33660>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33664](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33664>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33668](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33668>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33669](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33669>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33671](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33671>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-33652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33652>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes \n[CVE-2022-33658](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33658>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes \n \n### Azure Microsoft Dynamics vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-30187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30187>) | Azure Storage Library Information Disclosure Vulnerability | No | No | 4.7 | Yes \n \n### Browser vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-2295](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2295>) | Chromium: CVE-2022-2295 Type Confusion in V8 | No | No | N/A | Yes \n[CVE-2022-2294](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2294>) | Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC | No | No | N/A | Yes \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-33633](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33633>) | Skype for Business and Lync Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-33632](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33632>) | Microsoft Office Security Feature Bypass Vulnerability | No | No | 4.7 | Yes \n \n### System Center vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-33637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33637>) | Microsoft Defender for Endpoint Tampering Vulnerability | No | No | 6.5 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-33644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33644>) | Xbox Live Save Service Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-22045](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22045>) | Windows.Devices.Picker.dll Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30222>) | Windows Shell Remote Code Execution Vulnerability | No | No | 8.4 | Yes \n[CVE-2022-30216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30216>) | Windows Server Service Tampering Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-22041](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22041>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-30214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30214>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-22031](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22031>) | Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30212](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30212>) | Windows Connected Devices Platform Service Information Disclosure Vulnerability | No | No | 4.7 | Yes \n[CVE-2022-22711](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22711>) | Windows BitLocker Information Disclosure Vulnerability | No | No | 6.7 | Yes \n[CVE-2022-22038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22038>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-27776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-27776>) | HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data | No | No | N/A | Yes \n[CVE-2022-30215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30215>) | Active Directory Federation Services Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n \n### Windows ESU vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-30208](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30208>) | Windows Security Account Manager (SAM) Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-30206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30206>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30226>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.1 | Yes \n[CVE-2022-22022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22022>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.1 | Yes \n[CVE-2022-22023](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22023>) | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-22029](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22029>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-22039](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22039>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-22028](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22028>) | Windows Network File System Information Disclosure Vulnerability | No | No | 5.9 | Yes \n[CVE-2022-30225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30225>) | Windows Media Player Network Sharing Service Elevation of Privilege Vulnerability | No | No | 7.1 | Yes \n[CVE-2022-30211](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30211>) | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21845](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21845>) | Windows Kernel Information Disclosure Vulnerability | No | No | 4.7 | Yes \n[CVE-2022-22025](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22025>) | Windows Internet Information Services Cachuri Module Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-30209](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30209>) | Windows IIS Server Elevation of Privilege Vulnerability | No | No | 7.4 | Yes \n[CVE-2022-22042](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22042>) | Windows Hyper-V Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-30223](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30223>) | Windows Hyper-V Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2022-30205](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30205>) | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 6.6 | Yes \n[CVE-2022-30221](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30221>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-22034](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22034>) | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30213](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30213>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-22024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22024>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-22027](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22027>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-22050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22050>) | Windows Fax Service Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-22043](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22043>) | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30220](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30220>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-22026](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22026>) | Windows CSRSS Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-22047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22047>) | Windows CSRSS Elevation of Privilege Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2022-22049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22049>) | Windows CSRSS Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30203](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30203>) | Windows Boot Manager Security Feature Bypass Vulnerability | No | No | 7.4 | Yes \n[CVE-2022-22037](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22037>) | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-30202](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30202>) | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-30224](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30224>) | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-22036](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22036>) | Performance Counters for Windows Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-22040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22040>) | Internet Information Services Dynamic Compression Module Denial of Service Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-22048](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22048>) | BitLocker Security Feature Bypass Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-23825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23825>) | AMD: CVE-2022-23825 AMD CPU Branch Type Confusion | No | No | N/A | Yes \n[CVE-2022-23816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23816>) | AMD: CVE-2022-23816 AMD CPU Branch Type Confusion | No | No | N/A | Yes \n \n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T19:40:15", "type": "rapid7blog", "title": "Patch Tuesday - July 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-23816", "CVE-2022-23825", "CVE-2022-27776", "CVE-2022-30181", "CVE-2022-30187", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226", "CVE-2022-33632", "CVE-2022-33633", "CVE-2022-33637", "CVE-2022-33641", "CVE-2022-33642", "CVE-2022-33643", "CVE-2022-33644", "CVE-2022-33650", "CVE-2022-33651", "CVE-2022-33652", "CVE-2022-33653", "CVE-2022-33654", "CVE-2022-33655", "CVE-2022-33656", "CVE-2022-33657", "CVE-2022-33658", "CVE-2022-33659", "CVE-2022-33660", "CVE-2022-33661", "CVE-2022-33662", "CVE-2022-33663", "CVE-2022-33664", "CVE-2022-33665", "CVE-2022-33666", "CVE-2022-33667", "CVE-2022-33668", "CVE-2022-33669", "CVE-2022-33671", "CVE-2022-33672", "CVE-2022-33673", "CVE-2022-33674", "CVE-2022-33675", "CVE-2022-33676", "CVE-2022-33677", "CVE-2022-33678"], "modified": "2022-07-12T19:40:15", "id": "RAPID7BLOG:B54637535A9D368B19D4D9881C6C34B3", "href": "https://blog.rapid7.com/2022/07/12/patch-tuesday-july-2022/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T00:04:15", "description": "![Patch Tuesday - August 2022](https://blog.rapid7.com/content/images/2022/08/patches-2.jpg)\n\nIt's the week of [Hacker Summer Camp](<https://www.rapid7.com/blog/post/2022/08/04/what-were-looking-forward-to-at-black-hat-def-con-and-bsideslv-2022/>) in Las Vegas, and Microsoft has [published](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) fixes for 141 separate vulnerabilities in their swath of August updates. This is a new monthly record by raw CVE count, but from a patching perspective, the numbers are slightly less dire. 20 CVEs affect their Chromium-based Edge browser, and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month). As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.\n\nThere is one 0-day being patched this month. [CVE-2022-34713](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713>) is a remote code execution (RCE) vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT) \u2013 it carries a CVSSv3 base score of 7.8, as it requires convincing a potential victim to open a malicious file. The advisory indicates that this CVE is a variant of the \u201cDogwalk\u201d vulnerability, which made news alongside [Follina](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>) (CVE-2022-30190) back in May.\n\nPublicly disclosed, but not (yet) exploited is [CVE-2022-30134](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30134>), an Information Disclosure vulnerability affecting Exchange Server. In this case, simply patching is not sufficient to protect against attackers being able to read targeted email messages. Administrators should [enable Extended Protection](<https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/>) in order to fully remediate this vulnerability, as well as [the](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21979>) [five](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21980>) [other](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24516>) [vulnerabilities](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24477>) [affecting](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34692>) Exchange this month. Details about how to accomplish this are available via the [Exchange Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\nMicrosoft also patched several flaws affecting Remote Access Server (RAS). The most severe of these ([CVE-2022-30133](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30133>) and [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35744>)) are related to Windows Point-to-Point Tunneling Protocol and could allow RCE simply by sending a malicious connection request to a server. Seven CVEs affecting the Windows Secure Socket Tunneling Protocol (SSTP) on RAS were also fixed this month: six RCEs and one Denial of Service. If you have RAS in your environment but are unable to patch immediately, consider blocking traffic on port 1723 from your network.\n\nVulnerabilities affecting Windows Network File System (NFS) have been trending in recent months, and today sees Microsoft patching [CVE-2022-34715](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34715>) (RCE, CVSS 9.8) affecting NFSv4.1 on Windows Server 2022.\n\nThis is the worst of it. One last vulnerability to highlight: [CVE-2022-35797](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35797>) is a Security Feature Bypass in [Windows Hello](<https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication#external-camera-security>) \u2013 Microsoft\u2019s biometric authentication mechanism for Windows 10. Successful exploitation requires physical access to a system, but would allow an attacker to bypass a facial recognition check.\n\n## Summary charts\n\n![Patch Tuesday - August 2022](https://blog.rapid7.com/content/images/2022/08/2022-08-vuln_count_severity.png)![Patch Tuesday - August 2022](https://blog.rapid7.com/content/images/2022/08/2022-08-vuln_count_impact.png)![Patch Tuesday - August 2022](https://blog.rapid7.com/content/images/2022/08/2022-08-cvssv3_hist.png)![Patch Tuesday - August 2022](https://blog.rapid7.com/content/images/2022/08/2022-08-vuln_count_component.png)\n\n## Summary tables\n\n### Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-35802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35802>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-30175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30175>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30176>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34687](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34687>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35773](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35773>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35779](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35779>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35806](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35806>) | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35772](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35772>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-35824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35824>) | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes \n[CVE-2022-33646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33646>) | Azure Batch Node Agent Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-35780](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35780>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35781](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35781>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35799](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35799>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35775](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35775>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35801](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35801>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35807>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35808>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35782](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35782>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35809>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35784>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35810>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35811>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35785](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35785>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35786>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35813>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35788](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35788>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35814](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35814>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35789](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35789>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35815](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35815>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35790>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35816>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35817](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35817>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35791](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35791>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35818](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35818>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35819](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35819>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-35776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35776>) | Azure Site Recovery Denial of Service Vulnerability | No | No | 6.2 | Yes \n[CVE-2022-34685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34685>) | Azure RTOS GUIX Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34686>) | Azure RTOS GUIX Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-35774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35774>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-35800](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35800>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-35787](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35787>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes \n[CVE-2022-35821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35821>) | Azure Sphere Information Disclosure Vulnerability | No | No | 4.4 | Yes \n[CVE-2022-35783](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35783>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes \n[CVE-2022-35812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35812>) | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes \n \n### Browser vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-33649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33649>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 9.6 | Yes \n[CVE-2022-33636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33636>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-35796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35796>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-2624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2624>) | Chromium: CVE-2022-2624 Heap buffer overflow in PDF | No | No | N/A | Yes \n[CVE-2022-2623](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2623>) | Chromium: CVE-2022-2623 Use after free in Offline | No | No | N/A | Yes \n[CVE-2022-2622](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2622>) | Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing | No | No | N/A | Yes \n[CVE-2022-2621](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2621>) | Chromium: CVE-2022-2621 Use after free in Extensions | No | No | N/A | Yes \n[CVE-2022-2619](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2619>) | Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings | No | No | N/A | Yes \n[CVE-2022-2618](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2618>) | Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals | No | No | N/A | Yes \n[CVE-2022-2617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2617>) | Chromium: CVE-2022-2617 Use after free in Extensions API | No | No | N/A | Yes \n[CVE-2022-2616](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2616>) | Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API | No | No | N/A | Yes \n[CVE-2022-2615](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2615>) | Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies | No | No | N/A | Yes \n[CVE-2022-2614](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2614>) | Chromium: CVE-2022-2614 Use after free in Sign-In Flow | No | No | N/A | Yes \n[CVE-2022-2612](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2612>) | Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input | No | No | N/A | Yes \n[CVE-2022-2611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2611>) | Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API | No | No | N/A | Yes \n[CVE-2022-2610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2610>) | Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch | No | No | N/A | Yes \n[CVE-2022-2606](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2606>) | Chromium: CVE-2022-2606 Use after free in Managed devices API | No | No | N/A | Yes \n[CVE-2022-2605](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2605>) | Chromium: CVE-2022-2605 Out of bounds read in Dawn | No | No | N/A | Yes \n[CVE-2022-2604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2604>) | Chromium: CVE-2022-2604 Use after free in Safe Browsing | No | No | N/A | Yes \n[CVE-2022-2603](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2603>) | Chromium: CVE-2022-2603 Use after free in Omnibox | No | No | N/A | Yes \n \n### Developer Tools vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-35777](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35777>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35825>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35826>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35827>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34716>) | .NET Spoofing Vulnerability | No | No | 5.9 | Yes \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-30133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30133>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-35744](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35744>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-34691](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34691>) | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-34714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34714>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35745](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35745>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35752>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35753>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-34702](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34702>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35767>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-34706](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34706>) | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34707](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34707>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35768](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35768>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35756>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35751](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35751>) | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35795](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35795>) | Windows Error Reporting Service Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35820](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35820>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35750](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35750>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34713](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34713>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Yes | Yes | 7.8 | Yes \n[CVE-2022-35743](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35743>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35760>) | Microsoft ATA Port Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30194](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30194>) | Windows WebBrowser Control Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-35769](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35769>) | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2022-35793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35793>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-34690](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34690>) | Windows Fax Service Elevation of Privilege Vulnerability | No | No | 7.1 | Yes \n[CVE-2022-35759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35759>) | Windows Local Security Authority (LSA) Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-35747](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35747>) | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | No | No | 5.9 | Yes \n[CVE-2022-35758](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35758>) | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34708>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34701>) | Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability | No | No | 5.3 | No \n \n### Exchange Server vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-21980](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21980>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2022-24516](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24516>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2022-24477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24477>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2022-30134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30134>) | Microsoft Exchange Information Disclosure Vulnerability | No | Yes | 7.6 | Yes \n[CVE-2022-34692](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34692>) | Microsoft Exchange Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2022-21979](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21979>) | Microsoft Exchange Information Disclosure Vulnerability | No | No | 4.8 | Yes \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-34717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34717>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-33648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33648>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35742>) | Microsoft Outlook Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-33631](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33631>) | Microsoft Excel Security Feature Bypass Vulnerability | No | No | 7.3 | Yes \n \n### System Center Azure vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-33640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33640>) | System Center Operations Manager: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? \n---|---|---|---|---|--- \n[CVE-2022-34715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34715>) | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-35804](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35804>) | SMB Client and Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-35761](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35761>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.4 | Yes \n[CVE-2022-35766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35766>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-35794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35794>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2022-34699](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34699>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-33670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33670>) | Windows Partition Management Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34703](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34703>) | Windows Partition Management Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34696>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35746](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35746>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35749](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35749>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-34705](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34705>) | Windows Defender Credential Guard Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35771](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35771>) | Windows Defender Credential Guard Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35762](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35762>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35763](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35763>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35764>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35765](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35765>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-35792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35792>) | Storage Spaces Direct Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-30144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30144>) | Windows Bluetooth Service Remote Code Execution Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-35748](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35748>) | HTTP.sys Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-35755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35755>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-35757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35757>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.3 | Yes \n[CVE-2022-35754](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35754>) | Unified Write Filter Elevation of Privilege Vulnerability | No | No | 6.7 | Yes \n[CVE-2022-35797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35797>) | Windows Hello Security Feature Bypass Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-34709](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34709>) | Windows Defender Credential Guard Security Feature Bypass Vulnerability | No | No | 6 | Yes \n[CVE-2022-30197](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30197>) | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34710](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34710>) | Windows Defender Credential Guard Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34712>) | Windows Defender Credential Guard Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34704](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34704>) | Windows Defender Credential Guard Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-34303](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34303>) | CERT/CC: CVE-20220-34303 Crypto Pro Boot Loader Bypass | No | No | N/A | Yes \n[CVE-2022-34302](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34302>) | CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass | No | No | N/A | Yes \n[CVE-2022-34301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34301>) | CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass | No | No | N/A | Yes \n \n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T19:34:51", "type": "rapid7blog", "title": "Patch Tuesday - August 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21979", "CVE-2022-21980", "CVE-2022-24477", "CVE-2022-24516", "CVE-2022-2603", "CVE-2022-2604", "CVE-2022-2605", "CVE-2022-2606", "CVE-2022-2610", "CVE-2022-2611", "CVE-2022-2612", "CVE-2022-2614", "CVE-2022-2615", "CVE-2022-2616", "CVE-2022-2617", "CVE-2022-2618", "CVE-2022-2619", "CVE-2022-2621", "CVE-2022-2622", "CVE-2022-2623", "CVE-2022-2624", "CVE-2022-30133", "CVE-2022-30134", "CVE-2022-30144", "CVE-2022-30175", "CVE-2022-30176", "CVE-2022-30190", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33631", "CVE-2022-33636", "CVE-2022-33640", "CVE-2022-33646", "CVE-2022-33648", "CVE-2022-33649", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34685", "CVE-2022-34686", "CVE-2022-34687", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34692", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-34715", "CVE-2022-34716", "CVE-2022-34717", "CVE-2022-35742", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35772", "CVE-2022-35773", "CVE-2022-35774", "CVE-2022-35775", "CVE-2022-35776", "CVE-2022-35777", "CVE-2022-35779", "CVE-2022-35780", "CVE-2022-35781", "CVE-2022-35782", "CVE-2022-35783", "CVE-2022-35784", "CVE-2022-35785", "CVE-2022-35786", "CVE-2022-35787", "CVE-2022-35788", "CVE-2022-35789", "CVE-2022-35790", "CVE-2022-35791", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35796", "CVE-2022-35797", "CVE-2022-35799", "CVE-2022-35800", "CVE-2022-35801", "CVE-2022-35802", "CVE-2022-35804", "CVE-2022-35806", "CVE-2022-35807", "CVE-2022-35808", "CVE-2022-35809", "CVE-2022-35810", "CVE-2022-35811", "CVE-2022-35812", "CVE-2022-35813", "CVE-2022-35814", "CVE-2022-35815", "CVE-2022-35816", "CVE-2022-35817", "CVE-2022-35818", "CVE-2022-35819", "CVE-2022-35820", "CVE-2022-35821", "CVE-2022-35824", "CVE-2022-35825", "CVE-2022-35826", "CVE-2022-35827"], "modified": "2022-08-09T19:34:51", "id": "RAPID7BLOG:882168BD332366CE296FB09DC00E018E", "href": "https://blog.rapid7.com/2022/08/09/patch-tuesday-august-2022/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-08-23T02:01:34", "description": "Hello everyone! In this episode, let's take a look at the Microsoft Patch Tuesday August 2022 vulnerabilities. I use my [Vulristics](<https://github.com/leonov-av/vulristics>) vulnerability prioritization tool as usual. I take comments for vulnerabilities from Tenable, Qualys, Rapid7, ZDI and Kaspersky blog posts. Also, as usual, I take into account the vulnerabilities added between the July and August Patch Tuesdays.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239098>\n\nThere were 147 vulnerabilities. Urgent: 1, Critical: 0, High: 36, Medium: 108, Low: 2.\n\nThere was a lot of great stuff this Patch Tuesday. There was a critical exploited in the wild MSDT DogWalk vulnerability, 3 critical Exchange vulnerabilities that could be easily missed in prioritization, 13 potentially dangerous vulnerabilities, 2 funny vulnerabilities and 3 mysterious ones. Let's take a closer look.\n \n \n $ cat comments_links.txt \n Qualys|August 2022 Patch Tuesday. Microsoft Releases 121 Vulnerabilities with 17 Critical, plus 20 Microsoft Edge (Chromium-Based); Adobe Releases 5 Advisories|https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday\n ZDI|THE AUGUST 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/8/9/the-august-2022-security-update-review\n Kaspersky|DogWalk and other vulnerabilities|https://www.kaspersky.com/blog/dogwalk-vulnerability-patch-tuesday-08-2022/45127/\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"August\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n MS PT Year: 2022\n MS PT Month: August\n MS PT Date: 2022-08-09\n MS PT CVEs found: 121\n Ext MS PT Date from: 2022-07-13\n Ext MS PT Date to: 2022-08-08\n Ext MS PT CVEs found: 26\n ALL MS PT CVEs: 147\n ...\n\n## DogWalk\n\n**Remote Code Execution** in Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-34713), dubbed **DogWalk**. The only Urgent level vulnerability. The Microsoft Support Diagnostic Tool (MSDT) is a service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes. DogWalk vulnerability allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word. There is an element of social engineering to this as a threat actor would need to convince a user to click a link or open a document. Exploitability Assessment: Exploitation in the wild detected. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). But it is not yet available in public exploit packs. DogWalk is similar to MSDT RCE **Follina** (CVE-2022-30190), which made some hype in May of this year. It\u2019s not clear if this vulnerability is the result of a failed patch or something new. \n\n## 3 Microsoft Exchange EOPs\n\n**Elevation of Privilege** in Microsoft Exchange (CVE-2022-21980, CVE-2022-24516, CVE-2022-24477). I will not hide, this vulnerabilities were not detected as critical by Vulristics, only as Medium. This happened due to the fact that this are not RCEs, but EOPs. No public exploit or sign of exploitation in the wild. But these vulnerabilities are very critical, due to the fact that Exchange is often accessible from the Internet. And because of details about the vulnerability, which is only highlighted by ZDI. These bugs could allow an authenticated attacker to take over the mailboxes of all Exchange users, read and send emails or download attachments from any mailbox on the Exchange server. This gives access to valuable data and great opportunities for developing an attack. Administrators will also need to enable Extended Protection to fully address these vulnerabilities.\n\nit is not clear how to highlight such vulnerabilities automatically, because there are few formal signs. Apparently it is required to raise the priority of the software available on the perimeter and software that operates with important data.\n\n## 13 potentially dangerous vulnerabilities\n\n 1. **Remote Code Execution** in Windows Point-to-Point Protocol (PPP) (CVE-2022-30133, CVE-2022-35744). The Point-to-Point Protocol (PPP) is the default RAS (remote access service) protocol in Windows and is a data link-layer protocol used to encapsulate higher network-layer protocols to pass over synchronous and asynchronous communication lines. Both vulnerabilities allow attackers to send requests to the remote access server, which can lead to the execution of malicious code on the machine. And both have the same CVSS score: 9.8. This vulnerabilities can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable. Warning: Disabling Port 1723 could affect communications over your network. Exploitability Assessment: Exploitation Less Likely\n 2. **Remote Code Execution **in Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2022-35766, CVE-2022-35794). SSTP is a VPN tunneling protocol designed to secure your online traffic. Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS (remote access service) server, which could lead to remote code execution (RCE) on the RAS server machine. Exploitability Assessment: Exploitation Less Likely\n 3. **Remote Code Execution** in SMB Client and Server (CVE-2022-35804). The server side of this vulnerability would allow a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. Interestingly, this bug only affects Windows 11, which implies some new functionality introduced this vulnerability. Either way, this could potentially be wormable between affected Windows 11 systems with SMB server enabled. Disabling SMBv3 compression is a workaround for this bug, but applying the update is the best method to remediate the vulnerability. This vulnerability is reminiscent of past SMB vulnerabilities such as the EternalBlue SMBv1 flaw patched in MS17-010 in March of 2017 that was exploited as part of the [WannaCry](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>) incident in addition to the more recent CVE-2020-0796 \u201cEternalDarkness\u201d RCE flaw in SMB 3.1.1.\n 4. **Remote Code Execution** in Visual Studio (CVE-2022-35777, CVE-2022-35825, CVE-2022-35826, CVE-2022-35827). The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Proof-of-Concept Exploit). None of the vendors highlighted these vulnerabilities. But it seems that this can be used in targeted phishing against developers.