Report Name: Microsoft Patch Tuesday, September 2022
Generated: 2022-09-18 22:08:27

Product Name	Prevalence	U	C	H	M	L	Comment
Kerberos	1			1	1		Kerberos
Remote Procedure Call Runtime	0.9			1			Remote Procedure Call Runtime
Windows DNS Server	0.9			1			Windows component
Windows Kernel	0.9				3		Windows Kernel
Windows LDAP	0.9			1			Windows LDAP
Windows TCP/IP	0.9			1			Windows component
.NET Core and Visual Studio	0.8			1			.NET Core and Visual Studio
.NET Framework	0.8			1			.NET Framework
DirectX Graphics Kernel	0.8				1		DirectX Graphics Kernel
Microsoft Edge	0.8			3	18	4	Web browser
Windows ALPC	0.8				1		Windows component
Windows Common Log File System Driver	0.8		1		1		Windows component
Windows Credential Roaming Service	0.8				1		Windows component
Windows DPAPI (Data Protection Application Programming Interface)	0.8				1		Windows component
Windows Defender Credential Guard	0.8			1	1		Windows component
Windows Distributed File System (DFS)	0.8				1		Windows component
Windows Enterprise App Management Service	0.8			1			Windows component
Windows Event Tracing	0.8				1		Windows component
Windows Fax Service	0.8			1			Windows component
Windows GDI	0.8			1			Windows component
Windows Graphics Component	0.8				3		Windows component
Windows Group Policy	0.8				1		Windows component
Windows Internet Key Exchange (IKE) Extension	0.8			1			Windows component
Windows Internet Key Exchange (IKE) Protocol Extensions	0.8			2			Windows component
Windows Photo Import API	0.8				1		Windows component
Windows Print Spooler	0.8				1		Windows component
Windows Remote Access	0.8				1		Windows component
Windows Secure Channel	0.8			2			Windows component
Microsoft SharePoint	0.7			4			Microsoft SharePoint
Raw Image Extension	0.7			1			Raw Image Extension
Microsoft Office Visio	0.6			2			Microsoft Visio
Microsoft PowerPoint	0.6			1			Microsoft PowerPoint
ARM processor	0.5				1		Processor
AV1 Video Extension	0.5			1			AV1 Video Extension
Azure Guest Configuration and Azure Arc-enabled servers	0.5				1		Azure Guest Configuration and Azure Arc-enabled servers
HTTP V3	0.5				1		HTTP V3
Microsoft Defender for Endpoint for Mac	0.5				1		Microsoft Defender for Endpoint for Mac
Microsoft Dynamics CRM (on-premises)	0.5			2			Microsoft Dynamics CRM (on-premises)
Microsoft ODBC Driver	0.5			5			Microsoft ODBC Driver
Microsoft OLE DB Provider for SQL Server	0.5			6			Microsoft OLE DB Provider for SQL Server
Network Device Enrollment Service (NDES)	0.5				1		Network Device Enrollment Service (NDES)
SPNEGO Extended Negotiation (NEGOEX) Security Mechanism	0.5				1		SPNEGO Extended Negotiation (NEGOEX) Security Mechanism
Visual Studio Code	0.3				1		Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0			31			Remote Code Execution
Security Feature Bypass	0.9			3	6		Security Feature Bypass
Denial of Service	0.7			5	2		Denial of Service
Memory Corruption	0.6				14		Memory Corruption
Elevation of Privilege	0.5		1	2	16		Elevation of Privilege
Information Disclosure	0.4				6		Information Disclosure
Unknown Vulnerability Type	0					4	Unknown Vulnerability Type

Urgent (0)

Critical (1)

1. Elevation of Privilege - Windows Common Log File System Driver (CVE-2022-37969) - Critical [604]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-35803.

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-37969*, CVE-2022-23960). Earlier this month, on September 1 and 2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) (CVE-2022-38012) ranked Low. Microsoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.

qualys: CVE-2022-37969 | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-37969 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. According to Microsoft, this vulnerability has been exploited in the wild. They also note that it has been publicly disclosed prior to a patch being available.

tenable: CVE-2022-24521, a similar vulnerability in CLFS, was patched earlier this year as part of Microsoft’s April Patch Tuesday release. CVE-2022-24521 flaw was disclosed to Microsoft by the National Security Agency (NSA) and CrowdStrike, which was also exploited in the wild. CVE-2022-37969 has been credited to several groups, including CrowdStrike, though it is unclear at this time if CVE-2022-37969 is potentially a patch-bypass for CVE-2022-24521.

rapid7: This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset they’ve already got an initial foothold in. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, Microsoft has released a fix for CVE-2022-23960 (aka Spectre-BHB) for Windows 11 on ARM64.

zdi: CVE-2022-37969 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This bug in the Common Log File System (CLFS) allows an authenticated attacker to execute code with elevated privileges. Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link. Once they do, additional code executes with elevated privileges to take over a system. Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.

kaspersky: CVE-2022-37969, which is being actively exploited by attackers

kaspersky: CVE-2022-37969 is a zero-day vulnerability in the Common Log File System driver. This is not the most dangerous bug of those that were patched by the latest update (its CVSS rating is only 7.8), since, in order to take advantage of it, attackers need to somehow gain access to the victim’s computer. However, successful exploitation will allow them to elevate their privileges to SYSTEM. According to Microsoft some attackers are already using the exploit for this vulnerability in the wild; therefore, it should be patched as soon as possible.

High (41)

2. Security Feature Bypass - Microsoft Edge (CVE-2022-2856) - High [577]

Description: Chromium: CVE-2022-2856 Insufficient validation of untrusted input in Intents. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-2856 exists in the wild.

