Microsoft Patch Tuesday August 2022: DogWalk, Exchange EOPs, 13 potentially dangerous, 2 funny, 3 mysterious vulnerabilities

Hello everyone! In this episode, let’s take a look at the Microsoft Patch Tuesday August 2022 vulnerabilities. I use my Vulristics vulnerability prioritization tool as usual. I take comments for vulnerabilities from Tenable, Qualys, Rapid7, ZDI and Kaspersky blog posts. Also, as usual, I take into account the vulnerabilities added between the July and August Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239098

There were 147 vulnerabilities. Urgent: 1, Critical: 0, High: 36, Medium: 108, Low: 2.

There was a lot of great stuff this Patch Tuesday. There was a critical exploited in the wild MSDT DogWalk vulnerability, 3 critical Exchange vulnerabilities that could be easily missed in prioritization, 13 potentially dangerous vulnerabilities, 2 funny vulnerabilities and 3 mysterious ones. Let’s take a closer look.

$ cat comments_links.txt 
Qualys|August 2022 Patch Tuesday. Microsoft Releases 121 Vulnerabilities with 17 Critical, plus 20 Microsoft Edge (Chromium-Based); Adobe Releases 5 Advisories|https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday
ZDI|THE AUGUST 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/8/9/the-august-2022-security-update-review
Kaspersky|DogWalk and other vulnerabilities|https://www.kaspersky.com/blog/dogwalk-vulnerability-patch-tuesday-08-2022/45127/

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "August" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
MS PT Year: 2022
MS PT Month: August
MS PT Date: 2022-08-09
MS PT CVEs found: 121
Ext MS PT Date from: 2022-07-13
Ext MS PT Date to: 2022-08-08
Ext MS PT CVEs found: 26
ALL MS PT CVEs: 147
...

DogWalk

Remote Code Execution in Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-34713), dubbed DogWalk. The only Urgent level vulnerability. The Microsoft Support Diagnostic Tool (MSDT) is a service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes. DogWalk vulnerability allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word. There is an element of social engineering to this as a threat actor would need to convince a user to click a link or open a document. Exploitability Assessment: Exploitation in the wild detected. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). But it is not yet available in public exploit packs. DogWalk is similar to MSDT RCE Follina (CVE-2022-30190), which made some hype in May of this year. It’s not clear if this vulnerability is the result of a failed patch or something new.

3 Microsoft Exchange EOPs

Elevation of Privilege in Microsoft Exchange (CVE-2022-21980, CVE-2022-24516, CVE-2022-24477). I will not hide, this vulnerabilities were not detected as critical by Vulristics, only as Medium. This happened due to the fact that this are not RCEs, but EOPs. No public exploit or sign of exploitation in the wild. But these vulnerabilities are very critical, due to the fact that Exchange is often accessible from the Internet. And because of details about the vulnerability, which is only highlighted by ZDI. These bugs could allow an authenticated attacker to take over the mailboxes of all Exchange users, read and send emails or download attachments from any mailbox on the Exchange server. This gives access to valuable data and great opportunities for developing an attack. Administrators will also need to enable Extended Protection to fully address these vulnerabilities.

it is not clear how to highlight such vulnerabilities automatically, because there are few formal signs. Apparently it is required to raise the priority of the software available on the perimeter and software that operates with important data.