\n 5. **Elevation of Privilege** in Active Directory (CVE-2022-34691). An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System. The advisory notes that exploitation is only possible when Active Directory Certificate Services is running on the domain. Exploitability Assessment: Exploitation Less Likely.\n 6. **Remote Code Execution** in Windows Network File System (CVE-2022-34715). This is now the fourth month in a row with an NFS code execution patch. To exploit this, a remote, unauthenticated attacker would need to make a specially crafted call to an affected NFS server. This would provide the threat actor with code execution at elevated privileges. Although we have not yet seen the actual exploitation of such vulnerabilities.\n 7. **Elevation of Privilege **in Windows Print Spooler (CVE-2022-35793, CVE-2022-35755). The Print Spooler is software built into the Windows operating system that temporarily stores print jobs in the computer's memory until the printer is ready to print them. CVE-2022-35755 can be exploited using a specially crafted \u201cinput file,\u201d while exploitation of CVE-2022-35793 requires a user click on a specially crafted URL. Both would give the attacker SYSTEM privileges. Both vulnerabilities can be mitigated by disabling the Print Spooler service, but CVE-2022-35793 can also be mitigated by disabling inbound remote printing via Group Policy.\n\n## 2 funny vulnerabilities\n\n 1. Vulristics suddenly highlighted the **Memory Corruption** in Microsoft Edge (CVE-2022-2623) vulnerability because there is a public exploit for it. It turned out that there was a bug in the exploit databases: 0day.today and packetstorm. CVE-2022-2623 was mistakenly written instead of CVE-2022-26233. And this also happens and no one checks it. Well, prioritization of vulnerabilities based on distorted source data does not work well.\n 2. **Denial of Service** - Microsoft Outlook (CVE-2022-35742). This was reported through the ZDI program and is a mighty interesting bug. Sending a crafted email to a victim causes their Outlook application to terminate immediately. Outlook cannot be restarted. Upon restart, it will terminate again once it retrieves and processes the invalid message. It is not necessary for the victim to open the message or to use the Reading pane. The only way to restore functionality is to access the mail account using a different client (i.e., webmail, or administrative tools) and remove the offending email(s) from the mailbox before restarting Outlook.\n\n## 3 mysterious vulnerabilities\n\n * CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass\n * CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass\n * CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass\n\nThey came from the US CERT Coordination Center.\n\n 1. No one writes anything about them, only Tenable. "security bypass vulnerabilities in a third-party driver affecting Windows Secure Boot". \n 2. Maybe this is of course a coincidence and we are talking about other software, but isn't Crypto Pro a Russian [CryptoPro](<https://www.cryptopro.ru/>), "the company\u2019s main activity is cryptographic software development and public key infrastructure solutions based on national and international standards."?\n 3. Isn't Eurosoft a [Russian Eurosoft](<http://eurosoft.ru/>), "software for architectural design"? \n\nIt's all very curious.\n\nFull Vulristics report: [ms_patch_tuesday_august2022](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_august2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-23T00:00:26", "type": "avleonov", "title": "Microsoft Patch Tuesday August 2022: DogWalk, Exchange EOPs, 13 potentially dangerous, 2 funny, 3 mysterious vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2022-21980", "CVE-2022-24477", "CVE-2022-24516", "CVE-2022-2623", "CVE-2022-26233", "CVE-2022-30133", "CVE-2022-30190", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34691", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-35742", "CVE-2022-35744", "CVE-2022-35755", "CVE-2022-35766", "CVE-2022-35777", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35804", "CVE-2022-35825", "CVE-2022-35826", "CVE-2022-35827"], "modified": "2022-08-23T00:00:26", "id": "AVLEONOV:37BE727F2D0C216B8B10BD6CBE6BD061", "href": "https://avleonov.com/2022/08/23/microsoft-patch-tuesday-august-2022-dogwalk-exchange-eops-13-potentially-dangerous-2-funny-3-mysterious-vulnerabilities/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-14T11:59:47", "description": "Hello everyone! Microsoft has been acting weird lately. I mean the recent [publication of a propaganda report](<https://t.me/avleonovcom/1021>) about evil Russians and how Microsoft is involved in the conflict between countries. It wouldn't be unusual for a US government agency, NSA or CIA to publish such a report. But when a global IT vendor, which, in theory, should be more or less neutral, does this\u2026 This is a clear signal. It's not about business anymore. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239096>\n\nI'll take a closer look at this report in the next episode of the Vulnerability Management news, but for now let's take a look at Microsoft July Patch Tuesday. Yes, the vendor is behaving strangely, but Microsoft products need to be patched. Right? At least for now. And tracking vulnerabilities is always a good thing. ![\ud83d\ude42](https://s.w.org/images/core/emoji/14.0.0/72x72/1f642.png)\n\nOn July Patch Tuesday, July 12, 84 vulnerabilities were released. Between June and July Patch Tuesdays, 15 vulnerabilities were released. This gives us 99 vulnerabilities in the report. \n \n \n $ cat comments_links.txt \n Qualys|July 2022 Patch Tuesday. Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/07/12/july-2022-patch-tuesday\n ZDI|The July 2022 Security Update Review|https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"July\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n Creating Patch Tuesday profile...\n MS PT Year: 2022\n MS PT Month: July\n MS PT Date: 2022-07-12\n MS PT CVEs found: 84\n Ext MS PT Date from: 2022-06-15\n Ext MS PT Date to: 2022-07-11\n Ext MS PT CVEs found: 15\n ALL MS PT CVEs: 99\n ...\n\n * Urgent: 0\n * Critical: 1\n * High: 19\n * Medium: 78\n * Low: 1\n\nInterestingly, in this Patch Tuesday, more than half of all vulnerabilities are EoP.\n\n## CSRSS EoP\n\nWhat can I say, prioritization in [Vulristics](<https://github.com/leonov-av/vulristics>) works correctly. At the top of the July Patch Tuesday list is one critical and actively exploited **Elevation of Privilege** in Windows CSRSS (CVE-2022-22047). This vulnerability has been widely reported in the media.\n\nClient Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later. Because most of the Win32 subsystem operations have been moved to kernel mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown.\n\nCSRSS runs as a user-mode system service. When a user-mode process calls a function involving console windows, process/thread creation, or side-by-side support, instead of issuing a system call, the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an inter-process call to the CSRSS process which does most of the actual work without compromising the kernel.\n\nThis Elevation of Privilege vulnerability in CSRSS allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default.\n\nMicrosoft says this vulnerability has been exploited in the wild, though no further details have been shared. There is no public exploit yet. Two similar vulnerabilities in CSRSS (CVE-2022-22049 and CVE-2022-22026) were also fixed, likely as a result of Microsoft\u2019s investigation into the in-the-wild exploitation of CVE-2022-22047.\n\n## RPC RCE\n\n**Remote Code Execution** in Remote Procedure Call Runtime (CVE-2022-22038). Here Microsoft has a POC exploit. This July Patch Tuesday bug could allow a remote, unauthenticated attacker to exploit code on an affected system. While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug. Microsoft states the attack complexity is high. Additional actions by an attacker are required in order to prepare a target for successful exploitation and an attacker would need to make \u201crepeated exploitation attempts\u201d to take advantage of this bug, but unless you are actively blocking RPC activity, you may not see these attempts.\n\n## Microsoft Edge Memory Corruption\n\nBetween June and July Patch Tuesday, **Memory Corruption** in Microsoft Edge (CVE-2022-2294) was released. Heap buffer overflow in WebRTC, to be precise. WebRTC (Web Real-Time Communication) is a free and open-source project providing web browsers and mobile applications with real-time communication (RTC) via application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps. So, the vulnerability is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. Google is aware that an exploit for this vulnerability exists in the wild. If you\u2019re using Microsoft Edge (Chromium-based), make sure it gets updated as soon as possible.\n\n## Azure Site Recovery RCEs and EOPs\n\nThere are also a lot of vulnerabilities in Azure Site Recovery in July Patch Tuesday. Both EoPs and RCEs, and quite a few with non-public exploits of the POC maturity level. According to the description "Site Recovery is a native disaster recovery as a service (DRaaS)", it would seem that this should be patched by Microsoft themselves. But in fact, there is a Microsoft Azure Site Recovery suite installed on the hosts, and at least some of the vulnerabilities were found in it. \n\nLet's see, for example, **Elevation of Privilege** in Azure Site Recovery (CVE-2022-33675). The vulnerability was discovered and [reported to Microsoft by Tenable researcher Jimi Sebree](<https://www.tenable.com/security/research/tra-2022-26>). The Microsoft Azure Site Recovery suite contains a DLL hijacking flaw that allows for privilege escalation from any low privileged user to SYSTEM. \n\nIncorrect permissions on the service\u2019s executable directory (E:\\Program Files (x86)\\Microsoft Azure Site Recovery\\home\\svsystems\\transport\\\\) allow new files to be created by any user. The service launched from this directory runs automatically and with SYSTEM privileges and attempts to load several DLLs from this directory. This allows for a DLL hijacking/planting attack via several libraries that are attempted to be loaded from this location when the service is launched. Existing deployments should ensure that the Microsoft-supplied patches have been appropriately applied.\n\nThe full Vulristics report is available here: [ms_patch_tuesday_july2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_july2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-23T08:34:29", "type": "avleonov", "title": "Microsoft Patch Tuesday July 2022: propaganda report, CSRSS EoP, RPC RCE, Edge, Azure Site Recovery", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22038", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-33675"], "modified": "2022-07-23T08:34:29", "id": "AVLEONOV:B87691B304EF70215B926F66B871260A", "href": "https://avleonov.com/2022/07/23/microsoft-patch-tuesday-july-2022-propaganda-report-csrss-eop-rpc-rce-edge-azure-site-recovery/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-14T16:51:25", "description": "Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the [avleonovcom](<https://t.me/avleonovcom>) and [avleonovrus](<https://t.me/avleonovrus>) telegram channels. Therefore, if you want to read them earlier, subscribe to these channels.\n\n_The main idea of \u200b\u200bthis episode. Microsoft is a biased company. In fact, they should now be perceived as another US agency. Does this mean that we need to forget about Microsoft and stop tracking what they do? No, it doesn't. They do a lot of interesting things that can at least be researched and copied. Does this mean that we need to stop using Microsoft products? In some locations (you know which ones) for sure, in some we can continue to use such products if it is reasonable, but it's necessary to have a plan B. And this does not only apply to Microsoft. So, it's time for a flexible approaches. Here we do it this way, there we do it differently. It seems that rather severe fragmentation of the IT market is a long-term trend and it's necessary to adapt to it._\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239097>\n\nWhat's in this episode:\n\n 1. Microsoft released a propaganda report, what does this mean for us?\n 2. Microsoft released the Autopatch feature, is it a good idea to use it?\n 3. Ridiculous Vulnerability: Hardcoded Password in Confluence Questions\n 4. The new Nessus Expert and why it's probably Tenable's worst release\n 5. Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird\n 6. Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?\n 7. 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization\n\n## Microsoft released a propaganda report, what does this mean for us?\n\nLet's start with the most important topic. Microsoft [released a propaganda report](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK>) about the evil Russians and how they (Microsoft) defend one well-known country. I usually avoid such topics, but in this case, I just can't.\n\n 1. Most of the report is "water" and unproven "highly-likely" stuff. It's boring to read. More than half of the report is not about cyber attacks at all, but about propaganda/disinformation "attacks" in media, social networks, etc. With strange historical digressions. For example, they give a photo of some article from an Indian newspaper of the 1980s and write that this publication was organized by the KGB. I'm not kidding, look at page 12.\n 2. On the other hand, the most important thing in this report is not what is written, but who released it. It's not mainstream media, it's not a government agency like the NSA or CIA, it's Microsoft - a global IT vendor that should, in theory, be more or less neutral. And now they are releasing such reports! If you still believe Microsoft is a non-government commercial company, look through this report. This position is the most official, the foreword was written by the current president of Microsoft.\n 3. From a technical point of view, it is interesting that the state IT infrastructure was transferred to the cloud and Microsoft technologies (Defender for Endpoint?) were used to protect it. Almost all technical information is on the 9th page of the report.\n 4. They write about 2 important security options. The first is that Microsoft made a free Vulnerability Management for them. "The first has been the use of technology acquired from RiskIQ that identifies and maps organizational attack surfaces, including devices that are unpatched against known vulnerabilities and therefore are the most susceptible to attack." It's not entirely clear how they did it. They could just connect hosts to Defender for Endpoint. But perhaps they massively activated the collection of data from hosts in some other way.\n 5. The description of the second protection option hints at the existence of a such non-standard methods: "MSTIC recognized that XXX malware could be mitigated meaningfully by turning on a feature in Microsoft Defender called controlled folder access. This typically would require that IT administrators access devices across their organization, work made more difficult and potentially even dangerous in ZZZ conditions. The YYY government therefore authorized Microsoft through special legal measures to act proactively and remotely to turn on this feature across devices throughout the government and across the country." And here it is not so important that Microsoft set up controlled folder access, it is important how they did it. It turns out that MS can massively remotely tweak security options if the government of a certain country has allowed them to do so. Wow! And what else can they do, on which hosts and under what conditions?\n 6. The main concern, of course, is that Microsoft products, including cloud-based security services, are still widely used in Russian organizations. And not only in Russia, but also in other countries that have some disagreements with US policy. Such publications confirm that Microsoft is a highly biased and unstable IT vendor, and something needs to be done about it quickly.\n\nAnd it would be fair to ask: "Weren't you, Alexander, promoting Microsoft's security services? And now you've turned against them?" ![\ud83e\udd14](https://s.w.org/images/core/emoji/14.0.0/72x72/1f914.png)\n\nAnd it's easy to point to some posts from my blog:\n\n 1. [Microsoft security solutions against ransomware and APT](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) (the best business breakfast I've ever had - the catering was top notch ![\ud83d\udc4d](https://s.w.org/images/core/emoji/14.0.0/72x72/1f44d.png))\n 2. [Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python](<https://avleonov.com/2021/02/19/microsoft-defender-for-endpoint-why-you-may-need-it-and-how-to-export-hosts-via-api-in-python/>)\n 3. [Getting Hosts from Microsoft Intune MDM using Python](<https://avleonov.com/2021/06/09/getting-hosts-from-microsoft-intune-mdm-using-python/>)\n 4. [How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API](<https://avleonov.com/2021/08/16/how-to-get-antivirus-related-data-from-microsoft-defender-for-endpoint-using-intune-and-graph-api/>)\n 5. [Microsoft Defender for Endpoint: The Latest Versions of Antivirus Engine & Signatures](<https://avleonov.com/2021/09/14/microsoft-defender-for-endpoint-the-latest-versions-of-antivirus-engine-signatures/>)\n\nIt's paradoxical, but I don't have a post about exporting vulnerabilities from Defender for Endpoint. ![\ud83d\ude43](https://s.w.org/images/core/emoji/14.0.0/72x72/1f643.png) I was going to make a post about it, but there were always more important topics. ![\ud83d\ude42](https://s.w.org/images/core/emoji/14.0.0/72x72/1f642.png)\n\nWhat can I say. I still think that Defender for Endpoint is a cool and user-friendly solution. Although sometimes it may be buggy. I also think it's logical to use your OS vendor's security services. Just because you already have complete trust in your OS vendor. Right? \u0410nd other OS vendors should provide security services, as Microsoft does. But the question is what to do if it has become very difficult to trust your OS vendor? To put it mildly.\n\nNot to say that I did not [write about such risks](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) at all:\n\n"It will be a difficult decision to store this critical data in Microsoft cloud. Even with Microsoft\u2019s guarantees that all the data is stored securely and they touch it with AI only."\n\nBut of course this was not enough. And 5 years ago, things looked very different. \n\u00af_(\u30c4)_/\u00af\n\n## Microsoft released the Autopatch feature, is it a good idea to use it?\n\nContinuing the topic of Microsoft security services. In mid-July, Microsoft [released the Autopatch feature](<https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-autopatch-is-now-generally-available/>) for Windows 10/11 with Enterprise E3 and E5 licenses (not regular, but more expensive licenses). Also [Hybrid Azure Active Directory must be configured](<https://www.theregister.com/2022/07/12/windows_auopatch_live/>). But if everything is purchased and configured properly, then updates for MS products, drivers and other software (in perspective) can be automatically installed from the MS cloud. And it will be more often than once a month. And in the correct way. If you install all updates on all hosts at the same time, there will be a high risk of mass failures. Therefore, patches will be installed gradually. If a failure is detected, the system administrator will be able to react and roll back the problematic patch.