MS PT Extended: CVE-2022-2856 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

qualys: Qualys Threat Protection High-Rated Advisories from August 10 thru September 2022 Patch Tuesday Advisory Sorted in Descending Order Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday September 2022 EditionGoogle Chrome Releases Fix for the Zero-day Vulnerability (CVE-2022-3075)Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)GitLab Patches Critical Remote Command Execution Vulnerability (CVE-2022-2884)Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)Palo Alto Networks (PAN-OS) Reflected Amplification Denial-of-Service (DoS) Vulnerability (CVE-2022-0028)Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch TuesdayVMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)

3. Security Feature Bypass - Microsoft Edge (CVE-2022-3075) - High [577]

Description: Chromium: CVE-2022-3075 Insufficient data validation in Mojo. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reportsrts that an exploit for CVE-2022-3075 exists in the wild.

MS PT Extended: CVE-2022-3075 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

qualys: Qualys Threat Protection High-Rated Advisories from August 10 thru September 2022 Patch Tuesday Advisory Sorted in Descending Order Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday September 2022 EditionGoogle Chrome Releases Fix for the Zero-day Vulnerability (CVE-2022-3075)Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)GitLab Patches Critical Remote Command Execution Vulnerability (CVE-2022-2884)Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)Palo Alto Networks (PAN-OS) Reflected Amplification Denial-of-Service (DoS) Vulnerability (CVE-2022-0028)Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch TuesdayVMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)

zdi: CVE-2022-3075 - Chromium: CVE-2022-3075 Insufficient data validation in Mojo. This patch was released by the Google Chrome team back on September 2, so this is more of an “in case you missed it.” This vulnerability allows code execution on affected Chromium-based browsers (like Edge) and has been detected in the wild. This is the sixth Chrome exploit detected in the wild this year. The trend shows the near-ubiquitous browser platform has become a popular target for attackers. Make sure to update all of your systems based on Chromium.

4. Remote Code Execution - Windows TCP/IP (CVE-2022-34718) - High [508]

Description: Windows TCP/IP Remote Code Execution Vulnerability.

qualys: CVE-2022-34718 | Windows TCP/IP Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine. Exploitability Assessment: Exploitation More Likely

qualys: CVE-2022-34718 | Windows TCP/IP Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. Policy Compliance Control IDs (CIDs): 3720: Status of the ‘IPSEC Services’ service14916: Status of Windows Services  Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-34718 is a RCE in Windows TCP/IP that received a CVSSv3 score of 9.8 and was rated Exploitation More Likely according to Microsoft’s Exploitability Index. This vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled. Successful exploitation could grant an unauthenticated attacker remote code execution. Microsoft has released patches for all supported versions of Windows, including Server Core editions.

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

zdi: CVE-2022-34718 - Windows TCP/IP Remote Code Execution Vulnerability. This Critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction. That officially puts it into the “wormable” category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.

kaspersky: - CVE-2022-34718 — a bug in Windows TCP/IP with a CVSS rating of 9.8. An unauthorized attacker can use it to execute arbitrary code on the attacked Windows computer with the IPSec service enabled by sending a specially crafted IPv6 packet to it.

5. Elevation of Privilege - Kerberos (CVE-2022-33679) - High [490]

Description: Windows Kerberos Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33647.

qualys: CVE-2022-33679 , CVE-2022-33647 | Windows Kerberos Elevation of Privilege (EoP) Vulnerability These vulnerabilities have a CVSSv3.1 score of 8.1/10. Policy Compliance Control IDs (CIDs): 17108: Status of the ‘KDC support for claims, compound authentication and Kerberos armoring’ setting (Enabled / Disabled)17109: Status of the ‘Kerberos client support for claims, compound authentication and Kerberos armoring’ setting17197: Status of the ‘KDC support for claims, compound authentication, and Kerberos armoring’ setting Exploitability Assessment: Exploitation Less Likely

6. Remote Code Execution - Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34721) - High [489]

Description: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34722.

qualys: CVE-2022-34721, CVE-2022-34722 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. NOTE: This vulnerability only impacts IKEv1. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets. Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows IKE protocol extensions that received a CVSSv3 score of 9.8 and were rated Exploitation Less Likely. The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks. Yuki Chen with Cyber KunLun is credited with disclosing both of these flaws along with CVE-2022-34720, a denial of service flaw in the IKE Protocol Exchange, and CVE-2022-35830, a RCE vulnerability in the Remote Procedure Call runtime.

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

kaspersky: - CVE-2022-34721 and CVE-2022-34722 — vulnerabilities in the Internet Key Exchange protocol that allow an attacker to execute malicious code by also sending an IP packet to a vulnerable machine. Both have a CVSS rating of 9.8. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft reminds that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.

7. Remote Code Execution - Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34722) - High [489]

Description: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34721.

qualys: CVE-2022-34721, CVE-2022-34722 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. NOTE: This vulnerability only impacts IKEv1. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets. Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows IKE protocol extensions that received a CVSSv3 score of 9.8 and were rated Exploitation Less Likely. The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks. Yuki Chen with Cyber KunLun is credited with disclosing both of these flaws along with CVE-2022-34720, a denial of service flaw in the IKE Protocol Exchange, and CVE-2022-35830, a RCE vulnerability in the Remote Procedure Call runtime.

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

kaspersky: - CVE-2022-34721 and CVE-2022-34722 — vulnerabilities in the Internet Key Exchange protocol that allow an attacker to execute malicious code by also sending an IP packet to a vulnerable machine. Both have a CVSS rating of 9.8. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft reminds that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.

8. Remote Code Execution - Remote Procedure Call Runtime (CVE-2022-35830) - High [481]

Description: Remote Procedure Call Runtime Remote Code Execution Vulnerability.

tenable: CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows IKE protocol extensions that received a CVSSv3 score of 9.8 and were rated Exploitation Less Likely. The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks. Yuki Chen with Cyber KunLun is credited with disclosing both of these flaws along with CVE-2022-34720, a denial of service flaw in the IKE Protocol Exchange, and CVE-2022-35830, a RCE vulnerability in the Remote Procedure Call runtime.

9. Remote Code Execution - Windows LDAP (CVE-2022-30200) - High [481]

Description: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability.