13 potentially dangerous vulnerabilities

  1. Remote Code Execution in Windows Point-to-Point Protocol (PPP) (CVE-2022-30133, CVE-2022-35744). The Point-to-Point Protocol (PPP) is the default RAS (remote access service) protocol in Windows and is a data link-layer protocol used to encapsulate higher network-layer protocols to pass over synchronous and asynchronous communication lines. Both vulnerabilities allow attackers to send requests to the remote access server, which can lead to the execution of malicious code on the machine. And both have the same CVSS score: 9.8. This vulnerabilities can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable. Warning: Disabling Port 1723 could affect communications over your network. Exploitability Assessment: Exploitation Less Likely
  2. Remote Code Execution in Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2022-35766, CVE-2022-35794). SSTP is a VPN tunneling protocol designed to secure your online traffic. Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS (remote access service) server, which could lead to remote code execution (RCE) on the RAS server machine. Exploitability Assessment: Exploitation Less Likely
  3. Remote Code Execution in SMB Client and Server (CVE-2022-35804). The server side of this vulnerability would allow a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. Interestingly, this bug only affects Windows 11, which implies some new functionality introduced this vulnerability. Either way, this could potentially be wormable between affected Windows 11 systems with SMB server enabled. Disabling SMBv3 compression is a workaround for this bug, but applying the update is the best method to remediate the vulnerability. This vulnerability is reminiscent of past SMB vulnerabilities such as the EternalBlue SMBv1 flaw patched in MS17-010 in March of 2017 that was exploited as part of the WannaCry incident in addition to the more recent CVE-2020-0796 “EternalDarkness” RCE flaw in SMB 3.1.1.
  4. Remote Code Execution in Visual Studio (CVE-2022-35777, CVE-2022-35825, CVE-2022-35826, CVE-2022-35827). The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Proof-of-Concept Exploit). None of the vendors highlighted these vulnerabilities. But it seems that this can be used in targeted phishing against developers.
  5. Elevation of Privilege in Active Directory (CVE-2022-34691). An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System. The advisory notes that exploitation is only possible when Active Directory Certificate Services is running on the domain. Exploitability Assessment: Exploitation Less Likely.
  6. Remote Code Execution in Windows Network File System (CVE-2022-34715). This is now the fourth month in a row with an NFS code execution patch. To exploit this, a remote, unauthenticated attacker would need to make a specially crafted call to an affected NFS server. This would provide the threat actor with code execution at elevated privileges. Although we have not yet seen the actual exploitation of such vulnerabilities.
  7. Elevation of Privilege in Windows Print Spooler (CVE-2022-35793, CVE-2022-35755). The Print Spooler is software built into the Windows operating system that temporarily stores print jobs in the computer’s memory until the printer is ready to print them. CVE-2022-35755 can be exploited using a specially crafted “input file,” while exploitation of CVE-2022-35793 requires a user click on a specially crafted URL. Both would give the attacker SYSTEM privileges. Both vulnerabilities can be mitigated by disabling the Print Spooler service, but CVE-2022-35793 can also be mitigated by disabling inbound remote printing via Group Policy.

2 funny vulnerabilities

  1. Vulristics suddenly highlighted the Memory Corruption in Microsoft Edge (CVE-2022-2623) vulnerability because there is a public exploit for it. It turned out that there was a bug in the exploit databases: 0day.today and packetstorm. CVE-2022-2623 was mistakenly written instead of CVE-2022-26233. And this also happens and no one checks it. Well, prioritization of vulnerabilities based on distorted source data does not work well.
  2. Denial of Service – Microsoft Outlook (CVE-2022-35742). This was reported through the ZDI program and is a mighty interesting bug. Sending a crafted email to a victim causes their Outlook application to terminate immediately. Outlook cannot be restarted. Upon restart, it will terminate again once it retrieves and processes the invalid message. It is not necessary for the victim to open the message or to use the Reading pane. The only way to restore functionality is to access the mail account using a different client (i.e., webmail, or administrative tools) and remove the offending email(s) from the mailbox before restarting Outlook.

3 mysterious vulnerabilities

  • CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass
  • CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass
  • CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass

They came from the US CERT Coordination Center.

  1. No one writes anything about them, only Tenable. “security bypass vulnerabilities in a third-party driver affecting Windows Secure Boot”.
  2. Maybe this is of course a coincidence and we are talking about other software, but isn’t Crypto Pro a Russian CryptoPro, “the company’s main activity is cryptographic software development and public key infrastructure solutions based on national and international standards.”?
  3. Isn’t Eurosoft a Russian Eurosoft, “software for architectural design”?

It’s all very curious.

Full Vulristics report: ms_patch_tuesday_august2022

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.