\n\n"The 'test ring' contains a minimum number of devices, the 'first ring' roughly 1% of all endpoints in the corporate environment, the 'fast ring' around 9%, and the 'broad ring" the rest of 90% of devices. \nThe updates get deployed progressively, starting with the test ring and moving on to the larger sets of devices after a validation period that allows device performance monitoring and pre-update metrics comparison. \nWindows Autopatch also has built-in Halt and Rollback features that will block updates from being applied to higher test rings or automatically rolled back to help resolve update issues."\n\nIs it convenient? Yes, of course it's convenient. Is it dangerous? Well, it depends on trust in the vendor, faith in vendor's stability and security. Speaking of Microsoft, this can be very controversial for many organizations in many locations. ![\ud83d\ude0f](https://s.w.org/images/core/emoji/14.0.0/72x72/1f60f.png)\n\nBut in general, along with Defender for Endpoint (EDR, VM) and Intune this Autopatch feature looks like a step in the right direction for the OS vendor. At least if we're talking about desktops. If you trust your OS vendor, it makes sense to trust that vendor's services to make life easier for system administrators and security guys. I don't know if vendors of commercial Linux distributions, including Russian ones, are thinking about this, but it seems it makes sense to take such concepts from MS.\n\nOn the other hand, such Autopatch is not a panacea of course. Everything is not so trivial with updating third-party software. But MS seems to have a lot of resources to gradually move in this direction. Vulnerability detection for third-party software in Defender for Endpoint works quite well, which is also not an easy task. Therefore, I think they will be able to update such software in future. If [Qualys can](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-introduces-zero-touch-patching-for-vulnerability-remediation/>), then MS will handle this as well.\n\n## Ridiculous Vulnerability: Hardcoded Password in Confluence Questions\n\nThere has been a lot of news about [Confluence vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) this week. Atlassian has released three of them.\n\n[CVE-2022-26136 & CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>): Multiple Servlet Filter vulnerabilities (Authentication bypass, XSS, Cross-origin resource sharing bypass). Many Atlassian products are vulnerable. Not only Confluence and JIRA, but also Bitbucket for example. Everything is clear here, such installations need to be patched. And, ideally, it's time to stop using Atlassian products if you live and work in certain locations, because this vendor is unstable.\n\n[CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>): Hardcoded password in Confluence Questions. This vulnerability is now the most hyped and ridiculous. If you install the optional Confluence Questions app, this will create a disabledsystemuser user with a hardcoded password. And this user is not disabled! ![\ud83e\udd21](https://s.w.org/images/core/emoji/14.0.0/72x72/1f921.png) The password is already publicly available. If you are logged in as this user, you can read the pages accessible by the confluence-users group. Well, isn't it funny? ![\ud83d\ude42](https://s.w.org/images/core/emoji/14.0.0/72x72/1f642.png) This can be fixed by patching or blocking/deleting the user.\n\nWhat can be said here:\n\n 1. Plugins and extensions are evil and usually the most vulnerable. Try to avoid them.\n 2. This is how backdoors in software can look like. The exploitation is very simple, and the vendor can always say that "oh, sorry, that was a bug".\n 3. Those who make Confluence and similar services available on the network perimeter are their own enemies.\n\n## The new Nessus Expert and why it's probably Tenable's worst release\n\nTenable [introduced Nessus Expert](<https://www.tenable.com/blog/introducing-nessus-expert-now-built-for-the-modern-attack-surface>). They have Nessus Professional, and now there will be Nessus Expert with new features:\n\n 1. [Infrastructure as Code Scanning](<https://youtu.be/Ks5XN0ZpzBw>). In fact, they added [Terrascan](<https://runterrascan.io/>) (acquired this year) to Nessus. So far, it looks very sloppy. This is a separate independent tab in the menu and scan results cannot be viewed in the GUI and can only be downloaded as Json file.\n 2. [External attack surface scanning](<https://youtu.be/_TYvN_GS-AA>). They took these features from [Bit Discovery](<https://www.whitehatsec.com/bit-discovery/>) (also acquired this year). You can run a scan that will look for subdomains for a domain. But only for 5 domains per quarter. If you want more, you need to pay extra. Not to say that this is some kind of exclusive feature. The results can be viewed in the GUI. But that's all. There is no synergy with the usual functionality of Nessus.\n\nThe press release recalls how [Renaud Deraison](<https://t.me/avleonovcom/966>) released first Nessus 24 years ago. But under him, and even more so under Ron Gula, there were no such terrible releases with freshly bought functionality, attached to the main product "with blue electrical tape". And such a Frankenstein monster could never be presented as a new product. Sadness and marketing. Let's see if it gets better with time.\n\n## Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird\n\nI looked at the new features in [Rapid7 Nexpose/InsightVM added in Q2 2022](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>). Some changes are like "OMG, how did they live without it?!"\n\nThey just added support for CVSS v3 severity in dashboards. CVSS v3 was released in June 2015. CVSS v3 data has been available in NVD since 2017. And now, 5 years after that, Rapid7 decided to take into account these data as well? Well, ok.\n\nOr that they used to have such weird patching dashboards that progress on the Remediation Project was only visible when the patches were applied to all assets. And now it's better: "Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress". Indeed, better late than never.\n\nRapid7 just added support for AlmaLinux and Rocky Linux. Although stable versions of these distributions appeared more than a year ago and are already actively used in enterprise businesses as a replacement for CentOS. It turns out that Rapid7 clients have just now got the opportunity to scan these distributions.\n\nRapid7 use the term "recurring coverage" for supported software products. And they have a [public list of such products](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>). "The following software list encompasses those products and services that we are specifically committed to providing ongoing, automated coverage". The list is not very big, but it's cool that it's public.\n\nOn the other hand, there are cool features. At least one, [Scan Assistant](<https://docs.rapid7.com/insightvm/scan-assistant/>). This feature was introduced in December last year, but now it has been improved. This is an agent that does not collect or analyze data, but is only needed for authentication. It solves the problems of using system accounts for scanning, which can be very risky if the scanner host or one of the targets is compromised. This way you can install Scan Assistant on hosts and Vulnerability Scanner will authenticate to hosts using certificates rather than real system accounts.\n\n"Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter."\n\nThis is a cool and useful feature. As far as I know, other VM vendors do not have this. In Q2, Rapid7 added some automation for updating this Scan Assistant and rotating certificates. It's cool that the functionality is evolving. But for now, it's only for Windows.\n\nAnd there are updates that did not cause any special emotions in me. These are, for example, Asset correlation for Citrix VDI instances and vulnerability detection for Oracle E-Business Suite and VMware Horizon. They added and it's good.\n\n## **Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?**\n\nThe ["Palo Alto 2022 Unit 42 Incident Response Report" makes the amusing claim](<https://unit42.paloaltonetworks.com/incident-response-report/>) that attackers typically start scanning organizations' perimeters for vulnerabilities 15 minutes after a CVE is published.\n\nJust like this:\n\n"The 2021 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced."\n\nThey do not write how exactly they got these 15 minutes. Or I didn't find it. But apparently they could detect attempts to exploit some specific vulnerabilities. They could use honeypots or IDS for this. And then they could get the difference between the timestamp for exploitaition and the timestamp for vulnerability publication.\n\n[There is an example](<https://unit42.paloaltonetworks.com/cve-2022-1388/>) that 5 days after some vulnerability was published, they released a detection signature. And in 10 hours, they collected two and a half thousand attempts to exploit this vulnerability.\n\n"For example, Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts".\n\nIt's cool of course. But still, the signature was not released immediately. Therefore, it is difficult to say exactly when the malicious scans began.\n\nBut that's not the point. It is not so important whether the scans really start after 15 minutes or some time later. The fact is that attackers monitor the news flow about vulnerabilities. And the fact that they are motivated to scan your perimeter more often than you. And they are motivated to use non-standard checks for this. Not just the ones in your commercial vulnerability scanner.\n\nTherefore, there are only two options. You can compete in speed with attackers. Or you may know and control your perimeter far better than any outside researcher can. This means that you must understand why a particular service is needed on the perimeter. And whenever possible, try to minimize the number of such services as much as possible. For such services, you should specifically monitor security bulletins and start responding even before detection checks appear in vulnerability scanners. And of course before the media starts screaming about this vulnerability.\n\nOf course, it's easier said than done.\n\n## 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization\n\nIn the same "[Palo Alto 2022 Unit 42 Incident Response Report](<https://unit42.paloaltonetworks.com/incident-response-report/>)" there is one more interesting point. Groups of vulnerabilities that were most often used in attacks. "For cases where responders positively identified the vulnerability exploited by the threat actor, more than 87% of them fell into one of six CVE categories.".\n\nCVE categories:\n\n * 55% Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)\n * 14% Log4j\n * 7% SonicWall CVEs\n * 5% Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)\n * 4% Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)\n * 3% Fortinet CVEs\n * 13% Other\n\nOn the one hand, this can be used to prioritize vulnerabilities. And also to identify software and software groups that need special monitoring. I would also like to look at the vulnerabilities in the Other category. But unfortunately they are not included in the report.\n\nOn the other hand, it shows how all these vulnerabilities and incidents depend on a particular region. Well of course Microsoft Exchange is used everywhere. Log4j has also affected almost every organization in one way or another. Perhaps in our region, I mean in Russia, some organizations use Fortinet. But SonicWall and Zoho look absolutely exotic. And in those locations where Unit 42 solves incident response cases, these are very important vendors and products.\n\nOr we can remember [last year's story with Kaseya VSA](<https://avleonov.com/2021/07/05/last-weeks-security-news-printnightmare-kaseya-intune-metasploit-docker-escape/>). Thousands of companies have been affected by the ransomware. But again, it was not in our region and therefore it was not particularly interesting for us.\n\nTaking into account the exodus of Western vendors from the Russian IT market, the landscapes "here" and "there" will differ more and more. More and more incidents in Russia, will occur due to vulnerabilities in our local software. In software that Western information security vendors may never have heard of. BTW, have you heard about [1C](<https://en.wikipedia.org/wiki/1C_Company>) ([Odin-Ass](<https://pikabu.ru/story/rossiyskiy_ryinok_programmnogo_obespecheniya_takoy_strannyiy_3895019>) ![\ud83d\ude05](https://s.w.org/images/core/emoji/14.0.0/72x72/1f605.png))? And it works both ways. Does this mean that in Russia, we will need Vulnerability Management solutions focused on our Russian IT realities? Well apparently yes. And something tells me that this will not only happen in Russia.\n\nIt seems that the time of total globalization in IT is running out. And the ability of VM vendors to relatively easily take positions in new regions is also disappearing. The great fragmentation is coming. But it will be even more interesting that way. ![\ud83d\ude09](https://s.w.org/images/core/emoji/14.0.0/72x72/1f609.png)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-14T11:30:44", "type": "avleonov", "title": "Vulnerability Management news and publications #2", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2022-1388", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-08-14T11:30:44", "id": "AVLEONOV:4E65E4AC928647D5E246B06B953BBC6F", "href": "https://avleonov.com/2022/08/14/vulnerability-management-news-and-publications-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-07-16T16:17:19", "description": "It\u2019s time to triage a lot of [patching](<https://www.malwarebytes.com/business/vulnerability-patch-management>) again. Microsoft\u2019s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) list of [known to be exploited in the wild list](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) that are due for patching by August 2, 2022.\n\n## Microsoft\n\nIn total the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as \u201cCritical\u201d since they are remote code execution (RCE) vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that ware assigned to the four Critical vulnerabilities:\n\n[CVE-2022-22029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22029>): Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.\n\n[CVE-2022-22039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22039>): Another Windows Network File System (NFS) RCE vulnerability. It's possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.\n\n[CVE-2022-22038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22038>): Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[CVE-2022-30221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30221>): Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\n## Azure Site Recovery\n\nA huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. [Azure Site Recovery](<https://docs.microsoft.com/en-us/azure/site-recovery/>) is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.\n\nAccording to Microsoft, [SQL injection](<https://www.malwarebytes.com/glossary/sql-injection>) vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.\n\n## CVE-2022-22047\n\nThe vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\nThis type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.\n\nThe vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system\u2019s operation and is mainly responsible for Win32 console handling and GUI shutdown.\n\nThis type of vulnerability are often chained together with others in macros, which makes the decision to [roll back Office Macro blocking](<https://blog.malwarebytes.com/business/2022/07/microsoft-appears-to-be-rolling-back-office-macro-blocking/>) incomprehensible, even if it is only temporary.\n\n## Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.\n\nAdobe released [security updates](<https://helpx.adobe.com/security.html>) for Acrobat, Character Animator, Photoshop, Reader, and RoboHelp.\n\nCisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and [several other security updates](<https://tools.cisco.com/security/center/publicationListing.x>).\n\nCitrix released [hotfixes](<https://support.citrix.com/article/CTX461397/citrix-hypervisor-security-bulletin-for-cve202223816-and-cve202223825>) to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.\n\nGoogle released [Android's July security updates](<https://source.android.com/security/bulletin/2022-07-01>) including 3 labelled as \u201cCritical\u201d.\n\nSAP released its [July 2022 Patch Day bulletin](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) with 20 new Security Notes.\n\nVMWare released [security updates](<https://www.vmware.com/security/advisories.html>).\n\nStay safe, everyone!\n\nThe post [Update now\u2014July Patch Tuesday patches include fix for exploited zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-july-patch-tuesday-patches-include-fix-for-exploited-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-13T12:21:53", "type": "malwarebytes", "title": "Update now\u2014July Patch Tuesday patches include fix for exploited zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-30221"], "modified": "2022-07-13T12:21:53", "id": "MALWAREBYTES:90BD6A9BB937B6617FDC4FE73A86B38A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-july-patch-tuesday-patches-include-fix-for-exploited-zero-day/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-07-27T17:42:56", "description": "The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.\n\nThis blog details Microsoft\u2019s analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED\u2019s malware and tools.\n\nPSOAs, which [Microsoft also refers to as cyber mercenaries](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>), sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.\n\n## Who is KNOTWEED?\n\nKNOTWEED is an Austria-based PSOA named DSIRF. The [DSIRF website](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) [web archive link] says they provide services_ \u201cto multinational corporations in the technology, retail, energy and financial sectors_\u201d and that they have \u201c_a set of highly sophisticated techniques in gathering and analyzing information._\u201d They publicly offer several services including \u201c_an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities\u201d _and _\u201chighly sophisticated Red Teams to challenge your company's most critical assets.\u201d_ \n \nHowever, [multiple](<https://www.intelligenceonline.com/surveillance--interception/2022/04/06/after-finfisher-s-demise-berlin-explores-cyber-tool-options,109766000-art>) [news](<https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html>) [reports](<https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich>) have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft\u2019s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It\u2019s important to note that the identification of targets in a country doesn\u2019t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.\n\nMSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.\n\n## Observed actor activity\n\n### KNOTWEED initial access\n\nMSTIC found KNOTWEED\u2019s Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: _Jumplump _for the persistent loader and _Corelump _for the main malware.\n\n#### KNOTWEED exploits in 2022\n\nIn May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim\u2019s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED\u2019s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we\u2019ve seen no evidence of browser-based attacks.\n\nThe CVE-2022-22047 vulnerability is related to an issue with [activation context](<https://docs.microsoft.com/windows/win32/sbscs/activation-contexts>) caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.\n\nCVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.\n\nIt's important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker _cannot_ control the path isn\u2019t considered dangerous. Hence, these sandboxes aren\u2019t a barrier to the exploitation of CVE-2022-22047.