10. Remote Code Execution - Windows Enterprise App Management Service (CVE-2022-35841) - High [475]

Description: Windows Enterprise App Management Service Remote Code Execution Vulnerability.

11. Remote Code Execution - .NET Framework (CVE-2022-26929) - High [462]

Description: .NET Framework Remote Code Execution Vulnerability.

qualys: CVE-2022-26929 | .NET Framework Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. Exploitability Assessment: Exploitation Less Likely

12. Remote Code Execution - Microsoft Edge (CVE-2022-38012) - High [462]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

MS PT Extended: CVE-2022-38012 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-37969*, CVE-2022-23960). Earlier this month, on September 1 and 2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) (CVE-2022-38012) ranked Low. Microsoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.

qualys: Microsoft Edge | Last But Not Least Earlier in September 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including CVE-2022-38012. The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see Security Update Guide Supports CVEs Assigned by Industry Partners.

qualys: CVE-2022-38012 | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.7/10. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. This vulnerability could lead to a browser sandbox escape. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. NOTE: Per Microsoft’s severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn’t allow for this type of nuance which explains why this CVE is rated as Low, but the CVSSv3.1 score is 7.7

13. Remote Code Execution - Windows Fax Service (CVE-2022-38004) - High [462]

Description: Windows Fax Service Remote Code Execution Vulnerability.

qualys: CVE-2022-38004 | Windows Network File System Remote Code Execution (RCE) Vulnerability  This vulnerability has a CVSSv3.1 score of 7.8/10. Policy Compliance Control IDs (CIDs): 1161: Status of the ‘Fax’ service14916: Status of Windows Services Exploitability Assessment: Exploitation Less Likely

14. Remote Code Execution - Microsoft SharePoint (CVE-2022-37961) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38008, CVE-2022-38009.

15. Remote Code Execution - Microsoft SharePoint (CVE-2022-38008) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-37961, CVE-2022-38009.

16. Remote Code Execution - Microsoft SharePoint (CVE-2022-38009) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-37961, CVE-2022-38008.

qualys: CVE-2022-38009 | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint. Exploitability Assessment: Exploitation Less Likely

17. Elevation of Privilege - Windows GDI (CVE-2022-34729) - High [452]

Description: Windows GDI Elevation of Privilege Vulnerability.

18. Remote Code Execution - Microsoft SharePoint (CVE-2022-35823) - High [443]

Description: Microsoft SharePoint Remote Code Execution Vulnerability.

19. Remote Code Execution - Raw Image Extension (CVE-2022-38011) - High [429]

Description: Raw Image Extension Remote Code Execution Vulnerability.

20. Security Feature Bypass - Windows Defender Credential Guard (CVE-2022-35822) - High [428]

Description: Windows Defender Credential Guard Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-34709.

MS PT Extended: CVE-2022-35822 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

21. Remote Code Execution - Microsoft Office Visio (CVE-2022-37963) - High [424]

Description: Microsoft Office Visio Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38010.

22. Remote Code Execution - Microsoft Office Visio (CVE-2022-38010) - High [424]

Description: Microsoft Office Visio Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-37963.

23. Remote Code Execution - Microsoft PowerPoint (CVE-2022-37962) - High [424]

Description: Microsoft PowerPoint Remote Code Execution Vulnerability.

24. Denial of Service - Windows DNS Server (CVE-2022-34724) - High [420]

Description: Windows DNS Server Denial of Service Vulnerability.

zdi: CVE-2022-34724 - Windows DNS Server Denial of Service Vulnerability. This bug is only rated Important since there’s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.

25. Remote Code Execution - Microsoft Dynamics CRM (on-premises) (CVE-2022-34700) - High [418]

Description: Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-35805.

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

kaspersky: - CVE-2022-34700 and CVE-2022-35805 — a pair of vulnerabilities in the Microsoft Dynamics customer relationship management (CRM) software. Their exploitation allows an authenticated user to execute arbitrary SQL commands, after which the attacker can elevate their rights and execute commands inside the Dynamics 365 database with db_owner rights. Since an attacker still needs to somehow authenticate, the CVSS ratings of these vulnerabilities are slightly lower (8.8), but they are still considered critical.

26. Remote Code Execution - Microsoft Dynamics CRM (on-premises) (CVE-2022-35805) - High [418]

Description: Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34700.

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

kaspersky: - CVE-2022-34700 and CVE-2022-35805 — a pair of vulnerabilities in the Microsoft Dynamics customer relationship management (CRM) software. Their exploitation allows an authenticated user to execute arbitrary SQL commands, after which the attacker can elevate their rights and execute commands inside the Dynamics 365 database with db_owner rights. Since an attacker still needs to somehow authenticate, the CVSS ratings of these vulnerabilities are slightly lower (8.8), but they are still considered critical.

27. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-34726) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34727, CVE-2022-34730, CVE-2022-34732, CVE-2022-34734.

28. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-34727) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34726, CVE-2022-34730, CVE-2022-34732, CVE-2022-34734.

29. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-34730) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34726, CVE-2022-34727, CVE-2022-34732, CVE-2022-34734.

30. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-34732) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34726, CVE-2022-34727, CVE-2022-34730, CVE-2022-34734.

31. Remote Code Execution - Microsoft ODBC Driver (CVE-2022-34734) - High [418]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34726, CVE-2022-34727, CVE-2022-34730, CVE-2022-34732.

32. Remote Code Execution - Microsoft OLE DB Provider for SQL Server (CVE-2022-34731) - High [418]

Description: Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35840.

33. Remote Code Execution - Microsoft OLE DB Provider for SQL Server (CVE-2022-34733) - High [418]

Description: Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35840.

34. Remote Code Execution - Microsoft OLE DB Provider for SQL Server (CVE-2022-35834) - High [418]

Description: Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35835, CVE-2022-35836, CVE-2022-35840.

35. Remote Code Execution - Microsoft OLE DB Provider for SQL Server (CVE-2022-35835) - High [418]

Description: Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35836, CVE-2022-35840.