\n\n#### KNOTWEED exploits in 2021\n\nIn 2021, MSRC received a report of two Windows privilege escalation exploits ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>)) being used in conjunction with an Adobe Reader exploit ([CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>)), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.\n\nWe were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by \u2018DSIRF GmbH\u2019.\n\n![A screenshot of the digital signature details tab from the file properties page. The tab states that the digital signature for the file is OK. The name indicated under the signer information portion is DSIRF GmbH.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig1-Valid-digital-signature-from-DSIRF.png)Figure 1. Valid digital signature from DSIRF on Medic Service exploit DLL\n\n#### Malicious Excel documents\n\nIn addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.\n\n![](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig2a-Examples-of-KNOTWEED-macro-obfuscation.png) ![Two screenshots of macro code snippet, presenting different examples of how the macro is obfuscated to evade detection. In the first code snippet, text from the Kama Sutra is inserted among the macro code. The second code snippet presents the code of a function where the attacker uses Excel 4 macro for obfuscation.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig2b-Examples-of-KNOTWEED-macro-obfuscation.png)Figure 2: Two examples of KNOTWEED Excel macro obfuscation\n\nAfter de-obfuscating strings at runtime, the VBA macro uses the _ExecuteExcel4Macro_ function to call native Win32 functions to load shellcode into memory allocated using _VirtualAlloc_. Each opcode is individually copied into a newly allocated buffer using _memset_ before _CreateThread_ is called to execute the shellcode.\n\n![A screenshot of a code snippet where the malware copies opcode to a newly allocated buffer.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig3-copying-opcodes.png)Figure 3: Copying opcodes ![A screenshot of a code snippet where the malware calls the CreateThread function to execute the shellcode.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig4-Calling-CreateThread.png)Figure 4: Calling CreateThread on shellcode\n\nThe following section describes the shellcode executed by the macro.\n\n### KNOTWEED malware and tactics, techniques, and procedures (TTPs)\n\n#### Corelump downloader and loader shellcode\n\nThe downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode's purpose is to retrieve the _Corelump_ second-stage malware from the actor\u2019s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the _0xFF 0xD9_ marker that signifies the end of a JPEG file). The JPEG is then written to the user\u2019s _%TEMP%_ directory.\n\n![](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig5-Image-embedded-with-the-KNOTWEED-loader-shellcode-and-Corelump.png)Figure 5: One of the images embedded with the loader shellcode and Corelump\n\nThe downloader shellcode searches for a 16-byte marker immediately following the end of JPEG. After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4 decrypts the _Corelump_ malware using a second RC4 key and manually loads it into memory.\n\n#### Corelump malware\n\n_Corelump _is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED\u2019s C2 server.\n\nAs part of installation, _Corelump_ makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. As part of this process, _Corelump_ also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), and modifying the image file checksum with a computed value from _CheckSumMappedFile._ These trojanized binaries (_Jumplump_) are dropped to disk in _C:\\Windows\\System32\\spool\\drivers\\color\\_, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).\n\n#### Jumplump loader\n\n_Jumplump _is responsible for loading _Corelump _into memory from the JPEG file in the %TEMP% directory. If _Corelump_ is not present, _Jumplump_ attempts to download it again from the C2 server. Both_ Jumplump _and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.\n\n![A screenshot of assembly code presenting the jmp/instruction obfuscation used in Jumplump malware. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig6-Disassembly-showing-jmp-instructions.png)Figure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump\n\n#### Mex and PassLib\n\nKNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):\n\n[Chisel](<https://github.com/jpillora/chisel>)| [mimikatz](<https://github.com/ParrotSec/mimikatz>)| [SharpHound3](<https://github.com/BloodHoundAD/SharpHound3>) \n---|---|--- \n[Curl](<https://github.com/curl/curl>)| [Ping Castle](<https://github.com/vletoux/pingcastle>)| [SharpOxidResolver](<https://github.com/S3cur3Th1sSh1t/SharpOxidResolver>) \n[Grouper2](<https://github.com/l0ss/Grouper2>)| [Rubeus](<https://github.com/GhostPack/Rubeus>)| [PharpPrinter](<https://github.com/rvrsh3ll/SharpPrinter>) \n[Internal Monologue](<https://github.com/eladshamir/Internal-Monologue>)| [SCShell](<https://github.com/Mr-Un1k0d3r/SCShell>)| [SpoolSample](<https://github.com/leechristensen/SpoolSample>) \n[Inveigh](<https://github.com/Kevin-Robertson/Inveigh>)| [Seatbelt](<https://github.com/GhostPack/Seatbelt>)| [StandIn](<https://github.com/FuzzySecurity/StandIn>) \n[Lockless](<https://github.com/GhostPack/Lockless>)| [SharpExec](<https://github.com/anthemtotheego/SharpExec>)| \n \nPassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.\n\n#### Post-compromise actions\n\nIn victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:\n\n * Setting of _UseLogonCredential _to \u201c1\u201d to enable plaintext credentials:\n * _reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f_\n * Credential dumping via _comsvcs.dll_:\n * _rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump_\n * Attempt to access emails with dumped credentials from a KNOTWEED IP address\n * Using Curl to download KNOTWEED tooling from public file shares such as _vultrobjects[.]com_\n * Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF\n\n### KNOTWEED infrastructure connections to DSIRF\n\nPivoting off a known command-and-control domain identified by MSTIC, _acrobatrelay[.]com_, RiskIQ expanded the view of KNOTWEED's attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.\n\nRiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including _demo3[.]dsirf[.]eu_ (the company's own website), and several subdomains that appear to have been used for malware development, including _debugmex[.]dsirflabs[.]eu_ (likely a server used for debugging malware with the bespoke utility tool Mex) and _szstaging[.]dsirflabs[.]eu_ (likely a server used to stage Subzero malware).\n\n## Detection and prevention\n\nMicrosoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.\n\n### Behaviors\n\n_Corelump _drops the_ Jumplump_ loader DLLs to _C:\\Windows\\System32\\spool\\drivers\\color\\\\. _This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.\n\n_Jumplump_ uses COM hijacking for persistence, modifying COM registry keys to point to the _Jumplump_ DLL in _C:\\Windows\\System32\\spool\\drivers\\color\\_. Modifications of default system CLSID values should be monitored to detect this technique (e.g., _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{GUID}\\InProcServer32 Default_ value). The five CLSIDs used by _Jumplump_ are listed below with their original clean values on Windows 11:\n\n * {ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = "_%SystemRoot%\\System32\\ApplicationFrame.dll_"\n * {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = "_%SystemRoot%\\system32\\propsys.dll_"\n * {4590f811-1d3a-11d0-891f-00aa004b2e24} = "_%SystemRoot%\\system32\\wbem\\wbemprox.dll_"\n * {4de225bf-cf59-4cfc-85f7-68b90f185355} = "_%SystemRoot%\\system32\\wbem\\wmiprvsd.dll_"\n * {F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = "_%SystemRoot%\\System32\\Actioncenter.dll_"\n\nMany of the post-compromise actions can be detected based on their command lines. Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as _HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest, _and LSASS credential dumping via minidumps.\n\n## Recommended customer actions\n\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:\n\n * All customers should prioritize patching of [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>).\n * Confirm that Microsoft Defender Antivirus is updated to security intelligence update **1.371.503.0** or later to detect the related indicators.\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.\n * [Change Excel macro security settings](<https://support.microsoft.com/office/change-macro-security-settings-in-excel-a97c09d2-c082-46b8-b19f-e8621e8fe373>) to control which macros run and under what circumstances when you open a workbook. Customers can also [stop malicious XLM or VBA macros](<https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/>) by ensuring runtime macro scanning by Antimalware Scan Interface ([AMSI](<https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal>)) is on. This feature\u2014enabled by default\u2014is on if the Group Policy setting for Macro Run Time Scan Scope is set to \u201cEnable for All Files\u201d or \u201cEnable for Low Trust Files\u201d.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _Note:_ Microsoft strongly encourages all customers download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n\n## Indicators of compromise (IOCs)\n\nThe following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.\n\nIndicator| Type| Description \n---|---|--- \n78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629| SHA-256| Malicious Excel document and VBA \n0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f| SHA-256| Malicious Excel document and VBA \n441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964| SHA-256| Jumplump malware \ncbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b| SHA-256| Jumplump malware \nfd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc| SHA-256| Jumplump malware \n5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206| SHA-256| Jumplump malware \n7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc| SHA-256| Jumplump malware \n02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d| SHA-256| Jumplump malware \n7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d| SHA-256| Jumplump malware \nafab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec| SHA-256| Jumplump malware \n894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53| SHA-256| Jumplump malware \n4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431| SHA-256| Jumplump malware \nc96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d| SHA-256| Corelump malware \nfa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca| SHA-256| Mex tool \ne64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6| SHA-256| Passlib tool \nacrobatrelay[.]com__| Domain| C2 \nfinconsult[.]cc| Domain| C2 \nrealmetaldns[.]com| Domain| C2 \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft Defender Antivirus\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build **1.371.503.0** as the following family names:\n\n * _Backdoor:O97M/JumplumpDropper_\n * _Trojan:Win32/Jumplump_\n * _Trojan:Win32/Corelump_\n * _HackTool:Win32/Mexlib_\n * _Trojan:Win32/Medcerc_\n * _Behavior:Win32/SuspModuleLoad_\n\n### Microsoft Defender for Endpoint\n\nMicrosoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. These alerts are not necessarily an indication of KNOTWEED compromise:\n\n * _COM Hijacking _- Detects multiple behaviors, including _JumpLump_ malware persistence techniques.\n * _Possible privilege escalation using CTF module _- Detects a possible privilege escalation behavior associated with CVE-2022-2204; also detects an attempt to perform local privilege escalation by launching an elevated process and loading an untrusted module to perform malicious activities\n * _KNOTWEED actor activity detected _- Detects KNOTWEED actor activities\n * _WDigest configuration change _- Detects potential retrieval of clear text password from changes to _UseLogonCredential_ registry key\n * _Sensitive credential memory read _- Detects LSASS credential dumping via minidumps\n * _Suspicious Curl behavior _- Detects the use of Curl to download KNOTWEED tooling from public file shares\n * _Suspicious screen capture activity_ - Detects _Corelump_ behavior of capturing screenshots of the compromised system\n\n## Hunting queries\n\n### Microsoft Sentinel\n\nThe following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDAVDetection.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDFileHashesJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDC2DomainsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\_ folder:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml>\n\n**Abnormally large JPEG downloaded from new source**\n\nThis query looks for downloads of JPEG files from remote sources, where the file size is abnormally large, and not from a common source:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl.\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml>\n\n**Suspected ****credential dumping**\n\nThis query looks for attackers using comsvcs.dll to dump credentials from memory\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml>\n\n**Downgrade to ****plaintext credentials**\n\nThis query looks for registry key being set to enabled plain text credentials\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml>\n\n### Microsoft 365 Defender advanced hunting\n\nMicrosoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies detection of related malware and tools by Microsoft Defender Antivirus:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\ folder_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl.\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml>\n\nThe post [Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-27T14:00:00", "type": "mmpc", "title": "Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-2204", "CVE-2022-22047"], "modified": "2022-07-27T14:00:00", "id": "MMPC:85647D37E79AFEF2BFF74B4682648C5E", "href": "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-07-27T17:46:22", "description": "The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.\n\nThis blog details Microsoft\u2019s analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED\u2019s malware and tools.\n\nPSOAs, which [Microsoft also refers to as cyber mercenaries](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>), sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.\n\n## Who is KNOTWEED?\n\nKNOTWEED is an Austria-based PSOA named DSIRF. The [DSIRF website](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) [web archive link] says they provide services_ \u201cto multinational corporations in the technology, retail, energy and financial sectors_\u201d and that they have \u201c_a set of highly sophisticated techniques in gathering and analyzing information._\u201d They publicly offer several services including \u201c_an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities\u201d _and _\u201chighly sophisticated Red Teams to challenge your company's most critical assets.\u201d_ \n \nHowever, [multiple](<https://www.intelligenceonline.com/surveillance--interception/2022/04/06/after-finfisher-s-demise-berlin-explores-cyber-tool-options,109766000-art>) [news](<https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html>) [reports](<https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich>) have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft\u2019s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It\u2019s important to note that the identification of targets in a country doesn\u2019t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.\n\nMSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.\n\n## Observed actor activity\n\n### KNOTWEED initial access\n\nMSTIC found KNOTWEED\u2019s Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: _Jumplump _for the persistent loader and _Corelump _for the main malware.\n\n#### KNOTWEED exploits in 2022\n\nIn May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim\u2019s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED\u2019s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we\u2019ve seen no evidence of browser-based attacks.\n\nThe CVE-2022-22047 vulnerability is related to an issue with [activation context](<https://docs.microsoft.com/windows/win32/sbscs/activation-contexts>) caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.\n\nCVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.\n\nIt's important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker _cannot_ control the path isn\u2019t considered dangerous. Hence, these sandboxes aren\u2019t a barrier to the exploitation of CVE-2022-22047.\n\n#### KNOTWEED exploits in 2021\n\nIn 2021, MSRC received a report of two Windows privilege escalation exploits ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>) and [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>)) being used in conjunction with an Adobe Reader exploit ([CVE-2021-28550](<https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>)), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.\n\nWe were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by \u2018DSIRF GmbH\u2019.\n\n![A screenshot of the digital signature details tab from the file properties page. The tab states that the digital signature for the file is OK. The name indicated under the signer information portion is DSIRF GmbH.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig1-Valid-digital-signature-from-DSIRF.png)Figure 1. Valid digital signature from DSIRF on Medic Service exploit DLL\n\n#### Malicious Excel documents\n\nIn addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.\n\n![](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig2a-Examples-of-KNOTWEED-macro-obfuscation.png) ![Two screenshots of macro code snippet, presenting different examples of how the macro is obfuscated to evade detection. In the first code snippet, text from the Kama Sutra is inserted among the macro code. The second code snippet presents the code of a function where the attacker uses Excel 4 macro for obfuscation.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig2b-Examples-of-KNOTWEED-macro-obfuscation.png)Figure 2: Two examples of KNOTWEED Excel macro obfuscation\n\nAfter de-obfuscating strings at runtime, the VBA macro uses the _ExecuteExcel4Macro_ function to call native Win32 functions to load shellcode into memory allocated using _VirtualAlloc_. Each opcode is individually copied into a newly allocated buffer using _memset_ before _CreateThread_ is called to execute the shellcode.\n\n![A screenshot of a code snippet where the malware copies opcode to a newly allocated buffer.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig3-copying-opcodes.png)Figure 3: Copying opcodes ![A screenshot of a code snippet where the malware calls the CreateThread function to execute the shellcode.](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig4-Calling-CreateThread.png)Figure 4: Calling CreateThread on shellcode\n\nThe following section describes the shellcode executed by the macro.\n\n### KNOTWEED malware and tactics, techniques, and procedures (TTPs)\n\n#### Corelump downloader and loader shellcode\n\nThe downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode's purpose is to retrieve the _Corelump_ second-stage malware from the actor\u2019s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the _0xFF 0xD9_ marker that signifies the end of a JPEG file). The JPEG is then written to the user\u2019s _%TEMP%_ directory.\n\n![](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig5-Image-embedded-with-the-KNOTWEED-loader-shellcode-and-Corelump.png)Figure 5: One of the images embedded with the loader shellcode and Corelump\n\nThe downloader shellcode searches for a 16-byte marker immediately following the end of JPEG. After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4 decrypts the _Corelump_ malware using a second RC4 key and manually loads it into memory.\n\n#### Corelump malware\n\n_Corelump _is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED\u2019s C2 server.\n\nAs part of installation, _Corelump_ makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. As part of this process, _Corelump_ also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), and modifying the image file checksum with a computed value from _CheckSumMappedFile._ These trojanized binaries (_Jumplump_) are dropped to disk in _C:\\Windows\\System32\\spool\\drivers\\color\\_, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).\n\n#### Jumplump loader\n\n_Jumplump _is responsible for loading _Corelump _into memory from the JPEG file in the %TEMP% directory. If _Corelump_ is not present, _Jumplump_ attempts to download it again from the C2 server. Both_ Jumplump _and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.\n\n![A screenshot of assembly code presenting the jmp/instruction obfuscation used in Jumplump malware. ](https://www.microsoft.com/security/blog/uploads/securityprod/2022/07/Fig6-Disassembly-showing-jmp-instructions.png)Figure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump\n\n#### Mex and PassLib\n\nKNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):\n\n[Chisel](<https://github.com/jpillora/chisel>)| [mimikatz](<https://github.com/ParrotSec/mimikatz>)| [SharpHound3](<https://github.com/BloodHoundAD/SharpHound3>) \n---|---|--- \n[Curl](<https://github.com/curl/curl>)| [Ping Castle](<https://github.com/vletoux/pingcastle>)| [SharpOxidResolver](<https://github.com/S3cur3Th1sSh1t/SharpOxidResolver>) \n[Grouper2](<https://github.com/l0ss/Grouper2>)| [Rubeus](<https://github.com/GhostPack/Rubeus>)| [PharpPrinter](<https://github.com/rvrsh3ll/SharpPrinter>) \n[Internal Monologue](<https://github.com/eladshamir/Internal-Monologue>)| [SCShell](<https://github.com/Mr-Un1k0d3r/SCShell>)| [SpoolSample](<https://github.com/leechristensen/SpoolSample>) \n[Inveigh](<https://github.com/Kevin-Robertson/Inveigh>)| [Seatbelt](<https://github.com/GhostPack/Seatbelt>)| [StandIn](<https://github.com/FuzzySecurity/StandIn>) \n[Lockless](<https://github.com/GhostPack/Lockless>)| [SharpExec](<https://github.com/anthemtotheego/SharpExec>)| \n \nPassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.\n\n#### Post-compromise actions\n\nIn victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:\n\n * Setting of _UseLogonCredential _to \u201c1\u201d to enable plaintext credentials:\n * _reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f_\n * Credential dumping via _comsvcs.dll_:\n * _rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump_\n * Attempt to access emails with dumped credentials from a KNOTWEED IP address\n * Using Curl to download KNOTWEED tooling from public file shares such as _vultrobjects[.]com_\n * Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF\n\n### KNOTWEED infrastructure connections to DSIRF\n\nPivoting off a known command-and-control domain identified by MSTIC, _acrobatrelay[.]com_, RiskIQ expanded the view of KNOTWEED's attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.\n\nRiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including _demo3[.]dsirf[.]eu_ (the company's own website), and several subdomains that appear to have been used for malware development, including _debugmex[.]dsirflabs[.]eu_ (likely a server used for debugging malware with the bespoke utility tool Mex) and _szstaging[.]dsirflabs[.]eu_ (likely a server used to stage Subzero malware).\n\n## Detection and prevention\n\nMicrosoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.\n\n### Behaviors\n\n_Corelump _drops the_ Jumplump_ loader DLLs to _C:\\Windows\\System32\\spool\\drivers\\color\\\\. _This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.\n\n_Jumplump_ uses COM hijacking for persistence, modifying COM registry keys to point to the _Jumplump_ DLL in _C:\\Windows\\System32\\spool\\drivers\\color\\_. Modifications of default system CLSID values should be monitored to detect this technique (e.g., _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{GUID}\\InProcServer32 Default_ value). The five CLSIDs used by _Jumplump_ are listed below with their original clean values on Windows 11:\n\n * {ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = "_%SystemRoot%\\System32\\ApplicationFrame.dll_"\n * {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = "_%SystemRoot%\\system32\\propsys.dll_"\n * {4590f811-1d3a-11d0-891f-00aa004b2e24} = "_%SystemRoot%\\system32\\wbem\\wbemprox.dll_"\n * {4de225bf-cf59-4cfc-85f7-68b90f185355} = "_%SystemRoot%\\system32\\wbem\\wmiprvsd.dll_"\n * {F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = "_%SystemRoot%\\System32\\Actioncenter.dll_"\n\nMany of the post-compromise actions can be detected based on their command lines. Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as _HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest, _and LSASS credential dumping via minidumps.\n\n## Recommended customer actions\n\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:\n\n * All customers should prioritize patching of [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>).\n * Confirm that Microsoft Defender Antivirus is updated to security intelligence update **1.371.503.0** or later to detect the related indicators.\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.\n * [Change Excel macro security settings](<https://support.microsoft.com/office/change-macro-security-settings-in-excel-a97c09d2-c082-46b8-b19f-e8621e8fe373>) to control which macros run and under what circumstances when you open a workbook. Customers can also [stop malicious XLM or VBA macros](<https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/>) by ensuring runtime macro scanning by Antimalware Scan Interface ([AMSI](<https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal>)) is on. This feature\u2014enabled by default\u2014is on if the Group Policy setting for Macro Run Time Scan Scope is set to \u201cEnable for All Files\u201d or \u201cEnable for Low Trust Files\u201d.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _Note:_ Microsoft strongly encourages all customers download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n\n## Indicators of compromise (IOCs)\n\nThe following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.\n\nIndicator| Type| Description \n---|---|--- \n78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629| SHA-256| Malicious Excel document and VBA \n0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f| SHA-256| Malicious Excel document and VBA \n441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964| SHA-256| Jumplump malware \ncbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b| SHA-256| Jumplump malware \nfd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc| SHA-256| Jumplump malware \n5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206| SHA-256| Jumplump malware \n7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc| SHA-256| Jumplump malware \n02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d| SHA-256| Jumplump malware \n7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d| SHA-256| Jumplump malware \nafab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec| SHA-256| Jumplump malware \n894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53| SHA-256| Jumplump malware \n4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431| SHA-256| Jumplump malware \nc96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d| SHA-256| Corelump malware \nfa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca| SHA-256| Mex tool \ne64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6| SHA-256| Passlib tool \nacrobatrelay[.]com__| Domain| C2 \nfinconsult[.]cc| Domain| C2 \nrealmetaldns[.]com| Domain| C2 \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft Defender Antivirus\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build **1.371.503.0** as the following family names:\n\n * _Backdoor:O97M/JumplumpDropper_\n * _Trojan:Win32/Jumplump_\n * _Trojan:Win32/Corelump_\n * _HackTool:Win32/Mexlib_\n * _Trojan:Win32/Medcerc_\n * _Behavior:Win32/SuspModuleLoad_\n\n### Microsoft Defender for Endpoint\n\nMicrosoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. These alerts are not necessarily an indication of KNOTWEED compromise:\n\n * _COM Hijacking _- Detects multiple behaviors, including _JumpLump_ malware persistence techniques.\n * _Possible privilege escalation using CTF module _- Detects a possible privilege escalation behavior associated with CVE-2022-2204; also detects an attempt to perform local privilege escalation by launching an elevated process and loading an untrusted module to perform malicious activities\n * _KNOTWEED actor activity detected _- Detects KNOTWEED actor activities\n * _WDigest configuration change _- Detects potential retrieval of clear text password from changes to _UseLogonCredential_ registry key\n * _Sensitive credential memory read _- Detects LSASS credential dumping via minidumps\n * _Suspicious Curl behavior _- Detects the use of Curl to download KNOTWEED tooling from public file shares\n * _Suspicious screen capture activity_ - Detects _Corelump_ behavior of capturing screenshots of the compromised system\n\n## Hunting queries\n\n### Microsoft Sentinel\n\nThe following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDAVDetection.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDFileHashesJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/KNOTWEEDC2DomainsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\_ folder:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml>\n\n**Abnormally large JPEG downloaded from new source**\n\nThis query looks for downloads of JPEG files from remote sources, where the file size is abnormally large, and not from a common source:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl.\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml>\n\n**Suspected ****credential dumping**\n\nThis query looks for attackers using comsvcs.dll to dump credentials from memory\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/SuspectedLSASSDump.yaml>\n\n**Downgrade to ****plaintext credentials**\n\nThis query looks for registry key being set to enabled plain text credentials\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/WDigestDowngradeAttack.yaml>\n\n### Microsoft 365 Defender advanced hunting\n\nMicrosoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.\n\n**Microsoft Defender Antivirus detections related to KNOTWEED**\n\nThis query identifies detection of related malware and tools by Microsoft Defender Antivirus:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml>\n\n**File hash IOCs related to KNOTWEED**\n\nThis query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml>\n\n**Domain IOCs related to KNOTWEED**\n\nThis query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml>\n\n**COM registry key modified to point to Color Profile folder**\n\nThis query identifies modifications to COM registry keys to point to executable files in _C:\\Windows\\System32\\spool\\drivers\\color\\_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml>\n\n**PE file dropped in Color Profile folder**\n\nThis query looks for PE files being created in the _C:\\Windows\\System32\\spool\\drivers\\color\\ folder_:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml>\n\n**Downloading new file using Curl**\n\nThis query looks for new files being downloaded using Curl.\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml>\n\nThe post [Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-27T14:00:00", "type": "mssecure", "title": "Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-2204", "CVE-2022-22047"], "modified": "2022-07-27T14:00:00", "id": "MSSECURE:85647D37E79AFEF2BFF74B4682648C5E", "href": "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2022-07-16T21:59:04", "description": "**Microsoft** today released updates to fix at least 86 security vulnerabilities in its **Windows** operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block **macros** in **Office** documents downloaded from the Internet.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png)\n\nIn February, security experts hailed Microsoft's decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.\n\nMacros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft's plan, the new warnings provided no such way to enable the macros.\n\nAs _Ars Technica_ veteran reporter **Dan Goodin** [put it](<https://arstechnica.com/information-technology/2022/07/microsoft-makes-major-course-reversal-allows-office-to-run-untrusted-macros/>), "security professionals\u2014some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity\u2014cheered the change."\n\nBut last week, Microsoft abruptly changed course. As [first reported](<https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-back-decision-to-block-office-macros-by-default/>) by _BleepingComputer_, Redmond said it would roll back the changes based on feedback from users.\n\n"While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros," Bleeping's **Sergiu Gatlan** wrote.\n\nMicrosoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.\n\nThe zero-day Windows vulnerability already seeing active attacks is [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro's **Zero Day Initiative** notes that while this bug is listed as being under active attack, there\u2019s no information from Microsoft on where or how widely it is being exploited.\n\n"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," ZDI's Dustin Childs [wrote](<https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review>). "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default."\n\n**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said CVE-2022-22047 is the kind of vulnerability that is typically seen abused after a target has already been compromised.\n\n"Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM," he said. "With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly."\n\nAfter a brief reprieve from patching serious security problems in the **Windows Print Spooler** service, we are back to business as usual. July's patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as [CVE-2022-22022](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22022>), [CVE-2022-22041](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22041>), [CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>), and [CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>). Experts at security firm **Tenable** note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.\n\nRoughly a third of the patches issued today involve weaknesses in Microsoft's Azure Site Recovery offering. Other components seeing updates this month include **Microsoft Defender for Endpoint**; **Microsoft Edge** (Chromium-based); **Office**; **Windows BitLocker**; **Windows Hyper-V**; **Skype for Business** and **Microsoft Lync**; and **Xbox**.\n\nFour of the flaws fixed this month address vulnerabilities Microsoft rates "critical," meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) and [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) affect Network File System (NFS) servers, and [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) affects the Remote Procedure Call (RPC) runtime.\n\n"Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later," said **Greg Wiseman**, product manager at **Rapid7**. "[CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) supposedly affects the Windows Graphics Component, though Microsoft\u2019s FAQ indicates that exploitation requires users to access a malicious RDP server."\n\nSeparately, Adobe today [issued patches](<https://helpx.adobe.com/security.html>) to address at least 27 vulnerabilities across multiple products, including **Acrobat** and **Reader**, **Photoshop**, **RoboHelp**, and **Adobe Character Animator**.\n\nFor a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft%20July%202022%20Patch%20Tuesday/28838/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/>) usually has the lowdown on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-13T01:02:49", "type": "krebs", "title": "Microsoft Patch Tuesday, July 2022 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22022", "CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22041", "CVE-2022-22047", "CVE-2022-30206", "CVE-2022-30221", "CVE-2022-30226"], "modified": "2022-07-13T01:02:49", "id": "KREBS:4D5B2D5FA1A6E077B46D7F3051319E72", "href": "https://krebsonsecurity.com/2022/07/microsoft-patch-tuesday-july-2022-edition/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2022-09-27T08:08:51", "description": "### *Detect date*:\n08/09/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, bypass security restrictions, execute arbitrary code, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 8.1 for x64-based systems \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2022 (Server Core installation) \nWindows Server 2019 (Server Core installation) \nWindows Server 2022 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 11 for ARM64-based Systems \nWindows Server 2016 \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows Server 2019 \nWindows 10 for