36. Remote Code Execution - Microsoft OLE DB Provider for SQL Server (CVE-2022-35836) - High [418]

Description: Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35840.

37. Remote Code Execution - Microsoft OLE DB Provider for SQL Server (CVE-2022-35840) - High [418]

Description: Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836.

38. Remote Code Execution - AV1 Video Extension (CVE-2022-38019) - High [405]

Description: AV1 Video Extension Remote Code Execution Vulnerability.

39. Denial of Service - .NET Core and Visual Studio (CVE-2022-38013) - High [401]

Description: .NET Core and Visual Studio Denial of Service Vulnerability.

40. Denial of Service - Windows Internet Key Exchange (IKE) Extension (CVE-2022-34720) - High [401]

Description: Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability.

tenable: CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows IKE protocol extensions that received a CVSSv3 score of 9.8 and were rated Exploitation Less Likely. The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks. Yuki Chen with Cyber KunLun is credited with disclosing both of these flaws along with CVE-2022-34720, a denial of service flaw in the IKE Protocol Exchange, and CVE-2022-35830, a RCE vulnerability in the Remote Procedure Call runtime.

41. Denial of Service - Windows Secure Channel (CVE-2022-30196) - High [401]

Description: Windows Secure Channel Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-35833.

42. Denial of Service - Windows Secure Channel (CVE-2022-35833) - High [401]

Description: Windows Secure Channel Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-30196.

Medium (44)

43. Elevation of Privilege - Kerberos (CVE-2022-33647) - Medium [398]

Description: Windows Kerberos Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33679.

qualys: CVE-2022-33679 , CVE-2022-33647 | Windows Kerberos Elevation of Privilege (EoP) Vulnerability These vulnerabilities have a CVSSv3.1 score of 8.1/10. Policy Compliance Control IDs (CIDs): 17108: Status of the ‘KDC support for claims, compound authentication and Kerberos armoring’ setting (Enabled / Disabled)17109: Status of the ‘Kerberos client support for claims, compound authentication and Kerberos armoring’ setting17197: Status of the ‘KDC support for claims, compound authentication, and Kerberos armoring’ setting Exploitability Assessment: Exploitation Less Likely

44. Elevation of Privilege - Azure Guest Configuration and Azure Arc-enabled servers (CVE-2022-38007) - Medium [395]

Description: Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability.

qualys: CVE-2022-38007 | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. An attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons. Exploitability Assessment: Exploitation Less Likely

qualys: CVE-2022-38007 | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. Policy Compliance Control IDs (CIDs) for Checking Azure Arc-Enabled Servers on Linux: 14112: Status of the services installed on the Linux/UNIX host (stopped, running, failed, dead, …)  Exploitability Assessment: Exploitation Less Likely

45. Elevation of Privilege - Windows Kernel (CVE-2022-37956) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37957, CVE-2022-37964.

tenable: CVE-2022-37956, CVE-2022-37957 and CVE-2022-37964 are EoP vulnerabilities impacting the Windows Kernel. All three vulnerabilities received CVSSv3 scores of 7.8 and if exploited, could allow an attacker to gain SYSTEM level privileges. Of the three, only CVE-2022-37957 was rated as “Exploitation More Likely.” Curiously, all three impact various versions of Windows. For instance CVE-2022-37964 only affects Windows 7, Windows Server 2008 and 2008 R2. CVE-2022-37956 affects all supported versions of Windows and Windows server, while CVE-2022-37957 only affects Windows 10 and above, including Windows Server versions 2016, 2019 and 2022.

46. Elevation of Privilege - Windows Kernel (CVE-2022-37957) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37956, CVE-2022-37964.

tenable: CVE-2022-37956, CVE-2022-37957 and CVE-2022-37964 are EoP vulnerabilities impacting the Windows Kernel. All three vulnerabilities received CVSSv3 scores of 7.8 and if exploited, could allow an attacker to gain SYSTEM level privileges. Of the three, only CVE-2022-37957 was rated as “Exploitation More Likely.” Curiously, all three impact various versions of Windows. For instance CVE-2022-37964 only affects Windows 7, Windows Server 2008 and 2008 R2. CVE-2022-37956 affects all supported versions of Windows and Windows server, while CVE-2022-37957 only affects Windows 10 and above, including Windows Server versions 2016, 2019 and 2022.

47. Elevation of Privilege - Windows Kernel (CVE-2022-37964) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37956, CVE-2022-37957.

tenable: CVE-2022-37956, CVE-2022-37957 and CVE-2022-37964 are EoP vulnerabilities impacting the Windows Kernel. All three vulnerabilities received CVSSv3 scores of 7.8 and if exploited, could allow an attacker to gain SYSTEM level privileges. Of the three, only CVE-2022-37957 was rated as “Exploitation More Likely.” Curiously, all three impact various versions of Windows. For instance CVE-2022-37964 only affects Windows 7, Windows Server 2008 and 2008 R2. CVE-2022-37956 affects all supported versions of Windows and Windows server, while CVE-2022-37957 only affects Windows 10 and above, including Windows Server versions 2016, 2019 and 2022.

48. Denial of Service - Windows Event Tracing (CVE-2022-35832) - Medium [374]

Description: Windows Event Tracing Denial of Service Vulnerability.

49. Security Feature Bypass - Network Device Enrollment Service (NDES) (CVE-2022-37959) - Medium [371]

Description: Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability.

50. Elevation of Privilege - DirectX Graphics Kernel (CVE-2022-37954) - Medium [360]

Description: DirectX Graphics Kernel Elevation of Privilege Vulnerability.

51. Elevation of Privilege - Windows Common Log File System Driver (CVE-2022-35803) - Medium [360]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37969.

52. Elevation of Privilege - Windows Defender Credential Guard (CVE-2022-34711) - Medium [360]

Description: Windows Defender Credential Guard Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-34705, CVE-2022-35771.