x64-based Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-35759](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35759>) \n[CVE-2022-34705](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34705>) \n[CVE-2022-35765](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35765>) \n[CVE-2022-34303](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34303>) \n[CVE-2022-35763](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35763>) \n[CVE-2022-34703](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34703>) \n[CVE-2022-35751](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35751>) \n[CVE-2022-34707](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34707>) \n[CVE-2022-30194](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30194>) \n[CVE-2022-35771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35771>) \n[CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) \n[CVE-2022-34714](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34714>) \n[CVE-2022-34301](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34301>) \n[CVE-2022-35794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35794>) \n[CVE-2022-35766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35766>) \n[CVE-2022-34709](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34709>) \n[CVE-2022-34704](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34704>) \n[CVE-2022-35767](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35767>) \n[CVE-2022-35769](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35769>) \n[CVE-2022-35804](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35804>) \n[CVE-2022-30197](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30197>) \n[CVE-2022-35795](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35795>) \n[CVE-2022-35760](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35760>) \n[CVE-2022-35793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35793>) \n[CVE-2022-35747](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35747>) \n[CVE-2022-35743](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35743>) \n[CVE-2022-35764](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35764>) \n[CVE-2022-30144](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30144>) \n[CVE-2022-35761](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35761>) \n[CVE-2022-35762](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35762>) \n[CVE-2022-34702](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34702>) \n[CVE-2022-35757](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35757>) \n[CVE-2022-34690](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34690>) \n[CVE-2022-35745](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35745>) \n[CVE-2022-35750](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35750>) \n[CVE-2022-34708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34708>) \n[CVE-2022-35792](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35792>) \n[CVE-2022-35753](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35753>) \n[CVE-2022-34712](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34712>) \n[CVE-2022-34701](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34701>) \n[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) \n[CVE-2022-34302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34302>) \n[CVE-2022-35746](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35746>) \n[CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) \n[CVE-2022-35820](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35820>) \n[CVE-2022-34696](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34696>) \n[CVE-2022-33670](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33670>) \n[CVE-2022-34706](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34706>) \n[CVE-2022-34699](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34699>) \n[CVE-2022-35754](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35754>) \n[CVE-2022-35748](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35748>) \n[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>) \n[CVE-2022-35758](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35758>) \n[CVE-2022-35755](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35755>) \n[CVE-2022-35797](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35797>) \n[CVE-2022-35749](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35749>) \n[CVE-2022-35768](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35768>) \n[CVE-2022-35752](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35752>) \n[CVE-2022-34715](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34715>) \n[CVE-2022-34710](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34710>) \n[CVE-2022-35756](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35756>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5016627](<http://support.microsoft.com/kb/5016627>) \n[5016672](<http://support.microsoft.com/kb/5016672>) \n[5016622](<http://support.microsoft.com/kb/5016622>) \n[5016683](<http://support.microsoft.com/kb/5016683>) \n[5016639](<http://support.microsoft.com/kb/5016639>) \n[5016616](<http://support.microsoft.com/kb/5016616>) \n[5016623](<http://support.microsoft.com/kb/5016623>) \n[5016684](<http://support.microsoft.com/kb/5016684>) \n[5016681](<http://support.microsoft.com/kb/5016681>) \n[5012170](<http://support.microsoft.com/kb/5012170>) \n[5016629](<http://support.microsoft.com/kb/5016629>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "kaspersky", "title": "KLA12602 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30133", "CVE-2022-30144", "CVE-2022-30194", "CVE-2022-30197", "CVE-2022-33670", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34690", "CVE-2022-34691", "CVE-2022-34696", "CVE-2022-34699", "CVE-2022-34701", "CVE-2022-34702", "CVE-2022-34703", "CVE-2022-34704", "CVE-2022-34705", "CVE-2022-34706", "CVE-2022-34707", "CVE-2022-34708", "CVE-2022-34709", "CVE-2022-34710", "CVE-2022-34712", "CVE-2022-34713", "CVE-2022-34714", "CVE-2022-34715", "CVE-2022-35743", "CVE-2022-35744", "CVE-2022-35745", "CVE-2022-35746", "CVE-2022-35747", "CVE-2022-35748", "CVE-2022-35749", "CVE-2022-35750", "CVE-2022-35751", "CVE-2022-35752", "CVE-2022-35753", "CVE-2022-35754", "CVE-2022-35755", "CVE-2022-35756", "CVE-2022-35757", "CVE-2022-35758", "CVE-2022-35759", "CVE-2022-35760", "CVE-2022-35761", "CVE-2022-35762", "CVE-2022-35763", "CVE-2022-35764", "CVE-2022-35765", "CVE-2022-35766", "CVE-2022-35767", "CVE-2022-35768", "CVE-2022-35769", "CVE-2022-35771", "CVE-2022-35792", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35795", "CVE-2022-35797", "CVE-2022-35804", "CVE-2022-35820"], "modified": "2022-09-27T00:00:00", "id": "KLA12602", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12602/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-27T08:09:15", "description": "### *Detect date*:\n07/12/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft ESU. Malicious users can exploit these vulnerabilities to gain privileges, bypass security restrictions, obtain sensitive information, execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>) \n[CVE-2022-30203](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30203>) \n[CVE-2022-23825](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23825>) \n[CVE-2022-22023](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22023>) \n[CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) \n[CVE-2022-30211](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30211>) \n[CVE-2022-30202](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30202>) \n[CVE-2022-22037](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22037>) \n[CVE-2022-22048](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22048>) \n[CVE-2022-22036](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22036>) \n[CVE-2022-22028](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22028>) \n[CVE-2022-30205](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30205>) \n[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) \n[CVE-2022-30225](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30225>) \n[CVE-2022-21845](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21845>) \n[CVE-2022-22042](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22042>) \n[CVE-2022-30220](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30220>) \n[CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) \n[CVE-2022-22049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22049>) \n[CVE-2022-30223](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30223>) \n[CVE-2022-22026](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026>) \n[CVE-2022-30209](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30209>) \n[CVE-2022-22040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22040>) \n[CVE-2022-22050](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22050>) \n[CVE-2022-22025](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22025>) \n[CVE-2022-22043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22043>) \n[CVE-2022-30224](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30224>) \n[CVE-2022-22024](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22024>) \n[CVE-2022-22034](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22034>) \n[CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>) \n[CVE-2022-22022](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22022>) \n[CVE-2022-30208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30208>) \n[CVE-2022-30213](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30213>) \n[CVE-2022-22027](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22027>) \n[CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) \n[CVE-2022-23816](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23816>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-30206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30206>)7.2High \n[CVE-2022-30203](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30203>)4.6Warning \n[CVE-2022-23825](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23825>)2.1Warning \n[CVE-2022-22023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22023>)6.9High \n[CVE-2022-30221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30221>)5.1High \n[CVE-2022-30211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30211>)6.0High \n[CVE-2022-30202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30202>)6.9High \n[CVE-2022-22037](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22037>)8.5Critical \n[CVE-2022-22048](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22048>)6.6High \n[CVE-2022-22036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22036>)4.4Warning \n[CVE-2022-22028](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22028>)4.3Warning \n[CVE-2022-30205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30205>)6.0High \n[CVE-2022-22047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22047>)7.2High \n[CVE-2022-30225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30225>)3.6Warning \n[CVE-2022-21845](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21845>)4.7Warning \n[CVE-2022-22042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22042>)4.0Warning \n[CVE-2022-30220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30220>)7.2High \n[CVE-2022-22039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22039>)6.0High \n[CVE-2022-22049](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22049>)7.2High \n[CVE-2022-30223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30223>)2.7Warning \n[CVE-2022-22026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22026>)7.2High \n[CVE-2022-30209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30209>)5.8High \n[CVE-2022-22040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22040>)7.5Critical \n[CVE-2022-22050](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22050>)7.2High \n[CVE-2022-22025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22025>)5.0Critical \n[CVE-2022-22043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22043>)7.2High \n[CVE-2022-30224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30224>)6.9High \n[CVE-2022-22024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22024>)5.1High \n[CVE-2022-22034](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22034>)7.2High \n[CVE-2022-30226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30226>)3.6Warning \n[CVE-2022-22022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22022>)3.6Warning \n[CVE-2022-30208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30208>)4.0Warning \n[CVE-2022-30213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30213>)2.1Warning \n[CVE-2022-22027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22027>)6.8High \n[CVE-2022-22029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22029>)6.8High\n\n### *KB list*:\n[5015866](<http://support.microsoft.com/kb/5015866>) \n[5015862](<http://support.microsoft.com/kb/5015862>) \n[5015870](<http://support.microsoft.com/kb/5015870>) \n[5015861](<http://support.microsoft.com/kb/5015861>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "kaspersky", "title": "KLA12581 Multiple vulnerabilities in Microsoft ESU", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-23816", "CVE-2022-23825", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2022-09-26T00:00:00", "id": "KLA12581", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12581/", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-09-27T08:09:16", "description": "### *Detect date*:\n07/12/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, bypass security restrictions, obtain sensitive information, cause denial of service, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2016 (Server Core installation) \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 8.1 for 32-bit systems \nRemote Desktop client for Windows Desktop \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2016 \nWindows 10 Version 1607 for x64-based Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 11 for ARM64-based Systems \nWindows RT 8.1 \nWindows Server 2019 \nWindows Server 2012 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows Server 2022 \nWindows 8.1 for x64-based systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2022 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>) \n[CVE-2022-30222](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30222>) \n[CVE-2022-30203](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30203>) \n[CVE-2022-23825](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23825>) \n[CVE-2022-22023](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22023>) \n[CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) \n[CVE-2022-30211](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30211>) \n[CVE-2022-30214](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30214>) \n[CVE-2022-30212](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30212>) \n[CVE-2022-30202](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30202>) \n[CVE-2022-22037](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22037>) \n[CVE-2022-27776](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-27776>) \n[CVE-2022-22031](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22031>) \n[CVE-2022-33644](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33644>) \n[CVE-2022-22048](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22048>) \n[CVE-2022-22036](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22036>) \n[CVE-2022-22028](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22028>) \n[CVE-2022-30205](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30205>) \n[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) \n[CVE-2022-30225](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30225>) \n[CVE-2022-30216](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30216>) \n[CVE-2022-21845](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21845>) \n[CVE-2022-22042](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22042>) \n[CVE-2022-30220](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30220>) \n[CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) \n[CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) \n[CVE-2022-22049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22049>) \n[CVE-2022-30223](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30223>) \n[CVE-2022-22026](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026>) \n[CVE-2022-30209](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30209>) \n[CVE-2022-22711](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22711>) \n[CVE-2022-22040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22040>) \n[CVE-2022-22050](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22050>) \n[CVE-2022-22025](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22025>) \n[CVE-2022-22043](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22043>) \n[CVE-2022-30224](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30224>) \n[CVE-2022-22024](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22024>) \n[CVE-2022-22034](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22034>) \n[CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>) \n[CVE-2022-22041](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22041>) \n[CVE-2022-22022](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22022>) \n[CVE-2022-30208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30208>) \n[CVE-2022-30215](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30215>) \n[CVE-2022-22045](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22045>) \n[CVE-2022-30213](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30213>) \n[CVE-2022-22027](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22027>) \n[CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) \n[CVE-2022-23816](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23816>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-30206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30206>)7.2High \n[CVE-2022-30222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30222>)4.6Warning \n[CVE-2022-30203](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30203>)4.6Warning \n[CVE-2022-23825](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23825>)2.1Warning \n[CVE-2022-22023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22023>)6.9High \n[CVE-2022-30221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30221>)5.1High \n[CVE-2022-30211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30211>)6.0High \n[CVE-2022-30214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30214>)6.0High \n[CVE-2022-30212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30212>)4.7Warning \n[CVE-2022-30202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30202>)6.9High \n[CVE-2022-22037](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22037>)8.5Critical \n[CVE-2022-27776](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776>)4.3Warning \n[CVE-2022-22031](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22031>)7.2High \n[CVE-2022-33644](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33644>)4.4Warning \n[CVE-2022-22048](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22048>)6.6High \n[CVE-2022-22036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22036>)4.4Warning \n[CVE-2022-22028](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22028>)4.3Warning \n[CVE-2022-30205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30205>)6.0High \n[CVE-2022-22047](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22047>)7.2High \n[CVE-2022-30225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30225>)3.6Warning \n[CVE-2022-30216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30216>)6.5High \n[CVE-2022-21845](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21845>)4.7Warning \n[CVE-2022-22042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22042>)4.0Warning \n[CVE-2022-30220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30220>)7.2High \n[CVE-2022-22039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22039>)6.0High \n[CVE-2022-22038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22038>)6.8High \n[CVE-2022-22049](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22049>)7.2High \n[CVE-2022-30223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30223>)2.7Warning \n[CVE-2022-22026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22026>)7.2High \n[CVE-2022-30209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30209>)5.8High \n[CVE-2022-22711](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22711>)4.9Warning \n[CVE-2022-22040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22040>)7.5Critical \n[CVE-2022-22050](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22050>)7.2High \n[CVE-2022-22025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22025>)5.0Critical \n[CVE-2022-22043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22043>)7.2High \n[CVE-2022-30224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30224>)6.9High \n[CVE-2022-22024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22024>)5.1High \n[CVE-2022-22034](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22034>)7.2High \n[CVE-2022-30226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30226>)3.6Warning \n[CVE-2022-22041](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22041>)8.5Critical \n[CVE-2022-22022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22022>)3.6Warning \n[CVE-2022-30208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30208>)4.0Warning \n[CVE-2022-30215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30215>)8.5Critical \n[CVE-2022-22045](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22045>)6.9High \n[CVE-2022-30213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30213>)2.1Warning \n[CVE-2022-22027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22027>)6.8High \n[CVE-2022-22029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22029>)6.8High\n\n### *KB list*:\n[5015808](<http://support.microsoft.com/kb/5015808>) \n[5015875](<http://support.microsoft.com/kb/5015875>) \n[5015811](<http://support.microsoft.com/kb/5015811>) \n[5015863](<http://support.microsoft.com/kb/5015863>) \n[5015877](<http://support.microsoft.com/kb/5015877>) \n[5015807](<http://support.microsoft.com/kb/5015807>) \n[5015832](<http://support.microsoft.com/kb/5015832>) \n[5015874](<http://support.microsoft.com/kb/5015874>) \n[5015814](<http://support.microsoft.com/kb/5015814>) \n[5015827](<http://support.microsoft.com/kb/5015827>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-12T00:00:00", "type": "kaspersky", "title": "KLA12580 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22031", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22045", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-22711", "CVE-2022-23816", "CVE-2022-23825", "CVE-2022-27776", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30212", "CVE-2022-30213", "CVE-2022-30214", "CVE-2022-30215", "CVE-2022-30216", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226", "CVE-2022-33644"], "modified": "2022-09-26T00:00:00", "id": "KLA12580", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12580/", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2022-11-30T12:08:22", "description": "![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/17134132/abstract_binary_brain_report-990x400.jpg)\n\n * [IT threat evolution in Q3 2022](<https://securelist.com/it-threat-evolution-q3-2022/107957/>)\n * **IT threat evolution in Q3 2022. Non-mobile statistics**\n * [IT threat evolution in Q3 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q3 2022:\n\n * Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.