MS PT Extended: CVE-2022-34711 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

53. Elevation of Privilege - Windows Distributed File System (DFS) (CVE-2022-34719) - Medium [360]

Description: Windows Distributed File System (DFS) Elevation of Privilege Vulnerability.

54. Elevation of Privilege - Windows Group Policy (CVE-2022-37955) - Medium [360]

Description: Windows Group Policy Elevation of Privilege Vulnerability.

55. Elevation of Privilege - Windows Print Spooler (CVE-2022-38005) - Medium [360]

Description: Windows Print Spooler Elevation of Privilege Vulnerability.

56. Elevation of Privilege - Windows ALPC (CVE-2022-34725) - Medium [347]

Description: Windows ALPC Elevation of Privilege Vulnerability.

57. Elevation of Privilege - Windows Credential Roaming Service (CVE-2022-30170) - Medium [347]

Description: Windows Credential Roaming Service Elevation of Privilege Vulnerability.

58. Elevation of Privilege - Windows Photo Import API (CVE-2022-26928) - Medium [347]

Description: Windows Photo Import API Elevation of Privilege Vulnerability.

59. Denial of Service - HTTP V3 (CVE-2022-35838) - Medium [344]

Description: HTTP V3 Denial of Service Vulnerability.

qualys: CVE-2022-35838 | HTTP V3 Denial of Service (DoS) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. Policy Compliance Control IDs (CIDs): 24717: Status of the ‘HTTP/3’ service Exploitability Assessment: Exploitation Less Likely

60. Security Feature Bypass - Microsoft Edge (CVE-2022-2860) - Medium [333]

Description: Chromium: CVE-2022-2860 Insufficient policy enforcement in Cookies. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-2860 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

61. Security Feature Bypass - Microsoft Edge (CVE-2022-3045) - Medium [333]

Description: Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3045 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

62. Security Feature Bypass - Microsoft Edge (CVE-2022-3047) - Medium [333]

Description: Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3047 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

63. Security Feature Bypass - Microsoft Edge (CVE-2022-3054) - Medium [333]

Description: Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3054 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

64. Security Feature Bypass - Microsoft Edge (CVE-2022-3056) - Medium [333]

Description: Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3056 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

65. Information Disclosure - Windows Graphics Component (CVE-2022-38006) - Medium [327]

Description: Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34728, CVE-2022-35837.

66. Information Disclosure - Windows DPAPI (Data Protection Application Programming Interface) (CVE-2022-34723) - Medium [313]

Description: Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability.

67. Information Disclosure - Windows Graphics Component (CVE-2022-34728) - Medium [313]

Description: Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-35837, CVE-2022-38006.

68. Information Disclosure - Windows Remote Access (CVE-2022-35831) - Medium [313]

Description: Windows Remote Access Connection Manager Information Disclosure Vulnerability.

69. Elevation of Privilege - Microsoft Defender for Endpoint for Mac (CVE-2022-35828) - Medium [304]

Description: Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability.

70. Information Disclosure - Windows Graphics Component (CVE-2022-35837) - Medium [300]

Description: Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34728, CVE-2022-38006.

71. Memory Corruption - ARM processor (CVE-2022-23960) - Medium [297]

Description: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-37969*, CVE-2022-23960). Earlier this month, on September 1 and 2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) (CVE-2022-38012) ranked Low. Microsoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.

qualys: CVE-2022-23960 | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 5.6/10. CVE-2022-23960 is regarding a vulnerability known as Spectre-BHB. MITRE created this CVE on behalf of Arm Limited. Please see Spectre-BHB on arm Developer for more information. Exploitability Assessment: Exploitation Less Likely

tenable: Microsoft patched 62 CVEs in its September 2022 Patch Tuesday release, with five rated as critical and 57 rated as important. This count omits CVE-2022-23960, a cache speculation restriction vulnerability as it was issued by MITRE and applies to Arm CPUs.

rapid7: This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset they’ve already got an initial foothold in. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, Microsoft has released a fix for CVE-2022-23960 (aka Spectre-BHB) for Windows 11 on ARM64.

kaspersky: A vulnerability relevant to ARM processors — CVE-2022-23960

kaspersky: CVE-2022-23960 is the second vulnerability that was publicly disclosed before the patch. Theoretically, this could have meant that attackers could have started using it before it was patched, but it doesn’t seem to have been the case. In fact, CVE-2022-23960 is yet another variation of the Spectre vulnerability, which interferes with a processor’s speculative execution of instructions mechanism. In other words, the probability of its use in real attacks is extremely small — the danger is somewhat theoretical. What’s more, this vulnerability is only relevant for the Windows 11 on ARM64-based systems, which makes exploitation even less practical.

72. Information Disclosure - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958) - Medium [283]

Description: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability.

73. Memory Corruption - Microsoft Edge (CVE-2022-2852) - Medium [272]

Description: Chromium: CVE-2022-2852 Use after free in FedCM. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-2852 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

74. Memory Corruption - Microsoft Edge (CVE-2022-2853) - Medium [272]

Description: Chromium: CVE-2022-2853 Heap buffer overflow in Downloads. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-2853 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

75. Memory Corruption - Microsoft Edge (CVE-2022-2854) - Medium [272]

Description: Chromium: CVE-2022-2854 Use after free in SwiftShader. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-2854 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

76. Memory Corruption - Microsoft Edge (CVE-2022-2855) - Medium [272]

Description: Chromium: CVE-2022-2855 Use after free in ANGLE. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-2855 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

77. Memory Corruption - Microsoft Edge (CVE-2022-2857) - Medium [272]

Description: Chromium: CVE-2022-2857 Use after free in Blink. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-2857 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

78. Memory Corruption - Microsoft Edge (CVE-2022-2858) - Medium [272]

Description: Chromium: CVE-2022-2858 Use after free in Sign-In Flow. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-2858 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

79. Memory Corruption - Microsoft Edge (CVE-2022-3038) - Medium [272]

Description: Chromium: CVE-2022-3038 Use after free in Network Service. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3038 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

80. Memory Corruption - Microsoft Edge (CVE-2022-3039) - Medium [272]

Description: Chromium: CVE-2022-3039 Use after free in WebSQL. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3039 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

81. Memory Corruption - Microsoft Edge (CVE-2022-3040) - Medium [272]

Description: Chromium: CVE-2022-3040 Use after free in Layout. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3040 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

82. Memory Corruption - Microsoft Edge (CVE-2022-3041) - Medium [272]

Description: Chromium: CVE-2022-3041 Use after free in WebSQL. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3041 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

83. Memory Corruption - Microsoft Edge (CVE-2022-3046) - Medium [272]

Description: Chromium: CVE-2022-3046 Use after free in Browser Tag. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3046 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

84. Memory Corruption - Microsoft Edge (CVE-2022-3055) - Medium [272]

Description: Chromium: CVE-2022-3055 Use after free in Passwords. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3055 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

85. Memory Corruption - Microsoft Edge (CVE-2022-3058) - Medium [272]

Description: Chromium: CVE-2022-3058 Use after free in Sign-In Flow. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2022-3058 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

86. Elevation of Privilege - Visual Studio Code (CVE-2022-38020) - Medium [252]

Description: Visual Studio Code Elevation of Privilege Vulnerability.

Low (4)

87. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-2861) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-2861 Inappropriate implementation in Extensions API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-2861 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

88. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-3044) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3044 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

89. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-3053) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3053 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

90. Unknown Vulnerability Type - Microsoft Edge (CVE-2022-3057) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2022-3057 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

Exploitation in the wild detected (3)

Elevation of Privilege (1)

• Windows Common Log File System Driver (CVE-2022-37969)

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-37969*, CVE-2022-23960). Earlier this month, on September 1 and 2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) (CVE-2022-38012) ranked Low. Microsoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.

qualys: CVE-2022-37969 | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-37969 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. According to Microsoft, this vulnerability has been exploited in the wild. They also note that it has been publicly disclosed prior to a patch being available.

tenable: CVE-2022-24521, a similar vulnerability in CLFS, was patched earlier this year as part of Microsoft’s April Patch Tuesday release. CVE-2022-24521 flaw was disclosed to Microsoft by the National Security Agency (NSA) and CrowdStrike, which was also exploited in the wild. CVE-2022-37969 has been credited to several groups, including CrowdStrike, though it is unclear at this time if CVE-2022-37969 is potentially a patch-bypass for CVE-2022-24521.

rapid7: This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset they’ve already got an initial foothold in. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, Microsoft has released a fix for CVE-2022-23960 (aka Spectre-BHB) for Windows 11 on ARM64.

zdi: CVE-2022-37969 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This bug in the Common Log File System (CLFS) allows an authenticated attacker to execute code with elevated privileges. Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link. Once they do, additional code executes with elevated privileges to take over a system. Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.

kaspersky: CVE-2022-37969, which is being actively exploited by attackers

kaspersky: CVE-2022-37969 is a zero-day vulnerability in the Common Log File System driver. This is not the most dangerous bug of those that were patched by the latest update (its CVSS rating is only 7.8), since, in order to take advantage of it, attackers need to somehow gain access to the victim’s computer. However, successful exploitation will allow them to elevate their privileges to SYSTEM. According to Microsoft some attackers are already using the exploit for this vulnerability in the wild; therefore, it should be patched as soon as possible.

Security Feature Bypass (2)

• Microsoft Edge (CVE-2022-2856, CVE-2022-3075)

MS PT Extended: CVE-2022-2856 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3075 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

qualys: Qualys Threat Protection High-Rated Advisories from August 10 thru September 2022 Patch Tuesday Advisory Sorted in Descending Order Microsoft Patches Vulnerabilities 79 including 16 Microsoft Edge (Chromium-Based); with 2 Zero-days and 5 Critical in Patch Tuesday September 2022 EditionGoogle Chrome Releases Fix for the Zero-day Vulnerability (CVE-2022-3075)Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)GitLab Patches Critical Remote Command Execution Vulnerability (CVE-2022-2884)Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)Palo Alto Networks (PAN-OS) Reflected Amplification Denial-of-Service (DoS) Vulnerability (CVE-2022-0028)Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch TuesdayVMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)

zdi: CVE-2022-3075 - Chromium: CVE-2022-3075 Insufficient data validation in Mojo. This patch was released by the Google Chrome team back on September 2, so this is more of an “in case you missed it.” This vulnerability allows code execution on affected Chromium-based browsers (like Edge) and has been detected in the wild. This is the sixth Chrome exploit detected in the wild this year. The trend shows the near-ubiquitous browser platform has become a popular target for attackers. Make sure to update all of your systems based on Chromium.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (87)

Remote Code Execution (31)

• Windows TCP/IP (CVE-2022-34718)

qualys: CVE-2022-34718 | Windows TCP/IP Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine. Exploitability Assessment: Exploitation More Likely

qualys: CVE-2022-34718 | Windows TCP/IP Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. Policy Compliance Control IDs (CIDs): 3720: Status of the ‘IPSEC Services’ service14916: Status of Windows Services  Exploitability Assessment: Exploitation More Likely

tenable: CVE-2022-34718 is a RCE in Windows TCP/IP that received a CVSSv3 score of 9.8 and was rated Exploitation More Likely according to Microsoft’s Exploitability Index. This vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled. Successful exploitation could grant an unauthenticated attacker remote code execution. Microsoft has released patches for all supported versions of Windows, including Server Core editions.

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

zdi: CVE-2022-34718 - Windows TCP/IP Remote Code Execution Vulnerability. This Critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction. That officially puts it into the “wormable” category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.

kaspersky: - CVE-2022-34718 — a bug in Windows TCP/IP with a CVSS rating of 9.8. An unauthorized attacker can use it to execute arbitrary code on the attacked Windows computer with the IPSec service enabled by sending a specially crafted IPv6 packet to it.

• Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34721, CVE-2022-34722)

qualys: CVE-2022-34721, CVE-2022-34722 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation. NOTE: This vulnerability only impacts IKEv1. IKEv2 is not impacted. However, all Windows Servers are affected because they accept both V1 and V2 packets. Exploitability Assessment: Exploitation Less Likely

tenable: CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows IKE protocol extensions that received a CVSSv3 score of 9.8 and were rated Exploitation Less Likely. The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks. Yuki Chen with Cyber KunLun is credited with disclosing both of these flaws along with CVE-2022-34720, a denial of service flaw in the IKE Protocol Exchange, and CVE-2022-35830, a RCE vulnerability in the Remote Procedure Call runtime.

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

kaspersky: - CVE-2022-34721 and CVE-2022-34722 — vulnerabilities in the Internet Key Exchange protocol that allow an attacker to execute malicious code by also sending an IP packet to a vulnerable machine. Both have a CVSS rating of 9.8. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft reminds that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.

• Remote Procedure Call Runtime (CVE-2022-35830)

tenable: CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows IKE protocol extensions that received a CVSSv3 score of 9.8 and were rated Exploitation Less Likely. The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks. Yuki Chen with Cyber KunLun is credited with disclosing both of these flaws along with CVE-2022-34720, a denial of service flaw in the IKE Protocol Exchange, and CVE-2022-35830, a RCE vulnerability in the Remote Procedure Call runtime.

• Windows LDAP (CVE-2022-30200)
• Windows Enterprise App Management Service (CVE-2022-35841)
• .NET Framework (CVE-2022-26929)

qualys: CVE-2022-26929 | .NET Framework Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. Exploitability Assessment: Exploitation Less Likely

• Microsoft Edge (CVE-2022-38012)

MS PT Extended: CVE-2022-38012 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-37969*, CVE-2022-23960). Earlier this month, on September 1 and 2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) (CVE-2022-38012) ranked Low. Microsoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.

qualys: Microsoft Edge | Last But Not Least Earlier in September 2022, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities including CVE-2022-38012. The vulnerability assigned to the CVE is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see Security Update Guide Supports CVEs Assigned by Industry Partners.

qualys: CVE-2022-38012 | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 7.7/10. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. This vulnerability could lead to a browser sandbox escape. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. NOTE: Per Microsoft’s severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn’t allow for this type of nuance which explains why this CVE is rated as Low, but the CVSSv3.1 score is 7.7

• Windows Fax Service (CVE-2022-38004)

qualys: CVE-2022-38004 | Windows Network File System Remote Code Execution (RCE) Vulnerability  This vulnerability has a CVSSv3.1 score of 7.8/10. Policy Compliance Control IDs (CIDs): 1161: Status of the ‘Fax’ service14916: Status of Windows Services Exploitability Assessment: Exploitation Less Likely

• Microsoft SharePoint (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, CVE-2022-38009)

qualys: CVE-2022-38009 | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint. Exploitability Assessment: Exploitation Less Likely

• Raw Image Extension (CVE-2022-38011)
• Microsoft Office Visio (CVE-2022-37963, CVE-2022-38010)
• Microsoft PowerPoint (CVE-2022-37962)
• Microsoft Dynamics CRM (on-premises) (CVE-2022-34700, CVE-2022-35805)

rapid7: Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

kaspersky: - CVE-2022-34700 and CVE-2022-35805 — a pair of vulnerabilities in the Microsoft Dynamics customer relationship management (CRM) software. Their exploitation allows an authenticated user to execute arbitrary SQL commands, after which the attacker can elevate their rights and execute commands inside the Dynamics 365 database with db_owner rights. Since an attacker still needs to somehow authenticate, the CVSS ratings of these vulnerabilities are slightly lower (8.8), but they are still considered critical.

• Microsoft ODBC Driver (CVE-2022-34726, CVE-2022-34727, CVE-2022-34730, CVE-2022-34732, CVE-2022-34734)
• Microsoft OLE DB Provider for SQL Server (CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35840)
• AV1 Video Extension (CVE-2022-38019)

Elevation of Privilege (18)

• Kerberos (CVE-2022-33647, CVE-2022-33679)

qualys: CVE-2022-33679 , CVE-2022-33647 | Windows Kerberos Elevation of Privilege (EoP) Vulnerability These vulnerabilities have a CVSSv3.1 score of 8.1/10. Policy Compliance Control IDs (CIDs): 17108: Status of the ‘KDC support for claims, compound authentication and Kerberos armoring’ setting (Enabled / Disabled)17109: Status of the ‘Kerberos client support for claims, compound authentication and Kerberos armoring’ setting17197: Status of the ‘KDC support for claims, compound authentication, and Kerberos armoring’ setting Exploitability Assessment: Exploitation Less Likely

• Windows GDI (CVE-2022-34729)
• Azure Guest Configuration and Azure Arc-enabled servers (CVE-2022-38007)

qualys: CVE-2022-38007 | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. An attacker who successfully exploited the vulnerability could replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure VM with the Guest Configuration Linux Extension installed, this would run in the context of the GC Policy Agent daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons. Exploitability Assessment: Exploitation Less Likely

qualys: CVE-2022-38007 | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. Policy Compliance Control IDs (CIDs) for Checking Azure Arc-Enabled Servers on Linux: 14112: Status of the services installed on the Linux/UNIX host (stopped, running, failed, dead, …)  Exploitability Assessment: Exploitation Less Likely

• Windows Kernel (CVE-2022-37956, CVE-2022-37957, CVE-2022-37964)

tenable: CVE-2022-37956, CVE-2022-37957 and CVE-2022-37964 are EoP vulnerabilities impacting the Windows Kernel. All three vulnerabilities received CVSSv3 scores of 7.8 and if exploited, could allow an attacker to gain SYSTEM level privileges. Of the three, only CVE-2022-37957 was rated as “Exploitation More Likely.” Curiously, all three impact various versions of Windows. For instance CVE-2022-37964 only affects Windows 7, Windows Server 2008 and 2008 R2. CVE-2022-37956 affects all supported versions of Windows and Windows server, while CVE-2022-37957 only affects Windows 10 and above, including Windows Server versions 2016, 2019 and 2022.