\n * Web Anti-Virus recognized 251,288,987 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.\n * Ransomware attacks were defeated on the computers of 72,941 unique users.\n * Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Number of users attacked by banking malware\n\nIn Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.\n\n_Number of unique users attacked by financial malware, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154318/01-en-malware-report-q3-2022-pc-stat.png>))_\n\n### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 33.2 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.2 \n3 | IcedID | Trojan-Banker.Win32.IcedID | 10.0 \n4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.8 \n5 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 5.8 \n6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.1 \n7 | RTM | Trojan-Banker.Win32.RTM | 1.9 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 1.4 \n9 | Tinba/TinyBanker | Trojan-Banker.Win32.Tinba | 1.4 \n10 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n### Geography of financial malware attacks\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.7 \n2 | Afghanistan | 4.6 \n3 | Paraguay | 2.8 \n4 | Tajikistan | 2.8 \n5 | Yemen | 2.3 \n6 | Sudan | 2.3 \n7 | China | 2.0 \n8 | Switzerland | 2.0 \n9 | Egypt | 1.9 \n10 | Venezuela | 1.8 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\nThe third quarter of 2022 saw the builder for LockBit, a well-known ransomware, [leaked online](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/>). LockBit themselves attributed the leakage to one of their developers' personal initiative, not the group's getting hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. Similarly to other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy [spotted back in May](<https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/>). A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.\n\nMass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The [former](<https://www.qnap.com/en/security-advisory/QSA-22-21>) threatened files accessible from the internet over SMB protocol and protected by a weak account password. The latter [attacked](<https://www.qnap.com/en/security-news/2022/take-immediate-action-to-update-photo-station-to-the-latest-available-version>) devices that had a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.\n\nThe United States Department of Justice [announced](<https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors>) that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely [used](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) by the North Korean operators Andariel. The DOJ said victims had started getting their money back.\n\nThe creators of the little-known AstraLocker and Yashma ransomware [published](<https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/>) decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.\n\n### Number of new modifications\n\nIn Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. More than 11,000 of those were assigned the verdict of Trojan-Ransom.Win32.Crypmod, which hit the sixth place in our rankings of the most widespread ransomware Trojans.\n\n_Number of new ransomware modifications, Q3 2021 \u2014 Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154421/03-en-ru-es-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154500/04-en-malware-report-q3-2022-pc-stat.png>))_\n\n**TOP 10 most common families of ransomware Trojans**\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 \n4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod \n7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 \n9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 \n10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n### Geography of attacked users\n\n**TOP 10 countries and territories attacked by ransomware Trojans**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.66 \n2 | Yemen | 1.30 \n3 | South Korea | 0.98 \n4 | Taiwan | 0.77 \n5 | Mozambique | 0.64 \n6 | China | 0.52 \n7 | Colombia | 0.43 \n8 | Nigeria | 0.40 \n9 | Pakistan | 0.39 \n10 | Venezuela | 0.32 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). \n** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 \n4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.46 \n7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 \n9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 \n10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data. \n** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q3 2022, Kaspersky systems detected 153,773 new miner mods. More than 140,000 of these were found in July and August; combined with June's figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.\n\n_Number of new miner modifications, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154533/06-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. A quieter period from late spring through the early fall was followed by another increase in activity.\n\n_Number of unique users attacked by miners, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154601/07-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Geography of miner attacks\n\n**TOP 10 countries and territories attacked by miners**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Ethiopia | 2.38 \n2 | Kazakhstan | 2.13 \n3 | Uzbekistan | 2.01 \n4 | Rwanda | 1.93 \n5 | Tajikistan | 1.83 \n6 | Venezuela | 1.78 \n7 | Kyrgyzstan | 1.73 \n8 | Mozambique | 1.57 \n9 | Tanzania | 1.56 \n10 | Ukraine | 1.54 \n \n_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarterly highlights\n\nQ3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let's begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities that affected the CLFS driver: [CVE-2022-30220](<https://nvd.nist.gov/vuln/detail/CVE-2022-30220>), along with [CVE-2022-35803](<https://nvd.nist.gov/vuln/detail/CVE-2022-35803>) and [CVE-2022-37969](<https://nvd.nist.gov/vuln/detail/CVE-2022-37969>), both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write their own data to arbitrary memory addresses, allowing cybercriminals to hijack kernel control and elevate their privileges in the system. Several vulnerabilities were discovered in the Print Spooler service: [CVE-2022-22022](<https://nvd.nist.gov/vuln/detail/CVE-2022-22022>), [CVE-2022-30206](<https://nvd.nist.gov/vuln/detail/CVE-2022-30206>), and [CVE-2022-30226](<https://nvd.nist.gov/vuln/detail/CVE-2022-30226>). These allow elevating the system privileges through a series of manipulations while installing a printer. Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation ([CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>), [CVE-2022-22049](<https://nvd.nist.gov/vuln/detail/CVE-2022-22049>), and [CVE-2022-22026](<https://nvd.nist.gov/vuln/detail/CVE-2022-22026>)), while [CVE-2022-22038](<https://nvd.nist.gov/vuln/detail/CVE-2022-22038>) affects remote procedure call (RPC) protocol, allowing an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including [CVE-2022-22034](<https://nvd.nist.gov/vuln/detail/CVE-2022-22034>) and [CVE-2022-35750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35750>), which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require that exploits entrench in the system before an attacker can run their malware. The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, [CVE-2022-34713](<https://nvd.nist.gov/vuln/detail/CVE-2022-34713>) and [CVE-2022-35743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35743>), which can be exploited to take advantage of security flaws in the link handler to remotely run commands in the system.\n\nMost of the network threats detected in Q3 2022 were again attacks associated with [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. The attempts at exploiting network services and other software via vulnerabilities in the Log4j library ([CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), [CVE-2021-44832](<https://nvd.nist.gov/vuln/detail/CVE-2021-44832>), [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), and [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/cve-2021-45105>)) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are [CVE-2022-22028](<https://nvd.nist.gov/vuln/detail/CVE-2022-22028>), which can lead to leakage of confidential information, as well as [CVE-2022-22029](<https://nvd.nist.gov/vuln/detail/CVE-2022-22029>), [CVE-2022-22039](<https://nvd.nist.gov/vuln/detail/CVE-2022-22039>) and [CVE-2022-34715](<https://nvd.nist.gov/vuln/detail/CVE-2022-34715>), which a cybercriminal can use to remotely execute arbitrary code in the system \u2014 in kernel context \u2014 by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability [CVE-2022-34718](<https://nvd.nist.gov/vuln/detail/CVE-2022-34718>), which allows in theory to remotely exploit a target system by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning the [CVE-2022-34724](<https://nvd.nist.gov/vuln/detail/CVE-2022-34724>) vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.\n\nTwo vulnerabilities in Microsoft Exchange Server, [CVE-2022-41040](<https://nvd.nist.gov/vuln/detail/CVE-2022-41040>) and [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082>), received considerable media coverage. They were collectively dubbed "ProxyNotShell" in reference to the ProxyShell vulnerabilities with similar exploitation technique (they were closed earlier). Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the loopholes to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to to extort money from the victim, etc.\n\n### Vulnerability statistics\n\nIn Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections \u2014 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:\n\n * [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;\n * [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), which allows downloading and running malicious script files;\n * [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), also known as "Follina", which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;\n * [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154631/09-en-malware-report-q3-2022-pc-stat.png>))_\n\nThese were followed by exploits that target browsers. Their share amounted to 6%, or 1% higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:\n\n * [CVE-2022-2294](<https://nvd.nist.gov/vuln/detail/CVE-2022-2294>), in the WebRTC component, which leads to buffer overflow;\n * [CVE-2022-2624](<https://nvd.nist.gov/vuln/detail/CVE-2022-2624>), which exploits a memory overflow error in the PDF viewing component;\n * [CVE-2022-2295](<https://nvd.nist.gov/vuln/detail/CVE-2022-2295>), a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code in a sandbox;\n * [CVE-2022-3075](<https://nvd.nist.gov/vuln/detail/CVE-2022-3075>), an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.\n\nSince many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack the other browsers as long as they run on one engine.\n\nA series of vulnerabilities were identified in Microsoft Edge. Worth noting is [CVE-2022-33649](<https://nvd.nist.gov/vuln/detail/CVE-2022-33649>), which allows running an application in the system by circumventing the browser protections; [CVE-2022-33636](<https://nvd.nist.gov/vuln/detail/CVE-2022-33636>) and [CVE-2022-35796](<https://nvd.nist.gov/vuln/detail/CVE-2022-35796>), Race Condition vulnerabilities that ultimately allow a sandbox escape; and [CVE-2022-38012](<https://nvd.nist.gov/vuln/detail/CVE-2022-38012>), which exploits an application memory corruption error, with similar results.\n\nThe Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: [CVE-2022-38476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476>), a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities [CVE-2022-38477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477>) and [CVE-2022-38478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478>), which exploit memory corruption. As you can see from our reports, browsers are an attractive target for cybercriminals, as these are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers often have to use a chain of vulnerabilities to work around the protections of modern browsers.\n\nThe remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.\n\n## Attacks on macOS\n\nThe third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. In particular, researchers found [Operation In(ter)ception](<https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/>), a campaign operated by North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.\n\n[CloudMensis](<https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/>), a spy program written in Objective-C, used cloud storage services as C&C servers and [shared several characteristics](<https://twitter.com/ESETresearch/status/1575103839115804672>) with the RokRAT Windows malware operated by ScarCruft.\n\nThe creators of XCSSET [adapted](<https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/>) their toolset to macOS Monterey and migrated from Python 2 to Python 3.\n\nIn Q3, cybercrooks also began to make use of open-source tools in their attacks. July saw the discovery of two campaigns that used a fake [VPN application](<https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/>) and fake [Salesforce updates](<https://twitter.com/ESETresearch/status/1547943014860894210>), both built on the Sliver framework.\n\nIn addition to this, researchers announced a new multi-platform [find](<https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/>): the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.\n\n### TOP 20 threats for macOS\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Amc.e | 14.77 \n2 | AdWare.OSX.Pirrit.ac | 10.45 \n3 | AdWare.OSX.Agent.ai | 9.40 \n4 | Monitor.OSX.HistGrabber.b | 7.15 \n5 | AdWare.OSX.Pirrit.j | 7.10 \n6 | AdWare.OSX.Bnodlero.at | 6.09 \n7 | AdWare.OSX.Bnodlero.ax | 5.95 \n8 | Trojan-Downloader.OSX.Shlayer.a | 5.71 \n9 | AdWare.OSX.Pirrit.ae | 5.27 \n10 | Trojan-Downloader.OSX.Agent.h | 3.87 \n11 | AdWare.OSX.Bnodlero.bg | 3.46 \n12 | AdWare.OSX.Pirrit.o | 3.32 \n13 | AdWare.OSX.Agent.u | 3.13 \n14 | AdWare.OSX.Agent.gen | 2.90 \n15 | AdWare.OSX.Pirrit.aa | 2.85 \n16 | Backdoor.OSX.Twenbc.e | 2.85 \n17 | AdWare.OSX.Ketin.h | 2.82 \n18 | AdWare.OSX.Pirrit.gen | 2.69 \n19 | Trojan-Downloader.OSX.Lador.a | 2.52 \n20 | Downloader.OSX.InstallCore.ak | 2.28 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs usual, our TOP 20 ranking for biggest threats encountered by users of Kaspersky security solutions for macOS were dominated by adware. AdWare.OSX.Amc.e, touted as "Advanced Mac Cleaner," had taken the top place for a second quarter in a row. This application displays fake system issue messages, offering to buy the full version to fix those. Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.\n\n### Geography of threats for macOS\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | France | 1.71 \n2 | Canada | 1.70 \n3 | Russia | 1.57 \n4 | India | 1.53 \n5 | United States | 1.52 \n6 | Spain | 1.48 \n7 | Australia | 1.36 \n8 | Italy | 1.35 \n9 | Mexico | 1.27 \n10 | United Kingdom | 1.24 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000). \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nFrance, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.\n\nTelnet | 75.92% \n---|--- \nSSH | 24.08% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022_\n\nA majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.\n\nTelnet | 97.53% \n---|--- \nSSH | 2.47% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022_\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 28.67 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 18.63 \n3 | Backdoor.Linux.Mirai.ba | 11.63 \n4 | Backdoor.Linux.Mirai.cw | 10.94 \n5 | Backdoor.Linux.Gafgyt.a | 3.69 \n6 | Backdoor.Linux.Mirai.ew | 3.49 \n7 | Trojan-Downloader.Shell.Agent.p | 2.56 \n8 | Backdoor.Linux.Gafgyt.bj | 1.63 \n9 | Backdoor.Linux.Mirai.et | 1.17 \n10 | Backdoor.Linux.Mirai.ek | 1.08 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT-threat statistics are published in the DDoS report for Q3 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources country and territory, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154703/11-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nNote that these rankings only include attacks by malicious objects that fall under the **_Malware_**_ class_; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 19.65 \n2 | Belarus | 17.01 \n3 | Serbia | 15.05 \n4 | Russia | 14.12 \n5 | Algeria | 14.01 \n6 | Turkey | 13.82 \n7 | Tunisia | 13.31 \n8 | Bangladesh | 13.30 \n9 | Moldova | 13.22 \n10 | Palestine | 12.61 \n11 | Yemen | 12.58 \n12 | Ukraine | 12.25 \n13 | Libya | 12.23 \n14 | Sri Lanka | 11.97 \n15 | Kyrgyzstan | 11.69 \n16 | Estonia | 11.65 \n17 | Hong Kong | 11.52 \n18 | Nepal | 11.52 \n19 | Syria | 11.39 \n20 | Lithuania | 11.33 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._\n\nOn average during the quarter, 9.08% of internet users' computers worldwide were subjected to at least one **Malware**-class web attack.\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q3 2022, our File Anti-Virus detected **49,275,253** malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThese rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 46.48 \n2 | Yemen | 45.12 \n3 | Afghanistan | 44.18 \n4 | Cuba | 40.48 \n5 | Tajikistan | 39.17 \n6 | Bangladesh | 37.06 \n7 | Uzbekistan | 37.00 \n8 | Ethiopia | 36.96 \n9 | South Sudan | 36.89 \n10 | Myanmar | 36.64 \n11 | Syria | 34.82 \n12 | Benin | 34.56 \n13 | Burundi | 33.91 \n14 | Tanzania | 33.05 \n15 | Rwanda | 33.03 \n16 | Chad | 33.01 \n17 | Venezuela | 32.79 \n18 | Cameroon | 32.30 \n19 | Sudan | 31.93 \n20 | Malawi | 31.88 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\nOn average worldwide, Malware-class local threats were registered on 14.74% of users' computers at least once during Q3. Russia scored 16.60% in this ranking.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-18T08:10:34", "type": "securelist", "title": "IT threat evolution in Q3 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-40444", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-22022", "CVE-2022-22026", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2624", "CVE-2022-30190", "CVE-2022-30206", "CVE-2022-30220", "CVE-2022-30226", "CVE-2022-3075", "CVE-2022-33636", "CVE-2022-33649", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-34718", "CVE-2022-34724", "CVE-2022-35743", "CVE-2022-35750", "CVE-2022-35796", "CVE-2022-35803", "CVE-2022-37969", "CVE-2022-38012", "CVE-2022-38476", "CVE-2022-38477", "CVE-2022-38478", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-18T08:10:34", "id": "SECURELIST:C1F2E1B6711C8D84F3E78D203B3CE837", "href": "https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}