• DirectX Graphics Kernel (CVE-2022-37954)
• Windows Common Log File System Driver (CVE-2022-35803)
• Windows Defender Credential Guard (CVE-2022-34711)

MS PT Extended: CVE-2022-34711 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

• Windows Distributed File System (DFS) (CVE-2022-34719)
• Windows Group Policy (CVE-2022-37955)
• Windows Print Spooler (CVE-2022-38005)
• Windows ALPC (CVE-2022-34725)
• Windows Credential Roaming Service (CVE-2022-30170)
• Windows Photo Import API (CVE-2022-26928)
• Microsoft Defender for Endpoint for Mac (CVE-2022-35828)
• Visual Studio Code (CVE-2022-38020)

Security Feature Bypass (7)

• Windows Defender Credential Guard (CVE-2022-35822)

MS PT Extended: CVE-2022-35822 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

• Network Device Enrollment Service (NDES) (CVE-2022-37959)
• Microsoft Edge (CVE-2022-2860, CVE-2022-3045, CVE-2022-3047, CVE-2022-3054, CVE-2022-3056)

MS PT Extended: CVE-2022-2860 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3047 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3054 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3056 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3045 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

Denial of Service (7)

• Windows DNS Server (CVE-2022-34724)

zdi: CVE-2022-34724 - Windows DNS Server Denial of Service Vulnerability. This bug is only rated Important since there’s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.

• .NET Core and Visual Studio (CVE-2022-38013)
• Windows Internet Key Exchange (IKE) Extension (CVE-2022-34720)

tenable: CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows IKE protocol extensions that received a CVSSv3 score of 9.8 and were rated Exploitation Less Likely. The IKE protocol is a component of IPsec used to set up security associations (relationships among devices based on shared security attributes). These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks. Yuki Chen with Cyber KunLun is credited with disclosing both of these flaws along with CVE-2022-34720, a denial of service flaw in the IKE Protocol Exchange, and CVE-2022-35830, a RCE vulnerability in the Remote Procedure Call runtime.

• Windows Secure Channel (CVE-2022-30196, CVE-2022-35833)
• Windows Event Tracing (CVE-2022-35832)
• HTTP V3 (CVE-2022-35838)

qualys: CVE-2022-35838 | HTTP V3 Denial of Service (DoS) Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. Policy Compliance Control IDs (CIDs): 24717: Status of the ‘HTTP/3’ service Exploitability Assessment: Exploitation Less Likely

Information Disclosure (6)

• Windows Graphics Component (CVE-2022-34728, CVE-2022-35837, CVE-2022-38006)
• Windows DPAPI (Data Protection Application Programming Interface) (CVE-2022-34723)
• Windows Remote Access (CVE-2022-35831)
• SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958)

Memory Corruption (14)

• ARM processor (CVE-2022-23960)

qualys: Microsoft Patch Tuesday Summary Microsoft has fixed 63 vulnerabilities (aka flaws) in the September 2022 update, including five (5) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-37969*, CVE-2022-23960). Earlier this month, on September 1 and 2, 2022, Microsoft also released a total of 16 Microsoft Edge (Chromium-Based) updates, one (1) addressing a Remote Code Execution (RCE) (CVE-2022-38012) ranked Low. Microsoft has fixed several flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution, and Security Feature Bypass.

qualys: CVE-2022-23960 | Windows Common Log File System Driver Elevation of Privilege (EoP) Vulnerability This vulnerability has a CVSSv3.1 score of 5.6/10. CVE-2022-23960 is regarding a vulnerability known as Spectre-BHB. MITRE created this CVE on behalf of Arm Limited. Please see Spectre-BHB on arm Developer for more information. Exploitability Assessment: Exploitation Less Likely

tenable: Microsoft patched 62 CVEs in its September 2022 Patch Tuesday release, with five rated as critical and 57 rated as important. This count omits CVE-2022-23960, a cache speculation restriction vulnerability as it was issued by MITRE and applies to Arm CPUs.

rapid7: This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset they’ve already got an initial foothold in. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, Microsoft has released a fix for CVE-2022-23960 (aka Spectre-BHB) for Windows 11 on ARM64.

kaspersky: A vulnerability relevant to ARM processors — CVE-2022-23960

kaspersky: CVE-2022-23960 is the second vulnerability that was publicly disclosed before the patch. Theoretically, this could have meant that attackers could have started using it before it was patched, but it doesn’t seem to have been the case. In fact, CVE-2022-23960 is yet another variation of the Spectre vulnerability, which interferes with a processor’s speculative execution of instructions mechanism. In other words, the probability of its use in real attacks is extremely small — the danger is somewhat theoretical. What’s more, this vulnerability is only relevant for the Windows 11 on ARM64-based systems, which makes exploitation even less practical.

• Microsoft Edge (CVE-2022-2852, CVE-2022-2853, CVE-2022-2854, CVE-2022-2855, CVE-2022-2857, CVE-2022-2858, CVE-2022-3038, CVE-2022-3039, CVE-2022-3040, CVE-2022-3041, CVE-2022-3046, CVE-2022-3055, CVE-2022-3058)

MS PT Extended: CVE-2022-2854 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3040 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-2858 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-2853 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3038 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3058 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3039 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3041 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3055 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-2852 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-2857 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3046 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-2855 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

Unknown Vulnerability Type (4)

• Microsoft Edge (CVE-2022-2861, CVE-2022-3044, CVE-2022-3053, CVE-2022-3057)

MS PT Extended: CVE-2022-3057 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3053 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-2861 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12

MS PT Extended: CVE-2022-3044 was published before September 2022 Patch Tuesday from 2022-08-10 to 2022-09-12